* libgnutls: New configure option to compile out DSA support
The --disable-dsa configure option has been added to completely
disable DSA algorithm support.
* libgnutls: Experimental support for X25519Kyber768Draft00 key
exchange in TLS. For testing purposes, the hybrid post-quantum
key exchange defined in draft-tls-westerbaan-xyber768d00 has been
implemented using liboqs. Since the algorithm is still not finalized,
the support of this key exchange is disabled by default and can be
enabled with the --with-liboqs configure option.
* Rebase patches:
- gnutls-FIPS-140-3-references.patch
- gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=113
* libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12
To be compliant with FIPS 140-3, PKCS#12 files with MAC based on
PBKDF2 (PBMAC1) is now supported, according to the specification
proposed in draft-ietf-lamps-pkcs12-pbmac1.
* libgnutls: SHA3 extendable output functions (XOF) are now supported
SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new
public API gnutls_hash_squeeze.
* API and ABI modifications:
- gnutls_pkcs12_generate_mac3: New function
- gnutls_pkcs12_flags_t: New enum
- gnutls_hash_squeeze: New function
* Rebase patches:
- gnutls-FIPS-140-3-references.patch
- gnutls-FIPS-jitterentropy.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=111
- Update to 3.8.5:
* libgnutls: Due to majority of usages and implementations of
RSA decryption with PKCS#1 v1.5 padding being incorrect,
leaving them vulnerable to Marvin attack, the RSAES-PKCS1-v1_5
is being deprecated (encryption and decryption) and will be
disabled in the future. A new option 'allow-rsa-pkcs1-encrypt'
has been added into the system-wide library configuration which
allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
RSAES-PKCS1-v1_5 is enabled by default.
* libgnutls: Added support for RIPEMD160 and PBES1-DES-SHA1 for
backward compatibility with GCR.
* libgnutls: A couple of memory related issues have been fixed in
RSA PKCS#1 v1.5 decryption error handling and deterministic ECDSA
with earlier versions of GMP. These were a regression introduced
in the 3.8.4 release. See #1535 and !1827.
* build: Fixed a bug where building gnutls statically failed due
to a duplicate definition of nettle_rsa_compute_root_tr().
* API and ABI modifications:
- GNUTLS_PKCS_PBES1_DES_SHA1: New enum member of
gnutls_pkcs_encrypt_flags_t
* Rebase patches:
- gnutls-FIPS-TLS_KDF_selftest.patch
- gnutls-FIPS-140-3-references.patch
OBS-URL: https://build.opensuse.org/request/show/1165440
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=109
- jitterentropy: Release the memory of the entropy collector when
using jitterentropy with phtreads as there is also a
pre-intitization done in the main thread. [bsc#1221242]
* Add gnutls-FIPS-jitterentropy-deinit-threads.patch
- Update to 3.8.4:
* libgnutls: RSA-OAEP encryption scheme is now supported
To use it with an unrestricted RSA private key, one would need to
initialize a gnutls_x509_spki_t object with necessary parameters
for RSA-OAEP and attach it to the private key. It is also possible
to import restricted private keys if they are stored in PKCS#8
format.
* libgnutls: Fix side-channel in the deterministic ECDSA.
Reported by George Pantelakis (#1516).
[GNUTLS-SA-2023-12-04, CVSS: medium] [bsc#1221746, CVE-2024-28834]
* libgnutls: Fixed a bug where certtool crashed when verifying a
certificate chain with more than 16 certificates. Reported by
William Woodruff (#1525) and yixiangzhike (#1527).
[GNUTLS-SA-2024-01-23, CVSS: medium] [bsc#1221747, CVE-2024-28835]
* libgnutls: Compression libraries are now loaded dynamically as needed
instead of all being loaded during gnutls library initialization.
As a result, the library initialization should be faster.
* build: The gnutls library can now be linked with the static library
of GMP. Note that in order for this to work libgmp.a needs to be
compiled with -fPIC and libhogweed in Nettle also has to be linked
to the static library of GMP. This can be used to prevent custom
memory allocators from being overriden by other applications.
* API and ABI modifications:
- gnutls_x509_spki_get_rsa_oaep_params: New function.
- gnutls_x509_spki_set_rsa_oaep_params: New function.
OBS-URL: https://build.opensuse.org/request/show/1161324
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=107
- Update to 3.8.3:
* libgnutls: Fix more timing side-channel inside RSA-PSK key
exchange. [GNUTLS-SA-2024-01-14, CVSS: medium]
[bsc#1218865, CVE-2024-0553]
* libgnutls: Fix assertion failure when verifying a certificate
chain with a cycle of cross signatures.
[GNUTLS-SA-2024-01-09, CVSS: medium] [bsc#1218862, CVE-2024-0567]
* libgnutls: Fix regression in handling Ed25519 keys stored in
PKCS#11 token certtool was unable to handle Ed25519 keys
generated on PKCS#11 with pkcs11-tool (OpenSC).
This is a regression introduced in 3.8.2.
* Rebase gnutls-FIPS-140-3-references.patch
* Updated upstream gnutls.keyring
OBS-URL: https://build.opensuse.org/request/show/1139454
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=103
- Update to 3.8.2: [bsc#1217277, CVE-2023-5981]
* libgnutls: Fix timing side-channel inside RSA-PSK key exchange.
[GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981]
* libgnutls: Add API functions to perform ECDH and DH key agreement
The functionality has been there for a long time though they were
not available as part of the public API. This enables applications
to implement custom protocols leveraging non-interactive key
agreement with ECDH and DH.
* libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452)
The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and
GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through
the AEAD interface. Note that, unlike
GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is
appended to the ciphertext, not prepended.
* libgnutls: transparent KTLS support is extended to FreeBSD kernel
The kernel TLS feature can now be enabled on FreeBSD as well as
Linux when compiled with the --enable-ktls configure option.
* gnutls-cli: New option --starttls-name
Depending on deployment, application protocols such as XMPP may
require a different origin address than the external address to be
presented prior to STARTTLS negotiation. The --starttls-name can
be used to specify specify the addresses separately.
* API and ABI modifications:
- gnutls_pubkey_import_dh_raw: New function
- gnutls_privkey_import_dh_raw: New function
- gnutls_pubkey_export_dh_raw: New function
- gnutls_privkey_export_dh_raw: New function
- gnutls_x509_privkey_import_dh_raw: New function
- gnutls_privkey_derive_secret: New function
- GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t
OBS-URL: https://build.opensuse.org/request/show/1127282
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=101
- tests: Fix the SRP test that fails with SIGPIPE signal return due
to a socket being closed before using it.
* Add gnutls-srp-test-SIGPIPE.patch
- Update to version 3.8.1:
* libgnutls: ClientHello extensions are randomized by default
To make fingerprinting harder, TLS extensions in ClientHello
messages are shuffled. As this behavior may cause compatibility
issue with legacy applications that do not accept the last
extension without payload, the behavior can be reverted with the
%NO_SHUFFLE_EXTENSIONS priority keyword.
* libgnutls: Add support for RFC 9258 external PSK importer.
This enables to deploy the same PSK across multiple TLS versions
(TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
needs to set up a callback that formats the PSK identity using
gnutls_psk_format_imported_identity().
* libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
%GNUTLS_NO_DEFAULT_EXTENSIONS.
* libgnutls: Add additional PBKDF limit checks in FIPS mode as
defined in SP 800-132. Minimum salt length is 128 bits and
minimum iterations bound is 1000 for PBKDF in FIPS mode.
* libgnutls: Add a mechanism to control whether to enforce extended
master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
session hash (extended master secret, EMS) in TLS 1.2. To enforce
this, a new priority keyword %FORCE_SESSION_HASH is added and if
it is set and EMS is not set, the peer aborts the connection. This
behavior is the default in FIPS mode, though it can be overridden
through the configuration file with the "tls-session-hash" option.
In either case non-EMS PRF is reported as a non-approved operation
through the FIPS service indicator.
OBS-URL: https://build.opensuse.org/request/show/1105136
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=98
- Update to 3.8.0: [bsc#1205763, bsc#1209627]
* libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
exchange. Reported by Hubert Kario (#1050). Fix developed by
Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium]
[CVE-2023-0361]
* libgnutls: C++ library is now header only. All definitions
from gnutlsxx.c have been moved into gnutlsxx.h. Users of the
C++ interface have two options:
1. include gnutlsxx.h in their application and link against
the C library. (default)
2. include gnutlsxx.h in their application, compile with
GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
against the C++ library.
* libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
priority modifier have been added to allow disabling of the
status_request TLS extension in the client side.
* libgnutls: TLS heartbeat is disabled by default.
The heartbeat extension in TLS (RFC 6520) is not widely used
given other implementations dropped support for it. To enable
back support for it, supply --enable-heartbeat-support to
configure script.
* libgnutls: SRP authentication is now disabled by default.
It is disabled because the SRP authentication in TLS is not
up to date with the latest TLS standards and its ciphersuites
are based on the CBC mode and SHA-1. To enable it back, supply
--enable-srp-authentication option to configure script.
* libgnutls: All code has been indented using "indent -ppi1 -linux".
CI/CD has been adjusted to catch regressions. This is implemented
through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
commit-check. You may run devel/indent-gnutls to fix any
OBS-URL: https://build.opensuse.org/request/show/1074130
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88
- Verify only the libgnutls library HMAC [bsc#1199881]
* Do not use the brp-50-generate-fips-hmac script as this
is now calculated with the internal fipshmac tool.
* Add gnutls-verify-library-HMAC.patch
- Disable flaky test that fails in s390x architecture:
* Add gnutls-disable-flaky-test-dtls-resume.patch
- Consolidate the FIPS hmac files [bsc#1203245]
* Use the gnutls fipshmac tool instead of the brp-check-suse
and rename it to reflect on the library version.
- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
positive for the FIPS hmac calculation.
OBS-URL: https://build.opensuse.org/request/show/1034572
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=80
- The FIPS hmac is now calculated with an internal tool since
commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed and it has
been renamed to .gnutls.hmac. [bsc#1199881, bsc#1203245]
* Remove the fipscheck build dependency
* Check only the calculated hmac for libgnutls.so.30 since the
calculated hmacs for libnettle.so.8, libhogweed.so.6 and
libgmp.so.10 in .gnutls.hmac are incorrect.
* Add gnutls-FIPS-hmac-check-only-libgnutls.patch
* Remove gnutls-FIPS-Run-CFB8-without-offset.patch
- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
* Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
OBS-URL: https://build.opensuse.org/request/show/1011039
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=78
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
OBS-URL: https://build.opensuse.org/request/show/1009758
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=77
- FIPS: Additional modifications to the SLI. [bsc#1190698]
* Mark CMAC and GMAC and non-approved in gnutls_pbkfd2().
* Mark HMAC keylength less than 112 bits as non-approved in
gnutls_pbkfd2().
* Adapt the pbkdf2 selftest and the regression tests accordingly.
* Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941]
* Add new dependency on jitterentropy
* Add gnutls-FIPS-jitterentropy.patch
- FIPS:
* Add gnutls_ECDSA_signing.patch [bsc#1190698]
- Check minimum keylength for symmetric key generation
- Only allows ECDSA signature with valid set of hashes
(SHA2 and SHA3)
OBS-URL: https://build.opensuse.org/request/show/1003480
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=73
- Update to 3.7.7:
* libgnutls: Fixed double free during verification of pkcs7
signatures. CVE-2022-2509
* libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
less than or equal to 255 times hash digest size, to comply with
RFC 5869 2.3.
* libgnutls: Length limit for TLS PSK usernames has been increased
from 128 to 65535 characters
* libgnutls: AES-GCM encryption function now limits plaintext
length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
* libgnutls: New block cipher functions have been added to
transparently handle padding. gnutls_cipher_encrypt3 and
gnutls_cipher_decrypt3 can be used in combination of
GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
padding if the length of the original plaintext is not a multiple
of the block size.
* libgnutls: New function for manual FIPS self-testing.
* API and ABI modifications:
- gnutls_fips140_run_self_tests: New function
- gnutls_cipher_encrypt3: New function
- gnutls_cipher_decrypt3: New function
- gnutls_cipher_padding_flags_t: New enum
* guile: Guile 1.8 is no longer supported
* guile: Session record port treats premature termination as EOF Previously,
a 'gnutls-error' exception with the 'error/premature-termination' value
would be thrown while reading from a session record port when the
underlying session was terminated prematurely. This was inconvenient
since users of the port may not be prepared to handle such an exception.
Reading from the session record port now returns the end-of-file object
instead of throwing an exception, just like it would for a proper
OBS-URL: https://build.opensuse.org/request/show/991873
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=69
- Update to version 3.7.6:
* libgnutls: Fixed invalid write when gnutls_realloc_zero() is
called with new_size < old_size. This bug caused heap
corruption when gnutls_realloc_zero() has been set as gmp
reallocfunc.
* Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed
upstream.
- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory
corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367,
boo#1199929).
- update to 3.7.5:
* add options disable session ticket usage in TLS 1.2 because
it does not provide forward secrecy
* For TLS 1.3 where session tickets do provide forward secrecy,
the PFS priority string now only disables session tickets in
TLS 1.2.
* Future backward incompatibility: in the next major release of
GnuTLS those flag and modifier are planned to be removed
* gnutls-cli, gnutls-serv: Channel binding for printing
information has been changed from tls-unique to tls-exporter
as tls-unique is not supported in TLS 1.3.
* Certificate sanity checks has been enhanced to make gnutls
more RFC 5280 compliant:
* Removed 3DES from FIPS approved algorithms
* Optimized support for AES-SIV-CMAC algorithms
* libgnutls: HKDF and AES-GCM algorithms are now approved in
FIPS-140 mode when used in TLS (forwarded request 979523 from 1Antoine1)
OBS-URL: https://build.opensuse.org/request/show/979801
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=139
- Update to version 3.7.6:
* libgnutls: Fixed invalid write when gnutls_realloc_zero() is
called with new_size < old_size. This bug caused heap
corruption when gnutls_realloc_zero() has been set as gmp
reallocfunc.
* Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed
upstream.
- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory
corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367,
boo#1199929).
- update to 3.7.5:
* add options disable session ticket usage in TLS 1.2 because
it does not provide forward secrecy
* For TLS 1.3 where session tickets do provide forward secrecy,
the PFS priority string now only disables session tickets in
TLS 1.2.
* Future backward incompatibility: in the next major release of
GnuTLS those flag and modifier are planned to be removed
* gnutls-cli, gnutls-serv: Channel binding for printing
information has been changed from tls-unique to tls-exporter
as tls-unique is not supported in TLS 1.3.
* Certificate sanity checks has been enhanced to make gnutls
more RFC 5280 compliant:
* Removed 3DES from FIPS approved algorithms
* Optimized support for AES-SIV-CMAC algorithms
* libgnutls: HKDF and AES-GCM algorithms are now approved in
FIPS-140 mode when used in TLS
OBS-URL: https://build.opensuse.org/request/show/979523
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=67
