gnutls

rpm/gnutls

SHA256

Fork 0

forked from pool/gnutls

Commit Graph

Author	SHA256	Message	Date
Pedro Monreal Gonzalez	cf30493c2c	Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.0: [bsc#1205763, bsc#1209627] * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] * libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. * libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. * libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. * libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any OBS-URL: https://build.opensuse.org/request/show/1074130 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88	2023-03-24 12:22:34 +00:00
Pedro Monreal Gonzalez	5fcfc4e55e	Accepting request 1003480 from home:pmonrealgonzalez:branches:security:tls - FIPS: Additional modifications to the SLI. [bsc#1190698] * Mark CMAC and GMAC and non-approved in gnutls_pbkfd2(). * Mark HMAC keylength less than 112 bits as non-approved in gnutls_pbkfd2(). * Adapt the pbkdf2 selftest and the regression tests accordingly. * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch - FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941] * Add new dependency on jitterentropy * Add gnutls-FIPS-jitterentropy.patch - FIPS: * Add gnutls_ECDSA_signing.patch [bsc#1190698] - Check minimum keylength for symmetric key generation - Only allows ECDSA signature with valid set of hashes (SHA2 and SHA3) OBS-URL: https://build.opensuse.org/request/show/1003480 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=73	2022-09-14 08:41:21 +00:00

Author

SHA256

Message

Date

Pedro Monreal Gonzalez

cf30493c2c

Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls

- Update to 3.8.0: [bsc#1205763, bsc#1209627]
  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
    exchange. Reported by Hubert Kario (#1050). Fix developed by
    Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium]
    [CVE-2023-0361]
  * libgnutls: C++ library is now header only. All definitions
    from gnutlsxx.c have been moved into gnutlsxx.h. Users of the
    C++ interface have two options:
    1. include gnutlsxx.h in their application and link against
       the C library. (default)
    2. include gnutlsxx.h in their application, compile with
       GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
       against the C++ library.
  * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
    priority modifier have been added to allow disabling of the
    status_request TLS extension in the client side.
  * libgnutls: TLS heartbeat is disabled by default.
    The heartbeat extension in TLS (RFC 6520) is not widely used
    given other implementations dropped support for it. To enable
    back support for it, supply --enable-heartbeat-support to
    configure script.
  * libgnutls: SRP authentication is now disabled by default.
    It is disabled because the SRP authentication in TLS is not
    up to date with the latest TLS standards and its ciphersuites
    are based on the CBC mode and SHA-1. To enable it back, supply
    --enable-srp-authentication option to configure script.
  * libgnutls: All code has been indented using "indent -ppi1 -linux".
    CI/CD has been adjusted to catch regressions. This is implemented
    through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
    commit-check. You may run devel/indent-gnutls to fix any

OBS-URL: https://build.opensuse.org/request/show/1074130
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88

2023-03-24 12:22:34 +00:00

Pedro Monreal Gonzalez

5fcfc4e55e

Accepting request 1003480 from home:pmonrealgonzalez:branches:security:tls

- FIPS: Additional modifications to the SLI. [bsc#1190698]
  * Mark CMAC and GMAC and non-approved in gnutls_pbkfd2().
  * Mark HMAC keylength less than 112 bits as non-approved in
    gnutls_pbkfd2().
  * Adapt the pbkdf2 selftest and the regression tests accordingly.
  * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch

- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941]
  * Add new dependency on jitterentropy
  * Add gnutls-FIPS-jitterentropy.patch

- FIPS:
  * Add gnutls_ECDSA_signing.patch [bsc#1190698]
    - Check minimum keylength for symmetric key generation
    - Only allows ECDSA signature with valid set of hashes
      (SHA2 and SHA3)

OBS-URL: https://build.opensuse.org/request/show/1003480
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=73

2022-09-14 08:41:21 +00:00

2 Commits