rpm/gnutls
SHA256
1
0
Fork 0
forked from pool/gnutls
Code Pull Requests Activity

Compare commits

merge into: rpm:factory
Branches Tags
rpm:factory rpm:devel pool:slfo-1.2 pool:slfo-main pool:factory pool:devel
...
pull from: pool:factory
Branches Tags
pool:slfo-1.2 pool:slfo-main pool:factory pool:devel rpm:factory rpm:devel

18 Commits
factory ... factory

Author SHA256 Message Date
Dominique Leuenberger
5626443305 Accepting request 1297470 from security:tls 
- Build with leancrypto. The liboqs support for post-quantum
  cryptography (PQC) has been removed and is only provided through
  leancrypto.

- Update to 3.8.10:
  * libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
    Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
    [bsc#1246299, CVE-2025-6395]
  * libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
    Spotted by oss-fuzz and reported by OpenAI Security Research Team,
    and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
    CVSS: medium] [bsc#1246233, CVE-2025-32989]
  * libgnutls: Fix double-free upon error when exporting otherName in SAN
    Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
    CVSS: low] [bsc#1246232, CVE-2025-32988]
  * certtool: Fix 1-byte write buffer overrun when parsing template
    Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
    CVSS: low] [bsc#1246267, CVE-2025-32990]
  * libgnutls: PKCS#11 modules can now be used to override the default
    cryptographic backend. Use the [provider] section in the system-wide config
    to specify path and pin to the module (see system-wide config Documentation).
  * libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
    support. The library running on the aforementioned version now utilizes the
    kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
    TLS session. The --enable-ktls configure option as well as the system-wide
    kTLS configuration(see GnuTLS Documentation) are still required to enable
    this feature.
  * libgnutls: liboqs support for PQC has been removed
    For maintenance purposes, support for post-quantum cryptography
    (PQC) is now only provided through leancrypto. The experimental key

OBS-URL: https://build.opensuse.org/request/show/1297470
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=164
 2025-08-05 12:20:17 +00:00
Pedro Monreal Gonzalez
d4ad3961e3 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=131 2025-08-04 10:55:14 +00:00
Pedro Monreal Gonzalez
8412719df6 - Build with leancrypto. The liboqs support for post-quantum 
cryptography (PQC) has been removed and is only provided through
  leancrypto.

- Build with TPM 2.0 support via tpm2-0-tss.

- Update to 3.8.9:

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=130
 2025-07-16 09:21:10 +00:00
Pedro Monreal Gonzalez
81f2d36642 - Update to 3.8.10: 
* libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
    Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
    [bsc#1246299, CVE-2025-6395]
  * libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
    Spotted by oss-fuzz and reported by OpenAI Security Research Team,
    and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
    CVSS: medium] [bsc#1246233, CVE-2025-32989]
  * libgnutls: Fix double-free upon error when exporting otherName in SAN
    Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
    CVSS: low] [bsc#1246232, CVE-2025-32988]
  * certtool: Fix 1-byte write buffer overrun when parsing template
    Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
    CVSS: low] [bsc#1246267, CVE-2025-32990]
  * libgnutls: PKCS#11 modules can now be used to override the default
    cryptographic backend. Use the [provider] section in the system-wide config
    to specify path and pin to the module (see system-wide config Documentation).
  * libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
    support. The library running on the aforementioned version now utilizes the
    kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
    TLS session. The --enable-ktls configure option as well as the system-wide
    kTLS configuration(see GnuTLS Documentation) are still required to enable
    this feature.
  * libgnutls: liboqs support for PQC has been removed
    For maintenance purposes, support for post-quantum cryptography
    (PQC) is now only provided through leancrypto. The experimental key
    exchange algorithm, X25519Kyber768Draft00, which is based on the
    round 3 candidate of Kyber and only supported through liboqs has
    also been removed altogether.
  * libgnutls: TLS certificate compression methods can now be set with

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=129
 2025-07-15 07:34:08 +00:00
Lucas Mulling
20f38b1453 - enable ktls support 
- enable brotli and zstd compression support

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=128
 2025-07-14 01:12:35 +00:00
Dominique Leuenberger
8d1c2f957a Accepting request 1273335 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1273335
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=163
 2025-04-30 17:02:35 +00:00
Pedro Monreal Gonzalez
f6d4418be4 - Fix FIPS mode running on Tumbleweed [bsc#1237101] 
* When nettle or libhogweed are installed with glbic-hwcaps for x86_64-v3,
    some paths differ and we are unable to match the hmac file for the lib.
  * Add gnutls-FIPS-HMAC-x86_64-v3-opt.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=126
 2025-04-29 08:05:41 +00:00
Ana Guerrero
7953f0ffcf Accepting request 1268601 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1268601
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=162
 2025-04-14 10:55:31 +00:00
Pedro Monreal Gonzalez
76993b2de0 - Disable liboqs on armv6 
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=124
 2025-04-11 11:42:31 +00:00
Ana Guerrero
5aa6f611ec Accepting request 1255878 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1255878
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=161
 2025-03-26 20:17:57 +00:00
Pedro Monreal Gonzalez
d0cf2319d1 - FIPS: Mark SHA-1 as non-approved in the SLI for all operations. [jsc#PED-12224] 
* Add gnutls-FIPS-disable-mac-sha1.patch

- bsc#1237101, FIPS selfcheck fails on tumbleweed
  * Match dependent library names ( nettle, gmp, hogweed ) even when they include full verison in soname
  * Add gnutls-fips-sonames-check.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=122
 2025-03-25 09:35:55 +00:00
Dominique Leuenberger
f7915feb05 Accepting request 1248196 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1248196
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=160
 2025-02-25 15:40:09 +00:00
Angel Yankov
67ef93e3e1 * Add gnutls-skip-pqx-test.patch 
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=120
 2025-02-24 15:31:40 +00:00
Pedro Monreal Gonzalez
f82cc71bfb - Update to 3.8.9 
- libgnutls: leancrypto was added as an interim option for PQC
    The library can now be built with leancrypto instead of liboqs for
    post-quantum cryptography (PQC), when configured with
    --with-leancrypto option instead of --with-liboqs.
  - libgnutls: Experimental support for ML-DSA signature algorithm
    The library and certtool now support ML-DSA signature algorithm as
    defined in FIPS 204 and based on
    draft-ietf-lamps-dilithium-certificates-04. This feature is
    currently marked as experimental and can only be enabled when
    compiled with --with-leancrypto or --with-liboqs.
    Contributed by David Dudas.
  - libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
    The support for ML-KEM post-quantum key encapsulation mechanisms
    has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
    MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
    draft-kwiatkowski-tls-ecdhe-mlkem-03.
  - libgnutls: Fix potential DoS in handling certificates with numerous name
    constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
    bundled copy of libtasn1 has also been updated to the latest 4.20.0
    release to complete the fix.  Reported by Bing Shi (#1553).
    [GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243
  - Licensing information moved to REAMDE.md, COPYING, COPYING.LESSERv2
  * Rebased gnutls-FIPS-140-3-references.patch
  * Rebased gnutls-FIPS-TLS_KDF_selftest.patch
  * Rebased gnutls-FIPS-jitterentropy.patch
  * Rebased gnutls-disable-flaky-test-dtls-resume.patch
  * Rebased gnutls-srp-test-SIGPIPE.patch
  * Rebased gnutls-3.5.11-skip-trust-store-tests.patch
  * Add gnutls-set-cligen-python-interp.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=119
 2025-02-24 12:46:22 +00:00
Ana Guerrero
1c06047e0c Accepting request 1224137 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1224137
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=159
 2024-11-15 14:37:54 +00:00
Pedro Monreal Gonzalez
0e88121289 - Update to 3.8.8: 
- libgnutls: Experimental support for X25519MLKEM768 and
    SecP256r1MLKEM768 key exchange in TLS 1.3:  The support for
    post-quantum key exchanges has been extended to cover the final
    standard of ML-KEM, following draft-kwiatkowski-tls-ecdhe-mlkem.
    The minimum supported version of liboqs is bumped to 0.11.0.
  - libgnutls: All records included in an OCSP response are now checked
    in TLS: Previously, when multiple records are provided in a single
    OCSP response, only the first record was considered; now all those
    records are examined until the server certificate matches.
  - libgnutls: Handling of malformed compress_certificate extension is
    now more standard compliant: The server behavior of receiving a
    malformed compress_certificate extension now more strictly follows
    RFC 8879; return illegal_parameter alert instead of bad_certificate,
    as well as overlong extension data is properly rejected.
  - build: More flexible library linking options for compression
    libraries, TPM, and liboqs support: The configure options,
    --with-zstd, --with-brotli, --with-zlib, --with-tpm2, and --with-liboqs
    now take 4 states: yes/link/dlopen/no, to specify how the libraries
    are linked or loaded.
  * Rebase gnutls-FIPS-140-3-references.patch

- FIPS: Allow to perform the integrity check with the hmac provided
  by each library [bsc#1226724]
  * Rebase gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=117
 2024-11-14 09:41:10 +00:00
Ana Guerrero
e4c415ffa3 Accepting request 1204664 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1204664
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=158
 2024-10-01 15:11:13 +00:00
Pedro Monreal Gonzalez
fb6da79b80 - Build with liboqs to support the X25519Kyber768 post-quantum key 
exchange algorithm.

Note that since crypto-policies doesn't enable X25519Kyber768 yet,
it will only be used if the gnutls policy is manually edited
(for now).

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=115
 2024-09-30 06:48:36 +00:00
19 changed files with 1006 additions and 495 deletions
Expand all files Collapse all files

8
gnutls-3.5.11-skip-trust-store-tests.patch
View File

@@ -15,11 +15,11 @@ need ca-certificates-mozilla to run.
But this would create a build cycle. Skip test. But this would create a build cycle. Skip test.
Index: gnutls-3.6.15/tests/trust-store.c Index: gnutls-3.8.9/tests/trust-store.c
=================================================================== ===================================================================
--- gnutls-3.6.15.orig/tests/trust-store.c 2020-09-08 10:24:24.018094247 +0200 --- gnutls-3.8.9.orig/tests/trust-store.c
+++ gnutls-3.6.15/tests/trust-store.c 2020-09-08 10:24:25.534104346 +0200 +++ gnutls-3.8.9/tests/trust-store.c
@@ -44,6 +44,9 @@ static void tls_log_func(int level, cons @@ -42,6 +42,9 @@ static void tls_log_func(int level, cons
void doit(void) void doit(void)
{ {

24
gnutls-3.8.10-disable-ktls_test.patch Normal file
View File

@@ -0,0 +1,24 @@
Index: gnutls-3.8.10/tests/Makefile.am
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.am
+++ gnutls-3.8.10/tests/Makefile.am
@@ -527,13 +527,13 @@ if !WINDOWS
#
if ENABLE_KTLS
-indirect_tests += gnutls_ktls
-dist_check_SCRIPTS += ktls.sh
+#indirect_tests += gnutls_ktls
+#dist_check_SCRIPTS += ktls.sh
-indirect_tests += ktls_keyupdate
-ktls_keyupdate_SOURCES = tls13/key_update.c
-ktls_keyupdate_CFLAGS = -DUSE_KTLS
-dist_check_SCRIPTS += ktls_keyupdate.sh
+#indirect_tests += ktls_keyupdate
+#ktls_keyupdate_SOURCES = tls13/key_update.c
+#ktls_keyupdate_CFLAGS = -DUSE_KTLS
+#dist_check_SCRIPTS += ktls_keyupdate.sh
endif
dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb

BIN
gnutls-3.8.10.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
gnutls-3.8.10.tar.xz.sig Normal file
View File

Binary file not shown.

3
gnutls-3.8.7.1.tar.xz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9ca0ddaccce28a74fa18d738744190afb3b0daebef74e6ad686bf7bef99abd60
size 6695404

BIN
gnutls-3.8.7.1.tar.xz.sig
View File

Binary file not shown.

376
gnutls-FIPS-140-3-references.patch
View File

@@ -1,8 +1,8 @@
Index: gnutls-3.8.7/configure.ac Index: gnutls-3.8.10/configure.ac
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/configure.ac --- gnutls-3.8.10.orig/configure.ac
+++ gnutls-3.8.7/configure.ac +++ gnutls-3.8.10/configure.ac
@@ -624,19 +624,19 @@ LT_INIT([disable-static,win32-dll,shared @@ -665,19 +665,19 @@ LT_INIT([disable-static,win32-dll,shared
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);]) AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
AC_ARG_ENABLE(fips140-mode, AC_ARG_ENABLE(fips140-mode,
@@ -25,10 +25,10 @@ Index: gnutls-3.8.7/configure.ac
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name], AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
[specify the FIPS140 module name]), [specify the FIPS140 module name]),
Index: gnutls-3.8.7/doc/cha-gtls-app.texi Index: gnutls-3.8.10/doc/cha-gtls-app.texi
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/cha-gtls-app.texi --- gnutls-3.8.10.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.7/doc/cha-gtls-app.texi +++ gnutls-3.8.10/doc/cha-gtls-app.texi
@@ -222,7 +222,7 @@ CPU. The currently available options are @@ -222,7 +222,7 @@ CPU. The currently available options are
@end itemize @end itemize
@@ -38,10 +38,10 @@ Index: gnutls-3.8.7/doc/cha-gtls-app.texi
if set to one it will force the FIPS mode enablement. if set to one it will force the FIPS mode enablement.
@end multitable @end multitable
Index: gnutls-3.8.7/doc/cha-internals.texi Index: gnutls-3.8.10/doc/cha-internals.texi
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/cha-internals.texi --- gnutls-3.8.10.orig/doc/cha-internals.texi
+++ gnutls-3.8.7/doc/cha-internals.texi +++ gnutls-3.8.10/doc/cha-internals.texi
@@ -14,7 +14,7 @@ happens inside the black box. @@ -14,7 +14,7 @@ happens inside the black box.
* TLS Hello Extension Handling:: * TLS Hello Extension Handling::
* Cryptographic Backend:: * Cryptographic Backend::
@@ -162,11 +162,11 @@ Index: gnutls-3.8.7/doc/cha-internals.texi
operation. It can be attached to the current execution thread with operation. It can be attached to the current execution thread with
@funcref{gnutls_fips140_push_context} and its internal state will be @funcref{gnutls_fips140_push_context} and its internal state will be
updated until it is detached with updated until it is detached with
Index: gnutls-3.8.7/doc/enums.texi Index: gnutls-3.8.10/doc/enums.texi
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/enums.texi --- gnutls-3.8.10.orig/doc/enums.texi
+++ gnutls-3.8.7/doc/enums.texi +++ gnutls-3.8.10/doc/enums.texi
@@ -1204,7 +1204,7 @@ application traffic secret is installed @@ -1230,7 +1230,7 @@ application traffic secret is installed
@c gnutls_fips_mode_t @c gnutls_fips_mode_t
@table @code @table @code
@item GNUTLS_@-FIPS140_@-DISABLED @item GNUTLS_@-FIPS140_@-DISABLED
@@ -175,7 +175,7 @@ Index: gnutls-3.8.7/doc/enums.texi
@item GNUTLS_@-FIPS140_@-STRICT @item GNUTLS_@-FIPS140_@-STRICT
The default mode; all forbidden operations will cause an The default mode; all forbidden operations will cause an
operation failure via error code. operation failure via error code.
@@ -1212,8 +1212,8 @@ operation failure via error code. @@ -1238,8 +1238,8 @@ operation failure via error code.
A transient state during library initialization. That state A transient state during library initialization. That state
cannot be set or seen by applications. cannot be set or seen by applications.
@item GNUTLS_@-FIPS140_@-LAX @item GNUTLS_@-FIPS140_@-LAX
@@ -186,10 +186,10 @@ Index: gnutls-3.8.7/doc/enums.texi
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG @item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.7/doc/functions/gnutls_fips140_set_mode Index: gnutls-3.8.10/doc/functions/gnutls_fips140_set_mode
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/functions/gnutls_fips140_set_mode --- gnutls-3.8.10.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.7/doc/functions/gnutls_fips140_set_mode +++ gnutls-3.8.10/doc/functions/gnutls_fips140_set_mode
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
@@ -215,11 +215,11 @@ Index: gnutls-3.8.7/doc/functions/gnutls_fips140_set_mode
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode. switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.7/doc/gnutls.html Index: gnutls-3.8.10/doc/gnutls.html
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/gnutls.html --- gnutls-3.8.10.orig/doc/gnutls.html
+++ gnutls-3.8.7/doc/gnutls.html +++ gnutls-3.8.10/doc/gnutls.html
@@ -485,7 +485,7 @@ Documentation License&rdquo;. @@ -490,7 +490,7 @@ Documentation License&rdquo;.
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li> <li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li> <li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
<li><a id="toc-Random-Number-Generators" href="#Random-Number-Generators_002dinternals">11.6 Random Number Generators</a></li> <li><a id="toc-Random-Number-Generators" href="#Random-Number-Generators_002dinternals">11.6 Random Number Generators</a></li>
@@ -228,7 +228,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</ul></li> </ul></li>
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li> <li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a> <li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
@@ -9028,7 +9028,7 @@ CPU. The currently available options are @@ -9050,7 +9050,7 @@ CPU. The currently available options are
</li><li>0x200000: Enable VIA PHE </li><li>0x200000: Enable VIA PHE
</li><li>0x400000: Enable VIA PHE SHA512 </li><li>0x400000: Enable VIA PHE SHA512
</li></ul></td></tr> </li></ul></td></tr>
@@ -237,7 +237,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
if set to one it will force the FIPS mode enablement.</td></tr> if set to one it will force the FIPS mode enablement.</td></tr>
</tbody> </tbody>
</table> </table>
@@ -18448,7 +18448,7 @@ None: @@ -18547,7 +18547,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
- file must pre-exist - file must pre-exist
@@ -246,7 +246,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
--list-config Reports the configuration of the library --list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file --logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material --keymatexport=str Label used for exporting keying material
@@ -19468,7 +19468,7 @@ happens inside the black box. @@ -19567,7 +19567,7 @@ happens inside the black box.
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li> <li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li> <li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li> <li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
@@ -255,7 +255,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</ul> </ul>
<hr> <hr>
<div class="section-level-extent" id="The-TLS-Protocol"> <div class="section-level-extent" id="The-TLS-Protocol">
@@ -19993,7 +19993,7 @@ For more information see <a class="ref" @@ -20092,7 +20092,7 @@ For more information see <a class="ref"
<div class="section-level-extent" id="Random-Number-Generators_002dinternals"> <div class="section-level-extent" id="Random-Number-Generators_002dinternals">
<div class="nav-panel"> <div class="nav-panel">
<p> <p>
@@ -264,7 +264,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</div> </div>
<h3 class="section" id="Random-Number-Generators"><span>11.6 Random Number Generators<a class="copiable-link" href="#Random-Number-Generators"> &para;</a></span></h3> <h3 class="section" id="Random-Number-Generators"><span>11.6 Random Number Generators<a class="copiable-link" href="#Random-Number-Generators"> &para;</a></span></h3>
@@ -20001,7 +20001,7 @@ Next: <a href="#FIPS140_002d2-mode" acce @@ -20100,7 +20100,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
<p>GnuTLS provides two random generators. The default, and the AES-DRBG random <p>GnuTLS provides two random generators. The default, and the AES-DRBG random
generator which is only used when the library is compiled with support for generator which is only used when the library is compiled with support for
@@ -273,7 +273,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</p> </p>
<h4 class="subheading" id="The-default-generator-_002d-inner-workings"><span>The default generator - inner workings<a class="copiable-link" href="#The-default-generator-_002d-inner-workings"> &para;</a></span></h4> <h4 class="subheading" id="The-default-generator-_002d-inner-workings"><span>The default generator - inner workings<a class="copiable-link" href="#The-default-generator-_002d-inner-workings"> &para;</a></span></h4>
@@ -20138,22 +20138,22 @@ on the above paragraph, all levels are i @@ -20237,22 +20237,22 @@ on the above paragraph, all levels are i
<p> <p>
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p> Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div> </div>
@@ -302,7 +302,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
as follows. as follows.
</p> </p>
<ul class="itemize mark-bullet"> <ul class="itemize mark-bullet">
@@ -20162,12 +20162,12 @@ as follows. @@ -20261,12 +20261,12 @@ as follows.
</li><li>Algorithm self-tests are run on library load </li><li>Algorithm self-tests are run on library load
</li></ul> </li></ul>
@@ -318,7 +318,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</li><li>Any cryptographic operation will be refused if any of the self-tests failed </li><li>Any cryptographic operation will be refused if any of the self-tests failed
</li></ul> </li></ul>
@@ -20176,7 +20176,7 @@ modified as follows. @@ -20275,7 +20275,7 @@ modified as follows.
environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable
the library integrity tests on startup, and the variable the library integrity tests on startup, and the variable
<code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from <code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from
@@ -327,7 +327,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
mode, while &rsquo;0&rsquo; will disable it. mode, while &rsquo;0&rsquo; will disable it.
</p> </p>
<p>The integrity checks for the dependent libraries and GnuTLS are performed <p>The integrity checks for the dependent libraries and GnuTLS are performed
@@ -20184,13 +20184,13 @@ using &rsquo;.hmac&rsquo; files which ar @@ -20283,13 +20283,13 @@ using &rsquo;.hmac&rsquo; files which ar
key for the operations can be provided on compile-time with the configure key for the operations can be provided on compile-time with the configure
option &rsquo;&ndash;with-fips140-key&rsquo;. The MAC algorithm used is HMAC-SHA256. option &rsquo;&ndash;with-fips140-key&rsquo;. The MAC algorithm used is HMAC-SHA256.
</p> </p>
@@ -344,7 +344,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a> the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a>
which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>. which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>.
</p> </p>
@@ -20199,7 +20199,7 @@ which can switch to alternative modes as @@ -20298,7 +20298,7 @@ which can switch to alternative modes as
<dl class="table"> <dl class="table">
<dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt> <dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt>
@@ -353,7 +353,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</p></dd> </p></dd>
<dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt> <dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt>
<dd><p>The default mode; all forbidden operations will cause an <dd><p>The default mode; all forbidden operations will cause an
@@ -20210,8 +20210,8 @@ operation failure via error code. @@ -20309,8 +20309,8 @@ operation failure via error code.
cannot be set or seen by applications. cannot be set or seen by applications.
</p></dd> </p></dd>
<dt><code class="code">GNUTLS_FIPS140_LAX</code></dt> <dt><code class="code">GNUTLS_FIPS140_LAX</code></dt>
@@ -364,7 +364,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
</p></dd> </p></dd>
@@ -20222,7 +20222,7 @@ to a message to the audit callback funct @@ -20321,7 +20321,7 @@ to a message to the audit callback funct
</dl> </dl>
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div> <div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
<p>The intention of this API is to be used by applications which may run in <p>The intention of this API is to be used by applications which may run in
@@ -373,7 +373,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
e.g., for non-security related purposes. In these cases applications should e.g., for non-security related purposes. In these cases applications should
wrap the non-compliant code within blocks like the following. wrap the non-compliant code within blocks like the following.
</p> </p>
@@ -20251,9 +20251,9 @@ if (gnutls_fips140_mode_enabled()) @@ -20350,9 +20350,9 @@ if (gnutls_fips140_mode_enabled())
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the <p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
previous calls is to localize the change in the mode. Note also, that previous calls is to localize the change in the mode. Note also, that
such a block has no effect when the library is not operating such a block has no effect when the library is not operating
@@ -385,7 +385,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</p><div class="example"> </p><div class="example">
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); <pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
</pre></div> </pre></div>
@@ -20276,7 +20276,7 @@ performed within a given context. @@ -20375,7 +20375,7 @@ performed within a given context.
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt> <dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
</dl> </dl>
@@ -394,7 +394,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
operation. It can be attached to the current execution thread with operation. It can be attached to the current execution thread with
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be <a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
updated until it is detached with updated until it is detached with
@@ -20649,8 +20649,8 @@ Previous: <a href="#Contributing" access @@ -20748,8 +20748,8 @@ Previous: <a href="#Contributing" access
to an auditor that the crypto component follows some best practices, such to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives. as unit testing and reliance on well known crypto primitives.
</p> </p>
@@ -405,7 +405,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</p> </p>
<hr> <hr>
</div> </div>
@@ -24567,7 +24567,7 @@ unusable. This function is not thread-s @@ -24680,7 +24680,7 @@ unusable. This function is not thread-s
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1"><span>gnutls_fips140_set_mode<a class="copiable-link" href="#gnutls_005ffips140_005fset_005fmode-1"> &para;</a></span></h4> <h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1"><span>gnutls_fips140_set_mode<a class="copiable-link" href="#gnutls_005ffips140_005fset_005fmode-1"> &para;</a></span></h4>
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn"> <a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href="#index-gnutls_005ffips140_005fset_005fmode"> &para;</a></span></dt> <dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href="#index-gnutls_005ffips140_005fset_005fmode"> &para;</a></span></dt>
@@ -414,7 +414,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
</p> </p>
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> <p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
</p> </p>
@@ -24576,13 +24576,13 @@ unusable. This function is not thread-s @@ -24689,13 +24689,13 @@ unusable. This function is not thread-s
behavior with no flags after threads are created is undefined. behavior with no flags after threads are created is undefined.
</p> </p>
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified <p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
@@ -430,7 +430,7 @@ Index: gnutls-3.8.7/doc/gnutls.html
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode. switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
</p> </p>
@@ -47003,7 +47003,7 @@ Next: <a href="#Concept-Index" accesskey @@ -47153,7 +47153,7 @@ Next: <a href="#Concept-Index" accesskey
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@@ -439,11 +439,11 @@ Index: gnutls-3.8.7/doc/gnutls.html
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
Index: gnutls-3.8.7/doc/gnutls.info-3 Index: gnutls-3.8.10/doc/gnutls.info-3
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/gnutls.info-3 --- gnutls-3.8.10.orig/doc/gnutls.info-3
+++ gnutls-3.8.7/doc/gnutls.info-3 +++ gnutls-3.8.10/doc/gnutls.info-3
@@ -2104,7 +2104,7 @@ to more. Both will exit with a st @@ -2319,7 +2319,7 @@ to more. Both will exit with a st
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
- file must pre-exist - file must pre-exist
@@ -452,7 +452,7 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
--list-config Reports the configuration of the library --list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file --logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material --keymatexport=str Label used for exporting keying material
@@ -3257,7 +3257,7 @@ to know what happens inside the black bo @@ -3472,7 +3472,7 @@ to know what happens inside the black bo
* TLS Hello Extension Handling:: * TLS Hello Extension Handling::
* Cryptographic Backend:: * Cryptographic Backend::
* Random Number Generators-internals:: * Random Number Generators-internals::
@@ -461,7 +461,7 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
 
File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
@@ -3785,7 +3785,7 @@ and abstract key types::. @@ -4000,7 +4000,7 @@ and abstract key types::.
kernel implementation of /dev/crypto. kernel implementation of /dev/crypto.
 
@@ -470,7 +470,7 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
11.6 Random Number Generators 11.6 Random Number Generators
============================= =============================
@@ -3795,7 +3795,7 @@ About the generators @@ -4010,7 +4010,7 @@ About the generators
GnuTLS provides two random generators. The default, and the AES-DRBG GnuTLS provides two random generators. The default, and the AES-DRBG
random generator which is only used when the library is compiled with random generator which is only used when the library is compiled with
@@ -479,7 +479,7 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
The default generator - inner workings The default generator - inner workings
-------------------------------------- --------------------------------------
@@ -4026,7 +4026,7 @@ in *note Figure 11.5: gnutls_fips_mode_t @@ -4241,7 +4241,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
Figure 11.5: The gnutls_fips_mode_t enumeration. Figure 11.5: The gnutls_fips_mode_t enumeration.
The intention of this API is to be used by applications which may run in The intention of this API is to be used by applications which may run in
@@ -488,7 +488,7 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
set, e.g., for non-security related purposes. In these cases set, e.g., for non-security related purposes. In these cases
applications should wrap the non-compliant code within blocks like the applications should wrap the non-compliant code within blocks like the
following. following.
@@ -4050,10 +4050,10 @@ are macros to simplify the following seq @@ -4265,10 +4265,10 @@ are macros to simplify the following seq
The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous
calls is to localize the change in the mode. Note also, that such a calls is to localize the change in the mode. Note also, that such a
@@ -501,7 +501,7 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
Service indicator Service indicator
@@ -4535,8 +4535,8 @@ There are certifications from national o @@ -4750,8 +4750,8 @@ There are certifications from national o
practices, such as unit testing and reliance on well known crypto practices, such as unit testing and reliance on well known crypto
primitives. primitives.
@@ -512,7 +512,7 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
 
File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
@@ -9007,7 +9007,7 @@ gnutls_fips140_set_mode @@ -9236,7 +9236,7 @@ gnutls_fips140_set_mode
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE, -- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
unsigned FLAGS) unsigned FLAGS)
@@ -521,10 +521,10 @@ Index: gnutls-3.8.7/doc/gnutls.info-3
FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD
Index: gnutls-3.8.7/doc/invoke-gnutls-cli.texi Index: gnutls-3.8.10/doc/invoke-gnutls-cli.texi
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/invoke-gnutls-cli.texi --- gnutls-3.8.10.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.7/doc/invoke-gnutls-cli.texi +++ gnutls-3.8.10/doc/invoke-gnutls-cli.texi
@@ -102,7 +102,7 @@ None: @@ -102,7 +102,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
@@ -534,10 +534,10 @@ Index: gnutls-3.8.7/doc/invoke-gnutls-cli.texi
--list-config Reports the configuration of the library --list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file --logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material --keymatexport=str Label used for exporting keying material
Index: gnutls-3.8.7/doc/manpages/gnutls-cli.1 Index: gnutls-3.8.10/doc/manpages/gnutls-cli.1
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/manpages/gnutls-cli.1 --- gnutls-3.8.10.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.7/doc/manpages/gnutls-cli.1 +++ gnutls-3.8.10/doc/manpages/gnutls-cli.1
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library. @@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
This will override the default options in /etc/gnutls/pkcs11.conf This will override the default options in /etc/gnutls/pkcs11.conf
.TP .TP
@@ -547,11 +547,11 @@ Index: gnutls-3.8.7/doc/manpages/gnutls-cli.1
.sp .sp
.TP .TP
.NOP \f\*[B-Font]\-\-list\-config\f[] .NOP \f\*[B-Font]\-\-list\-config\f[]
Index: gnutls-3.8.7/doc/reference/html/gnutls-gnutls.html Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/reference/html/gnutls-gnutls.html --- gnutls-3.8.10.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.7/doc/reference/html/gnutls-gnutls.html +++ gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html
@@ -20870,12 +20870,12 @@ gnutls_fips140_set_mode (<em class="para @@ -20874,12 +20874,12 @@ gnutls_fips140_set_mode (<em class="para
(globally), and should be called prior to creating any threads. Its (globally), and should be called prior to creating any threads. Its
behavior with no flags after threads are created is undefined.</p> behavior with no flags after threads are created is undefined.</p>
<p>When the flag <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SET-MODE-THREAD:CAPS" title="GNUTLS_FIPS140_SET_MODE_THREAD"><code class="literal">GNUTLS_FIPS140_SET_MODE_THREAD</code></a> is specified <p>When the flag <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SET-MODE-THREAD:CAPS" title="GNUTLS_FIPS140_SET_MODE_THREAD"><code class="literal">GNUTLS_FIPS140_SET_MODE_THREAD</code></a> is specified
@@ -566,7 +566,7 @@ Index: gnutls-3.8.7/doc/reference/html/gnutls-gnutls.html
values for <em class="parameter"><code>mode</code></em> values for <em class="parameter"><code>mode</code></em>
or to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SELFTESTS:CAPS"><code class="literal">GNUTLS_FIPS140_SELFTESTS</code></a> mode, the library or to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SELFTESTS:CAPS"><code class="literal">GNUTLS_FIPS140_SELFTESTS</code></a> mode, the library
switches to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-STRICT:CAPS"><code class="literal">GNUTLS_FIPS140_STRICT</code></a> mode.</p> switches to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-STRICT:CAPS"><code class="literal">GNUTLS_FIPS140_STRICT</code></a> mode.</p>
@@ -20890,7 +20890,7 @@ switches to <a class="link" href="gnutls @@ -20894,7 +20894,7 @@ switches to <a class="link" href="gnutls
<tbody> <tbody>
<tr> <tr>
<td class="parameter_name"><p>mode</p></td> <td class="parameter_name"><p>mode</p></td>
@@ -575,7 +575,7 @@ Index: gnutls-3.8.7/doc/reference/html/gnutls-gnutls.html
<td class="parameter_annotations"> </td> <td class="parameter_annotations"> </td>
</tr> </tr>
<tr> <tr>
@@ -25950,7 +25950,7 @@ encryption</p> @@ -26035,7 +26035,7 @@ encryption</p>
<hr> <hr>
<div class="refsect2"> <div class="refsect2">
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3> <a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
@@ -584,7 +584,7 @@ Index: gnutls-3.8.7/doc/reference/html/gnutls-gnutls.html
<div class="refsect3"> <div class="refsect3">
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4> <a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
<div class="informaltable"><table class="informaltable" width="100%" border="0"> <div class="informaltable"><table class="informaltable" width="100%" border="0">
@@ -25963,7 +25963,7 @@ encryption</p> @@ -26048,7 +26048,7 @@ encryption</p>
<tr> <tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td> <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
<td class="enum_member_description"> <td class="enum_member_description">
@@ -593,7 +593,7 @@ Index: gnutls-3.8.7/doc/reference/html/gnutls-gnutls.html
</td> </td>
<td class="enum_member_annotations"> </td> <td class="enum_member_annotations"> </td>
</tr> </tr>
@@ -25986,8 +25986,8 @@ operation failure via error code.</p> @@ -26071,8 +26071,8 @@ operation failure via error code.</p>
<tr> <tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td> <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
<td class="enum_member_description"> <td class="enum_member_description">
@@ -604,17 +604,17 @@ Index: gnutls-3.8.7/doc/reference/html/gnutls-gnutls.html
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).</p> to utilize disallowed operations for other reasons (e.g., compatibility).</p>
</td> </td>
@@ -27627,4 +27627,4 @@ This is used by <a class="link" href="gn @@ -27712,4 +27712,4 @@ This is used by <a class="link" href="gn
<div class="footer"> <div class="footer">
<hr>Generated by GTK-Doc V1.34.0</div> <hr>Generated by GTK-Doc V1.34.0</div>
</body> </body>
-</html> -</html>
\ No newline at end of file \ No newline at end of file
+</html> +</html>
Index: gnutls-3.8.7/lib/fips.c Index: gnutls-3.8.10/lib/fips.c
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/fips.c --- gnutls-3.8.10.orig/lib/fips.c
+++ gnutls-3.8.7/lib/fips.c +++ gnutls-3.8.10/lib/fips.c
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void) @@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
} }
@@ -633,7 +633,7 @@ Index: gnutls-3.8.7/lib/fips.c
ret = GNUTLS_FIPS140_SELFTESTS; ret = GNUTLS_FIPS140_SELFTESTS;
goto exit; goto exit;
} }
@@ -724,7 +724,7 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -745,7 +745,7 @@ unsigned gnutls_fips140_mode_enabled(voi
/** /**
* gnutls_fips140_set_mode: * gnutls_fips140_set_mode:
@@ -642,7 +642,7 @@ Index: gnutls-3.8.7/lib/fips.c
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD * @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
* *
* That function is not thread-safe when changing the mode with no flags * That function is not thread-safe when changing the mode with no flags
@@ -732,13 +732,13 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -753,13 +753,13 @@ unsigned gnutls_fips140_mode_enabled(voi
* behavior with no flags after threads are created is undefined. * behavior with no flags after threads are created is undefined.
* *
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified * When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@@ -658,7 +658,7 @@ Index: gnutls-3.8.7/lib/fips.c
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library * values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
* switches to %GNUTLS_FIPS140_STRICT mode. * switches to %GNUTLS_FIPS140_STRICT mode.
* *
@@ -750,10 +750,10 @@ void gnutls_fips140_set_mode(gnutls_fips @@ -771,10 +771,10 @@ void gnutls_fips140_set_mode(gnutls_fips
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled(); gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
if (prev == GNUTLS_FIPS140_DISABLED || if (prev == GNUTLS_FIPS140_DISABLED ||
prev == GNUTLS_FIPS140_SELFTESTS) { prev == GNUTLS_FIPS140_SELFTESTS) {
@@ -671,7 +671,7 @@ Index: gnutls-3.8.7/lib/fips.c
return; return;
} }
@@ -766,7 +766,7 @@ void gnutls_fips140_set_mode(gnutls_fips @@ -787,7 +787,7 @@ void gnutls_fips140_set_mode(gnutls_fips
case GNUTLS_FIPS140_SELFTESTS: case GNUTLS_FIPS140_SELFTESTS:
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@@ -680,7 +680,7 @@ Index: gnutls-3.8.7/lib/fips.c
mode = GNUTLS_FIPS140_STRICT; mode = GNUTLS_FIPS140_STRICT;
break; break;
default: default:
@@ -942,7 +942,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -963,7 +963,7 @@ void _gnutls_switch_fips_state(gnutls_fi
} }
if (!_tfips_context) { if (!_tfips_context) {
@@ -689,7 +689,7 @@ Index: gnutls-3.8.7/lib/fips.c
return; return;
} }
@@ -956,7 +956,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -977,7 +977,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@@ -698,7 +698,7 @@ Index: gnutls-3.8.7/lib/fips.c
operation_state_to_string(state)); operation_state_to_string(state));
} }
_tfips_context->state = state; _tfips_context->state = state;
@@ -967,7 +967,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -988,7 +988,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@@ -707,7 +707,7 @@ Index: gnutls-3.8.7/lib/fips.c
operation_state_to_string(state)); operation_state_to_string(state));
} }
_tfips_context->state = state; _tfips_context->state = state;
@@ -979,7 +979,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -1000,7 +1000,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@@ -716,7 +716,7 @@ Index: gnutls-3.8.7/lib/fips.c
operation_state_to_string( operation_state_to_string(
_tfips_context->state), _tfips_context->state),
operation_state_to_string(state)); operation_state_to_string(state));
@@ -1041,7 +1041,7 @@ int gnutls_fips140_run_self_tests(void) @@ -1062,7 +1062,7 @@ int gnutls_fips140_run_self_tests(void)
ret < 0) { ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(NULL, _gnutls_audit_log(NULL,
@@ -725,7 +725,7 @@ Index: gnutls-3.8.7/lib/fips.c
} else { } else {
/* Restore the previous library state */ /* Restore the previous library state */
_gnutls_switch_lib_state(prev_lib_state); _gnutls_switch_lib_state(prev_lib_state);
@@ -1053,7 +1053,7 @@ int gnutls_fips140_run_self_tests(void) @@ -1074,7 +1074,7 @@ int gnutls_fips140_run_self_tests(void)
if (gnutls_fips140_pop_context() < 0) { if (gnutls_fips140_pop_context() < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log( _gnutls_audit_log(
@@ -734,11 +734,11 @@ Index: gnutls-3.8.7/lib/fips.c
} }
gnutls_fips140_context_deinit(fips_context); gnutls_fips140_context_deinit(fips_context);
} }
Index: gnutls-3.8.7/lib/fips.h Index: gnutls-3.8.10/lib/fips.h
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/fips.h --- gnutls-3.8.10.orig/lib/fips.h
+++ gnutls-3.8.7/lib/fips.h +++ gnutls-3.8.10/lib/fips.h
@@ -163,7 +163,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci @@ -161,7 +161,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
} }
#ifdef ENABLE_FIPS140 #ifdef ENABLE_FIPS140
@@ -747,7 +747,7 @@ Index: gnutls-3.8.7/lib/fips.h
* and return an error if necessary or ignore */ * and return an error if necessary or ignore */
#define FIPS_RULE(condition, ret_error, ...) \ #define FIPS_RULE(condition, ret_error, ...) \
{ \ { \
@@ -173,10 +173,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci @@ -171,10 +171,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
if (_mode == GNUTLS_FIPS140_LOG) { \ if (_mode == GNUTLS_FIPS140_LOG) { \
_gnutls_audit_log( \ _gnutls_audit_log( \
NULL, \ NULL, \
@@ -760,7 +760,7 @@ Index: gnutls-3.8.7/lib/fips.h
return ret_error; \ return ret_error; \
} \ } \
} \ } \
@@ -191,7 +191,7 @@ inline static bool is_mac_algo_allowed(g @@ -189,7 +189,7 @@ inline static bool is_mac_algo_allowed(g
switch (mode) { switch (mode) {
case GNUTLS_FIPS140_LOG: case GNUTLS_FIPS140_LOG:
_gnutls_audit_log(NULL, _gnutls_audit_log(NULL,
@@ -769,7 +769,7 @@ Index: gnutls-3.8.7/lib/fips.h
gnutls_mac_get_name(algo)); gnutls_mac_get_name(algo));
FALLTHROUGH; FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED: case GNUTLS_FIPS140_DISABLED:
@@ -213,7 +213,7 @@ inline static bool is_cipher_algo_allowe @@ -211,7 +211,7 @@ inline static bool is_cipher_algo_allowe
switch (mode) { switch (mode) {
case GNUTLS_FIPS140_LOG: case GNUTLS_FIPS140_LOG:
_gnutls_audit_log(NULL, _gnutls_audit_log(NULL,
@@ -778,11 +778,11 @@ Index: gnutls-3.8.7/lib/fips.h
gnutls_cipher_get_name(algo)); gnutls_cipher_get_name(algo));
FALLTHROUGH; FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED: case GNUTLS_FIPS140_DISABLED:
Index: gnutls-3.8.7/lib/global.c Index: gnutls-3.8.10/lib/global.c
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/global.c --- gnutls-3.8.10.orig/lib/global.c
+++ gnutls-3.8.7/lib/global.c +++ gnutls-3.8.10/lib/global.c
@@ -339,12 +339,12 @@ static int _gnutls_global_init(unsigned @@ -349,12 +349,12 @@ static int _gnutls_global_init(unsigned
#ifdef ENABLE_FIPS140 #ifdef ENABLE_FIPS140
res = _gnutls_fips_mode_enabled(); res = _gnutls_fips_mode_enabled();
@@ -797,7 +797,7 @@ Index: gnutls-3.8.7/lib/global.c
_gnutls_priority_update_fips(); _gnutls_priority_update_fips();
/* first round of self checks, these are done on the /* first round of self checks, these are done on the
@@ -354,7 +354,7 @@ static int _gnutls_global_init(unsigned @@ -364,7 +364,7 @@ static int _gnutls_global_init(unsigned
if (ret < 0) { if (ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log( _gnutls_audit_log(
@@ -806,7 +806,7 @@ Index: gnutls-3.8.7/lib/global.c
if (res != 2) { if (res != 2) {
gnutls_assert(); gnutls_assert();
goto out; goto out;
@@ -377,7 +377,7 @@ static int _gnutls_global_init(unsigned @@ -390,7 +390,7 @@ static int _gnutls_global_init(unsigned
if (ret < 0) { if (ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log( _gnutls_audit_log(
@@ -815,11 +815,11 @@ Index: gnutls-3.8.7/lib/global.c
if (res != 2) { if (res != 2) {
gnutls_assert(); gnutls_assert();
goto out; goto out;
Index: gnutls-3.8.7/lib/includes/gnutls/gnutls.h.in Index: gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/includes/gnutls/gnutls.h.in --- gnutls-3.8.10.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.7/lib/includes/gnutls/gnutls.h.in +++ gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in
@@ -3213,16 +3213,16 @@ typedef int (*gnutls_alert_read_func)(gn @@ -3236,16 +3236,16 @@ typedef int (*gnutls_alert_read_func)(gn
void gnutls_alert_set_read_function(gnutls_session_t session, void gnutls_alert_set_read_function(gnutls_session_t session,
gnutls_alert_read_func func); gnutls_alert_read_func func);
@@ -840,7 +840,7 @@ Index: gnutls-3.8.7/lib/includes/gnutls/gnutls.h.in
* application is aware of the followed security policy, and needs * application is aware of the followed security policy, and needs
* to utilize disallowed operations for other reasons (e.g., compatibility). * to utilize disallowed operations for other reasons (e.g., compatibility).
* @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results * @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
@@ -3230,7 +3230,7 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -3253,7 +3253,7 @@ unsigned gnutls_fips140_mode_enabled(voi
* @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state * @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
* cannot be set or seen by applications. * cannot be set or seen by applications.
* *
@@ -849,10 +849,10 @@ Index: gnutls-3.8.7/lib/includes/gnutls/gnutls.h.in
*/ */
typedef enum gnutls_fips_mode_t { typedef enum gnutls_fips_mode_t {
GNUTLS_FIPS140_DISABLED = 0, GNUTLS_FIPS140_DISABLED = 0,
Index: gnutls-3.8.7/src/cli.c Index: gnutls-3.8.10/src/cli.c
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/src/cli.c --- gnutls-3.8.10.orig/src/cli.c
+++ gnutls-3.8.7/src/cli.c +++ gnutls-3.8.10/src/cli.c
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char ** @@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
if (HAVE_OPT(FIPS140_MODE)) { if (HAVE_OPT(FIPS140_MODE)) {
@@ -866,10 +866,10 @@ Index: gnutls-3.8.7/src/cli.c
exit(1); exit(1);
} }
Index: gnutls-3.8.7/src/gnutls-cli-options.c Index: gnutls-3.8.10/src/gnutls-cli-options.c
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/src/gnutls-cli-options.c --- gnutls-3.8.10.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.7/src/gnutls-cli-options.c +++ gnutls-3.8.10/src/gnutls-cli-options.c
@@ -843,7 +843,7 @@ usage (FILE *out, int status) @@ -843,7 +843,7 @@ usage (FILE *out, int status)
" --inline-commands-prefix=str Change the default delimiter for inline commands\n" " --inline-commands-prefix=str Change the default delimiter for inline commands\n"
" --provider=file Specify the PKCS #11 provider library\n" " --provider=file Specify the PKCS #11 provider library\n"
@@ -879,10 +879,10 @@ Index: gnutls-3.8.7/src/gnutls-cli-options.c
" --list-config Reports the configuration of the library\n" " --list-config Reports the configuration of the library\n"
" --logfile=str Redirect informational messages to a specific file\n" " --logfile=str Redirect informational messages to a specific file\n"
" --keymatexport=str Label used for exporting keying material\n" " --keymatexport=str Label used for exporting keying material\n"
Index: gnutls-3.8.7/tests/cert-tests/gost.sh Index: gnutls-3.8.10/tests/cert-tests/gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/gost.sh --- gnutls-3.8.10.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.7/tests/cert-tests/gost.sh +++ gnutls-3.8.10/tests/cert-tests/gost.sh
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then @@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -892,10 +892,10 @@ Index: gnutls-3.8.7/tests/cert-tests/gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs12-corner-cases.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs12-corner-cases.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs12-corner-cases.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs12-corner-cases.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs12-corner-cases.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -905,10 +905,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs12-corner-cases.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs12-encode.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs12-encode.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs12-encode.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs12-encode.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs12-encode.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -918,10 +918,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs12-encode.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs12-gost.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs12-gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs12-gost.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs12-gost.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs12-gost.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -931,10 +931,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs12-gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs12.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs12.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs12.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs12.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs12.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -944,10 +944,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs12.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs8-decode.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs8-decode.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs8-decode.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs8-decode.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs8-decode.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -957,10 +957,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs8-decode.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs8-eddsa.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs8-eddsa.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs8-eddsa.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs8-eddsa.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs8-eddsa.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -970,10 +970,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs8-eddsa.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs8-gost.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs8-gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs8-gost.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs8-gost.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs8-gost.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -983,10 +983,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs8-gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cert-tests/pkcs8.sh Index: gnutls-3.8.10/tests/cert-tests/pkcs8.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cert-tests/pkcs8.sh --- gnutls-3.8.10.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.7/tests/cert-tests/pkcs8.sh +++ gnutls-3.8.10/tests/cert-tests/pkcs8.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@@ -996,10 +996,10 @@ Index: gnutls-3.8.7/tests/cert-tests/pkcs8.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/cipher-listings.sh Index: gnutls-3.8.10/tests/cipher-listings.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/cipher-listings.sh --- gnutls-3.8.10.orig/tests/cipher-listings.sh
+++ gnutls-3.8.7/tests/cipher-listings.sh +++ gnutls-3.8.10/tests/cipher-listings.sh
@@ -63,7 +63,7 @@ check() @@ -63,7 +63,7 @@ check()
${CLI} --fips140-mode ${CLI} --fips140-mode
@@ -1009,10 +1009,10 @@ Index: gnutls-3.8.7/tests/cipher-listings.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/tests/testpkcs11.sh Index: gnutls-3.8.10/tests/testpkcs11.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/testpkcs11.sh --- gnutls-3.8.10.orig/tests/testpkcs11.sh
+++ gnutls-3.8.7/tests/testpkcs11.sh +++ gnutls-3.8.10/tests/testpkcs11.sh
@@ -26,7 +26,7 @@ @@ -26,7 +26,7 @@
RETCODE=0 RETCODE=0
@@ -1022,10 +1022,10 @@ Index: gnutls-3.8.7/tests/testpkcs11.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/doc/enums/gnutls_fips_mode_t Index: gnutls-3.8.10/doc/enums/gnutls_fips_mode_t
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/enums/gnutls_fips_mode_t --- gnutls-3.8.10.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.7/doc/enums/gnutls_fips_mode_t +++ gnutls-3.8.10/doc/enums/gnutls_fips_mode_t
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
@c gnutls_fips_mode_t @c gnutls_fips_mode_t
@table @code @table @code
@@ -1046,11 +1046,11 @@ Index: gnutls-3.8.7/doc/enums/gnutls_fips_mode_t
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG @item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.7/doc/gnutls-api.texi Index: gnutls-3.8.10/doc/gnutls-api.texi
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/gnutls-api.texi --- gnutls-3.8.10.orig/doc/gnutls-api.texi
+++ gnutls-3.8.7/doc/gnutls-api.texi +++ gnutls-3.8.10/doc/gnutls-api.texi
@@ -3275,7 +3275,7 @@ unusable. This function is not thread-s @@ -3279,7 +3279,7 @@ unusable. This function is not thread-s
@subheading gnutls_fips140_set_mode @subheading gnutls_fips140_set_mode
@anchor{gnutls_fips140_set_mode} @anchor{gnutls_fips140_set_mode}
@deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags}) @deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags})
@@ -1059,7 +1059,7 @@ Index: gnutls-3.8.7/doc/gnutls-api.texi
@var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD} @var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD}
@@ -3284,13 +3284,13 @@ That function is not thread-safe when ch @@ -3288,13 +3288,13 @@ That function is not thread-safe when ch
behavior with no flags after threads are created is undefined. behavior with no flags after threads are created is undefined.
When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified
@@ -1075,10 +1075,10 @@ Index: gnutls-3.8.7/doc/gnutls-api.texi
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode. switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.7/lib/ext/session_ticket.c Index: gnutls-3.8.10/lib/ext/session_ticket.c
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/ext/session_ticket.c --- gnutls-3.8.10.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.7/lib/ext/session_ticket.c +++ gnutls-3.8.10/lib/ext/session_ticket.c
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g @@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
{ {
if (_gnutls_fips_mode_enabled()) { if (_gnutls_fips_mode_enabled()) {
@@ -1088,10 +1088,10 @@ Index: gnutls-3.8.7/lib/ext/session_ticket.c
* some limits on allowed key size, thus it is not * some limits on allowed key size, thus it is not
* used. These limits do not affect this function as * used. These limits do not affect this function as
* it does not generate a "key" but rather key material * it does not generate a "key" but rather key material
Index: gnutls-3.8.7/lib/libgnutls.map Index: gnutls-3.8.10/lib/libgnutls.map
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/libgnutls.map --- gnutls-3.8.10.orig/lib/libgnutls.map
+++ gnutls-3.8.7/lib/libgnutls.map +++ gnutls-3.8.10/lib/libgnutls.map
@@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 { @@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_hkdf_self_test; gnutls_hkdf_self_test;
gnutls_pbkdf2_self_test; gnutls_pbkdf2_self_test;
@@ -1101,11 +1101,11 @@ Index: gnutls-3.8.7/lib/libgnutls.map
drbg_aes_reseed; drbg_aes_reseed;
drbg_aes_init; drbg_aes_init;
drbg_aes_generate; drbg_aes_generate;
Index: gnutls-3.8.7/lib/nettle/mac.c Index: gnutls-3.8.10/lib/nettle/mac.c
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/nettle/mac.c --- gnutls-3.8.10.orig/lib/nettle/mac.c
+++ gnutls-3.8.7/lib/nettle/mac.c +++ gnutls-3.8.10/lib/nettle/mac.c
@@ -270,7 +270,7 @@ static void _wrap_gmac_digest(void *_ctx @@ -292,7 +292,7 @@ static void _wrap_gmac_digest(void *_ctx
static int _mac_ctx_init(gnutls_mac_algorithm_t algo, static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
struct nettle_mac_ctx *ctx) struct nettle_mac_ctx *ctx)
{ {
@@ -1114,19 +1114,19 @@ Index: gnutls-3.8.7/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */ * gnutls_hash_init() and gnutls_hmac_init() */
ctx->set_nonce = NULL; ctx->set_nonce = NULL;
@@ -663,7 +663,7 @@ static void _md5_sha1_init(void *_ctx) @@ -688,7 +688,7 @@ static void _md5_sha1_init(void *_ctx)
static int _ctx_init(gnutls_digest_algorithm_t algo, static int _ctx_init(gnutls_digest_algorithm_t algo,
struct nettle_hash_ctx *ctx) struct nettle_hash_ctx *ctx)
{ {
- /* Any FIPS140-2 related enforcement is performed on - /* Any FIPS140-2 related enforcement is performed on
+ /* Any FIPS140-3 related enforcement is performed on + /* Any FIPS140-3 related enforcement is performed on
* gnutls_hash_init() and gnutls_hmac_init() */ * gnutls_hash_init() and gnutls_hmac_init() */
switch (algo) {
case GNUTLS_DIG_MD5: ctx->finished = NULL;
Index: gnutls-3.8.7/config.h.in Index: gnutls-3.8.10/config.h.in
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/config.h.in --- gnutls-3.8.10.orig/config.h.in
+++ gnutls-3.8.7/config.h.in +++ gnutls-3.8.10/config.h.in
@@ -104,7 +104,7 @@ @@ -104,7 +104,7 @@
/* enable DHE */ /* enable DHE */
#undef ENABLE_ECDHE #undef ENABLE_ECDHE
@@ -1145,11 +1145,11 @@ Index: gnutls-3.8.7/config.h.in
#undef FIPS_KEY #undef FIPS_KEY
/* The FIPS140 module name */ /* The FIPS140 module name */
Index: gnutls-3.8.7/configure Index: gnutls-3.8.10/configure
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/configure --- gnutls-3.8.10.orig/configure
+++ gnutls-3.8.7/configure +++ gnutls-3.8.10/configure
@@ -4453,7 +4453,7 @@ Optional Features: @@ -4484,7 +4484,7 @@ Optional Features:
--enable-fast-install[=PKGS] --enable-fast-install[=PKGS]
optimize for fast installation [default=yes] optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds) --disable-libtool-lock avoid locking (might break parallel builds)
@@ -1158,10 +1158,10 @@ Index: gnutls-3.8.7/configure
--enable-strict-x509 enable stricter sanity checks for x509 certificates --enable-strict-x509 enable stricter sanity checks for x509 certificates
--disable-non-suiteb-curves --disable-non-suiteb-curves
disable curves not in SuiteB disable curves not in SuiteB
Index: gnutls-3.8.7/doc/cha-support.texi Index: gnutls-3.8.10/doc/cha-support.texi
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/cha-support.texi --- gnutls-3.8.10.orig/doc/cha-support.texi
+++ gnutls-3.8.7/doc/cha-support.texi +++ gnutls-3.8.10/doc/cha-support.texi
@@ -134,5 +134,5 @@ There are certifications from national o @@ -134,5 +134,5 @@ There are certifications from national o
to an auditor that the crypto component follows some best practices, such to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives. as unit testing and reliance on well known crypto primitives.
@@ -1170,10 +1170,10 @@ Index: gnutls-3.8.7/doc/cha-support.texi
-See @ref{FIPS140-2 mode} for more information. -See @ref{FIPS140-2 mode} for more information.
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux. +GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
+See @ref{FIPS140-3 mode} for more information. +See @ref{FIPS140-3 mode} for more information.
Index: gnutls-3.8.7/src/gnutls-cli-options.json Index: gnutls-3.8.10/src/gnutls-cli-options.json
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/src/gnutls-cli-options.json --- gnutls-3.8.10.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.7/src/gnutls-cli-options.json +++ gnutls-3.8.10/src/gnutls-cli-options.json
@@ -384,7 +384,7 @@ @@ -384,7 +384,7 @@
}, },
{ {
@@ -1183,10 +1183,10 @@ Index: gnutls-3.8.7/src/gnutls-cli-options.json
}, },
{ {
"long-option": "list-config", "long-option": "list-config",
Index: gnutls-3.8.7/tests/pkcs11-tool.sh Index: gnutls-3.8.10/tests/pkcs11-tool.sh
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/tests/pkcs11-tool.sh --- gnutls-3.8.10.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.7/tests/pkcs11-tool.sh +++ gnutls-3.8.10/tests/pkcs11-tool.sh
@@ -30,7 +30,7 @@ set -x @@ -30,7 +30,7 @@ set -x
: ${DIFF=diff} : ${DIFF=diff}
@@ -1196,10 +1196,10 @@ Index: gnutls-3.8.7/tests/pkcs11-tool.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.7/doc/manpages/gnutls_fips140_set_mode.3 Index: gnutls-3.8.10/doc/manpages/gnutls_fips140_set_mode.3
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/manpages/gnutls_fips140_set_mode.3 --- gnutls-3.8.10.orig/doc/manpages/gnutls_fips140_set_mode.3
+++ gnutls-3.8.7/doc/manpages/gnutls_fips140_set_mode.3 +++ gnutls-3.8.10/doc/manpages/gnutls_fips140_set_mode.3
@@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function @@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function
.BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");" .BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");"
.SH ARGUMENTS .SH ARGUMENTS
@@ -1225,16 +1225,16 @@ Index: gnutls-3.8.7/doc/manpages/gnutls_fips140_set_mode.3
values for \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library values for \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library
switches to \fBGNUTLS_FIPS140_STRICT\fP mode. switches to \fBGNUTLS_FIPS140_STRICT\fP mode.
.SH "SINCE" .SH "SINCE"
Index: gnutls-3.8.7/doc/gnutls.info Index: gnutls-3.8.10/doc/gnutls.info
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/doc/gnutls.info --- gnutls-3.8.10.orig/doc/gnutls.info
+++ gnutls-3.8.7/doc/gnutls.info +++ gnutls-3.8.10/doc/gnutls.info
@@ -619,7 +619,7 @@ Ref: fig-crypto-layers743524 @@ -624,7 +624,7 @@ Ref: fig-crypto-layers746569
Ref: Cryptographic Backend-Footnote-1746831 Ref: Cryptographic Backend-Footnote-1749876
Ref: Cryptographic Backend-Footnote-2746916 Ref: Cryptographic Backend-Footnote-2749961
Node: Random Number Generators-internals747028 Node: Random Number Generators-internals750073
-Node: FIPS140-2 mode754484 -Node: FIPS140-2 mode757529
+Node: FIPS140-3 mode754484 +Node: FIPS140-3 mode757529
Ref: gnutls_fips_mode_t757148 Ref: gnutls_fips_mode_t760193
Node: Upgrading from previous versions760816 Node: Upgrading from previous versions763861
Node: Support775054 Node: Support778099

221
gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
View File

@@ -1,117 +1,120 @@
Index: gnutls-3.8.7/lib/fips.c Index: gnutls-3.8.8/lib/fips.c
=================================================================== ===================================================================
--- gnutls-3.8.7.orig/lib/fips.c --- gnutls-3.8.8.orig/lib/fips.c
+++ gnutls-3.8.7/lib/fips.c +++ gnutls-3.8.8/lib/fips.c
@@ -177,20 +177,32 @@ struct hmac_entry { @@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi
struct hmac_file { }
int version;
struct hmac_entry gnutls;
+#if 0
+ /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective
+ * packages and can differ from the ones listed here.
+ */
struct hmac_entry nettle;
struct hmac_entry hogweed;
#ifdef GMP_LIBRARY_SONAME
struct hmac_entry gmp;
#endif
+#endif
};
struct lib_paths {
char gnutls[GNUTLS_PATH_MAX];
+#if 0
+ /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective
+ * packages and can differ from the ones listed here.
+ */
char nettle[GNUTLS_PATH_MAX];
char hogweed[GNUTLS_PATH_MAX];
#ifdef GMP_LIBRARY_SONAME
char gmp[GNUTLS_PATH_MAX];
#endif
+#endif
};
/* /*
@@ -250,6 +262,11 @@ static int handler(void *user, const cha + * check_dep_lib_hmac:
} + * @path: path to the library which hmac should be compared
} else if (!strcmp(section, GNUTLS_LIBRARY_SONAME)) { + *
return lib_handler(&p->gnutls, section, name, value); + * Verify that HMAC of a given library matches the hmac in the file
+#if 0 + * provided by the library, named: .<libname>.so.<soname>.hmac.
+ /* Disable nettle, hogweed and gmp HMAC verification as + *
+ * they are calculated during build of the respective + * Returns: 0 on successful HMAC verification, a negative error code otherwise
+ * packages and can differ from the ones listed here. + */
+ */ +static int check_dep_lib_hmac(const char *path)
} else if (!strcmp(section, NETTLE_LIBRARY_SONAME)) { +{
return lib_handler(&p->nettle, section, name, value); + int ret;
} else if (!strcmp(section, HOGWEED_LIBRARY_SONAME)) { + unsigned prev;
@@ -258,6 +275,7 @@ static int handler(void *user, const cha + uint8_t hmac[HMAC_SIZE];
} else if (!strcmp(section, GMP_LIBRARY_SONAME)) { + gnutls_datum_t data;
return lib_handler(&p->gmp, section, name, value); + char hmac_path[GNUTLS_PATH_MAX];
#endif + uint8_t lib_hmac[HMAC_SIZE];
+#endif + size_t lib_hmac_size;
} else { +
return 0; + _gnutls_debug_log("Loading: %s\n", path);
} + ret = gnutls_load_file(path, &data);
@@ -403,6 +422,11 @@ static int callback(struct dl_phdr_info + if (ret < 0) {
+ _gnutls_debug_log("Could not load %s: %s\n", path,
if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) + gnutls_strerror(ret));
_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path); + return gnutls_assert_val(ret);
+#if 0 + }
+ /* Disable nettle, hogweed and gmp HMAC verification as +
+ * they are calculated during build of the respective + prev = _gnutls_get_lib_state();
+ * packages and can differ from the ones listed here. + _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL);
+ */ + ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY) - 1,
else if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) + data.data, data.size, hmac);
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); + _gnutls_switch_lib_state(prev);
else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) +
@@ -411,6 +435,7 @@ static int callback(struct dl_phdr_info + gnutls_free(data.data);
else if (!strcmp(soname, GMP_LIBRARY_SONAME)) + if (ret < 0) {
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); + _gnutls_debug_log("Could not calculate HMAC for %s: %s\n", path,
#endif + gnutls_strerror(ret));
+#endif + return gnutls_assert_val(ret);
return 0; + }
} +
+ /* Check now the integrity of the hmac provided by the library */
@@ -423,6 +448,11 @@ static int load_lib_paths(struct lib_pat + ret = get_hmac_path(hmac_path, sizeof(hmac_path), path);
_gnutls_debug_log("Gnutls library path was not found\n"); + if (ret < 0) {
return gnutls_assert_val(GNUTLS_E_FILE_ERROR); + _gnutls_debug_log("Could not get hmac file path: %s\n",
} + gnutls_strerror(ret));
+#if 0 + return ret;
+ /* Disable nettle, hogweed and gmp HMAC verification as + }
+ * they are calculated during build of the respective + _gnutls_debug_log("Loading: %s\n", hmac_path);
+ * packages and can differ from the ones listed here. + ret = gnutls_load_file(hmac_path, &data);
+ */ + if (ret < 0) {
if (paths->nettle[0] == '\0') { + _gnutls_debug_log("Could not load %s: %s\n", hmac_path,
_gnutls_debug_log("Nettle library path was not found\n"); + gnutls_strerror(ret));
return gnutls_assert_val(GNUTLS_E_FILE_ERROR); + return gnutls_assert_val(ret);
@@ -437,6 +467,7 @@ static int load_lib_paths(struct lib_pat + }
return gnutls_assert_val(GNUTLS_E_FILE_ERROR); + lib_hmac_size = hex_data_size(data.size);
} + /* trim eventual newlines from the end of the data read from file */
#endif + while ((data.size > 0) && (data.data[data.size - 1] == '\n')) {
+#endif + data.data[data.size - 1] = 0;
+ data.size--;
return GNUTLS_E_SUCCESS; + }
} + ret = gnutls_hex_decode(&data, lib_hmac, &lib_hmac_size);
@@ -483,6 +514,11 @@ static int check_binary_integrity(void) + gnutls_free(data.data);
ret = check_lib_hmac(&hmac.gnutls, paths.gnutls); + if (ret < 0) {
+ _gnutls_debug_log("Could not hex decode hmac\n");
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ }
+ ret = gnutls_memcmp(lib_hmac, hmac, HMAC_SIZE);
+ if (ret){
+ _gnutls_debug_log("Calculated MAC for %s does not match\n",
+ path);
+ gnutls_memset(hmac, 0, HMAC_SIZE);
+ gnutls_memset(lib_hmac, 0, HMAC_SIZE);
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ }
+ _gnutls_debug_log("Successfully verified MAC for %s\n", path);
+ gnutls_memset(hmac, 0, HMAC_SIZE);
+ return 0;
+}
+
+/*
* check_lib_hmac:
* @entry: hmac file entry
* @path: path to the library which hmac should be compared
*
- * Verify that HMAC from hmac file entry matches HMAC of given library.
+ * Verify that HMAC from hmac file entry matches HMAC of gnutls library.
*
* Returns: 0 on successful HMAC verification, a negative error code otherwise
*/
@@ -496,17 +575,20 @@ static int check_binary_integrity(void)
if (ret < 0) if (ret < 0)
return ret; return ret;
+# if 0 #ifdef NETTLE_LIBRARY_SONAME
+ /* Disable nettle, hogweed and gmp HMAC verification as - ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ * they are calculated during build of the respective + //ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ * packages and can differ from the ones listed here. + ret = check_dep_lib_hmac(paths.nettle);
+ */ if (ret < 0)
ret = check_lib_hmac(&hmac.nettle, paths.nettle); return ret;
if (ret < 0) #endif
return ret; #ifdef HOGWEED_LIBRARY_SONAME
@@ -494,6 +530,7 @@ static int check_binary_integrity(void) - ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ //ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ ret = check_dep_lib_hmac(paths.hogweed);
if (ret < 0)
return ret;
#endif
#ifdef GMP_LIBRARY_SONAME
- ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ //ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ ret = check_dep_lib_hmac(paths.gmp);
if (ret < 0) if (ret < 0)
return ret; return ret;
#endif #endif
+#endif
return 0;
}

47
gnutls-FIPS-HMAC-x86_64-v3-opt.patch Normal file
View File

@@ -0,0 +1,47 @@
Index: gnutls-3.8.9/lib/fips.c
===================================================================
--- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.9/lib/fips.c
@@ -268,6 +268,28 @@ static int handler(void *user, const cha
return 1;
}
+
+/* In case of x86_64-v3 optmizations, names might differ in version numbers.
+ * @mac_file: buffer where the hmac file path will be written to
+ * @lib_path: path to the dependent library, used to deduce hmac file path
+ * @file_name: The file name of the library
+ */
+ static void get_hwcaps_lib_hmac_path(char *mac_file, const char *lib_path, char *file_name) {
+ // Cut name short if more than SOVER is present
+ char *soname = strstr(file_name, ".so.");
+ char correct_ext[256];
+ memset(correct_ext, 0x0, 256);
+ soname += strlen(".so.");
+ for (uint32_t i = 0; i < strlen(soname); i++) {
+ if (soname[i] == '.') {
+ int proper_len = soname - file_name + i;
+ strncpy(correct_ext, file_name, proper_len);
+ snprintf(mac_file, 256, "%.*s/.%.*s.hmac", (int)(file_name-lib_path),lib_path,proper_len,correct_ext);
+ break;
+ }
+ }
+}
+
/*
* get_hmac_path:
* @mac_file: buffer where the hmac file path will be written to
@@ -300,6 +322,13 @@ static int get_hmac_path(char *mac_file,
if (ret == 0)
return GNUTLS_E_SUCCESS;
+ if (strstr(gnutls_path, "glibc-hwcaps")) {
+ get_hwcaps_lib_hmac_path(mac_file, gnutls_path, p + 1);
+ ret = _gnutls_file_exists(mac_file);
+ if (ret == 0)
+ return GNUTLS_E_SUCCESS;
+ }
+
if (p == NULL)
ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac",
gnutls_path);

8
gnutls-FIPS-TLS_KDF_selftest.patch
View File

@@ -1,8 +1,8 @@
Index: gnutls-3.8.5/lib/fips.c Index: gnutls-3.8.9/lib/fips.c
=================================================================== ===================================================================
--- gnutls-3.8.5.orig/lib/fips.c --- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.5/lib/fips.c +++ gnutls-3.8.9/lib/fips.c
@@ -593,6 +593,26 @@ int _gnutls_fips_perform_self_checks2(vo @@ -621,6 +621,26 @@ int _gnutls_fips_perform_self_checks2(vo
return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
} }

181
gnutls-FIPS-disable-mac-sha1.patch Normal file
View File

@@ -0,0 +1,181 @@
commit c4eba74d4745e3a97b443abae1431658a826d2eb
Author: Angel Yankov <angel.yankov@suse.com>
Date: Thu Nov 28 11:02:07 2024 +0200
SHA-1 is not allowed in FIPS-140-3 anymore after 2030. Mark it as
unapproved
Signed-off-by: Angel Yankov <angel.yankov@suse.com>
Index: gnutls-3.8.10/lib/crypto-api.c
===================================================================
--- gnutls-3.8.10.orig/lib/crypto-api.c
+++ gnutls-3.8.10/lib/crypto-api.c
@@ -33,6 +33,7 @@
#include "crypto-api.h"
#include "iov.h"
#include "intprops.h"
+#include <gnutls/gnutls.h>
typedef struct api_cipher_hd_st {
cipher_hd_st ctx_enc;
@@ -597,7 +598,9 @@ int gnutls_hmac_init(gnutls_hmac_hd_t *d
bool not_approved = false;
/* MD5 is only allowed internally for TLS */
- if (!is_mac_algo_allowed(algorithm)) {
+ if (algorithm == GNUTLS_MAC_SHA1)
+ not_approved = true;
+ else if (!is_mac_algo_allowed(algorithm)) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_approved_in_fips(algorithm)) {
@@ -757,8 +760,9 @@ int gnutls_hmac_fast(gnutls_mac_algorith
{
int ret;
bool not_approved = false;
-
- if (!is_mac_algo_allowed(algorithm)) {
+ if (algorithm == GNUTLS_MAC_SHA1)
+ not_approved = true;
+ else if (!is_mac_algo_allowed(algorithm)) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_approved_in_fips(algorithm)) {
@@ -839,8 +843,9 @@ int gnutls_hash_init(gnutls_hash_hd_t *d
{
int ret;
bool not_approved = false;
-
- if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
+ if (algorithm == GNUTLS_MAC_SHA1)
+ not_approved = true;
+ else if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_approved_in_fips(DIG_TO_MAC(algorithm))) {
@@ -957,8 +962,9 @@ int gnutls_hash_fast(gnutls_digest_algor
{
int ret;
bool not_approved = false;
-
- if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
+ if (algorithm == GNUTLS_MAC_SHA1)
+ not_approved = true;
+ else if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_approved_in_fips(DIG_TO_MAC(algorithm))) {
@@ -2173,7 +2179,9 @@ int gnutls_pbkdf2(gnutls_mac_algorithm_t
bool not_approved = false;
/* MD5 is only allowed internally for TLS */
- if (!is_mac_algo_allowed(mac)) {
+ if (mac == GNUTLS_MAC_SHA1)
+ not_approved = true;
+ else if (!is_mac_algo_allowed(mac)) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_hmac_approved_in_fips(mac)) {
Index: gnutls-3.8.10/lib/crypto-selftests.c
===================================================================
--- gnutls-3.8.10.orig/lib/crypto-selftests.c
+++ gnutls-3.8.10/lib/crypto-selftests.c
@@ -2891,7 +2891,7 @@ int gnutls_mac_self_test(unsigned flags,
case GNUTLS_MAC_UNKNOWN:
NON_FIPS_CASE(GNUTLS_MAC_MD5, test_mac, hmac_md5_vectors);
FALLTHROUGH;
- CASE(GNUTLS_MAC_SHA1, test_mac, hmac_sha1_vectors);
+ NON_FIPS_CASE(GNUTLS_MAC_SHA1, test_mac, hmac_sha1_vectors);
FALLTHROUGH;
CASE(GNUTLS_MAC_SHA224, test_mac, hmac_sha224_vectors);
FALLTHROUGH;
Index: gnutls-3.8.10/lib/fips.h
===================================================================
--- gnutls-3.8.10.orig/lib/fips.h
+++ gnutls-3.8.10/lib/fips.h
@@ -79,7 +79,6 @@ inline static bool
is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
{
switch (algo) {
- case GNUTLS_MAC_SHA1:
case GNUTLS_MAC_SHA256:
case GNUTLS_MAC_SHA384:
case GNUTLS_MAC_SHA512:
Index: gnutls-3.8.10/tests/fips-test.c
===================================================================
--- gnutls-3.8.10.orig/tests/fips-test.c
+++ gnutls-3.8.10/tests/fips-test.c
@@ -397,11 +397,12 @@ void doit(void)
}
FIPS_POP_CONTEXT(ERROR);
+ FIPS_PUSH_CONTEXT();
ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
if (ret < 0) {
- fail("gnutls_hmac_init failed\n");
+ fail("gnutls_hmac_init failed for sha1\n");
}
- gnutls_hmac_deinit(mh, NULL);
+ FIPS_POP_CONTEXT(NOT_APPROVED);
ret = gnutls_hmac_init(&mh, GNUTLS_MAC_MD5, key.data, key.size);
if (ret != GNUTLS_E_UNWANTED_ALGORITHM) {
@@ -736,7 +737,7 @@ void doit(void)
}
hashed_data.data = hash;
hashed_data.size = 20;
- FIPS_POP_CONTEXT(APPROVED);
+ FIPS_POP_CONTEXT(NOT_APPROVED);
/* Create a signature with ECDSA and SHA1 (2-pass API); not-approved */
FIPS_PUSH_CONTEXT();
Index: gnutls-3.8.10/tests/gnutls_hmac_fast.c
===================================================================
--- gnutls-3.8.10.orig/tests/gnutls_hmac_fast.c
+++ gnutls-3.8.10/tests/gnutls_hmac_fast.c
@@ -42,6 +42,11 @@ void doit(void)
if (debug)
gnutls_global_set_log_level(4711);
+ /* enable MD5 and SHA1 usage */
+ if (gnutls_fips140_mode_enabled()) {
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LOG, 0);
+ }
+
err = gnutls_hmac_fast(GNUTLS_MAC_SHA1, "keykeykey", 9, "abcdefgh", 8,
digest);
if (err < 0)
@@ -59,11 +64,6 @@ void doit(void)
}
}
- /* enable MD5 usage */
- if (gnutls_fips140_mode_enabled()) {
- gnutls_fips140_set_mode(GNUTLS_FIPS140_LOG, 0);
- }
-
err = gnutls_hmac_fast(GNUTLS_MAC_MD5, "keykeykey", 9, "abcdefgh", 8,
digest);
if (err < 0)
Index: gnutls-3.8.10/tests/kdf-api.c
===================================================================
--- gnutls-3.8.10.orig/tests/kdf-api.c
+++ gnutls-3.8.10/tests/kdf-api.c
@@ -108,7 +108,6 @@ inline static bool
is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
{
switch (algo) {
- case GNUTLS_MAC_SHA1:
case GNUTLS_MAC_SHA256:
case GNUTLS_MAC_SHA384:
case GNUTLS_MAC_SHA512:
@@ -145,7 +144,7 @@ static void test_pbkdf2(gnutls_mac_algor
assert(gnutls_hex_decode2(&hex, &salt) >= 0);
fips_push_context(fips_context);
- assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0);
+ gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length);
fips_pop_context(fips_context, expected_state);
gnutls_free(ikm.data);
gnutls_free(salt.data);

36
gnutls-FIPS-jitterentropy.patch
View File

@@ -1,7 +1,7 @@
Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c
=================================================================== ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/sysrng-linux.c --- gnutls-3.8.9.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.6/lib/nettle/sysrng-linux.c +++ gnutls-3.8.9/lib/nettle/sysrng-linux.c
@@ -49,6 +49,15 @@ @@ -49,6 +49,15 @@
get_entropy_func _rnd_get_system_entropy = NULL; get_entropy_func _rnd_get_system_entropy = NULL;
@@ -158,11 +158,11 @@ Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
+#endif +#endif
return; return;
} }
Index: gnutls-3.8.6/lib/nettle/Makefile.in Index: gnutls-3.8.9/lib/nettle/Makefile.in
=================================================================== ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/Makefile.in --- gnutls-3.8.9.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.6/lib/nettle/Makefile.in +++ gnutls-3.8.9/lib/nettle/Makefile.in
@@ -497,7 +497,7 @@ am__v_CC_1 = @@ -521,7 +521,7 @@ am__v_CC_1 =
CCLD = $(CC) CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -171,10 +171,10 @@ Index: gnutls-3.8.6/lib/nettle/Makefile.in
AM_V_CCLD = $(am__v_CCLD_@AM_V@) AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_0 = @echo " CCLD " $@;
Index: gnutls-3.8.6/lib/nettle/Makefile.am Index: gnutls-3.8.9/lib/nettle/Makefile.am
=================================================================== ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/Makefile.am --- gnutls-3.8.9.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.6/lib/nettle/Makefile.am +++ gnutls-3.8.9/lib/nettle/Makefile.am
@@ -20,7 +20,7 @@ @@ -20,7 +20,7 @@
include $(top_srcdir)/lib/common.mk include $(top_srcdir)/lib/common.mk
@@ -182,12 +182,12 @@ Index: gnutls-3.8.6/lib/nettle/Makefile.am
-AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS) -AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS)
+AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS) -ljitterentropy +AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS) -ljitterentropy
AM_CPPFLAGS = \ AM_CPPFLAGS += \
-I$(srcdir)/int \ -I$(srcdir)/int \
Index: gnutls-3.8.6/lib/nettle/rnd-fips.c Index: gnutls-3.8.9/lib/nettle/rnd-fips.c
=================================================================== ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/rnd-fips.c --- gnutls-3.8.9.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.6/lib/nettle/rnd-fips.c +++ gnutls-3.8.9/lib/nettle/rnd-fips.c
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc @@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
uint8_t buffer[DRBG_AES_SEED_SIZE]; uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret; int ret;
@@ -210,11 +210,11 @@ Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
ret = get_entropy(fctx, buffer, sizeof(buffer)); ret = get_entropy(fctx, buffer, sizeof(buffer));
if (ret < 0) { if (ret < 0) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
Index: gnutls-3.8.6/tests/Makefile.am Index: gnutls-3.8.9/tests/Makefile.am
=================================================================== ===================================================================
--- gnutls-3.8.6.orig/tests/Makefile.am --- gnutls-3.8.9.orig/tests/Makefile.am
+++ gnutls-3.8.6/tests/Makefile.am +++ gnutls-3.8.9/tests/Makefile.am
@@ -209,7 +209,7 @@ ctests += mini-record-2 simple gnutls_hm @@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \ dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \ keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \ tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \

12
gnutls-disable-flaky-test-dtls-resume.patch
View File

@@ -1,10 +1,10 @@
Index: gnutls-3.7.8/tests/Makefile.am Index: gnutls-3.8.10/tests/Makefile.am
=================================================================== ===================================================================
--- gnutls-3.7.8.orig/tests/Makefile.am --- gnutls-3.8.10.orig/tests/Makefile.am
+++ gnutls-3.7.8/tests/Makefile.am +++ gnutls-3.8.10/tests/Makefile.am
@@ -508,7 +508,7 @@ if !WINDOWS @@ -536,7 +536,7 @@ ktls_keyupdate_CFLAGS = -DUSE_KTLS
# List of tests not available/functional under windows dist_check_SCRIPTS += ktls_keyupdate.sh
# endif
-dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb -dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb
+dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb +dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb

27
gnutls-fips-sonames-check.patch Normal file
View File

@@ -0,0 +1,27 @@
Index: gnutls-3.8.9/lib/fips.c
===================================================================
--- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.9/lib/fips.c
@@ -484,18 +484,18 @@ static int callback(struct dl_phdr_info
const char *soname = last_component(path);
struct lib_paths *paths = (struct lib_paths *)data;
- if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+ if (!strncmp(soname, GNUTLS_LIBRARY_SONAME, strlen(GNUTLS_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
#ifdef NETTLE_LIBRARY_SONAME
- else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+ else if (!strncmp(soname, NETTLE_LIBRARY_SONAME, strlen(NETTLE_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
#endif
#ifdef HOGWEED_LIBRARY_SONAME
- else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ else if (!strncmp(soname, HOGWEED_LIBRARY_SONAME, strlen(HOGWEED_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
#endif
#ifdef GMP_LIBRARY_SONAME
- else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ else if (!strncmp(soname, GMP_LIBRARY_SONAME, strlen(GMP_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
#endif
return 0;

10
gnutls-set-cligen-python-interp.patch Normal file
View File

@@ -0,0 +1,10 @@
Index: gnutls-3.8.9/cligen/cli-docgen.py
===================================================================
--- gnutls-3.8.9.orig/cligen/cli-docgen.py
+++ gnutls-3.8.9/cligen/cli-docgen.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
# Copyright (C) 2021-2022 Daiki Ueno
# SPDX-License-Identifier: LGPL-2.1-or-later

34
gnutls-skip-pqx-test.patch Normal file
View File

@@ -0,0 +1,34 @@
Index: gnutls-3.8.10/tests/Makefile.am
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.am
+++ gnutls-3.8.10/tests/Makefile.am
@@ -628,8 +628,6 @@ ctests += win32-certopenstore
endif
-dist_check_SCRIPTS += pqc-hybrid-kx.sh
-
cpptests =
if ENABLE_CXX
if HAVE_CMOCKA
Index: gnutls-3.8.10/tests/Makefile.in
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.in
+++ gnutls-3.8.10/tests/Makefile.in
@@ -3293,7 +3293,7 @@ am__dist_check_SCRIPTS_DIST = rfc2253-es
gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
testpkcs11.sh certtool-pkcs11.sh pkcs11-tool.sh \
- p11-kit-load.sh danetool.sh tpmtool_test.sh pqc-hybrid-kx.sh
+ p11-kit-load.sh danetool.sh tpmtool_test.sh
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -7178,7 +7178,6 @@ dist_check_SCRIPTS = rfc2253-escape-test
$(am__append_18) $(am__append_20) $(am__append_21) \
$(am__append_23) $(am__append_25) $(am__append_26) \
$(am__append_27) $(am__append_29) $(am__append_30) \
- pqc-hybrid-kx.sh
@ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_SOURCES = tls13/key_update.c
@ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_CFLAGS = -DUSE_KTLS
@WINDOWS_FALSE@dtls_stress_SOURCES = dtls/dtls-stress.c

10
gnutls-srp-test-SIGPIPE.patch
View File

@@ -1,8 +1,8 @@
Index: gnutls-3.8.1/tests/srp.c Index: gnutls-3.8.9/tests/srp.c
=================================================================== ===================================================================
--- gnutls-3.8.1.orig/tests/srp.c --- gnutls-3.8.9.orig/tests/srp.c
+++ gnutls-3.8.1/tests/srp.c +++ gnutls-3.8.9/tests/srp.c
@@ -287,7 +289,7 @@ static void start(const char *name, cons @@ -290,7 +290,7 @@ static void start(const char *name, cons
if (child) { if (child) {
int status; int status;
/* parent */ /* parent */
@@ -11,7 +11,7 @@ Index: gnutls-3.8.1/tests/srp.c
client(fd[1], prio, user, pass, exp_err); client(fd[1], prio, user, pass, exp_err);
if (exp_err < 0) { if (exp_err < 0) {
kill(child, SIGTERM); kill(child, SIGTERM);
@@ -297,7 +299,7 @@ static void start(const char *name, cons @@ -300,7 +300,7 @@ static void start(const char *name, cons
check_wait_status(status); check_wait_status(status);
} }
} else { } else {

445
gnutls.changes
View File

File diff suppressed because it is too large Load Diff

56
gnutls.spec
View File

@@ -1,7 +1,8 @@
# #
# spec file for package gnutls # spec file for package gnutls
# #
# Copyright (c) 2024 SUSE LLC # Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@@ -39,15 +40,16 @@
%bcond_with kcapi %bcond_with kcapi
%endif %endif
%bcond_with tpm %bcond_with tpm
%bcond_without leancrypto
Name: gnutls Name: gnutls
Version: 3.8.7 Version: 3.8.10
Release: 0 Release: 0
Summary: The GNU Transport Layer Security Library Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later License: GPL-3.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
URL: https://www.gnutls.org/ URL: https://www.gnutls.org/
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.1.tar.xz Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.1.tar.xz.sig Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
# https://gnutls.org/gnutls-release-keyring.gpg # https://gnutls.org/gnutls-release-keyring.gpg
Source2: https://gnutls.org/gnutls-release-keyring.gpg#/gnutls.keyring Source2: https://gnutls.org/gnutls-release-keyring.gpg#/gnutls.keyring
Source3: baselibs.conf Source3: baselibs.conf
@@ -69,6 +71,15 @@ Patch102: gnutls-FIPS-jitterentropy.patch
#PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector #PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
Patch103: gnutls-FIPS-jitterentropy-deinit-threads.patch Patch103: gnutls-FIPS-jitterentropy-deinit-threads.patch
%endif %endif
Patch104: gnutls-set-cligen-python-interp.patch
Patch105: gnutls-skip-pqx-test.patch
Patch106: gnutls-fips-sonames-check.patch
# PATCH-FIX-SUSE jsc#jsc#PED-12224 FIPS: Mark SHA1 as unapproved in the SLI
Patch107: gnutls-FIPS-disable-mac-sha1.patch
# PATCH-FIX-SUSE bsc#1237101 GNUTLS FIPS selfcheck is failing again on tumbleweed
Patch108: gnutls-FIPS-HMAC-x86_64-v3-opt.patch
# PATCH-FIX-SUSE Disable test
Patch109: gnutls-3.8.10-disable-ktls_test.patch
BuildRequires: autogen BuildRequires: autogen
BuildRequires: automake BuildRequires: automake
BuildRequires: datefudge BuildRequires: datefudge
@@ -87,10 +98,16 @@ BuildRequires: p11-kit-devel >= 0.23.1
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: xz BuildRequires: xz
BuildRequires: pkgconfig(autoopts) BuildRequires: pkgconfig(autoopts)
BuildRequires: pkgconfig(libbrotlidec)
BuildRequires: pkgconfig(libbrotlienc)
BuildRequires: pkgconfig(libzstd)
BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(zlib)
%if %{with kcapi} %if %{with kcapi}
BuildRequires: pkgconfig(libkcapi) BuildRequires: pkgconfig(libkcapi)
%endif %endif
%if %{with leancrypto}
BuildRequires: pkgconfig(leancrypto)
%endif
%if 0%{?suse_version} <= 1320 %if 0%{?suse_version} <= 1320
BuildRequires: net-tools BuildRequires: net-tools
%else %else
@@ -109,8 +126,8 @@ BuildRequires: libunbound-devel
%endif %endif
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
BuildRequires: crypto-policies BuildRequires: crypto-policies
Requires: crypto-policies
BuildRequires: jitterentropy-devel >= 3.4.0 BuildRequires: jitterentropy-devel >= 3.4.0
Requires: crypto-policies
Requires: libjitterentropy3 >= 3.4.0 Requires: libjitterentropy3 >= 3.4.0
%endif %endif
@@ -235,6 +252,11 @@ autoreconf -fiv
%if %{with srp} %if %{with srp}
--enable-srp-authentication \ --enable-srp-authentication \
%endif %endif
%if %{with leancrypto}
--with-leancrypto \
%else
--without-leancrypto \
%endif
%ifarch %{ix86} %{arm} %ifarch %{ix86} %{arm}
--disable-year2038 \ --disable-year2038 \
%endif %endif
@@ -242,6 +264,7 @@ autoreconf -fiv
--enable-fips140-mode \ --enable-fips140-mode \
--with-fips140-module-name="GnuTLS version" \ --with-fips140-module-name="GnuTLS version" \
--with-fips140-module-version="%{version}-%{release}" \ --with-fips140-module-version="%{version}-%{release}" \
--enable-ktls \
%{nil} %{nil}
%make_build %make_build
@@ -302,15 +325,12 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
} }
%endif %endif
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %ldconfig_scriptlets -n libgnutls%{gnutls_sover}
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %ldconfig_scriptlets -n libgnutls-dane%{gnutls_dane_sover}
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig %ldconfig_scriptlets -n libgnutlsxx%{gnutlsxx_sover}
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%files -f libgnutls.lang %files -f libgnutls.lang
%license LICENSE %license COPYING COPYING.LESSERv2
%doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
%{_bindir}/certtool %{_bindir}/certtool
%{_bindir}/gnutls-cli %{_bindir}/gnutls-cli
@@ -331,22 +351,22 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
%{_mandir}/man1/* %{_mandir}/man1/*
%files -n libgnutls%{gnutls_sover} %files -n libgnutls%{gnutls_sover}
%license LICENSE %license COPYING COPYING.LESSERv2
%{_libdir}/libgnutls.so.%{gnutls_sover}* %{_libdir}/libgnutls.so.%{gnutls_sover}*
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
%if %{with dane} %if %{with dane}
%files -n libgnutls-dane%{gnutls_dane_sover} %files -n libgnutls-dane%{gnutls_dane_sover}
%license LICENSE %license COPYING COPYING.LESSERv2
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
%endif %endif
%files -n libgnutlsxx%{gnutlsxx_sover} %files -n libgnutlsxx%{gnutlsxx_sover}
%license LICENSE %license COPYING COPYING.LESSERv2
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}* %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
%files -n libgnutls-devel %files -n libgnutls-devel
%license LICENSE %license COPYING COPYING.LESSERv2
%dir %{_includedir}/%{name} %dir %{_includedir}/%{name}
%{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/abstract.h
%{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/crypto.h
@@ -375,7 +395,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
%if %{with dane} %if %{with dane}
%files -n libgnutls-dane-devel %files -n libgnutls-dane-devel
%license LICENSE %license COPYING COPYING.LESSERv2
%dir %{_includedir}/%{name} %dir %{_includedir}/%{name}
%{_includedir}/%{name}/dane.h %{_includedir}/%{name}/dane.h
%{_libdir}/pkgconfig/gnutls-dane.pc %{_libdir}/pkgconfig/gnutls-dane.pc
@@ -383,7 +403,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
%endif %endif
%files -n libgnutlsxx-devel %files -n libgnutlsxx-devel
%license LICENSE %license COPYING COPYING.LESSERv2
%{_libdir}/libgnutlsxx.so %{_libdir}/libgnutlsxx.so
%dir %{_includedir}/%{name} %dir %{_includedir}/%{name}
%{_includedir}/%{name}/gnutlsxx.h %{_includedir}/%{name}/gnutlsxx.h