forked from pool/gnutls
Pedro Monreal Gonzalez
f914173517
- The FIPS hmac is now calculated with an internal tool since
commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed and it has
been renamed to .gnutls.hmac. [bsc#1199881, bsc#1203245]
* Remove the fipscheck build dependency
* Check only the calculated hmac for libgnutls.so.30 since the
calculated hmacs for libnettle.so.8, libhogweed.so.6 and
libgmp.so.10 in .gnutls.hmac are incorrect.
* Add gnutls-FIPS-hmac-check-only-libgnutls.patch
* Remove gnutls-FIPS-Run-CFB8-without-offset.patch
- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
* Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
OBS-URL: https://build.opensuse.org/request/show/1011039
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=78
92 lines
3.1 KiB
Diff
92 lines
3.1 KiB
Diff
---
|
|
lib/nettle/sysrng-linux.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
Index: gnutls-3.7.8/lib/nettle/sysrng-linux.c
|
|
===================================================================
|
|
--- gnutls-3.7.8.orig/lib/nettle/sysrng-linux.c
|
|
+++ gnutls-3.7.8/lib/nettle/sysrng-linux.c
|
|
@@ -49,11 +49,13 @@
|
|
get_entropy_func _rnd_get_system_entropy = NULL;
|
|
|
|
#if defined(__linux__)
|
|
-# ifdef ENABLE_FIPS140
|
|
+# if defined(ENABLE_FIPS140)
|
|
# define HAVE_JENT
|
|
# include <jitterentropy.h>
|
|
static int jent_initialized = 0;
|
|
static struct rand_data* ec = NULL;
|
|
+/* Declare function to fix a missing-prototypes compilation warning */
|
|
+void FIPS_jent_entropy_deinit(void);
|
|
# endif
|
|
# ifdef HAVE_GETRANDOM
|
|
# include <sys/random.h>
|
|
@@ -72,7 +74,8 @@ static ssize_t _getrandom0(void *buf, si
|
|
# endif
|
|
# endif
|
|
|
|
-# if defined(HAVE_JENT)
|
|
+# if defined(ENABLE_FIPS140)
|
|
+# if defined(HAVE_JENT)
|
|
/* check whether the CPU Jitter entropy collector is available. */
|
|
static unsigned FIPS_jent_entropy_init(void)
|
|
{
|
|
@@ -161,6 +164,7 @@ static int _rnd_get_system_entropy_jent(
|
|
|
|
return 0;
|
|
}
|
|
+# endif
|
|
# endif
|
|
|
|
static unsigned have_getrandom(void)
|
|
@@ -260,7 +264,8 @@ int _rnd_system_entropy_init(void)
|
|
int urandom_fd;
|
|
|
|
#if defined(__linux__)
|
|
-# if defined(HAVE_JENT)
|
|
+# if defined(ENABLE_FIPS140)
|
|
+# if defined(HAVE_JENT)
|
|
/* Enable jitterentropy usage if available */
|
|
if (FIPS_jent_entropy_init()) {
|
|
_rnd_get_system_entropy = _rnd_get_system_entropy_jent;
|
|
@@ -268,7 +273,14 @@ int _rnd_system_entropy_init(void)
|
|
return 0;
|
|
} else {
|
|
_gnutls_debug_log("jitterentropy is not available\n");
|
|
+ /* Set error state when FIPS_jent_entropy_init failed and FIPS mode is enabled */
|
|
+ if (_gnutls_fips_mode_enabled()) {
|
|
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
|
|
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
|
|
+ return gnutls_assert_val(GNUTLS_E_RANDOM_DEVICE_ERROR);
|
|
+ }
|
|
}
|
|
+# endif
|
|
# endif
|
|
/* Enable getrandom() usage if available */
|
|
if (have_getrandom()) {
|
|
@@ -300,8 +312,10 @@ void _rnd_system_entropy_deinit(void)
|
|
{
|
|
/* A no-op now when we open and close /dev/urandom every time */
|
|
#if defined(__linux__)
|
|
-# if defined(HAVE_JENT)
|
|
+# if defined(ENABLE_FIPS140)
|
|
+# if defined(HAVE_JENT)
|
|
FIPS_jent_entropy_deinit();
|
|
+# endif
|
|
# endif
|
|
#endif
|
|
return;
|
|
Index: gnutls-3.7.8/tests/Makefile.am
|
|
===================================================================
|
|
--- gnutls-3.7.8.orig/tests/Makefile.am
|
|
+++ gnutls-3.7.8/tests/Makefile.am
|
|
@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
|
|
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
|
|
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
|
|
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
|
|
- set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
|
|
+ set_x509_key_file_ocsp client-fastopen srp rng-pthread \
|
|
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
|
|
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
|
|
rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \
|