Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2024-11-15 15:37:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new.2017 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls"
Fri Nov 15 15:37:54 2024 rev:159 rq:1224137 version:3.8.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2024-10-01 17:11:17.824424377 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2017/gnutls.changes 2024-11-15 15:37:59.153217762 +0100
@@ -1,0 +2,25 @@
+Mon Nov 11 10:04:31 UTC 2024 - Pedro Monreal <[email protected]>
+
+- Update to 3.8.8:
+ - libgnutls: Experimental support for X25519MLKEM768 and
+ SecP256r1MLKEM768 key exchange in TLS 1.3: The support for
+ post-quantum key exchanges has been extended to cover the final
+ standard of ML-KEM, following draft-kwiatkowski-tls-ecdhe-mlkem.
+ The minimum supported version of liboqs is bumped to 0.11.0.
+ - libgnutls: All records included in an OCSP response are now checked
+ in TLS: Previously, when multiple records are provided in a single
+ OCSP response, only the first record was considered; now all those
+ records are examined until the server certificate matches.
+ - libgnutls: Handling of malformed compress_certificate extension is
+ now more standard compliant: The server behavior of receiving a
+ malformed compress_certificate extension now more strictly follows
+ RFC 8879; return illegal_parameter alert instead of bad_certificate,
+ as well as overlong extension data is properly rejected.
+ - build: More flexible library linking options for compression
+ libraries, TPM, and liboqs support: The configure options,
+ --with-zstd, --with-brotli, --with-zlib, --with-tpm2, and --with-liboqs
+ now take 4 states: yes/link/dlopen/no, to specify how the libraries
+ are linked or loaded.
+ * Rebase gnutls-FIPS-140-3-references.patch
+
+-------------------------------------------------------------------
@@ -5,0 +31,7 @@
+
+-------------------------------------------------------------------
+Thu Sep 5 07:57:42 UTC 2024 - Pedro Monreal <[email protected]>
+
+- FIPS: Allow to perform the integrity check with the hmac provided
+ by each library [bsc#1226724]
+ * Rebase gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
Old:
----
gnutls-3.8.7.1.tar.xz
gnutls-3.8.7.1.tar.xz.sig
New:
----
gnutls-3.8.8.tar.xz
gnutls-3.8.8.tar.xz.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.KVm62V/_old 2024-11-15 15:38:01.145301197 +0100
+++ /var/tmp/diff_new_pack.KVm62V/_new 2024-11-15 15:38:01.145301197 +0100
@@ -42,14 +42,14 @@
 %endif
 %bcond_with tpm
 Name: gnutls
-Version: 3.8.7
+Version: 3.8.8
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: GPL-3.0-or-later AND LGPL-2.1-or-later
 Group: Productivity/Networking/Security
 URL: https://www.gnutls.org/
-Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.1.tar.xz
-Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.1.tar.xz.sig
+Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
+Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
 # https://gnutls.org/gnutls-release-keyring.gpg
 Source2: https://gnutls.org/gnutls-release-keyring.gpg#/gnutls.keyring
 Source3: baselibs.conf
++++++ gnutls-3.8.7.1.tar.xz -> gnutls-3.8.8.tar.xz ++++++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.8.7.1.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new.2017/gnutls-3.8.8.tar.xz differ: char 26, line 1
++++++ gnutls-FIPS-140-3-references.patch ++++++
++++ 964 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
++++ and /work/SRC/openSUSE:Factory/.gnutls.new.2017/gnutls-FIPS-140-3-references.patch
++++++ gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch ++++++
--- /var/tmp/diff_new_pack.KVm62V/_old 2024-11-15 15:38:01.749326495 +0100
+++ /var/tmp/diff_new_pack.KVm62V/_new 2024-11-15 15:38:01.793328338 +0100
@@ -1,118 +1,121 @@ -Index: gnutls-3.8.7/lib/fips.c +Index: gnutls-3.8.8/lib/fips.c =================================================================== ---- gnutls-3.8.7.orig/lib/fips.c -+++ gnutls-3.8.7/lib/fips.c -@@ -177,20 +177,32 @@ struct hmac_entry { - struct hmac_file { - int version; - struct hmac_entry gnutls; -+#if 0 -+ /* Disable nettle, hogweed and gmp HMAC verification as -+ * they are calculated during build of the respective -+ * packages and can differ from the ones listed here. -+ */ - struct hmac_entry nettle; - struct hmac_entry hogweed; - #ifdef GMP_LIBRARY_SONAME - struct hmac_entry gmp; - #endif -+#endif - }; - - struct lib_paths { - char gnutls[GNUTLS_PATH_MAX]; -+#if 0 -+ /* Disable nettle, hogweed and gmp HMAC verification as -+ * they are calculated during build of the respective -+ * packages and can differ from the ones listed here. -+ */ - char nettle[GNUTLS_PATH_MAX]; - char hogweed[GNUTLS_PATH_MAX]; - #ifdef GMP_LIBRARY_SONAME - char gmp[GNUTLS_PATH_MAX]; - #endif -+#endif - }; - - /* -@@ -250,6 +262,11 @@ static int handler(void *user, const cha - } - } else if (!strcmp(section, GNUTLS_LIBRARY_SONAME)) { - return lib_handler(&p->gnutls, section, name, value); -+#if 0 -+ /* Disable nettle, hogweed and gmp HMAC verification as -+ * they are calculated during build of the respective -+ * packages and can differ from the ones listed here. 
-+ */ - } else if (!strcmp(section, NETTLE_LIBRARY_SONAME)) { - return lib_handler(&p->nettle, section, name, value); - } else if (!strcmp(section, HOGWEED_LIBRARY_SONAME)) { -@@ -258,6 +275,7 @@ static int handler(void *user, const cha - } else if (!strcmp(section, GMP_LIBRARY_SONAME)) { - return lib_handler(&p->gmp, section, name, value); - #endif -+#endif - } else { - return 0; - } -@@ -403,6 +422,11 @@ static int callback(struct dl_phdr_info - - if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) - _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path); -+#if 0 -+ /* Disable nettle, hogweed and gmp HMAC verification as -+ * they are calculated during build of the respective -+ * packages and can differ from the ones listed here. -+ */ - else if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) - _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); - else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) -@@ -411,6 +435,7 @@ static int callback(struct dl_phdr_info - else if (!strcmp(soname, GMP_LIBRARY_SONAME)) - _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); - #endif -+#endif - return 0; +--- gnutls-3.8.8.orig/lib/fips.c ++++ gnutls-3.8.8/lib/fips.c +@@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi } -@@ -423,6 +448,11 @@ static int load_lib_paths(struct lib_pat - _gnutls_debug_log("Gnutls library path was not found\n"); - return gnutls_assert_val(GNUTLS_E_FILE_ERROR); - } -+#if 0 -+ /* Disable nettle, hogweed and gmp HMAC verification as -+ * they are calculated during build of the respective -+ * packages and can differ from the ones listed here. 
-+ */ - if (paths->nettle[0] == '\0') { - _gnutls_debug_log("Nettle library path was not found\n"); - return gnutls_assert_val(GNUTLS_E_FILE_ERROR); -@@ -437,6 +467,7 @@ static int load_lib_paths(struct lib_pat - return gnutls_assert_val(GNUTLS_E_FILE_ERROR); - } - #endif -+#endif - - return GNUTLS_E_SUCCESS; - } -@@ -483,6 +514,11 @@ static int check_binary_integrity(void) - ret = check_lib_hmac(&hmac.gnutls, paths.gnutls); + /* ++ * check_dep_lib_hmac: ++ * @path: path to the library which hmac should be compared ++ * ++ * Verify that HMAC of a given library matches the hmac in the file ++ * provided by the library, named: .<libname>.so.<soname>.hmac. ++ * ++ * Returns: 0 on successful HMAC verification, a negative error code otherwise ++ */ ++static int check_dep_lib_hmac(const char *path) ++{ ++ int ret; ++ unsigned prev; ++ uint8_t hmac[HMAC_SIZE]; ++ gnutls_datum_t data; ++ char hmac_path[GNUTLS_PATH_MAX]; ++ uint8_t lib_hmac[HMAC_SIZE]; ++ size_t lib_hmac_size; ++ ++ _gnutls_debug_log("Loading: %s\n", path); ++ ret = gnutls_load_file(path, &data); ++ if (ret < 0) { ++ _gnutls_debug_log("Could not load %s: %s\n", path, ++ gnutls_strerror(ret)); ++ return gnutls_assert_val(ret); ++ } ++ ++ prev = _gnutls_get_lib_state(); ++ _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); ++ ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY) - 1, ++ data.data, data.size, hmac); ++ _gnutls_switch_lib_state(prev); ++ ++ gnutls_free(data.data); ++ if (ret < 0) { ++ _gnutls_debug_log("Could not calculate HMAC for %s: %s\n", path, ++ gnutls_strerror(ret)); ++ return gnutls_assert_val(ret); ++ } ++ ++ /* Check now the integrity of the hmac provided by the library */ ++ ret = get_hmac_path(hmac_path, sizeof(hmac_path), path); ++ if (ret < 0) { ++ _gnutls_debug_log("Could not get hmac file path: %s\n", ++ gnutls_strerror(ret)); ++ return ret; ++ } ++ _gnutls_debug_log("Loading: %s\n", hmac_path); ++ ret = gnutls_load_file(hmac_path, &data); ++ if (ret < 0) { ++ 
_gnutls_debug_log("Could not load %s: %s\n", hmac_path, ++ gnutls_strerror(ret)); ++ return gnutls_assert_val(ret); ++ } ++ lib_hmac_size = hex_data_size(data.size); ++ /* trim eventual newlines from the end of the data read from file */ ++ while ((data.size > 0) && (data.data[data.size - 1] == '\n')) { ++ data.data[data.size - 1] = 0; ++ data.size--; ++ } ++ ret = gnutls_hex_decode(&data, lib_hmac, &lib_hmac_size); ++ gnutls_free(data.data); ++ if (ret < 0) { ++ _gnutls_debug_log("Could not hex decode hmac\n"); ++ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); ++ } ++ ret = gnutls_memcmp(lib_hmac, hmac, HMAC_SIZE); ++ if (ret){ ++ _gnutls_debug_log("Calculated MAC for %s does not match\n", ++ path); ++ gnutls_memset(hmac, 0, HMAC_SIZE); ++ gnutls_memset(lib_hmac, 0, HMAC_SIZE); ++ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); ++ } ++ _gnutls_debug_log("Successfully verified MAC for %s\n", path); ++ gnutls_memset(hmac, 0, HMAC_SIZE); ++ return 0; ++} ++ ++/* + * check_lib_hmac: + * @entry: hmac file entry + * @path: path to the library which hmac should be compared + * +- * Verify that HMAC from hmac file entry matches HMAC of given library. ++ * Verify that HMAC from hmac file entry matches HMAC of gnutls library. + * + * Returns: 0 on successful HMAC verification, a negative error code otherwise + */ +@@ -496,17 +575,20 @@ static int check_binary_integrity(void) if (ret < 0) return ret; -+# if 0 -+ /* Disable nettle, hogweed and gmp HMAC verification as -+ * they are calculated during build of the respective -+ * packages and can differ from the ones listed here. 
-+ */ - ret = check_lib_hmac(&hmac.nettle, paths.nettle); + #ifdef NETTLE_LIBRARY_SONAME +- ret = check_lib_hmac(&hmac.nettle, paths.nettle); ++ //ret = check_lib_hmac(&hmac.nettle, paths.nettle); ++ ret = check_dep_lib_hmac(paths.nettle); if (ret < 0) return ret; -@@ -494,6 +530,7 @@ static int check_binary_integrity(void) + #endif + #ifdef HOGWEED_LIBRARY_SONAME +- ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); ++ //ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); ++ ret = check_dep_lib_hmac(paths.hogweed); + if (ret < 0) + return ret; + #endif + #ifdef GMP_LIBRARY_SONAME +- ret = check_lib_hmac(&hmac.gmp, paths.gmp); ++ //ret = check_lib_hmac(&hmac.gmp, paths.gmp); ++ ret = check_dep_lib_hmac(paths.gmp); if (ret < 0) return ret; #endif -+#endif - - return 0; - }
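Review bot: In the new `check_dep_lib_hmac` (first inner hunk, `@@ -349,11 +349,90 @@`), `lib_hmac_size` is derived from `hex_data_size(data.size)` before the trailing-newline trim loop runs, and after `gnutls_hex_decode` the decoded length is never checked against `HMAC_SIZE` before `gnutls_memcmp(lib_hmac, hmac, HMAC_SIZE)`, so a `.hmac` file carrying a shorter hex string decodes successfully and the compare then reads the uninitialized tail of `lib_hmac`. Size the output from the buffer itself and reject any other decoded length: replace the `hex_data_size` assignment with `lib_hmac_size = sizeof(lib_hmac);` placed directly before the decode, and make the following check `if (ret < 0 || lib_hmac_size != HMAC_SIZE) {`. `hex_data_size` and `get_hmac_path` are defined outside this hunk, so their exact contracts are assumed here. Separately, the second inner hunk (`@@ -496,17 +575,20 @@`) carries the replaced calls as `//ret = check_lib_hmac(...)` comments; drop the commented-out code rather than ship it in the patch.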
