Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2022-01-21 01:25:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and      /work/SRC/openSUSE:Factory/.gnutls.new.1938 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnutls"

Fri Jan 21 01:25:08 2022 rev:133 rq:947394 version:3.7.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes	2021-12-02 02:13:43.894941314 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1938/gnutls.changes	2022-01-21 01:25:23.294600323 +0100
@@ -1,0 +2,122 @@ +Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal <[email protected]> + +- Update to 3.7.3: [bsc#1190698, bsc#1190796] + * libgnutls: The allowlisting configuration mode has been added + to the system-wide settings. In this mode, all the algorithms + are initially marked as insecure or disabled, while the + applications can re-enable them either through the [overrides] + section of the configuration file or the new API (#1172). + * The build infrastructure no longer depends on GNU AutoGen for + generating command-line option handling, template file parsing + in certtool, and documentation generation (#773, #774). This + change also removes run-time or bundled dependency on the + libopts library, and requires Python 3.6 or later to regenerate + the distribution tarball. Note that this brings in known backward + incompatibility in command-line tools, such as long options are + now case sensitive, while previously they were treated in a case + insensitive manner: for example --RSA is no longer a valid option + of certtool. The existing scripts using GnuTLS tools may need + adjustment for this change. + * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded + and used as a gnutls_privkey_t (#594). The code was originally written + for the OpenConnect VPN project by David Woodhouse. To generate such + blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: + https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations + or the tpm2_encodeobject tool from unreleased tpm2-tools. + * libgnutls: The library now transparently enables Linux KTLS (kernel + TLS) when the feature is compiled in with --enable-ktls configuration + option (#1113). If the KTLS initialization fails it automatically falls + back to the user space implementation. + * certtool: The certtool command can now read the Certificate Transparency + (RFC 6962) SCT extension (#232). New API functions are also provided to + access and manipulate the extension values. 
+ * certtool: The certtool command can now generate, manipulate, and evaluate + x25519 and x448 public keys, private keys, and certificates. + * libgnutls: Disabling a hashing algorithm through "insecure-hash" + configuration directive now also disables TLS ciphersuites that use it + as a PRF algorithm. + * libgnutls: PKCS#12 files are now created with modern algorithms by default + (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and + HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with + PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the + default PBKDF2 iteration count has been increased to 600000. + * libgnutls: PKCS#12 keys derived using GOST algorithm now uses + HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, + to conform with the latest TC-26 requirements (#1225). + * libgnutls: The library now provides a means to report the status + of approved cryptographic operations (!1465). To adhere to the + FIPS140-3 IG 2.4.C., this complements the existing mechanism to + prohibit the use of unapproved algorithms by making the library + unusable state. + * gnutls-cli: The gnutls-cli command now provides a --list-config + option to print the library configuration (!1508). + * libgnutls: Fixed possible race condition in + gnutls_x509_trust_list_verify_crt2 when a single trust list object + is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17, + CVSS: low] + * API and ABI modifications: + GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in + gnutls_privkey_flags_t + GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in + gnutls_certificate_verify_flags + gnutls_ecc_curve_set_enabled: Added. + gnutls_sign_set_secure: Added. + gnutls_sign_set_secure_for_certs: Added. + gnutls_digest_set_secure: Added. + gnutls_protocol_set_enabled: Added. 
+ gnutls_fips140_context_init: New function + gnutls_fips140_context_deinit: New function + gnutls_fips140_push_context: New function + gnutls_fips140_pop_context: New function + gnutls_fips140_get_operation_state: New function + gnutls_fips140_operation_state_t: New enum + gnutls_transport_is_ktls_enabled: New function + gnutls_get_library_configuration: New function + * Remove patches fixed in the update: + - gnutls-FIPS-module-version.patch + - gnutls-FIPS-service-indicator.patch + - gnutls-FIPS-service-indicator-public-key.patch + - gnutls-FIPS-service-indicator-symmetric-key.patch + - gnutls-FIPS-RSA-PSS-flags.patch + - gnutls-FIPS-RSA-mod-sizes.patch + +------------------------------------------------------------------- +Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal <[email protected]> + +- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468] + * Remove patches: + - gnutls-temporarily_disable_broken_guile_reauth_test.patch + - disable-psk-file-test.patch + +------------------------------------------------------------------- +Mon Jan 17 12:37:02 UTC 2022 - Pedro Monreal <[email protected]> + +- FIPS: Provide module identifier and version [bsc#1190796] + * Add configurable options to output the module name/identifier + (--with-fips140-module-name) and the module version + (--with-fips140-module-version). + * Add the CLI option list-config that reports the configuration + of the library. 
+ * Add gnutls-FIPS-module-version.patch + +------------------------------------------------------------------- +Wed Dec 22 18:56:24 UTC 2021 - Pedro Monreal <[email protected]> + +- FIPS: Provide a service-level indicator [bsc#1190698] + * Add support for a "service indicator" as required in + the FIPS140-3 Implementation Guidance in section 2.4.C + * Add patches: + - gnutls-FIPS-service-indicator.patch + - gnutls-FIPS-service-indicator-public-key.patch + - gnutls-FIPS-service-indicator-symmetric-key.patch + - gnutls-FIPS-RSA-PSS-flags.patch + +------------------------------------------------------------------- +Thu Dec 16 12:35:46 UTC 2021 - Pedro Monreal <[email protected]> + +- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008] + * fips: allow more RSA modulus sizes + * Add gnutls-FIPS-RSA-mod-sizes.patch + * Delete gnutls-3.6.7-fips-rsa-4096.patch + +------------------------------------------------------------------- @@ -7,0 +130,12 @@ + +------------------------------------------------------------------- +Fri Oct 15 11:03:53 UTC 2021 - Pedro Monreal <[email protected]> + +- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287] +- Add DANE guards + +------------------------------------------------------------------- +Wed Jul 21 10:21:46 UTC 2021 - Pedro Monreal <[email protected]> + +- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch + since its already working. Old: ---- gnutls-3.7.2.tar.xz gnutls-3.7.2.tar.xz.sig gnutls-temporarily_disable_broken_guile_reauth_test.patch New: ---- gnutls-3.7.3.tar.xz gnutls-3.7.3.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.sqJPbw/_old 2022-01-21 01:25:24.082594922 +0100 +++ /var/tmp/diff_new_pack.sqJPbw/_new 2022-01-21 01:25:24.086594894 +0100 
@@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,7 +34,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.7.2 +Version: 3.7.3 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -46,8 +46,7 @@ Source3: baselibs.conf Patch0: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.6.6-set_guile_site_dir.patch -Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch -Patch3: gnutls-FIPS-TLS_KDF_selftest.patch +Patch2: gnutls-FIPS-TLS_KDF_selftest.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -89,7 +88,8 @@ %if %{with guile} BuildRequires: guile-devel %endif -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +BuildRequires: crypto-policies Requires: crypto-policies %endif @@ -100,13 +100,13 @@ %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library -# install libopenssl and libopenssl-hmac close together (bsc#1090765) License: LGPL-2.1-or-later Group: System/Libraries -%if 0%{?suse_version} && ! 0%{?sle_version} +# install libgnutls and libgnutls-hmac close together (bsc#1090765) +Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif -Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport 
@@ -122,6 +122,7 @@ %description -n libgnutls%{gnutls_sover}-hmac FIPS SHA256 checksums of the libgnutls library. +%if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later @@ -131,12 +132,13 @@ The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. +%endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif @@ -149,7 +151,7 @@ Summary: Development package for the GnuTLS C API License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif Requires: glibc-devel @@ -161,6 +163,7 @@ %description -n libgnutls-devel Files needed for software development using gnutls. +%if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later @@ -169,6 +172,7 @@ %description -n libgnutls-dane-devel Files needed for software development using gnutls. +%endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API @@ -223,7 +227,14 @@ %else --disable-libdane \ %endif +%if %{with guile} + --enable-guile \ +%else + --disable-guile \ +%endif --enable-fips140-mode \ + --with-fips140-module-name="GnuTLS version" \ + --with-fips140-module-version="%{version}-%{release}" \ %{nil} make %{?_smp_mflags} 
@@ -255,7 +266,7 @@ %check %if ! 0%{?qemu_user_space_build} -#make %%{?_smp_mflags} check || { +# export GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 ++++++ gnutls-3.7.2.tar.xz -> gnutls-3.7.3.tar.xz ++++++ ++++ 247039 lines of diff (skipped)
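Review bot: typo in the changelog hunk `@@ -1,0 +2,122 @@`, Jan 18 15:59 entry, PKCS#12 item: "HMAC-SHA1 as an integity measure" should read "integrity measure". The same entry lists six gnutls-FIPS-*.patch files under "Remove patches fixed in the update", but the old spec in this request only carried Patch0 through Patch3, so the only patch actually dropped from the spec here is gnutls-temporarily_disable_broken_guile_reauth_test.patch; a short note that the FIPS patches only ever lived in the devel project would spare the reader that cross-check.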
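Review bot: the changelog hunk `@@ -7,0 +130,12 @@` adds a Jul 21 2021 entry saying gnutls-temporarily_disable_broken_guile_reauth_test.patch was removed "since its already working", yet the old spec in this diff still lists it as Patch2 and the Jan 18 14:41 entry removes it a second time. One of the two entries is misleading; either drop the Jul 21 entry or reword it to say the removal did not land in Factory at the time (and fix "its" to "it's").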
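Review bot: in the spec hunk `@@ -46,8 +46,7 @@`, `BuildRequires: autogen` is kept, although the 3.7.3 changelog entry in this same request states that the build infrastructure no longer depends on GNU AutoGen and that regenerating the tarball now needs Python 3.6 or later. Drop `BuildRequires: autogen`, and if the build regenerates the option handling, add the python3 BuildRequires in its place.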
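Review bot: in the spec hunk `@@ -89,7 +88,8 @@` the condition `%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400` is introduced, and the same literal is then copy-pasted into three more hunks (libgnutls, libgnutlsxx and libgnutls-devel). Express it once next to the other bconds at the top of the spec, e.g. `%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400` / `%bcond_without crypto_policies` / `%endif`, and test `%{with crypto_policies}` in the four places, so the next threshold change cannot miss one of them.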
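Review bot: the new `%if %{with dane}` guards in hunks `@@ -122,6 +122,7 @@` through `@@ -169,6 +172,7 @@` cover the %package and %description sections of libgnutls-dane%{gnutls_dane_sover} and libgnutls-dane-devel, but the %files sections for those two packages are not in this diff. Since `--without dane` passes `--disable-libdane` to configure (visible in hunk `@@ -223,7 +227,14 @@`), unguarded %files lists for them would fail the build with missing files; confirm they sit inside the same conditional.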
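Review bot: in hunk `@@ -223,7 +227,14 @@`, `--with-fips140-module-name="GnuTLS version"` makes the word "version" part of the module name; where the name is shown next to the module version this reads "GnuTLS version 3.7.3-0", which may be intended, but a plain "GnuTLS" is the more conventional module name. Either way, add a one-line comment above the configure call pointing at bsc#1190796 so the reason for the hard-coded name/version pair is visible in the spec.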
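Review bot: in hunk `@@ -255,7 +266,7 @@` the `%check` section still exercises the test suite only in non-FIPS mode: `# export GNUTLS_FORCE_FIPS_MODE=1` is left commented out, even though the Jan 18 14:41 changelog entry says the regression tests were fixed in both fips and non-fips mode (bsc#1194468). Either run `make check` a second time with GNUTLS_FORCE_FIPS_MODE=1 exported, or leave a comment stating why the FIPS run stays disabled, so the self-tests and the new service indicator are actually exercised at build time.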
