Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2023-08-23 14:56:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Wed Aug 23 14:56:48 2023 rev:150 rq:1105301 version:3.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2023-05-30 22:01:44.934765061 +0200 +++ /work/SRC/openSUSE:Factory/.gnutls.new.1766/gnutls.changes 2023-08-23 14:56:59.757923832 +0200 
@@ -1,0 +2,61 @@
+Tue Aug 22 15:00:57 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Fix missing GNUTLS_NO_EXTENSIONS compatibility.
+ * Upstream: gitlab.com/gnutls/gnutls/commit/abfa8634
+ * Add gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch
+
+-------------------------------------------------------------------
+Mon Aug 21 09:33:40 UTC 2023 - Pedro Monreal <[email protected]>
+
+- tests: Fix the SRP test that fails with SIGPIPE signal return due
+ to a socket being closed before using it.
+ * Add gnutls-srp-test-SIGPIPE.patch
+
+-------------------------------------------------------------------
+Mon Aug 7 07:51:59 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Update to version 3.8.1:
+ * libgnutls: ClientHello extensions are randomized by default
+ To make fingerprinting harder, TLS extensions in ClientHello
+ messages are shuffled. As this behavior may cause compatibility
+ issue with legacy applications that do not accept the last
+ extension without payload, the behavior can be reverted with the
+ %NO_SHUFFLE_EXTENSIONS priority keyword.
+ * libgnutls: Add support for RFC 9258 external PSK importer.
+ This enables to deploy the same PSK across multiple TLS versions
+ (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
+ needs to set up a callback that formats the PSK identity using
+ gnutls_psk_format_imported_identity().
+ * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
+ %GNUTLS_NO_DEFAULT_EXTENSIONS.
+ * libgnutls: Add additional PBKDF limit checks in FIPS mode as
+ defined in SP 800-132. Minimum salt length is 128 bits and
+ minimum iterations bound is 1000 for PBKDF in FIPS mode.
+ * libgnutls: Add a mechanism to control whether to enforce extended
+ master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
+ session hash (extended master secret, EMS) in TLS 1.2. To enforce
+ this, a new priority keyword %FORCE_SESSION_HASH is added and if
+ it is set and EMS is not set, the peer aborts the connection. This
+ behavior is the default in FIPS mode, though it can be overridden
+ through the configuration file with the "tls-session-hash" option.
+ In either case non-EMS PRF is reported as a non-approved operation
+ through the FIPS service indicator.
+ * New option --attime to specify current time.
+ To make testing with different timestamp to the system easier, the
+ tools doing certificate verification now provide a new option
+ --attime, which takes an arbitrary time.
+ * API and ABI modifications:
+ gnutls_psk_client_credentials_function3: New typedef
+ gnutls_psk_server_credentials_function3: New typedef
+ gnutls_psk_set_server_credentials_function3: New function
+ gnutls_psk_set_client_credentials_function3: New function
+ gnutls_psk_format_imported_identity: New function
+ GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags
+ * Rebase patches:
+ - gnutls-FIPS-140-3-references.patch
+ - gnutls-FIPS-jitterentropy.patch
+ * Remove patches merged/fixed upstream:
+ - gnutls-FIPS-PCT-DH.patch
+ - gnutls-FIPS-PCT-ECDH.patch
+
+-------------------------------------------------------------------
Old: ---- gnutls-3.8.0.tar.xz gnutls-3.8.0.tar.xz.sig gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch New: ---- gnutls-3.8.1.tar.xz gnutls-3.8.1.tar.xz.sig gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch gnutls-srp-test-SIGPIPE.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.zTDfsa/_old 2023-08-23 14:57:03.581930668 +0200
+++ /var/tmp/diff_new_pack.zTDfsa/_new 2023-08-23 14:57:03.589930682 +0200
@@ -40,7 +40,7 @@
 %endif
 %bcond_with tpm
 Name: gnutls
-Version: 3.8.0
+Version: 3.8.1
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -56,17 +56,18 @@
 Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
 Patch2: gnutls-disable-flaky-test-dtls-resume.patch
+# PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE
+Patch3: gnutls-srp-test-SIGPIPE.patch
+# PATCH-FIX-OPENSUSE Fix missing GNUTLS_NO_EXTENSIONS compatibility
+Patch4: gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch
 # FIPS 140-3 patches:
-#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
-Patch100: gnutls-FIPS-PCT-DH.patch
-Patch101: gnutls-FIPS-PCT-ECDH.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
-Patch102: gnutls-FIPS-140-3-references.patch
+Patch100: gnutls-FIPS-140-3-references.patch
 #PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
-Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+Patch101: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch104: gnutls-FIPS-jitterentropy.patch
+Patch102: gnutls-FIPS-jitterentropy.patch
 %endif
 BuildRequires: autogen
 BuildRequires: automake
++++++ gnutls-3.8.0.tar.xz -> gnutls-3.8.1.tar.xz ++++++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.8.0.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new.1766/gnutls-3.8.1.tar.xz differ: char 26, line 1
++++++ gnutls-FIPS-140-3-references.patch ++++++
++++ 1334 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
++++ and /work/SRC/openSUSE:Factory/.gnutls.new.1766/gnutls-FIPS-140-3-references.patch
++++++ gnutls-FIPS-jitterentropy.patch ++++++
--- /var/tmp/diff_new_pack.zTDfsa/_old 2023-08-23 14:57:03.725930926 +0200
+++ /var/tmp/diff_new_pack.zTDfsa/_new 2023-08-23 14:57:03.733930940 +0200
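Review bot: Patch3 and Patch4 are declared here, but this hunk does not show how %prep applies them; if the spec uses explicit `%patch` calls rather than `%autosetup`/`%autopatch`, the two new entries and the renumbering Patch102→Patch100, Patch103→Patch101 and Patch104→Patch102 each need a matching change there, which cannot be confirmed from this hunk. Renumbering the surviving FIPS patches to close the gap left by the removed PCT patches also churns three otherwise unchanged lines (and their bsc# comments) for no functional gain; keeping the existing numbers and reusing 100/101 for a future patch would keep the diff to the two additions.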
@@ -1,7 +1,7 @@ -Index: gnutls-3.8.0/lib/nettle/sysrng-linux.c +Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c =================================================================== ---- gnutls-3.8.0.orig/lib/nettle/sysrng-linux.c -+++ gnutls-3.8.0/lib/nettle/sysrng-linux.c +--- gnutls-3.8.1.orig/lib/nettle/sysrng-linux.c ++++ gnutls-3.8.1/lib/nettle/sysrng-linux.c @@ -49,6 +49,15 @@ get_entropy_func _rnd_get_system_entropy = NULL; @@ -15,12 +15,12 @@ +/* Declare function to fix a missing-prototypes compilation warning */ +void FIPS_jent_entropy_deinit(void); +# endif - # ifdef HAVE_GETRANDOM - # include <sys/random.h> - # else -@@ -67,6 +76,101 @@ static ssize_t _getrandom0(void *buf, si - # endif - # endif + #ifdef HAVE_GETRANDOM + #include <sys/random.h> + #else +@@ -68,6 +77,101 @@ static ssize_t _getrandom0(void *buf, si + #endif + #endif +# if defined(ENABLE_FIPS140) +# if defined(HAVE_JENT) @@ -120,7 +120,7 @@ static unsigned have_getrandom(void) { char c; -@@ -162,6 +266,24 @@ int _rnd_system_entropy_init(void) +@@ -163,6 +267,24 @@ int _rnd_system_entropy_init(void) int urandom_fd; #if defined(__linux__) @@ -145,7 +145,7 @@ /* Enable getrandom() usage if available */ if (have_getrandom()) { _rnd_get_system_entropy = _rnd_get_system_entropy_getrandom; -@@ -192,5 +314,12 @@ int _rnd_system_entropy_init(void) +@@ -193,5 +315,12 @@ int _rnd_system_entropy_init(void) void _rnd_system_entropy_deinit(void) { /* A no-op now when we open and close /dev/urandom every time */ 
@@ -158,11 +158,11 @@ +#endif return; } -Index: gnutls-3.8.0/lib/nettle/Makefile.in +Index: gnutls-3.8.1/lib/nettle/Makefile.in =================================================================== ---- gnutls-3.8.0.orig/lib/nettle/Makefile.in -+++ gnutls-3.8.0/lib/nettle/Makefile.in -@@ -399,7 +399,7 @@ am__v_CC_1 = +--- gnutls-3.8.1.orig/lib/nettle/Makefile.in ++++ gnutls-3.8.1/lib/nettle/Makefile.in +@@ -402,7 +402,7 @@ am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ @@ -171,10 +171,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; -Index: gnutls-3.8.0/lib/nettle/Makefile.am +Index: gnutls-3.8.1/lib/nettle/Makefile.am =================================================================== ---- gnutls-3.8.0.orig/lib/nettle/Makefile.am -+++ gnutls-3.8.0/lib/nettle/Makefile.am +--- gnutls-3.8.1.orig/lib/nettle/Makefile.am ++++ gnutls-3.8.1/lib/nettle/Makefile.am @@ -20,7 +20,7 @@ include $(top_srcdir)/lib/common.mk @@ -184,10 +184,10 @@ AM_CPPFLAGS = \ -I$(srcdir)/int \ -Index: gnutls-3.8.0/lib/nettle/rnd-fips.c +Index: gnutls-3.8.1/lib/nettle/rnd-fips.c =================================================================== ---- gnutls-3.8.0.orig/lib/nettle/rnd-fips.c -+++ gnutls-3.8.0/lib/nettle/rnd-fips.c +--- gnutls-3.8.1.orig/lib/nettle/rnd-fips.c ++++ gnutls-3.8.1/lib/nettle/rnd-fips.c @@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc uint8_t buffer[DRBG_AES_SEED_SIZE]; int ret; 
@@ -210,10 +210,10 @@ ret = get_entropy(fctx, buffer, sizeof(buffer)); if (ret < 0) { _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -Index: gnutls-3.8.0/tests/Makefile.am +Index: gnutls-3.8.1/tests/Makefile.am =================================================================== ---- gnutls-3.8.0.orig/tests/Makefile.am -+++ gnutls-3.8.0/tests/Makefile.am +--- gnutls-3.8.1.orig/tests/Makefile.am ++++ gnutls-3.8.1/tests/Makefile.am @@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \ keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
++++++ gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch ++++++
>From abfa8634db940115a11a07596ce53c8f9c4f87d2 Mon Sep 17 00:00:00 2001
From: Adrian Bunk <[email protected]>
Date: Sun, 6 Aug 2023 22:46:22 +0300
Subject: [PATCH] Move the GNUTLS_NO_EXTENSIONS compatibility #define to gnutls.h
Signed-off-by: Adrian Bunk <[email protected]>
---
 lib/ext/ext_master_secret.h | 3 ---
 lib/includes/gnutls/gnutls.h.in | 3 +++
 lib/state.h | 3 ---
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/lib/ext/ext_master_secret.h b/lib/ext/ext_master_secret.h
index 45d38178bd..419335b4e3 100644
--- a/lib/ext/ext_master_secret.h
+++ b/lib/ext/ext_master_secret.h
@@ -23,9 +23,6 @@
 #ifndef GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
 #define GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
-/* Keep backward compatibility */
-#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
-
 #include <hello_ext.h>
 extern const hello_ext_entry_st ext_mod_ext_master_secret;
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index ec132cb5c3..fc64c7a228 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -542,6 +542,9 @@ typedef enum {
 #define GNUTLS_ENABLE_CERT_TYPE_NEG 0 // Here for compatibility reasons
+/* Keep backward compatibility */
+#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
+
 /**
 * gnutls_alert_level_t:
 * @GNUTLS_AL_WARNING: Alert of warning severity.
diff --git a/lib/state.h b/lib/state.h
index dc086bcf0d..975ceee3a7 100644
--- a/lib/state.h
+++ b/lib/state.h
@@ -110,7 +110,4 @@ inline static int _gnutls_PRF(gnutls_session_t session, const uint8_t *secret,
 #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509
-/* Keep backward compatibility */
-#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
-
 #endif /* GNUTLS_LIB_STATE_H */
-- GitLab
++++++ gnutls-srp-test-SIGPIPE.patch ++++++
Index: gnutls-3.8.1/tests/srp.c
===================================================================
--- gnutls-3.8.1.orig/tests/srp.c
+++ gnutls-3.8.1/tests/srp.c
@@ -287,7 +289,7 @@ static void start(const char *name, cons
 if (child) {
 int status;
 /* parent */
-close(fd[0]);
+/* close(fd[0]); */
 client(fd[1], prio, user, pass, exp_err);
 if (exp_err < 0) {
 kill(child, SIGTERM);
@@ -297,7 +299,7 @@ static void start(const char *name, cons
 check_wait_status(status);
 }
 } else {
-close(fd[1]);
+/* close(fd[1]); */
 server(fd[0], prio);
 exit(0);
 }
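Review bot: `/* Keep backward compatibility */` now lands in the public gnutls.h, where the neighbouring definitions carry gtk-doc style comments, so the comment should tell an application author what they need to know: that GNUTLS_NO_EXTENSIONS is the pre-3.8.1 name kept only as an alias and which name replaces it, e.g. `/* Deprecated alias kept for source compatibility with code written against versions before 3.8.1; new code should use GNUTLS_NO_DEFAULT_EXTENSIONS. */`. The same one-line comment is dropped from the two internal headers in the other hunks, so nothing else in lib/ documents the alias once this lands.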
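Review bot: Commenting out `close(fd[0])` in the parent and `close(fd[1])` in the child masks the SIGPIPE rather than fixing it: each process now keeps the peer end of its own socketpair open, so a write can no longer fail with EPIPE, but for the same reason neither side can ever observe EOF when the other exits early, and a failure that used to kill the test with SIGPIPE can now block the writer until the harness times out. Keeping both close() calls and ignoring the signal in the test's setup, `signal(SIGPIPE, SIG_IGN);` before the fork, lets the failing write return EPIPE so the test fails with a diagnostic instead of a signal. The hunk headers are also offset by two (`-287,7 +289,7` and `-297,7 +299,7`) although no hunk in this patch adds lines earlier in srp.c, which suggests it was generated against an already modified tree; regenerating it avoids applying with offset. The enclosing `start()` begins and ends outside the hunks.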
