Hello community,

here is the log from the commit of package gnutls for openSUSE:Leap:15.2 
checked in at 2020-04-30 18:51:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/gnutls (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnutls"

Thu Apr 30 18:51:15 2020 rev:47 rq:797230 version:3.6.7

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/gnutls/gnutls.changes  2020-04-22 
14:13:15.354536080 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738/gnutls.changes        
2020-04-30 18:51:22.900590631 +0200
@@ -1,0 +2,6 @@
+Tue Apr 21 13:52:11 UTC 2020 - Vítězslav Čížek <[email protected]>
+
+- Don't check for /etc/system-fips which we don't have (bsc#1169992)
+  * add gnutls-fips_mode_enabled.patch
+
+-------------------------------------------------------------------

New:
----
  gnutls-fips_mode_enabled.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.Cim4iC/_old  2020-04-30 18:51:23.620592166 +0200
+++ /var/tmp/diff_new_pack.Cim4iC/_new  2020-04-30 18:51:23.624592175 +0200
@@ -47,6 +47,7 @@
 Patch7:         gnutls-CVE-2020-11501.patch
 Patch8:         0001-Vendor-in-XTS-functionality-from-Nettle.patch
 Patch9:         gnutls-fips_XTS_key_check.patch
+Patch10:        gnutls-fips_mode_enabled.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -190,6 +191,7 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1


++++++ gnutls-fips_mode_enabled.patch ++++++
Index: gnutls-3.6.7/lib/fips.c
===================================================================
--- gnutls-3.6.7.orig/lib/fips.c        2020-04-07 11:11:54.490109339 +0200
+++ gnutls-3.6.7/lib/fips.c     2020-04-21 14:54:51.262199739 +0200
@@ -38,7 +38,6 @@ unsigned int _gnutls_lib_state = LIB_STA
 #include <dlfcn.h>
 
 #define FIPS_KERNEL_FILE "/proc/sys/crypto/fips_enabled"
-#define FIPS_SYSTEM_FILE "/etc/system-fips"
 
 /* We provide a per-thread FIPS-mode so that an application
  * can use gnutls_fips140_set_mode() to override a specific
@@ -53,7 +52,7 @@ static int _skip_integrity_checks = 0;
  */
 unsigned _gnutls_fips_mode_enabled(void)
 {
-       unsigned f1p = 0, f2p;
+       unsigned f1p = 0;
        FILE* fd;
        const char *p;
        unsigned ret;
@@ -80,7 +79,7 @@ unsigned _gnutls_fips_mode_enabled(void)
        p = secure_getenv("GNUTLS_FORCE_FIPS_MODE");
        if (p) {
                if (p[0] == '1')
-                       ret = 1;
+                       ret = GNUTLS_FIPS140_STRICT;
                else if (p[0] == '2')
                        ret = GNUTLS_FIPS140_SELFTESTS;
                else if (p[0] == '3')
@@ -102,22 +101,12 @@ unsigned _gnutls_fips_mode_enabled(void)
                else f1p = 0;
        }
 
-       f2p = !access(FIPS_SYSTEM_FILE, F_OK);
-
-       if (f1p != 0 && f2p != 0) {
+       if (f1p != 0) {
                _gnutls_debug_log("FIPS140-2 mode enabled\n");
                ret = GNUTLS_FIPS140_STRICT;
                goto exit;
        }
 
-       if (f2p != 0) {
-               /* a funny state where self tests are performed
-                * and ignored */
-               _gnutls_debug_log("FIPS140-2 ZOMBIE mode enabled\n");
-               ret = GNUTLS_FIPS140_SELFTESTS;
-               goto exit;
-       }
-
        ret = GNUTLS_FIPS140_DISABLED;
        goto exit;
 
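Review bot: With the /etc/system-fips test removed, `if (f1p != 0)` makes the kernel flag in /proc/sys/crypto/fips_enabled the only automatic trigger for GNUTLS_FIPS140_STRICT, and GNUTLS_FIPS140_SELFTESTS is now reachable only through GNUTLS_FORCE_FIPS_MODE=2, yet nothing in the code records this downstream deviation. I would add a comment above the test, for example `/* downstream: /etc/system-fips is not shipped (bsc#1169992); the kernel flag alone selects strict mode */`. The body and header comment of _gnutls_fips_mode_enabled start and end outside this hunk, so the header comment may still describe the two-file check and should be read against this change. It is also worth confirming that every host booted with the kernel flag has the library's integrity-check files installed, since strict mode presumably enforces the self-tests that the removed branch described as performed and ignored.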

