commit gnutls for openSUSE:Leap:15.2:Update

2020-10-26 Thread root
Hello community,

here is the log from the commit of package gnutls for openSUSE:Leap:15.2:Update 
checked in at 2020-10-26 10:22:11

Comparing /work/SRC/openSUSE:Leap:15.2:Update/gnutls (Old)
 and  /work/SRC/openSUSE:Leap:15.2:Update/.gnutls.new.3463 (New)


Package is "gnutls"

Mon Oct 26 10:22:11 2020 rev:1 rq:843553 version:unknown

Changes:

New Changes file:

NO CHANGES FILE!!!

New:

  _link



Other differences:
--
++ _link ++




commit gnutls for openSUSE:Leap:15.2

2020-06-10 Thread root
Hello community,

here is the log from the commit of package gnutls for openSUSE:Leap:15.2 
checked in at 2020-06-10 16:49:53

Comparing /work/SRC/openSUSE:Leap:15.2/gnutls (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.gnutls.new.3606 (New)


Package is "gnutls"

Wed Jun 10 16:49:53 2020 rev:49 rq:813046 version:3.6.7

Changes:

--- /work/SRC/openSUSE:Leap:15.2/gnutls/gnutls.changes  2020-05-19 
14:08:37.815016057 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.gnutls.new.3606/gnutls.changes
2020-06-10 16:50:00.492377105 +0200
@@ -1,0 +2,18 @@
+Thu Jun  4 12:11:08 UTC 2020 - Vítězslav Čížek 
+
+- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction)
+  The TLS server would not bind the session ticket encryption key with a
+  value supplied by the application until the initial key rotation, allowing
+  attacker to bypass authentication in TLS 1.3 and recover previous
+  conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
+  * add patches:
++ gnutls-CVE-2020-13777.patch
+- Fixed handling of certificate chain with cross-signed intermediate
+  CA certificates (#1008). (bsc#1172461)
+  * add patches:
++  0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
++  0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
++  0003-x509-trigger-fallback-verification-path-when-cert-is.patch
++  0004-tests-add-test-case-for-certificate-chain-supersedin.patch
+
+---
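Review bot: the patch list in the new entry is indented inconsistently: `++ gnutls-CVE-2020-13777.patch` has one space after `++` while the four `0001-` to `0004-` lines have two; align them, and `allowing attacker to bypass` wants an article (`allowing an attacker`).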

New:

  0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
  0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
  0003-x509-trigger-fallback-verification-path-when-cert-is.patch
  0004-tests-add-test-case-for-certificate-chain-supersedin.patch
  gnutls-CVE-2020-13777.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.dzxF0D/_old  2020-06-10 16:50:01.052378730 +0200
+++ /var/tmp/diff_new_pack.dzxF0D/_new  2020-06-10 16:50:01.056378741 +0200
@@ -49,6 +49,12 @@
 Patch9: gnutls-fips_XTS_key_check.patch
 Patch10:gnutls-fips_mode_enabled.patch
 Patch11:gnutls-3.6.7-fips-rsa-4096.patch
+Patch12:gnutls-CVE-2020-13777.patch
+# PATCH-FIX-UPSTREAM bsc#1172461
+Patch13:0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
+Patch14:0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
+Patch15:0003-x509-trigger-fallback-verification-path-when-cert-is.patch
+Patch16:0004-tests-add-test-case-for-certificate-chain-supersedin.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
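Review bot: Patch12 has no `# PATCH-FIX-UPSTREAM` line, while Patch13 to Patch16 share one for bsc#1172461; add `# PATCH-FIX-UPSTREAM bsc#1172506 CVE-2020-13777` above `Patch12:gnutls-CVE-2020-13777.patch` so the security fix is traceable from the spec as well as from the changes file.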
@@ -194,6 +200,11 @@
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1
@@ -262,6 +273,9 @@
 %find_lang libgnutls --all-name
 
 %check
+# created by 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch,
+# but without the executable permissions
+chmod a+x tests/server-weak-keys.sh
 %if ! 0%{?qemu_user_space_build}
 make %{?_smp_mflags} check || {
 find -name test-suite.log -print -exec cat {} +
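Review bot: the `chmod a+x tests/server-weak-keys.sh` workaround is better placed in %prep directly after `%patch13 -p1`, the patch that creates the file, than in %check: there it sits next to what it fixes and goes away together with the patch, and the comment can refer to it as Patch13 instead of by its full file name. The chmod itself is needed because patch(1) ignores the `create mode 100755` recorded in the git header.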

++ 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch ++
From 1abb4298398ec6a942dc77384a19b3e3a2392341 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos 
Date: Thu, 19 Dec 2019 09:37:34 +0100
Subject: [PATCH] _gnutls_verify_crt_status: apply algorithm checks to trusted
 CAs

If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected
level. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise.

Resolves: #877

Signed-off-by: Nikos Mavrogiannopoulos 
---
 NEWS  |  5 +++
 lib/x509/verify.c | 68 ++--
 tests/Makefile.am |  5 +--
 tests/certs/rsa-512.pem   | 20 +++
 tests/server-weak-keys.sh | 72 +++
 tests/test-chains.h   | 18 +-
 6 files changed, 160 insertions(+), 28 deletions(-)
 create mode 100644 tests/certs/rsa-512.pem
 create mode 100755 tests/server-weak-keys.sh

Index: gnutls-3.6.7/lib/x509/verify.c
===
--- gnutls-3.6.7.orig/lib/x509/verify.c 2020-06-05 11:45:24.359554720 +0200
+++ gnutls-3.6.7/lib/x509/verify.c  2020-06-05 11:45:38.007648125 +0200
@@ -855,6 +855,36 @@ gnutls_x509_crt_check_issuer(gnutls_x509
return is_issuer(cert, issuer);
 }
 
+static
+unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
+time_t now, unsigned int flags)
+{
+   unsigned int status = 

commit gnutls for openSUSE:Leap:15.2

2020-05-19 Thread root
Hello community,

here is the log from the commit of package gnutls for openSUSE:Leap:15.2 
checked in at 2020-05-19 14:08:02

Comparing /work/SRC/openSUSE:Leap:15.2/gnutls (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738 (New)


Package is "gnutls"

Tue May 19 14:08:02 2020 rev:48 rq:805966 version:3.6.7

Changes:

--- /work/SRC/openSUSE:Leap:15.2/gnutls/gnutls.changes  2020-04-30 
18:51:22.900590631 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738/gnutls.changes
2020-05-19 14:08:37.815016057 +0200
@@ -1,0 +2,6 @@
+Mon May 11 06:38:58 UTC 2020 - Alexander Bergmann 
+
+- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)
+  * add gnutls-3.6.7-fips-rsa-4096.patch
+
+---

New:

  gnutls-3.6.7-fips-rsa-4096.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.2UPXeS/_old  2020-05-19 14:08:38.307017013 +0200
+++ /var/tmp/diff_new_pack.2UPXeS/_new  2020-05-19 14:08:38.307017013 +0200
@@ -48,6 +48,7 @@
 Patch8: 0001-Vendor-in-XTS-functionality-from-Nettle.patch
 Patch9: gnutls-fips_XTS_key_check.patch
 Patch10:gnutls-fips_mode_enabled.patch
+Patch11:gnutls-3.6.7-fips-rsa-4096.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -192,6 +193,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1

++ gnutls-3.6.7-fips-rsa-4096.patch ++
diff -Nurp gnutls-3.6.7-orig/lib/nettle/int/rsa-keygen-fips186.c 
gnutls-3.6.7/lib/nettle/int/rsa-keygen-fips186.c
--- gnutls-3.6.7-orig/lib/nettle/int/rsa-keygen-fips186.c   2019-01-05 
12:28:47.0 +0100
+++ gnutls-3.6.7/lib/nettle/int/rsa-keygen-fips186.c2020-05-08 
23:39:04.206472627 +0200
@@ -269,7 +269,8 @@ _rsa_generate_fips186_4_keypair(struct r
 
FIPS_RULE(n_size == 2048 && seed_length != 14 * 2, 0, "seed length 
other than 28 bytes\n");
FIPS_RULE(n_size == 3072 && seed_length != 16 * 2, 0, "seed length 
other than 32 bytes\n");
-   FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "unsupported size for 
modulus\n");
+   FIPS_RULE(n_size == 4096 && seed_length != 24 * 2, 0, "seed length 
other than 48 bytes\n");
+   FIPS_RULE(n_size != 2048 && n_size != 3072 && n_size != 4096, 0, 
"unsupported size for modulus\n");
 
if (!mpz_tstbit(pub->e, 0)) {
_gnutls_debug_log("Unacceptable e (it is even)\n");
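Review bot: the new seed rule follows the pattern of the 2048 (28-byte) and 3072 (32-byte) rules, but the 48-byte figure for 4096 has no source in the hunk: the original code rejected every modulus size other than 2048 and 3072, the two sizes FIPS 186-4 enumerates for key generation, so the changes entry for bsc#1171422 should state where the 4096/48-byte pairing comes from.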
@@ -407,7 +408,7 @@ rsa_generate_fips186_4_keypair(struct rs
unsigned seed_length;
int ret;
 
-   FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other 
than 2048 or 3072\n");
+   FIPS_RULE(n_size != 2048 && n_size != 3072 && n_size != 4096, 0, "size 
of prime of other than 2048, 3072 or 4096\n");
 
seed_length = SEED_LENGTH(n_size);
if (seed_length > sizeof(seed))
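Review bot: accepting `n_size == 4096` here depends on `SEED_LENGTH(n_size)` on the unchanged line below returning 48 (the `24 * 2` the first hunk now requires) and on the `seed` buffer being at least that large; neither is touched by this patch, so verify both, otherwise the `seed_length > sizeof(seed)` guard rejects the new size before key generation starts.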





commit gnutls for openSUSE:Leap:15.2

2020-04-30 Thread root
Hello community,

here is the log from the commit of package gnutls for openSUSE:Leap:15.2 
checked in at 2020-04-30 18:51:15

Comparing /work/SRC/openSUSE:Leap:15.2/gnutls (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738 (New)


Package is "gnutls"

Thu Apr 30 18:51:15 2020 rev:47 rq:797230 version:3.6.7

Changes:

--- /work/SRC/openSUSE:Leap:15.2/gnutls/gnutls.changes  2020-04-22 
14:13:15.354536080 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738/gnutls.changes
2020-04-30 18:51:22.900590631 +0200
@@ -1,0 +2,6 @@
+Tue Apr 21 13:52:11 UTC 2020 - Vítězslav Čížek 
+
+- Don't check for /etc/system-fips which we don't have (bsc#1169992)
+  * add gnutls-fips_mode_enabled.patch
+
+---

New:

  gnutls-fips_mode_enabled.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.Cim4iC/_old  2020-04-30 18:51:23.620592166 +0200
+++ /var/tmp/diff_new_pack.Cim4iC/_new  2020-04-30 18:51:23.624592175 +0200
@@ -47,6 +47,7 @@
 Patch7: gnutls-CVE-2020-11501.patch
 Patch8: 0001-Vendor-in-XTS-functionality-from-Nettle.patch
 Patch9: gnutls-fips_XTS_key_check.patch
+Patch10:gnutls-fips_mode_enabled.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -190,6 +191,7 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1


++ gnutls-fips_mode_enabled.patch ++
Index: gnutls-3.6.7/lib/fips.c
===
--- gnutls-3.6.7.orig/lib/fips.c2020-04-07 11:11:54.490109339 +0200
+++ gnutls-3.6.7/lib/fips.c 2020-04-21 14:54:51.262199739 +0200
@@ -38,7 +38,6 @@ unsigned int _gnutls_lib_state = LIB_STA
 #include 
 
 #define FIPS_KERNEL_FILE "/proc/sys/crypto/fips_enabled"
-#define FIPS_SYSTEM_FILE "/etc/system-fips"
 
 /* We provide a per-thread FIPS-mode so that an application
  * can use gnutls_fips140_set_mode() to override a specific
@@ -53,7 +52,7 @@ static int _skip_integrity_checks = 0;
  */
 unsigned _gnutls_fips_mode_enabled(void)
 {
-   unsigned f1p = 0, f2p;
+   unsigned f1p = 0;
FILE* fd;
const char *p;
unsigned ret;
@@ -80,7 +79,7 @@ unsigned _gnutls_fips_mode_enabled(void)
p = secure_getenv("GNUTLS_FORCE_FIPS_MODE");
if (p) {
if (p[0] == '1')
-   ret = 1;
+   ret = GNUTLS_FIPS140_STRICT;
else if (p[0] == '2')
ret = GNUTLS_FIPS140_SELFTESTS;
else if (p[0] == '3')
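Review bot: changing `ret = 1` to `ret = GNUTLS_FIPS140_STRICT` is a separate cleanup from dropping /etc/system-fips and is not mentioned in the changes entry for bsc#1169992; either record it there or keep it out of this patch so the bug fix stays minimal. It is behaviour-preserving only if GNUTLS_FIPS140_STRICT is 1, which the old literal implied.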
@@ -102,22 +101,12 @@ unsigned _gnutls_fips_mode_enabled(void)
else f1p = 0;
}
 
-   f2p = !access(FIPS_SYSTEM_FILE, F_OK);
-
-   if (f1p != 0 && f2p != 0) {
+   if (f1p != 0) {
_gnutls_debug_log("FIPS140-2 mode enabled\n");
ret = GNUTLS_FIPS140_STRICT;
goto exit;
}
 
-   if (f2p != 0) {
-   /* a funny state where self tests are performed
-* and ignored */
-   _gnutls_debug_log("FIPS140-2 ZOMBIE mode enabled\n");
-   ret = GNUTLS_FIPS140_SELFTESTS;
-   goto exit;
-   }
-
ret = GNUTLS_FIPS140_DISABLED;
goto exit;
 




commit gnutls for openSUSE:Leap:15.2

2020-04-22 Thread root
Hello community,

here is the log from the commit of package gnutls for openSUSE:Leap:15.2 
checked in at 2020-04-22 14:13:14

Comparing /work/SRC/openSUSE:Leap:15.2/gnutls (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738 (New)


Package is "gnutls"

Wed Apr 22 14:13:14 2020 rev:46 rq:796011 version:3.6.7

Changes:

--- /work/SRC/openSUSE:Leap:15.2/gnutls/gnutls.changes  2020-04-14 
14:20:52.413269672 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.gnutls.new.2738/gnutls.changes
2020-04-22 14:13:15.354536080 +0200
@@ -1,0 +2,7 @@
+Tue Apr  7 09:02:49 UTC 2020 - Vítězslav Čížek 
+
+- Backport AES XTS support (bsc#1168835)
+  * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch
+  * add gnutls-fips_XTS_key_check.patch
+
+---
@@ -4,2 +11,3 @@
-- Fix zero random value in DTLS client hello (bsc#1168345)
-  * add gnutls-CVE-2020-X.patch
+- Fix zero random value in DTLS client hello
+  (CVE-2020-11501, bsc#1168345)
+  * add gnutls-CVE-2020-11501.patch

Old:

  gnutls-CVE-2020-X.patch

New:

  0001-Vendor-in-XTS-functionality-from-Nettle.patch
  gnutls-CVE-2020-11501.patch
  gnutls-fips_XTS_key_check.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.HXcV8s/_old  2020-04-22 14:13:15.898537179 +0200
+++ /var/tmp/diff_new_pack.HXcV8s/_new  2020-04-22 14:13:15.902537187 +0200
@@ -44,7 +44,9 @@
 Patch4: gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch
 Patch5: gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
 Patch6: gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-Patch7: gnutls-CVE-2020-X.patch
+Patch7: gnutls-CVE-2020-11501.patch
+Patch8: 0001-Vendor-in-XTS-functionality-from-Nettle.patch
+Patch9: gnutls-fips_XTS_key_check.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -186,6 +188,8 @@
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1

++ 0001-Vendor-in-XTS-functionality-from-Nettle.patch ++
 699 lines (skipped)


++ gnutls-CVE-2020-X.patch -> gnutls-CVE-2020-11501.patch ++

++ gnutls-fips_XTS_key_check.patch ++
Index: gnutls-3.6.7/lib/nettle/backport/xts.c
===
--- gnutls-3.6.7.orig/lib/nettle/backport/xts.c 2020-04-07 11:11:54.506109418 
+0200
+++ gnutls-3.6.7/lib/nettle/backport/xts.c  2020-04-07 16:52:48.543404370 
+0200
@@ -203,6 +203,8 @@ xts_decrypt_message(const void *dec_ctx,
 void
 xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key)
 {
+/* FIPS requires that the key and the tweak must not be non-equal */
+assert(memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) != 0);
 aes128_set_encrypt_key(_key->cipher, key);
 aes128_set_encrypt_key(_key->tweak_cipher, [AES128_KEY_SIZE]);
 }
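Review bot: the check is an `assert()`, so it is compiled out under NDEBUG and the FIPS requirement it implements is not enforced in a release build, while in a debug build a caller passing equal halves aborts the process instead of receiving an error; these setkey functions are `void`, so the check belongs in the gnutls cipher layer that calls them, where a key with identical halves can be rejected with an error code. The comment also inverts the condition: `must not be non-equal` reads as "must be equal", but `memcmp(...) != 0` requires the key and tweak halves to differ, so it should say `must not be equal`.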
@@ -210,6 +212,8 @@ xts_aes128_set_encrypt_key(struct xts_ae
 void
 xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key)
 {
+/* FIPS requires that the key and the tweak must not be non-equal */
+assert(memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) != 0);
 aes128_set_decrypt_key(_key->cipher, key);
 aes128_set_encrypt_key(_key->tweak_cipher, [AES128_KEY_SIZE]);
 }
@@ -238,6 +242,8 @@ xts_aes128_decrypt_message(struct xts_ae
 void
 xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key)
 {
+/* FIPS requires that the key and the tweak must not be non-equal */
+assert(memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) != 0);
 aes256_set_encrypt_key(_key->cipher, key);
 aes256_set_encrypt_key(_key->tweak_cipher, [AES256_KEY_SIZE]);
 }
@@ -245,6 +251,8 @@ xts_aes256_set_encrypt_key(struct xts_ae
 void
 xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key)
 {
+/* FIPS requires that the key and the tweak must not be non-equal */
+assert(memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) != 0);
 aes256_set_decrypt_key(_key->cipher, key);
 aes256_set_encrypt_key(_key->tweak_cipher, [AES256_KEY_SIZE]);
 }
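Review bot: the same two lines are pasted into four functions; a small static helper taking the key pointer and the half-key size (AES128_KEY_SIZE or AES256_KEY_SIZE) would keep the comparison and its comment in one place, so a later change to the check, or to the comment that is wrong in all four copies, cannot miss one of them.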




commit gnutls for openSUSE:Leap:15.2

2020-04-14 Thread root
Hello community,

here is the log from the commit of package gnutls for openSUSE:Leap:15.2 
checked in at 2020-04-14 14:20:32

Comparing /work/SRC/openSUSE:Leap:15.2/gnutls (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.gnutls.new.3248 (New)


Package is "gnutls"

Tue Apr 14 14:20:32 2020 rev:45 rq:793090 version:3.6.7

Changes:

--- /work/SRC/openSUSE:Leap:15.2/gnutls/gnutls.changes  2020-01-15 
15:05:39.389911239 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.gnutls.new.3248/gnutls.changes
2020-04-14 14:20:52.413269672 +0200
@@ -1,0 +2,33 @@
+Thu Apr  2 08:38:40 UTC 2020 - Vítězslav Čížek 
+
+- Fix zero random value in DTLS client hello (bsc#1168345)
+  * add gnutls-CVE-2020-X.patch
+
+---
+Mon Mar 30 12:43:33 UTC 2020 - Vítězslav Čížek 
+
+- Split off FIPS checksums into a separate libgnutls30-hmac
+  subpackage (bsc#1152692)
+  * update baselibs.conf
+
+---
+Mon Mar 23 22:36:59 UTC 2020 - Jason Sikes 
+
+- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue
+  * No longer truncate output IV if input is shorter than block size.
+  * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
+
+---
+Mon Mar 23 14:30:07 UTC 2020 - Jason Sikes 
+
+- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test
+  * Added Diffie Hellman public key verification test.
+  * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
+
+---
+Tue Sep 24 13:16:02 UTC 2019 - Vítězslav Čížek 
+
+- Install checksums for binary integrity verification which are
+  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
+
+---
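Review bot: `gnutls-CVE-2020-X.patch` in the Apr 2 entry is a placeholder name, and the entry records only bsc#1168345; rename the patch and add the CVE id as soon as it is assigned, since the file name is what later audits grep for (the Apr 22 commit above does exactly that for CVE-2020-11501).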

New:

  gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
  gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
  gnutls-CVE-2020-X.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.qg6etr/_old  2020-04-14 14:20:52.849269998 +0200
+++ /var/tmp/diff_new_pack.qg6etr/_new  2020-04-14 14:20:52.85327 +0200
@@ -33,7 +33,7 @@
 Summary:The GNU Transport Layer Security Library
 License:LGPL-2.1-or-later AND GPL-3.0-or-later
 Group:  Productivity/Networking/Security
-URL:http://www.gnutls.org/
+URL:https://www.gnutls.org/
 Source0:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
 Source1:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
 Source2:%{name}.keyring
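Review bot: the switch of URL to https does not cover Source0 and Source1, which still fetch the tarball and its signature over ftp://; integrity is unaffected because the tarball is verified against Source1's signature with the Source2 keyring, but an https download location would make the spec consistent and avoid the plaintext transport.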
@@ -42,10 +42,14 @@
 Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
 Patch3: disable-psk-file-test.patch
 Patch4: gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch
+Patch5: gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
+Patch6: gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
+Patch7: gnutls-CVE-2020-X.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
 BuildRequires:  fdupes
+BuildRequires:  fipscheck
 BuildRequires:  gcc-c++
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure 
we have it present
 BuildRequires:  iproute2
@@ -91,12 +95,23 @@
 Summary:The GNU Transport Layer Security Library
 License:LGPL-2.1-or-later
 Group:  System/Libraries
+# install libopenssl and libopenssl-hmac close together (bsc#1090765)
+Suggests:   libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
 
 %description -n libgnutls%{gnutls_sover}
 The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETFs TLS working group.
 
+%package -n libgnutls%{gnutls_sover}-hmac
+Summary:Checksums of the GNU Transport Layer Security Library
+License:LGPL-2.1-or-later
+Group:  System/Libraries
+Requires:   libgnutls%{gnutls_sover} = %{version}-%{release}
+
+%description -n libgnutls%{gnutls_sover}-hmac
+FIPS SHA256 checksums of the libgnutls library.
+
 %if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:DANE support for the GNU Transport Layer Security Library
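Review bot: the comment `# install libopenssl and libopenssl-hmac close together (bsc#1090765)` is copied from the openssl package; in this spec it should name libgnutls%{gnutls_sover} and libgnutls%{gnutls_sover}-hmac, and bsc#1090765 should be checked as the right reference for gnutls (the changes entry for this split cites bsc#1152692). The `Suggests:` on the library combined with the hard `Requires:` from the `-hmac` subpackage is the right direction for the dependency.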
@@ -168,6 +183,9 @@
 %patch1 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1
@@ -198,6 +216,21 @@
%{nil}
 make %{?_smp_mflags}
 
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+#