commit gnutls for openSUSE:Factory

2026-05-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2026-05-05 15:14:22

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.30200 (New)


Package is "gnutls"

Tue May  5 15:14:22 2026 rev:169 rq:1350620 version:3.8.13

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2026-04-18 
21:30:59.276412662 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.30200/gnutls.changes 2026-05-05 
15:14:23.456752204 +0200
@@ -1,0 +2,97 @@
+Thu Apr 30 07:47:18 UTC 2026 - Pedro Monreal 
+
+- Update to 3.8.13:
+  * libgnutls: Add more checks to DTLS reassembly
+[GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846, bsc#1263705]
+  * libgnutls: Fix qsort comparator in DTLS reassembly
+[GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009, bsc#1263708]
+  * libgnutls: Fix crashing on an underflow with a DTLS datagram
+A remotely triggerable underflow in the DTLS reassembly code led to
+a heap overrun.
+[GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845, bsc#1263704]
+  * libgnutls: Fix RSA-PSK identity truncation
+[GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010, bsc#1263709]
+  * libgnutls: Fix case-sensitivity of domain name comparison in name 
constraints
+[GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833, bsc#1263707]
+  * libgnutls: Fix intersecting empty constraints
+[GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011, bsc#1263710]
+  * libgnutls: Suppress CN fallback in presence of URI and SRV SAN
+[GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012, bsc#1263711]
+  * libgnutls: Suppress CN fallback for oversized SAN
+[GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013, bsc#1263712]
+  * libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
+[GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014, bsc#1263713]
+  * libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
+[GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260, bsc#1263715]
+  * libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
+[GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015, bsc#1263714]
+  * libgnutls: Fix multi-entry OCSP response revocation bypass
+[GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832, bsc#1263706]
+  * libgnutls: Fix timing side-channel in PKCS#7 padding removal
+[GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419, bsc#1263716]
+  * libgnutls: Fix PSK username comparison during rehandshake
+  * libgnutls: Fix OID length check for OCSP delegated signer EKU
+  * libgnutls: Fix AES keys persisting with pkcs11-provider
+  * libgnutls: Fix missing RSA key coprimality check in verify_params
+  * libgnutls: Fix overread when parsing OpenSSL PEM private keys
+  * libgnutls: Fix a theoretical double-free during certificate import
+  * libgnutls: Fix heap overread in SCT extension parser
+  * libgnutls: Zeroize shared secret derived during hybrid key exchange
+  * build: Support building with Nettle 4.0
+Nettle 4.0 was released in Feburary 2026, with API incompatibile
+changes from 3.10. The library can now compile with it, while
+Nettle 3.10 is still supported (#1791).
+  * libgnutls: Support deriving ML-DSA public key from an expanded private key
+RFC 9881 defines 3 private key formats for ML-DSA: "seed",
+"expandedKey" and both. It is now possible to derive a public key
+from a private key in the "expandedKey" format (#1723).
+  * libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
+For compatibility reasons, the library supports two formats for
+EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING
+(DER). Previously, loading a private key in the former format
+resulted in a failure, which is now fixed (#1749).
+  * libgnutls: HPKE (RFC 9180) is now supported as a technology preview
+The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic
+protocol which enables to encrypt arbitrary data to a recipient, by
+combining key encapsulation mechanism (KEM) and authenticated
+encryption with additional data (AEAD). GnuTLS now includes the
+implementation contributed by David Dudas. Given this is a
+technology preview, the implementation and the API might suffer
+modification in the following period. Use --enable-hpke to turn on
+this feature (#1506).
+  * libgnutls: Fix TLS 1.3 client certificate selection
+For servers that send a signature_algorithms extension in 
CertificateRequest
+with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones,
+the client now properly considers RSA when selecting a certificate to send.
+This fixes TLS 1.3 interoperability with newer Java servers
+when using client certific
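
Review bot: In the "build: Support building with Nettle 4.0" entry, "Feburary" and "incompatibile" are misspelled and should read "February" and "incompatible". The two CN fallback entries carry advisory IDs dated GNUTLS-SA-2026-04-27-7 and GNUTLS-SA-2026-04-27-8 while every other ID in this list is dated 2026-04-29, so check both against the upstream advisories. The entries from "Fix PSK username comparison during rehandshake" to "Zeroize shared secret derived during hybrid key exchange" have no advisory, CVE or bsc reference; add one wherever a tracking bug exists.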

commit gnutls for openSUSE:Factory

2026-04-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2026-04-18 21:30:56

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.11940 (New)


Package is "gnutls"

Sat Apr 18 21:30:56 2026 rev:168 rq:1347712 version:3.8.12

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2026-03-27 
16:48:25.552714092 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.11940/gnutls.changes 2026-04-18 
21:30:59.276412662 +0200
@@ -1,0 +2,11 @@
+Fri Apr 17 11:26:12 UTC 2026 - Pedro Monreal 
+
+- Fix build with libnettle 4.0: (bsc#1257934)
+  * Support building with Nettle 4 [PR2075]
+  * accelerated: don't register custom HMAC for AArch64 if
+Nettle 4 [PR2080]
+  * Add patches:
+- gnutls-libnettle4-2075.patch
+- gnutls-libnettle4-2080.patch
+
+---

New:

  gnutls-libnettle4-2075.patch
  gnutls-libnettle4-2080.patch




Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.0cvwow/_old  2026-04-18 21:31:01.720512074 +0200
+++ /var/tmp/diff_new_pack.0cvwow/_new  2026-04-18 21:31:01.740512888 +0200
@@ -70,6 +70,9 @@
 Patch5: gnutls-FIPS-140-3-references.patch
 #PATCH-FIX-SUSE bsc#1260395 Fix build with autoconf 2.73
 Patch6: gnutls-C23.patch
+#PATCH-FIX-UPSTREAM bsc#1257934 Fix build with libnettle 4.0
+Patch7: gnutls-libnettle4-2075.patch
+Patch8: gnutls-libnettle4-2080.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
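
Review bot: Patch8 has no tag line of its own; the single "#PATCH-FIX-UPSTREAM bsc#1257934" comment sits above Patch7 only. Put a tag comment above each patch and name the upstream merge request it comes from (the changelog gives PR2075 and PR2080), so it is clear when each one can be dropped.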


++ gnutls-libnettle4-2075.patch ++
 1943 lines (skipped)

++ gnutls-libnettle4-2080.patch ++
>From 80b2fd8c6606949b9639f860d73b01dd6ba450ac Mon Sep 17 00:00:00 2001
From: Daiki Ueno 
Date: Wed, 4 Mar 2026 10:07:22 +0900
Subject: [PATCH 1/2] accelerated: don't register custom HMAC for AArch64 if
 Nettle 4

As a follow-up of commit 4e3921c36529110a94c2a63e0d6601c502901589, add
missing #ifdefs for AArch64, as Nettle 4 doesn't provide an easy way
to implement a custom HMAC instance.

Signed-off-by: Daiki Ueno 
---
 lib/accelerated/aarch64/aarch64-common.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/lib/accelerated/aarch64/aarch64-common.c 
b/lib/accelerated/aarch64/aarch64-common.c
index 12b7386fc6..ce8fc8301a 100644
--- a/lib/accelerated/aarch64/aarch64-common.c
+++ b/lib/accelerated/aarch64/aarch64-common.c
@@ -141,11 +141,13 @@ static void _register_aarch64_crypto(unsigned 
capabilities)
gnutls_assert();
}
 
+#if defined(HAVE_LIBNETTLE) && defined(HMAC_SET_KEY)
ret = gnutls_crypto_single_mac_register(
GNUTLS_MAC_SHA1, 80, &_gnutls_hmac_sha_aarch64, 0);
if (ret < 0) {
gnutls_assert();
}
+#endif
}
 
if (_gnutls_arm_cpuid_s & ARMV8_SHA256) {
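
Review bot: The new guard "#if defined(HAVE_LIBNETTLE) && defined(HMAC_SET_KEY)" around the GNUTLS_MAC_SHA1 registration depends on HMAC_SET_KEY being a preprocessor macro that is visible at this point in aarch64-common.c. If the header that defines it is not included in this file, the condition is false for Nettle 3 builds as well and the accelerated HMAC is dropped without any diagnostic. Include that header explicitly here, or test a configure-time symbol for the Nettle version instead.
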
@@ -157,11 +159,13 @@ static void _register_aarch64_crypto(unsigned 
capabilities)
gnutls_assert();
}
 
+#if defined(HAVE_LIBNETTLE) && defined(HMAC_SET_KEY)
ret = gnutls_crypto_single_mac_register(
GNUTLS_MAC_SHA224, 80, &_gnutls_hmac_sha_aarch64, 0);
if (ret < 0) {
gnutls_assert();
}
+#endif
 
ret = gnutls_crypto_single_digest_register(
GNUTLS_DIG_SHA256, 80, &_gnutls_sha_aarch64, 0);
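
Review bot: The same #if/#endif pair is repeated around each gnutls_crypto_single_mac_register() call in _register_aarch64_crypto(), here for GNUTLS_MAC_SHA224. Wrapping the registration in one helper or macro defined once under the guard would keep the call sites identical and avoid a future HMAC registration being added without the guard.
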
@@ -169,11 +173,13 @@ static void _register_aarch64_crypto(unsigned 
capabilities)
gnutls_assert();
}
 
+#if defined(HAVE_LIBNETTLE) && defined(HMAC_SET_KEY)
ret = gnutls_crypto_single_mac_register(
GNUTLS_MAC_SHA256, 80, &_gnutls_hmac_sha_aarch64, 0);
if (ret < 0) {
gnutls_assert();
}
+#endif
 
ret = gnutls_crypto_single_digest_register(
GNUTLS_DIG_SHA384, 80, &_gnutls_sha_aarch64, 0);
@@ -181,11 +187,13 @@ static void _register_aarch64_crypto(unsigned 
capabilities)
gnutls_assert();
}
 
+#if defined(HAVE_LIBNETTLE) && defined(HMAC_SET_KEY)
ret = gnutls_crypto_single_mac_register(
GNUTLS_MAC_SHA384, 80, &_gnutls_hmac_sha_aarch64, 0);
if (ret < 0) {
gnutls_assert();
 

commit gnutls for openSUSE:Factory

2026-03-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2026-03-27 16:48:22

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.8177 (New)


Package is "gnutls"

Fri Mar 27 16:48:22 2026 rev:167 rq:1342759 version:3.8.12

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2026-02-11 
19:12:09.964342655 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.8177/gnutls.changes  2026-03-27 
16:48:25.552714092 +0100
@@ -1,0 +2,6 @@
+Tue Mar 24 15:19:22 UTC 2026 - Pedro Monreal 
+
+- Fix build with autoconf 2.73 (bsc#1260395)
+  * Add gnutls-C23.patch
+
+---

New:

  gnutls-C23.patch




Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.7gTyUr/_old  2026-03-27 16:48:26.580756914 +0100
+++ /var/tmp/diff_new_pack.7gTyUr/_new  2026-03-27 16:48:26.580756914 +0100
@@ -68,6 +68,8 @@
 Patch4: gnutls-FIPS-disable-mac-sha1.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
 Patch5: gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1260395 Fix build with autoconf 2.73
+Patch6: gnutls-C23.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge


++ gnutls-C23.patch ++
Index: gnutls-3.8.12/lib/fipshmac.c
===
--- gnutls-3.8.12.orig/lib/fipshmac.c
+++ gnutls-3.8.12/lib/fipshmac.c
@@ -44,6 +44,14 @@
 #define HMAC_ALGO GNUTLS_MAC_SHA256
 #define HMAC_STR_SIZE (2 * HMAC_SIZE + 1)
 
+/* Without C99 macros these functions have to
+ * be called. This may affect performance.
+ */
+void _gnutls_null_log(void *, ...)
+{
+return;
+}
+
 static int get_hmac(const char *path, char *hmac, size_t hmac_size)
 {
int ret;
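
Review bot: The added definition "void _gnutls_null_log(void *, ...)" in lib/fipshmac.c leaves its parameter unnamed, which a function definition may do only from C23 on; a compiler in an earlier language mode rejects it or warns. Name the parameter and mark it unused so the file builds in either mode. The comment "Without C99 macros these functions have to be called" also does not say why this file needs its own definition; state where the declaration comes from.
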
Index: gnutls-3.8.12/tests/atfork.c
===
--- gnutls-3.8.12.orig/tests/atfork.c
+++ gnutls-3.8.12/tests/atfork.c
@@ -49,6 +49,14 @@ void doit(void)
  * macros from gnulib */
 #include "utils.h"
 
+/* Without C99 macros these functions have to
+ * be called. This may affect performance.
+ */
+void _gnutls_null_log(void *, ...)
+{
+return;
+}
+
 void doit(void)
 {
pid_t pid;
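
Review bot: tests/atfork.c gets a second, identical copy of the _gnutls_null_log() stub that this patch also adds to lib/fipshmac.c. Two pasted definitions will drift apart; put the stub in one shared source or header used by the programs that need it. The definition here also leaves its parameter unnamed, which is valid only from C23 on.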


commit gnutls for openSUSE:Factory

2026-02-11 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2026-02-11 19:12:07

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1670 (New)


Package is "gnutls"

Wed Feb 11 19:12:07 2026 rev:166 rq:1332202 version:3.8.12

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2025-11-25 
15:53:19.367684684 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1670/gnutls.changes  2026-02-11 
19:12:09.964342655 +0100
@@ -1,0 +2,31 @@
+Tue Feb 10 08:50:55 UTC 2026 - Pedro Monreal 
+
+- Update to 3.8.12:
+  * Security fixes:
+- CVE-2026-1584: NULL pointer dereference in PSK binder verification 
(bsc#1257978)
+- CVE-2025-14831: Fix name constraint processing performance issue 
(bsc#1257960)
+  * libgnutls: Fix NULL pointer dereference in PSK binder verification
+A TLS 1.3 resumption attempt with an invalid PSK binder value in 
ClientHello
+could lead to a denial of service attack via crashing the server.
+The updated code guards against the problematic dereference.
+[Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
+  * libgnutls: Fix name constraint processing performance issue
+Verifying certificates with pathological amounts of name constraints
+could lead to a denial of service attack via resource exhaustion.
+Reworked processing algorithms exhibit better performance characteristics.
+[Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
+  * libgnutls: Fix multiple unexploitable overflows (#1783, #1786).
+  * libgnutls: Fall back to thread-unsafe module initialization
+Improve fallback handling for PKCS#11 modules that
+don't support thread-safe initialization (#1774).
+Also return filename from p11_kit_module_get_name() for unconfigured 
modules.
+  * libgnutls: Accept NULL as digest argument for gnutls_hash_output
+The accelerated implementation of gnutls_hash_output() now
+properly accepts NULL as the digest argument, matching the
+behavior of the reference implementation (#1769).
+  * srptool: Avoid a stack buffer overflow when processing large SRP groups 
(#1777).
+  * Rebase patches:
+- gnutls-FIPS-jitterentropy.patch
+- gnutls-FIPS-140-3-references.patch
+
+---

Old:

  gnutls-3.8.11.tar.xz
  gnutls-3.8.11.tar.xz.sig

New:

  gnutls-3.8.12.tar.xz
  gnutls-3.8.12.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.n7ILMW/_old  2026-02-11 19:12:10.752375836 +0100
+++ /var/tmp/diff_new_pack.n7ILMW/_new  2026-02-11 19:12:10.752375836 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2025 Andreas Stieger 
 #
 # All modifications and additions to the file contributed by third parties
@@ -42,7 +42,7 @@
 %bcond_with tpm
 %bcond_without leancrypto
 Name:   gnutls
-Version:3.8.11
+Version:3.8.12
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later

++ gnutls-3.8.11.tar.xz -> gnutls-3.8.12.tar.xz ++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.8.11.tar.xz 
/work/SRC/openSUSE:Factory/.gnutls.new.1670/gnutls-3.8.12.tar.xz differ: char 
15, line 1

++ gnutls-FIPS-140-3-references.patch ++
 682 lines (skipped)
 between 
/work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
 and 
/work/SRC/openSUSE:Factory/.gnutls.new.1670/gnutls-FIPS-140-3-references.patch

++ gnutls-FIPS-jitterentropy.patch ++
--- /var/tmp/diff_new_pack.n7ILMW/_old  2026-02-11 19:12:10.852380047 +0100
+++ /var/tmp/diff_new_pack.n7ILMW/_new  2026-02-11 19:12:10.860380384 +0100
@@ -1,7 +1,7 @@
-Index: gnutls-3.8.11/lib/nettle/sysrng-linux.c
+Index: gnutls-3.8.12/lib/nettle/sysrng-linux.c
 ===
 gnutls-3.8.11.orig/lib/nettle/sysrng-linux.c
-+++ gnutls-3.8.11/lib/nettle/sysrng-linux.c
+--- gnutls-3.8.12.orig/lib/nettle/sysrng-linux.c
 gnutls-3.8.12/lib/nettle/sysrng-linux.c
 @@ -49,6 +49,15 @@
  get_entropy_func _rnd_get_system_entropy = NULL;
  
@@ -158,10 +158,10 @@
 +#endif
return;
  }
-Index: gnutls-3.8.11/lib/nettle/Makefile.in
+Index: gnutls-3.8.12/lib/nettle/Makefile.in
 ===
 gnutls-3.8.11.orig/lib/nettle/Makefile.in
-+++ gnutls-3.8.11/lib/nettle/Makefile.in
+--- gnutls-3.8.12.orig/lib/nettle/Makefile.in
 gnutls-3.8.12/lib/nettle/Makefile.in
 @@ -522,7 +5

commit gnutls for openSUSE:Factory

2025-04-14 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2025-04-14 12:55:31

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1907 (New)


Package is "gnutls"

Mon Apr 14 12:55:31 2025 rev:162 rq:1268601 version:3.8.9

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2025-03-26 
21:19:27.588643714 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1907/gnutls.changes  2025-04-14 
12:56:09.814658789 +0200
@@ -1,0 +2,5 @@
+Thu Apr  3 10:19:59 UTC 2025 - Guillaume GARDET 
+
+- Disable liboqs on armv6
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.HHe8B7/_old  2025-04-14 12:56:11.238718591 +0200
+++ /var/tmp/diff_new_pack.HHe8B7/_new  2025-04-14 12:56:11.238718591 +0200
@@ -35,7 +35,11 @@
 # disable for now, as our OBS builds do not work with it. Marcus 20220511
 #bcond_without kcapi
 %bcond_with kcapi
+%ifarch armv6l armv6hl
+%bcond_with liboqs
+%else
 %bcond_without liboqs
+%endif
 %else
 %bcond_with kcapi
 %bcond_with liboqs
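
Review bot: The new "%ifarch armv6l armv6hl" branch turns liboqs off without a comment, while the kcapi conditional just above it records why and when it was disabled. Add a comment giving the reason and a bug reference so the exception can be revisited later.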


commit gnutls for openSUSE:Factory

2025-03-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2025-03-26 21:17:57

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2696 (New)


Package is "gnutls"

Wed Mar 26 21:17:57 2025 rev:161 rq:1255878 version:3.8.9

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2025-02-25 
16:40:56.802263439 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2696/gnutls.changes  2025-03-26 
21:19:27.588643714 +0100
@@ -1,0 +2,13 @@
+Mon Mar 24 15:53:48 UTC 2025 - Angel Yankov 
+
+- FIPS: Mark SHA-1 as non-approved in the SLI for all operations. 
[jsc#PED-12224]
+  * Add gnutls-FIPS-disable-mac-sha1.patch
+
+---
+Tue Mar 18 07:56:18 UTC 2025 - Angel Yankov 
+
+- bsc#1237101, FIPS selfcheck fails on tumbleweed
+  * Match dependent library names ( nettle, gmp, hogweed ) even when they 
include full verison in soname
+  * Add gnutls-fips-sonames-check.patch 
+
+---
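
Review bot: "verison" in the bsc#1237101 entry should be "version", and the "Add gnutls-fips-sonames-check.patch " line of that entry ends in trailing whitespace.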

New:

  gnutls-FIPS-disable-mac-sha1.patch
  gnutls-fips-sonames-check.patch




Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.rdxgVl/_old  2025-03-26 21:19:28.368676093 +0100
+++ /var/tmp/diff_new_pack.rdxgVl/_new  2025-03-26 21:19:28.368676093 +0100
@@ -73,6 +73,10 @@
 %endif
 Patch104:   gnutls-set-cligen-python-interp.patch
 Patch105:   gnutls-skip-pqx-test.patch
+Patch106:   gnutls-fips-sonames-check.patch
+# PATCH-FIX-SUSE jsc#jsc#PED-12224 FIPS: Mark SHA1 as unapproved in the SLI
+Patch107:   gnutls-FIPS-disable-mac-sha1.patch
+
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
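
Review bot: Patch106 (gnutls-fips-sonames-check.patch) is added without a PATCH-FIX tag comment, unlike Patch107 directly below it; add one with bsc#1237101, the reference the changelog gives for it. The Patch107 tag reads "jsc#jsc#PED-12224", with the prefix doubled.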


++ gnutls-FIPS-disable-mac-sha1.patch ++
commit c4eba74d4745e3a97b443abae1431658a826d2eb
Author: Angel Yankov 
Date:   Thu Nov 28 11:02:07 2024 +0200

SHA-1 is not allowed in FIPS-140-3 anymore after 2030. Mark it as
unapproved

Signed-off-by: Angel Yankov 

diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 0abbd7f69..f25ee0b14 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -33,6 +33,7 @@
 #include "crypto-api.h"
 #include "iov.h"
 #include "intprops.h"
+#include 
 
 typedef struct api_cipher_hd_st {
cipher_hd_st ctx_enc;
@@ -597,7 +598,9 @@ int gnutls_hmac_init(gnutls_hmac_hd_t *dig, 
gnutls_mac_algorithm_t algorithm,
bool not_approved = false;
 
/* MD5 is only allowed internally for TLS */
-   if (!is_mac_algo_allowed(algorithm)) {
+   if (algorithm == GNUTLS_MAC_SHA1) 
+   not_approved = true;
+   else if (!is_mac_algo_allowed(algorithm)) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_approved_in_fips(algorithm)) {
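
Review bot: In gnutls_hmac_init() the new "if (algorithm == GNUTLS_MAC_SHA1)" branch is placed before "else if (!is_mac_algo_allowed(algorithm))", so SHA-1 no longer passes through is_mac_algo_allowed() at all. Where that check would have rejected SHA-1, the call now continues as a not-approved operation instead of returning GNUTLS_E_UNWANTED_ALGORITHM. Keep the allowed check first and set not_approved for SHA-1 after it. The existing comment "MD5 is only allowed internally for TLS" now sits directly above the SHA-1 branch and should be moved or extended, and the added "if" line ends in trailing whitespace.
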
@@ -757,8 +760,9 @@ int gnutls_hmac_fast(gnutls_mac_algorithm_t algorithm, 
const void *key,
 {
int ret;
bool not_approved = false;
-
-   if (!is_mac_algo_allowed(algorithm)) {
+   if (algorithm == GNUTLS_MAC_SHA1) 
+   not_approved = true;
+   else if (!is_mac_algo_allowed(algorithm)) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_approved_in_fips(algorithm)) {
@@ -839,8 +843,9 @@ int gnutls_hash_init(gnutls_hash_hd_t *dig, 
gnutls_digest_algorithm_t algorithm)
 {
int ret;
bool not_approved = false;
-
-   if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
+   if (algorithm == GNUTLS_MAC_SHA1) 
+   not_approved = true;
+   else if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
} else if (!is_mac_algo_approved_in_fips(DIG_TO_MAC(algorithm))) {
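
Review bot: In gnutls_hash_init() the parameter "algorithm" is a gnutls_digest_algorithm_t, but the new check compares it with the MAC constant GNUTLS_MAC_SHA1, while the lines below it convert with DIG_TO_MAC(algorithm) before calling the MAC helpers. Compare DIG_TO_MAC(algorithm) with GNUTLS_MAC_SHA1, or use GNUTLS_DIG_SHA1, so the test does not rely on the two enums sharing a numeric value.
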
@@ -957,8 +962,9 @@ int gnutls_hash_fast(gnutls_digest_algorithm_t algorithm, 
const void *ptext,
 {
int ret;
bool not_approved = false;
-
-   if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
+   if (algorithm == GNUTLS_MAC_SHA1) 
+   not_approved = true;
+   else if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
_

commit gnutls for openSUSE:Factory

2024-11-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2024-11-15 15:37:54

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2017 (New)


Package is "gnutls"

Fri Nov 15 15:37:54 2024 rev:159 rq:1224137 version:3.8.8

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2024-10-01 
17:11:17.824424377 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2017/gnutls.changes  2024-11-15 
15:37:59.153217762 +0100
@@ -1,0 +2,25 @@
+Mon Nov 11 10:04:31 UTC 2024 - Pedro Monreal 
+
+- Update to 3.8.8:
+  - libgnutls: Experimental support for X25519MLKEM768 and
+SecP256r1MLKEM768 key exchange in TLS 1.3:  The support for
+post-quantum key exchanges has been extended to cover the final
+standard of ML-KEM, following draft-kwiatkowski-tls-ecdhe-mlkem.
+The minimum supported version of liboqs is bumped to 0.11.0.
+  - libgnutls: All records included in an OCSP response are now checked
+in TLS: Previously, when multiple records are provided in a single
+OCSP response, only the first record was considered; now all those
+records are examined until the server certificate matches.
+  - libgnutls: Handling of malformed compress_certificate extension is
+now more standard compliant: The server behavior of receiving a
+malformed compress_certificate extension now more strictly follows
+RFC 8879; return illegal_parameter alert instead of bad_certificate,
+as well as overlong extension data is properly rejected.
+  - build: More flexible library linking options for compression
+libraries, TPM, and liboqs support: The configure options,
+--with-zstd, --with-brotli, --with-zlib, --with-tpm2, and --with-liboqs
+now take 4 states: yes/link/dlopen/no, to specify how the libraries
+are linked or loaded.
+  * Rebase gnutls-FIPS-140-3-references.patch
+
+---
@@ -5,0 +31,7 @@
+
+---
+Thu Sep  5 07:57:42 UTC 2024 - Pedro Monreal 
+
+- FIPS: Allow to perform the integrity check with the hmac provided
+  by each library [bsc#1226724]
+  * Rebase gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch

Old:

  gnutls-3.8.7.1.tar.xz
  gnutls-3.8.7.1.tar.xz.sig

New:

  gnutls-3.8.8.tar.xz
  gnutls-3.8.8.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.KVm62V/_old  2024-11-15 15:38:01.145301197 +0100
+++ /var/tmp/diff_new_pack.KVm62V/_new  2024-11-15 15:38:01.145301197 +0100
@@ -42,14 +42,14 @@
 %endif
 %bcond_with tpm
 Name:   gnutls
-Version:3.8.7
+Version:3.8.8
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
 Group:  Productivity/Networking/Security
 URL:https://www.gnutls.org/
-Source0:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.1.tar.xz
-Source1:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.1.tar.xz.sig
+Source0:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
+Source1:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
 # https://gnutls.org/gnutls-release-keyring.gpg
 Source2:https://gnutls.org/gnutls-release-keyring.gpg#/gnutls.keyring
 Source3:baselibs.conf

++ gnutls-3.8.7.1.tar.xz -> gnutls-3.8.8.tar.xz ++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.8.7.1.tar.xz 
/work/SRC/openSUSE:Factory/.gnutls.new.2017/gnutls-3.8.8.tar.xz differ: char 
26, line 1

++ gnutls-FIPS-140-3-references.patch ++
 964 lines (skipped)
 between 
/work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
 and 
/work/SRC/openSUSE:Factory/.gnutls.new.2017/gnutls-FIPS-140-3-references.patch

++ gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch ++
--- /var/tmp/diff_new_pack.KVm62V/_old  2024-11-15 15:38:01.749326495 +0100
+++ /var/tmp/diff_new_pack.KVm62V/_new  2024-11-15 15:38:01.793328338 +0100
@@ -1,118 +1,121 @@
-Index: gnutls-3.8.7/lib/fips.c
+Index: gnutls-3.8.8/lib/fips.c
 ===
 gnutls-3.8.7.orig/lib/fips.c
-+++ gnutls-3.8.7/lib/fips.c
-@@ -177,20 +177,32 @@ struct hmac_entry {
- struct hmac_file {
-   int version;
-   struct hmac_entry gnutls;
-+#if 0
-+   /* Disable nettle, hogweed and gmp HMAC verification as
-+* they are calculated during build of the respective
-+* packages and can differ from the ones listed here.
-+*/
-   struct hmac_entry nettle;
- 

commit gnutls for openSUSE:Factory

2024-07-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2024-07-26 16:14:59

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1882 (New)


Package is "gnutls"

Fri Jul 26 16:14:59 2024 rev:156 rq:1189560 version:3.8.6

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2024-04-08 
17:37:36.813213926 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1882/gnutls.changes  2024-07-26 
16:15:17.353195646 +0200
@@ -1,0 +2,19 @@
+Thu Jul 25 08:51:56 UTC 2024 - Pedro Monreal 
+
+- Update to 3.8.6:
+  * libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12
+To be compliant with FIPS 140-3, PKCS#12 files with MAC based on
+PBKDF2 (PBMAC1) is now supported, according to the specification
+proposed in draft-ietf-lamps-pkcs12-pbmac1.
+  * libgnutls: SHA3 extendable output functions (XOF) are now supported
+SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new
+public API gnutls_hash_squeeze.
+  * API and ABI modifications:
+- gnutls_pkcs12_generate_mac3: New function
+- gnutls_pkcs12_flags_t: New enum
+- gnutls_hash_squeeze: New function
+  * Rebase patches:
+- gnutls-FIPS-140-3-references.patch
+- gnutls-FIPS-jitterentropy.patch
+
+---

Old:

  gnutls-3.8.5.tar.xz
  gnutls-3.8.5.tar.xz.sig

New:

  gnutls-3.8.6.tar.xz
  gnutls-3.8.6.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.eTaO49/_old  2024-07-26 16:15:18.001221749 +0200
+++ /var/tmp/diff_new_pack.eTaO49/_new  2024-07-26 16:15:18.005221910 +0200
@@ -40,7 +40,7 @@
 %endif
 %bcond_with tpm
 Name:   gnutls
-Version:3.8.5
+Version:3.8.6
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later

++ gnutls-3.8.5.tar.xz -> gnutls-3.8.6.tar.xz ++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.8.5.tar.xz 
/work/SRC/openSUSE:Factory/.gnutls.new.1882/gnutls-3.8.6.tar.xz differ: char 
26, line 1

++ gnutls-FIPS-140-3-references.patch ++
 974 lines (skipped)
 between 
/work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
 and 
/work/SRC/openSUSE:Factory/.gnutls.new.1882/gnutls-FIPS-140-3-references.patch

++ gnutls-FIPS-jitterentropy.patch ++
--- /var/tmp/diff_new_pack.eTaO49/_old  2024-07-26 16:15:18.089225294 +0200
+++ /var/tmp/diff_new_pack.eTaO49/_new  2024-07-26 16:15:18.093225456 +0200
@@ -1,7 +1,7 @@
-Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
+Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
 ===
 gnutls-3.8.1.orig/lib/nettle/sysrng-linux.c
-+++ gnutls-3.8.1/lib/nettle/sysrng-linux.c
+--- gnutls-3.8.6.orig/lib/nettle/sysrng-linux.c
 gnutls-3.8.6/lib/nettle/sysrng-linux.c
 @@ -49,6 +49,15 @@
  get_entropy_func _rnd_get_system_entropy = NULL;
  
@@ -158,11 +158,11 @@
 +#endif
return;
  }
-Index: gnutls-3.8.1/lib/nettle/Makefile.in
+Index: gnutls-3.8.6/lib/nettle/Makefile.in
 ===
 gnutls-3.8.1.orig/lib/nettle/Makefile.in
-+++ gnutls-3.8.1/lib/nettle/Makefile.in
-@@ -402,7 +402,7 @@ am__v_CC_1 =
+--- gnutls-3.8.6.orig/lib/nettle/Makefile.in
 gnutls-3.8.6/lib/nettle/Makefile.in
+@@ -497,7 +497,7 @@ am__v_CC_1 =
  CCLD = $(CC)
  LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -171,10 +171,10 @@
  AM_V_CCLD = $(am__v_CCLD_@AM_V@)
  am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
  am__v_CCLD_0 = @echo "  CCLD" $@;
-Index: gnutls-3.8.1/lib/nettle/Makefile.am
+Index: gnutls-3.8.6/lib/nettle/Makefile.am
 ===
 gnutls-3.8.1.orig/lib/nettle/Makefile.am
-+++ gnutls-3.8.1/lib/nettle/Makefile.am
+--- gnutls-3.8.6.orig/lib/nettle/Makefile.am
 gnutls-3.8.6/lib/nettle/Makefile.am
 @@ -20,7 +20,7 @@
  
  include $(top_srcdir)/lib/common.mk
@@ -184,10 +184,10 @@
  
  AM_CPPFLAGS = \
-I$(srcdir)/int \
-Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
+Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
 ===
 gnutls-3.8.1.orig/lib/nettle/rnd-fips.c
-+++ gnutls-3.8.1/lib/nettle/rnd-fips.c
+--- gnutls-3.8.6.orig/lib/nettle/rnd-fips.c
 gnutls-3.8.6/lib/nettle/rnd-fips.c
 @@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret;
@@ -210,16 +210,16 @@
ret =

commit gnutls for openSUSE:Factory

2024-04-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2024-04-08 17:37:29

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1905 (New)


Package is "gnutls"

Mon Apr  8 17:37:29 2024 rev:155 rq:1165545 version:3.8.5

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2024-03-28 
14:03:51.986396835 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1905/gnutls.changes  2024-04-08 
17:37:36.813213926 +0200
@@ -1,0 +2,27 @@
+Fri Apr  5 07:28:14 UTC 2024 - Pedro Monreal 
+
+- Update to 3.8.5:
+  * libgnutls: Due to majority of usages and implementations of
+RSA decryption with PKCS#1 v1.5 padding being incorrect,
+leaving them vulnerable to Marvin attack, the RSAES-PKCS1-v1_5
+is being deprecated (encryption and decryption) and will be
+disabled in the future. A new option 'allow-rsa-pkcs1-encrypt'
+has been added into the system-wide library configuration which
+allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
+RSAES-PKCS1-v1_5 is enabled by default.
+  * libgnutls: Added support for RIPEMD160 and PBES1-DES-SHA1 for
+backward compatibility with GCR.
+  * libgnutls: A couple of memory related issues have been fixed in
+RSA PKCS#1 v1.5 decryption error handling and deterministic ECDSA
+with earlier versions of GMP. These were a regression introduced
+in the 3.8.4 release. See #1535 and !1827.
+  * build: Fixed a bug where building gnutls statically failed due
+to a duplicate definition of nettle_rsa_compute_root_tr().
+  * API and ABI modifications:
+- GNUTLS_PKCS_PBES1_DES_SHA1: New enum member of
+  gnutls_pkcs_encrypt_flags_t
+  * Rebase patches:
+- gnutls-FIPS-TLS_KDF_selftest.patch
+- gnutls-FIPS-140-3-references.patch
+
+---

Old:

  gnutls-3.8.4.tar.xz
  gnutls-3.8.4.tar.xz.sig

New:

  gnutls-3.8.5.tar.xz
  gnutls-3.8.5.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.WCz7lB/_old  2024-04-08 17:37:38.149263162 +0200
+++ /var/tmp/diff_new_pack.WCz7lB/_new  2024-04-08 17:37:38.149263162 +0200
@@ -40,7 +40,7 @@
 %endif
 %bcond_with tpm
 Name:   gnutls
-Version:3.8.4
+Version:3.8.5
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later

++ gnutls-3.8.4.tar.xz -> gnutls-3.8.5.tar.xz ++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.8.4.tar.xz 
/work/SRC/openSUSE:Factory/.gnutls.new.1905/gnutls-3.8.5.tar.xz differ: char 
26, line 1

++ gnutls-FIPS-140-3-references.patch ++
 952 lines (skipped)
 between 
/work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
 and 
/work/SRC/openSUSE:Factory/.gnutls.new.1905/gnutls-FIPS-140-3-references.patch

++ gnutls-FIPS-TLS_KDF_selftest.patch ++
--- /var/tmp/diff_new_pack.WCz7lB/_old  2024-04-08 17:37:38.221265816 +0200
+++ /var/tmp/diff_new_pack.WCz7lB/_new  2024-04-08 17:37:38.221265816 +0200
@@ -1,8 +1,8 @@
-Index: gnutls-3.7.7/lib/fips.c
+Index: gnutls-3.8.5/lib/fips.c
 ===
 gnutls-3.7.7.orig/lib/fips.c
-+++ gnutls-3.7.7/lib/fips.c
-@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
+--- gnutls-3.8.5.orig/lib/fips.c
 gnutls-3.8.5/lib/fips.c
+@@ -593,6 +593,26 @@ int _gnutls_fips_perform_self_checks2(vo
return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
}
  
@@ -27,6 +27,6 @@
 +  }
 +
/* PK */
-   ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
-   if (ret < 0) {
+   if (_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
+   ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
 
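Review bot: in the rebased context the call `gnutls_pk_self_test(0, GNUTLS_PK_RSA)` is reached only when `_gnutls_config_is_rsa_pkcs1_encrypt_allowed()` is true, and the visible lines show no else branch. Please confirm that the FIPS self-checks still exercise RSA signatures when RSAES-PKCS1-v1_5 is switched off, otherwise disabling the option also drops an RSA self-test without any log message.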


commit gnutls for openSUSE:Factory

2024-02-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2024-02-27 22:45:15

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1770 (New)


Package is "gnutls"

Tue Feb 27 22:45:15 2024 rev:153 rq:1151783 version:3.8.3

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2024-01-18 
21:51:49.713350400 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1770/gnutls.changes  2024-02-27 
22:45:38.696656619 +0100
@@ -1,0 +2,6 @@
+Wed Feb 21 18:04:48 UTC 2024 - Jan Engelhardt 
+
+- Remove some if..endif that do not affect any result
+- Split documentation (some 1100 files) to separate subpackage
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.3f5k1w/_old  2024-02-27 22:45:39.636690712 +0100
+++ /var/tmp/diff_new_pack.3f5k1w/_new  2024-02-27 22:45:39.640690857 +0100
@@ -132,7 +132,6 @@
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETF's TLS working group.
 
-%if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:DANE support for the GNU Transport Layer Security Library
 License:LGPL-2.1-or-later
@@ -142,7 +141,6 @@
 The GnuTLS project aims to develop a library that provides a secure
 layer over a reliable transport layer.
 This package contains the "DANE" part of gnutls.
-%endif
 
 %package -n libgnutlsxx%{gnutlsxx_sover}
 Summary:C++ API for the GNU Transport Layer Security Library
@@ -172,7 +170,6 @@
 %description -n libgnutls-devel
 Files needed for software development using gnutls.
 
-%if %{with dane}
 %package -n libgnutls-dane-devel
 Summary:Development package for GnuTLS DANE component
 License:LGPL-2.1-or-later
@@ -181,7 +178,14 @@
 
 %description -n libgnutls-dane-devel
 Files needed for software development using gnutls.
-%endif
+
+%package -n libgnutls-devel-doc
+Summary:Manual and Info pages for libgnutls
+License:LGPL-2.1-or-later
+BuildArch:  noarch
+
+%description -n libgnutls-devel-doc
+Manpages (troff) and GNU Info pages for libgnutls.
 
 %package -n libgnutlsxx-devel
 Summary:Development package for the GnuTLS C++ API
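Review bot: nothing in the visible lines ties the new libgnutls-devel-doc subpackage to libgnutls-devel (no Requires, Recommends or Supplements), so users who upgrade libgnutls-devel lose the man3 and Info pages without notice. Consider a `Recommends: libgnutls-devel-doc` in libgnutls-devel, or say in the changelog that the documentation must now be installed separately.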
@@ -298,12 +302,8 @@
 
 %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
 %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
-
-%if %{with dane}
 %post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
 %postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
-%endif
-
 %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 
@@ -365,9 +365,11 @@
 %{_includedir}/%{name}/urls.h
 %{_libdir}/libgnutls.so
 %{_libdir}/pkgconfig/gnutls.pc
+
+%files -n libgnutls-devel-doc
 %{_mandir}/man3/*
 %{_infodir}/*%{ext_info}
-%doc %{_docdir}/libgnutls-devel
+%{_docdir}/libgnutls-devel
 
 %if %{with dane}
 %files -n libgnutls-dane-devel
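Review bot: the `%if %{with dane}` guard stays on `%files -n libgnutls-dane-devel` here, while the same guard was removed from the `%package`, `%description` and `%post`/`%postun` sections in the earlier hunks, so the spec now relies on the absent `%files` section alone to suppress the DANE subpackages. A one-line comment saying so would stop a later editor from "repairing" the asymmetry. The `%doc` marker is also dropped from `%{_docdir}/libgnutls-devel`; if that is intended, the changelog should mention it.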


commit gnutls for openSUSE:Factory

2023-08-23 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2023-08-23 14:56:48

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1766 (New)


Package is "gnutls"

Wed Aug 23 14:56:48 2023 rev:150 rq:1105301 version:3.8.1

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2023-05-30 
22:01:44.934765061 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1766/gnutls.changes  2023-08-23 
14:56:59.757923832 +0200
@@ -1,0 +2,61 @@
+Tue Aug 22 15:00:57 UTC 2023 - Pedro Monreal 
+
+- Fix missing GNUTLS_NO_EXTENSIONS compatibility.
+  * Upstream: gitlab.com/gnutls/gnutls/commit/abfa8634
+  * Add gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch
+
+---
+Mon Aug 21 09:33:40 UTC 2023 - Pedro Monreal 
+
+- tests: Fix the SRP test that fails with SIGPIPE signal return due
+  to a socket being closed before using it.
+  * Add gnutls-srp-test-SIGPIPE.patch
+
+---
+Mon Aug 7 07:51:59 UTC 2023 - Pedro Monreal 
+
+- Update to version 3.8.1:
+  * libgnutls: ClientHello extensions are randomized by default
+To make fingerprinting harder, TLS extensions in ClientHello
+messages are shuffled. As this behavior may cause compatibility
+issue with legacy applications that do not accept the last
+extension without payload, the behavior can be reverted with the
+%NO_SHUFFLE_EXTENSIONS priority keyword.
+  * libgnutls: Add support for RFC 9258 external PSK importer.
+This enables to deploy the same PSK across multiple TLS versions
+(TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
+needs to set up a callback that formats the PSK identity using
+gnutls_psk_format_imported_identity().
+  * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
+%GNUTLS_NO_DEFAULT_EXTENSIONS.
+  * libgnutls: Add additional PBKDF limit checks in FIPS mode as
+defined in SP 800-132. Minimum salt length is 128 bits and
+minimum iterations bound is 1000 for PBKDF in FIPS mode.
+  * libgnutls: Add a mechanism to control whether to enforce extended
+master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
+session hash (extended master secret, EMS) in TLS 1.2. To enforce
+this, a new priority keyword %FORCE_SESSION_HASH is added and if
+it is set and EMS is not set, the peer aborts the connection. This
+behavior is the default in FIPS mode, though it can be overridden
+through the configuration file with the "tls-session-hash" option.
+In either case non-EMS PRF is reported as a non-approved operation
+through the FIPS service indicator.
+  * New option --attime to specify current time.
+To make testing with different timestamp to the system easier, the
+tools doing certificate verification now provide a new option
+--attime, which takes an arbitrary time.
+  * API and ABI modifications:
+gnutls_psk_client_credentials_function3: New typedef
+gnutls_psk_server_credentials_function3: New typedef
+gnutls_psk_set_server_credentials_function3: New function
+gnutls_psk_set_client_credentials_function3: New function
+gnutls_psk_format_imported_identity: New function
+GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags
+  * Rebase patches:
+- gnutls-FIPS-140-3-references.patch
+- gnutls-FIPS-jitterentropy.patch
+  * Remove patches merged/fixed upstream:
+- gnutls-FIPS-PCT-DH.patch
+- gnutls-FIPS-PCT-ECDH.patch
+
+---
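Review bot: the top entry, "Fix missing GNUTLS_NO_EXTENSIONS compatibility", does not say what was missing. The 3.8.1 entry further down records that %GNUTLS_NO_EXTENSIONS was renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS; if the patch restores the old name for existing callers, say so, and add a bsc/boo reference next to the abbreviated upstream commit abfa8634. Since ClientHello extension shuffling is now the default, it would also help to point out in the entry that %NO_SHUFFLE_EXTENSIONS is the opt-out for legacy peers.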

Old:

  gnutls-3.8.0.tar.xz
  gnutls-3.8.0.tar.xz.sig
  gnutls-FIPS-PCT-DH.patch
  gnutls-FIPS-PCT-ECDH.patch

New:

  gnutls-3.8.1.tar.xz
  gnutls-3.8.1.tar.xz.sig
  gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch
  gnutls-srp-test-SIGPIPE.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.zTDfsa/_old  2023-08-23 14:57:03.581930668 +0200
+++ /var/tmp/diff_new_pack.zTDfsa/_new  2023-08-23 14:57:03.589930682 +0200
@@ -40,7 +40,7 @@
 %endif
 %bcond_with tpm
 Name:   gnutls
-Version:3.8.0
+Version:3.8.1
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -56,17 +56,18 @@
 Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
 Patch2: gnutls-disable-flaky-test-dtls-resume.patch
+# PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE
+Patch3: gnutls-srp-test-SIGPIPE.patch
+# PATCH-FIX-OPENSUSE Fix missing GNUTLS_NO_EXTENSI

commit gnutls for openSUSE:Factory

2023-05-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2023-05-30 22:01:41

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1533 (New)


Package is "gnutls"

Tue May 30 22:01:41 2023 rev:149 rq:1089748 version:3.8.0

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2023-05-26 
20:15:16.268190299 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1533/gnutls.changes  2023-05-30 
22:01:44.934765061 +0200
@@ -1,0 +2,6 @@
+Mon May 29 07:27:23 UTC 2023 - Pedro Monreal 
+
+- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476]
+  Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+
+---



Other differences:
--
++ baselibs.conf ++
--- /var/tmp/diff_new_pack.JFyGQp/_old  2023-05-30 22:01:45.682769469 +0200
+++ /var/tmp/diff_new_pack.JFyGQp/_new  2023-05-30 22:01:45.686769493 +0200
@@ -1,7 +1,7 @@
 libgnutls30
   obsoletes "gnutls-"
-  provides "libgnutls30- = -%release"
-  obsoletes "libgnutls30- < -%release"
+  provides "libgnutls30-hmac- = -%release"
+  obsoletes "libgnutls30-hmac- < -%release"
 libgnutls-devel
   requires -libgnutls-
   requires "libgnutls30- = "
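Review bot: the changelog line for this fix ("Fix baselibs.conf to mention libgnutls30-hmac") undersells what the removed lines show: in the previous revision libgnutls30 provided and obsoleted its own name, so the 32-bit libgnutls30-hmac package was never obsoleted. Please say that in the entry so anyone who installed the intermediate revision knows why a leftover -hmac package may still be present.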


++ gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch ++
--- /var/tmp/diff_new_pack.JFyGQp/_old  2023-05-30 22:01:45.710769634 +0200
+++ /var/tmp/diff_new_pack.JFyGQp/_new  2023-05-30 22:01:45.714769658 +0200
@@ -2,7 +2,95 @@
 ===
 --- gnutls-3.8.0.orig/lib/fips.c
 +++ gnutls-3.8.0/lib/fips.c
-@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
+@@ -171,16 +171,28 @@ struct hmac_entry {
+ struct hmac_file {
+   int version;
+   struct hmac_entry gnutls;
++#if 0
++  /* Disable nettle, hogweed and gpm HMAC verification as
++   * they are calculated during build of the respective
++   * packages and can differ from the ones listed here.
++   */
+   struct hmac_entry nettle;
+   struct hmac_entry hogweed;
+   struct hmac_entry gmp;
++#endif
+ };
+ 
+ struct lib_paths {
+   char gnutls[GNUTLS_PATH_MAX];
++#if 0
++  /* Disable nettle, hogweed and gpm HMAC verification as
++   * they are calculated during build of the respective
++   * packages and can differ from the ones listed here.
++   */
+   char nettle[GNUTLS_PATH_MAX];
+   char hogweed[GNUTLS_PATH_MAX];
+   char gmp[GNUTLS_PATH_MAX];
++#endif
+ };
+ 
+ /*
+@@ -241,12 +253,18 @@ static int handler(void *user, const cha
+   }
+   } else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) {
+   return lib_handler(&p->gnutls, section, name, value);
++#if 0
++  /* Disable nettle, hogweed and gpm HMAC verification as
++   * they are calculated during build of the respective
++   * packages and can differ from the ones listed here.
++   */
+   } else if (!strcmp(section, NETTLE_LIBRARY_NAME)) {
+   return lib_handler(&p->nettle, section, name, value);
+   } else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
+   return lib_handler(&p->hogweed, section, name, value);
+   } else if (!strcmp(section, GMP_LIBRARY_NAME)) {
+   return lib_handler(&p->gmp, section, name, value);
++#endif
+   } else {
+   return 0;
+   }
+@@ -391,12 +409,18 @@ static int callback(struct dl_phdr_info
+ 
+   if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+   _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
++#if 0
++  /* Disable nettle, hogweed and gpm HMAC verification as
++   * they are calculated during build of the respective
++   * packages and can differ from the ones listed here.
++   */
+   else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+   _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+   else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+   _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+   else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+   _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
++#endif
+   return 0;
+ }
+ 
+@@ -409,6 +433,11 @@ static int load_lib_paths(struct lib_pat
+   _gnutls_debug_log("Gnutls library path was not found\n");
+   return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+   }
++#if 0
++  /* Disable nettle, hogweed and gpm HMAC verification as
++   * they are calculated during build of the respective
++   * packages and can differ from the ones listed here.
++   */
+   if (paths->nettle[0] == '\0') {
+   _gnutls_d
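Review bot: with these blocks compiled out the FIPS integrity check covers libgnutls only, while nettle, hogweed and gmp supply the primitives it calls; the patch header or the changelog should state what verifies those three libraries at load time instead. The same `#if 0` block with the same comment is pasted into five places (struct hmac_file, struct lib_paths, handler(), callback(), load_lib_paths()); one macro defined once, with the rationale beside it, would be easier to audit and to revert. The comment also says "gpm" where the library is gmp.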

commit gnutls for openSUSE:Factory

2023-05-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2023-05-26 20:15:10

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1533 (New)


Package is "gnutls"

Fri May 26 20:15:10 2023 rev:148 rq:1089038 version:3.8.0

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2023-05-16 
14:21:50.473825675 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1533/gnutls.changes  2023-05-26 
20:15:16.268190299 +0200
@@ -1,0 +2,13 @@
+Wed May 24 11:01:10 UTC 2023 - Pedro Monreal 
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+  gmp libraries. These calculated HMACs change for every build of
+  each of these packages, we only have to verify that for gnutls.
+  * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+---
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal 
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
+---

New:

  gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.CCukVp/_old  2023-05-26 20:15:16.900194066 +0200
+++ /var/tmp/diff_new_pack.CCukVp/_new  2023-05-26 20:15:16.904194090 +0200
@@ -62,9 +62,11 @@
 Patch101:   gnutls-FIPS-PCT-ECDH.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
 Patch102:   gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, 
hogweed and gmp
+Patch103:   gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch103:   gnutls-FIPS-jitterentropy.patch
+Patch104:   gnutls-FIPS-jitterentropy.patch
 %endif
 BuildRequires:  autogen
 BuildRequires:  automake
@@ -118,10 +120,10 @@
 
 %package -n libgnutls%{gnutls_sover}
 Summary:The GNU Transport Layer Security Library
-# install libgnutls and libgnutls-hmac close together (bsc#1090765)
 License:LGPL-2.1-or-later
 Group:  System/Libraries
-Suggests:   libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Provides:   libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Obsoletes:  libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:   crypto-policies
 %endif
@@ -131,15 +133,6 @@
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETF's TLS working group.
 
-%package -n libgnutls%{gnutls_sover}-hmac
-Summary:Checksums of the GNU Transport Layer Security Library
-License:LGPL-2.1-or-later
-Group:  System/Libraries
-Requires:   libgnutls%{gnutls_sover} = %{version}-%{release}
-
-%description -n libgnutls%{gnutls_sover}-hmac
-FIPS SHA256 checksums of the libgnutls library.
-
 %if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:DANE support for the GNU Transport Layer Security Library
@@ -339,9 +332,6 @@
 %files -n libgnutls%{gnutls_sover}
 %license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
-
-%files -n libgnutls%{gnutls_sover}-hmac
-%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 
 %if %{with dane}

++ baselibs.conf ++
--- /var/tmp/diff_new_pack.CCukVp/_old  2023-05-26 20:15:16.932194257 +0200
+++ /var/tmp/diff_new_pack.CCukVp/_new  2023-05-26 20:15:16.936194280 +0200
@@ -1,8 +1,8 @@
 libgnutls30
   obsoletes "gnutls-"
+  provides "libgnutls30- = -%release"
+  obsoletes "libgnutls30- < -%release"
 libgnutls-devel
   requires -libgnutls-
   requires "libgnutls30- = "
-libgnutls30-hmac
-  requires "libgnutls30- = -%release"
 


++ gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch ++
Index: gnutls-3.8.0/lib/fips.c
===
--- gnutls-3.8.0.orig/lib/fips.c
+++ gnutls-3.8.0/lib/fips.c
@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
if (ret < 0)
return ret;
+# if 0
+   /* Disable nettle, hogweed and gpm HMAC verification as
+* they are calculated during build of the respective
+* packages and can differ from the ones listed here.
+*/
ret = check_lib_hmac(&hmac.nettle, paths.nettle);
if (ret < 0)
return ret;
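Review bot: only the `check_lib_hmac()` calls in check_binary_integrity() are compiled out here. If the .hmac file parser and the library path lookup in the same file still expect entries for nettle, hogweed and gmp, the self-test can still fail on them, so the `# if 0` has to cover those sites as well. The comment should also record where the integrity of the three libraries is checked once gnutls stops doing it.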
@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gmp, paths.gmp);
if (ret < 0)
  

commit gnutls for openSUSE:Factory

2023-05-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2023-05-16 14:15:50

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1533 (New)


Package is "gnutls"

Tue May 16 14:15:50 2023 rev:147 rq:1087198 version:3.8.0

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2023-04-11 
13:50:40.583192835 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1533/gnutls.changes  2023-05-16 
14:21:50.473825675 +0200
@@ -1,0 +2,5 @@
+Mon May 15 09:57:45 UTC 2023 - Guillaume GARDET 
+
+- Disable GNULIB's year2038 also for 32-bit arm - boo#1211394
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.5ltWGs/_old  2023-05-16 14:21:51.301830410 +0200
+++ /var/tmp/diff_new_pack.5ltWGs/_new  2023-05-16 14:21:51.305830432 +0200
@@ -237,7 +237,7 @@
 %if %{with srp}
 --enable-srp-authentication \
 %endif
-%ifarch %{ix86}
+%ifarch %{ix86} %{arm}
 --disable-year2038 \
 %endif
 --enable-shared \
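Review bot: the `%ifarch %{ix86} %{arm}` guard around --disable-year2038 carries no comment explaining why 64-bit time_t is switched off. Add a line pointing at boo#1211394 and the upstream issue so the flag is revisited once the ABI question is settled; the changelog for the original change already notes that it omits support for timestamps past the year 2038, which matters for anything that compares certificate validity dates.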


commit gnutls for openSUSE:Factory

2023-04-11 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2023-04-11 13:50:35

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.19717 (New)


Package is "gnutls"

Tue Apr 11 13:50:35 2023 rev:146 rq:1078280 version:3.8.0

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2023-02-16 
16:55:28.234607911 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.19717/gnutls.changes 2023-04-11 
13:50:40.583192835 +0200
@@ -1,0 +2,81 @@
+Mon Apr 10 14:48:41 UTC 2023 - Pedro Monreal 
+
+- Temporarily disable GNULIB's year2038 support for 64bit time_t
+  by using the --disable-year2038 flag. This omits support for
+  timestamps past the year 2038:
+  * Fixes the public API on 32-bit architectures avoiding to
+change the size of time_t as it cannot be changed without
+breaking the ABI compatibility.
+  * Upstream issue: https://gitlab.com/gnutls/gnutls/-/issues/1466
+
+---
+Tue Feb 21 10:17:00 UTC 2023 - Pedro Monreal 
+
+- Update to 3.8.0: [bsc#1205763, bsc#1209627]
+  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
+exchange. Reported by Hubert Kario (#1050). Fix developed by
+Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium]
+[CVE-2023-0361]
+  * libgnutls: C++ library is now header only. All definitions
+from gnutlsxx.c have been moved into gnutlsxx.h. Users of the
+C++ interface have two options:
+1. include gnutlsxx.h in their application and link against
+   the C library. (default)
+2. include gnutlsxx.h in their application, compile with
+   GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
+   against the C++ library.
+  * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
+priority modifier have been added to allow disabling of the
+status_request TLS extension in the client side.
+  * libgnutls: TLS heartbeat is disabled by default.
+The heartbeat extension in TLS (RFC 6520) is not widely used
+given other implementations dropped support for it. To enable
+back support for it, supply --enable-heartbeat-support to
+configure script.
+  * libgnutls: SRP authentication is now disabled by default.
+It is disabled because the SRP authentication in TLS is not
+up to date with the latest TLS standards and its ciphersuites
+are based on the CBC mode and SHA-1. To enable it back, supply
+--enable-srp-authentication option to configure script.
+  * libgnutls: All code has been indented using "indent -ppi1 -linux".
+CI/CD has been adjusted to catch regressions. This is implemented
+through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
+commit-check. You may run devel/indent-gnutls to fix any
+indentation issues if you make code modifications.
+  * guile: Guile-bindings removed. They have been extracted into a
+separate project to reduce complexity and to simplify maintenance,
+see .
+  * minitasn1: Upgraded to libtasn1 version 4.19.
+  * API and ABI modifications:
+GNUTLS_NO_STATUS_REQUEST: New flag
+GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
+GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member
+  * Merge gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
+and gnutls-FIPS-jitterentropy-threadsafe.patch into the main
+patch gnutls-FIPS-jitterentropy.patch
+  * Rebase gnutls-FIPS-140-3-references.patch
+  * Rebase patches with upstream version:
+- gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
+  * Remove patches merged/fixed upstream:
+- gnutls-FIPS-disable-failing-tests.patch
+- gnutls-verify-library-HMAC.patch
+- gnutls_ECDSA_signing.patch
+- gnutls-Make-XTS-key-check-failure-not-fatal.patch
+- gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
+  * Update keyring with https://gnutls.org/gnutls-release-keyring.gpg
+
+---
+Thu Feb 16 19:43:04 UTC 2023 - Pedro Monreal 
+
+- FIPS: Make the jitterentropy calls thread-safe [bsc#1208146]
+  * Add gnutls-FIPS-jitterentropy-threadsafe.patch
+
+---
+Thu Feb 16 12:31:25 UTC 2023 - Pedro Monreal 
+
+- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
+  * Rebase patches with the version submitted upstream.
+  * Avoid copying the key material: gnutls-FIPS-PCT-DH.patch
+  * Improve logic around memory release: gnutls-FIPS-PCT-ECDH.patch
+
+---
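Review bot: the guile entry ends in "see ." with the link to the separate project missing, and the Bleichenbacher entry pairs advisory id GNUTLS-SA-2020-07-14 with CVE-2023-0361; please restore the URL and check the advisory id against upstream NEWS. Because SRP authentication and TLS heartbeat are now disabled by default upstream, the entry should also say whether this package re-enables either one, since that changes the TLS surface the library exposes.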

Old:

  gnutls-3.7.9.tar.xz
  gnutls-3.7.9.tar.xz.sig
  gnutls-FIPS-SLI-pbkdf2-verif

commit gnutls for openSUSE:Factory

2023-02-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2023-02-16 16:55:19

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.22824 (New)


Package is "gnutls"

Thu Feb 16 16:55:19 2023 rev:145 rq:1065924 version:3.7.9

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2023-01-23 
18:30:25.755493823 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.22824/gnutls.changes 2023-02-16 
16:55:28.234607911 +0100
@@ -1,0 +2,8 @@
+Fri Feb 10 13:12:25 UTC 2023 - Pedro Monreal 
+
+- Update to 3.7.9: [bsc#1208143, CVE-2023-0361]
+  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
+exchange. [GNUTLS-SA-2020-07-14, CVSS: medium][CVE-2023-0361]
+  * Rebase gnutls-FIPS-140-3-references.patch
+
+---

Old:

  gnutls-3.7.8.tar.xz
  gnutls-3.7.8.tar.xz.sig

New:

  gnutls-3.7.9.tar.xz
  gnutls-3.7.9.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.ms2pV5/_old  2023-02-16 16:55:29.278612131 +0100
+++ /var/tmp/diff_new_pack.ms2pV5/_new  2023-02-16 16:55:29.282612146 +0100
@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.8
+Version:3.7.9
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later

++ gnutls-3.7.8.tar.xz -> gnutls-3.7.9.tar.xz ++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.7.8.tar.xz 
/work/SRC/openSUSE:Factory/.gnutls.new.22824/gnutls-3.7.9.tar.xz differ: char 
26, line 1

++ gnutls-FIPS-140-3-references.patch ++
 694 lines (skipped)
 between 
/work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
 and 
/work/SRC/openSUSE:Factory/.gnutls.new.22824/gnutls-FIPS-140-3-references.patch


commit gnutls for openSUSE:Factory

2023-01-23 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2023-01-23 18:30:24

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.32243 (New)


Package is "gnutls"

Mon Jan 23 18:30:24 2023 rev:144 rq:1060038 version:3.7.8

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-12-16 
17:51:04.575827625 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.32243/gnutls.changes 2023-01-23 
18:30:25.755493823 +0100
@@ -1,0 +2,13 @@
+Fri Jan 20 09:58:53 UTC 2023 - Pedro Monreal 
+
+- FIPS: Change all the 140-2 references to FIPS 140-3 in order to
+  account for the new FIPS certification [bsc#1207346]
+  * Add gnutls-FIPS-140-3-references.patch
+
+---
+Mon Jan 16 12:52:55 UTC 2023 - Pedro Monreal 
+
+- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
+  * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
+
+---

New:

  gnutls-FIPS-140-3-references.patch
  gnutls-FIPS-PCT-DH.patch
  gnutls-FIPS-PCT-ECDH.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.pILUY2/_old  2023-01-23 18:30:26.831500464 +0100
+++ /var/tmp/diff_new_pack.pILUY2/_new  2023-01-23 18:30:26.839500514 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -68,6 +68,11 @@
 Patch8: gnutls-disable-flaky-test-dtls-resume.patch
 #PATCH-FIX-OPENSUSE bsc#1199881 Verify only the libgnutls library HMAC
 Patch9: gnutls-verify-library-HMAC.patch
+#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
+Patch10:gnutls-FIPS-PCT-DH.patch
+Patch11:gnutls-FIPS-PCT-ECDH.patch
+#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
+Patch12:gnutls-FIPS-140-3-references.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge


++ gnutls-FIPS-140-3-references.patch ++
 1335 lines (skipped)

++ gnutls-FIPS-PCT-DH.patch ++
Index: gnutls-3.7.8/lib/nettle/pk.c
===
--- gnutls-3.7.8.orig/lib/nettle/pk.c
+++ gnutls-3.7.8/lib/nettle/pk.c
@@ -2498,6 +2498,48 @@ static int pct_test(gnutls_pk_algorithm_
}
break;
case GNUTLS_PK_DH:
+   if (_gnutls_fips_mode_enabled()) {
+   /* Perform Owner Assurance of Pair-wise Consistency
+* according to SP800-56A (revision 3), 5.6.2.1.4.
+*
+* DH params (see lib/crypto-backend.h)
+*  [DSA_P] [0] is p (prime number)
+*  [DSA_Q] [1] is q (prime order)
+*  [DSA_G] [2] is g (generator)
+*  [DSA_Y] [3] is y (public key)
+*  [DSA_X] [4] is x (private key only)
+*
+* Regenerate the public key from the private key with
+* y = g^x mod p and compare it with the previous one.
+*/
+
+   mpz_t p, g, y, x;
+
+   mpz_init(p);
+   mpz_init(g);
+   mpz_init(y);
+   mpz_init(x);
+
+   mpz_set(p, params->params[DSA_P]);
+   mpz_set(g, params->params[DSA_G]);
+   mpz_set(x, params->params[DSA_X]);
+
+   mpz_powm(y, g, x, p);
+
+   ret = mpz_cmp(y, params->params[DSA_Y]);
+   if (unlikely(ret != 0)) {
+   ret = 
gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+   }
+
+   mpz_clear(p);
+   mpz_clear(g);
+   mpz_clear(y);
+   mpz_clear(x);
+   if (ret < 0) {
+   goto cleanup;
+   }
+   }
+   break;
case GNUTLS_PK_ECDH_X25519:
case GNUTLS_PK_ECDH_X448:
ret = 0;
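Review bot: `mpz_set(x, params->params[DSA_X])` copies the private exponent into a temporary that is later released with `mpz_clear(x)`, which does not by itself wipe the limbs. p, g and x are only read here, so pass `params->params[DSA_G]`, `params->params[DSA_X]` and `params->params[DSA_P]` straight to the exponentiation and keep `y` as the only local. With a secret exponent, GMP's `mpz_powm_sec()` is the variant intended for this use. A short comment that `ret` holds the raw `mpz_cmp()` result until it is mapped to GNUTLS_E_PK_GENERATION_ERROR would also help, since the later `ret < 0` test depends on that mapping.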
@@ -2780,8 +2822,17 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a
}
}
 #endif
-
-   ret = _gnutls_mpi_init_multi(¶ms->params[DSA_Y], 
¶ms->params[DSA_

commit gnutls for openSUSE:Factory

2022-12-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-12-16 17:51:01

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1835 (New)


Package is "gnutls"

Fri Dec 16 17:51:01 2022 rev:143 rq:1043099 version:3.7.8

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-11-10 
14:21:34.850110732 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1835/gnutls.changes  2022-12-16 
17:51:04.575827625 +0100
@@ -1,0 +2,6 @@
+Mon Dec 12 08:58:58 UTC 2022 - Dirk Müller 
+
+- switch to pkgconfig(zlib) so that alternative providers can be
+  used
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.WvpMZp/_old  2022-12-16 17:51:05.207831103 +0100
+++ /var/tmp/diff_new_pack.WvpMZp/_new  2022-12-16 17:51:05.211831125 +0100
@@ -86,8 +86,8 @@
 BuildRequires:  p11-kit-devel >= 0.23.1
 BuildRequires:  pkgconfig
 BuildRequires:  xz
-BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(autoopts)
+BuildRequires:  pkgconfig(zlib)
 %if %{with kcapi}
 BuildRequires:  pkgconfig(libkcapi)
 %endif


commit gnutls for openSUSE:Factory

2022-11-10 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-11-10 14:21:13

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1597 (New)


Package is "gnutls"

Thu Nov 10 14:21:13 2022 rev:142 rq:1034574 version:3.7.8

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-09-15 
22:58:07.789035729 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1597/gnutls.changes  2022-11-10 
14:21:34.850110732 +0100
@@ -1,0 +2,68 @@
+Tue Nov  8 12:52:18 UTC 2022 - Pedro Monreal 
+
+- Verify only the libgnutls library HMAC [bsc#1199881]
+  * Do not use the brp-50-generate-fips-hmac script as this
+is now calculated with the internal fipshmac tool.
+  * Add gnutls-verify-library-HMAC.patch
+
+---
+Wed Nov  2 20:51:43 UTC 2022 - Pedro Monreal 
+
+- Temporarily revert the jitterentropy patches in s390 and s390x
+  architectures until a fix is provided [bsc#1204937]
+- Disable flaky test that fails in s390x architecture:
+  * Add gnutls-disable-flaky-test-dtls-resume.patch
+
+---
+Fri Oct 14 11:35:33 UTC 2022 - Pedro Monreal 
+
+- Consolidate the FIPS hmac files [bsc#1203245]
+  * Use the gnutls fipshmac tool instead of the brp-check-suse
+and rename it to reflect on the library version.
+  * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
+- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
+  positive for the FIPS hmac calculation.
+
+---
+Sun Oct  9 12:53:27 UTC 2022 - Pedro Monreal 
+
+- Update to 3.7.8:
+  * libgnutls: In FIPS140 mode, RSA signature verification is an
+approved operation if the key has modulus with known sizes
+(1024, 1280, 1536, and 1792 bits), in addition to any modulus
+sizes larger than 2048 bits, according to SP800-131A rev2.
+  * libgnutls: gnutls_session_channel_binding performs additional
+checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
+RFC9622 4.2, the "tls-exporter" channel binding is only usable
+when the handshake is bound to a unique master secret (i.e.,
+either TLS 1.3 or extended master secret extension is
+negotiated). Otherwise the function now returns error.
+  * libgnutls: usage of the following functions, which are designed
+to loosen restrictions imposed by allowlisting mode of
+configuration, has been additionally restricted. Invoking
+them is now only allowed if system-wide TLS priority string
+has not been initialized yet:
+  - gnutls_digest_set_secure
+  - gnutls_sign_set_secure
+  - gnutls_sign_set_secure_for_certs
+  - gnutls_protocol_set_enabled
+  * Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
+--with-guile-extension-dir configure option to properly
+handle the guile extension directory.
+  * Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
+  * Update gnutls.keyring
+  * Add a build depencency on gtk-doc required by autoreconf
+
+---
+Fri Oct  7 09:30:44 UTC 2022 - Otto Hollmann 
+
+- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
+  * Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
+
+---
+Tue Oct  4 13:05:27 UTC 2022 - Otto Hollmann 
+
+- FIPS: Make XTS key check failure not fatal [bsc#1203779]
+  * Add gnutls-Make-XTS-key-check-failure-not-fatal.patch
+
+---
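Review bot: The gnutls_session_channel_binding item in the 3.7.8 entry cites "RFC9622 4.2" for the "tls-exporter" channel binding, but that binding is defined in RFC 9266, so the number looks like transposed digits and should be checked against the upstream NEWS text before it goes into the package history. In the same entry, "build depencency on gtk-doc" should read "dependency". The Nov 2 item says the jitterentropy patches are reverted on s390 and s390x but names no patch or spec conditional, so the changelog alone does not show how the revert is done.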

Old:

  gnutls-3.6.6-set_guile_site_dir.patch
  gnutls-3.7.7.tar.xz
  gnutls-3.7.7.tar.xz.sig
  gnutls-FIPS-Run-CFB8-without-offset.patch

New:

  gnutls-3.7.8.tar.xz
  gnutls-3.7.8.tar.xz.sig
  gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
  gnutls-Make-XTS-key-check-failure-not-fatal.patch
  gnutls-disable-flaky-test-dtls-resume.patch
  gnutls-verify-library-HMAC.patch
  gnutls.rpmlintrc



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.lK9bsn/_old  2022-11-10 14:21:35.698115533 +0100
+++ /var/tmp/diff_new_pack.lK9bsn/_new  2022-11-10 14:21:35.70211 +0100
@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.7
+Version:3.7.8
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -44,27 +44,37 @@
 URL:https://www.gnutls.org/
 Source0:
https://www.gnupg.org/ftp/gcrypt/gn

commit gnutls for openSUSE:Factory

2022-09-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-09-15 22:57:52

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2083 (New)


Package is "gnutls"

Thu Sep 15 22:57:52 2022 rev:141 rq:1003575 version:3.7.7

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-08-04 
13:22:47.260383625 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2083/gnutls.changes  2022-09-15 
22:58:07.789035729 +0200
@@ -1,0 +2,30 @@
+Wed Sep 14 15:25:46 UTC 2022 - Pedro Monreal 
+
+- FIPS: Run the CFB8 cipher selftest without offset [bsc#1203245]
+  * CFB8 list of ciphers: GNUTLS_CIPHER_AES_{128,192,256}_CFB8
+  * Add gnutls-FIPS-Run-CFB8-without-offset.patch
+
+---
+Tue Sep 13 18:08:03 UTC 2022 - Andreas Stieger 
+
+- provide a libgnutls30-hmac-32bit to avoid uninstallable wine
+  when pattern-base-fips is installed [boo#1203353]
+
+---
+Tue Sep  6 16:17:12 UTC 2022 - Pedro Monreal 
+
+- FIPS: Additional modifications to the SLI. [bsc#1190698]
+  * Mark CMAC and GMAC and non-approved in gnutls_pbkfd2().
+  * Mark HMAC keylength less than 112 bits as non-approved in
+gnutls_pbkfd2().
+  * Adapt the pbkdf2 selftest and the regression tests accordingly.
+  * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
+
+---
+Mon Aug  8 16:41:19 UTC 2022 - Pedro Monreal 
+
+- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941]
+  * Add new dependency on jitterentropy
+  * Add gnutls-FIPS-jitterentropy.patch
+
+---
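Review bot: The Sep 6 entry names the function "gnutls_pbkfd2()" twice, while the patch it adds is called gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch and the same entry speaks of the pbkdf2 selftest; the function name should be spelled gnutls_pbkdf2() so that a search for it finds this entry. "Mark CMAC and GMAC and non-approved" should read "as non-approved".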
@@ -48,0 +79,9 @@
+
+---
+Wed Jun 29 15:56:59 UTC 2022 - Richard Costa 
+
+- FIPS:
+  * Add gnutls_ECDSA_signing.patch [bsc#1190698]
+- Check minimum keylength for symmetric key generation
+- Only allows ECDSA signature with valid set of hashes
+  (SHA2 and SHA3)
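Review bot: The two lines after "Add gnutls_ECDSA_signing.patch" are written as top-level "-" items, so it is unclear whether the minimum key length check for symmetric key generation and the ECDSA hash restriction describe that patch or are separate changes. If they describe the patch, nest them as "*" sub-items under "- FIPS:"; a key length check for symmetric key generation is also not what a reader expects from a patch named for ECDSA signing, so one sentence on the scope would help. "Only allows" should be "Only allow".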

New:

  gnutls-FIPS-Run-CFB8-without-offset.patch
  gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
  gnutls-FIPS-jitterentropy.patch
  gnutls_ECDSA_signing.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.cTRP4D/_old  2022-09-15 22:58:08.437037558 +0200
+++ /var/tmp/diff_new_pack.cTRP4D/_new  2022-09-15 22:58:08.437037558 +0200
@@ -50,6 +50,15 @@
 Patch1: gnutls-3.6.6-set_guile_site_dir.patch
 Patch2: gnutls-FIPS-TLS_KDF_selftest.patch
 Patch3: gnutls-FIPS-disable-failing-tests.patch
+Patch4: gnutls_ECDSA_signing.patch
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
+Patch5: gnutls-FIPS-jitterentropy.patch
+%endif
+#PATCH-FIX-SUSE bsc#1190698 FIPS: SLI gnutls_pbkdf2: verify keylengths and 
allow SHA only
+Patch6: gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
+#PATCH-FIX-SUSE bsc#1203245 FIPS: Run the CFB8 cipher selftests without offset
+Patch7: gnutls-FIPS-Run-CFB8-without-offset.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
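Review bot: Patch4 (gnutls_ECDSA_signing.patch) is added without the "#PATCH-FIX-SUSE bsc#..." comment that Patch5, Patch6 and Patch7 carry in this same hunk, although the changelog ties it to bsc#1190698; add the tag so the spec documents why the patch exists. Patch5 is declared inside the %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 block, so the place where it is applied has to be guarded by the same condition; that part is not visible in this diff and is worth confirming.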
@@ -94,6 +103,8 @@
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 BuildRequires:  crypto-policies
 Requires:   crypto-policies
+BuildRequires:  jitterentropy-devel >= 3.4.0
+Requires:   libjitterentropy3 >= 3.4.0
 %endif
 
 %description
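Review bot: The added "Requires: libjitterentropy3 >= 3.4.0" hard-codes the library package name, soname suffix included, next to "BuildRequires: jitterentropy-devel >= 3.4.0". If the library is linked normally, the automatic shared-library dependency already pulls in the right package, and the explicit name will need a manual edit whenever the soname changes. If the explicit line exists only to enforce the 3.4.0 minimum at run time, say so in a comment.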

++ baselibs.conf ++
--- /var/tmp/diff_new_pack.cTRP4D/_old  2022-09-15 22:58:08.473037660 +0200
+++ /var/tmp/diff_new_pack.cTRP4D/_new  2022-09-15 22:58:08.477037672 +0200
@@ -3,4 +3,6 @@
 libgnutls-devel
   requires -libgnutls-
   requires "libgnutls30- = "
+libgnutls30-hmac
+  requires "libgnutls30- = -%release"
 


++ gnutls-FIPS-Run-CFB8-without-offset.patch ++
Index: gnutls-3.7.7/lib/crypto-selftests.c
===
--- gnutls-3.7.7.orig/lib/crypto-selftests.c
+++ gnutls-3.7.7/lib/crypto-selftests.c
@@ -2735,6 +2735,16 @@ int gnutls_cipher_self_test(unsigned fla
NON_FIPS_CASE(GNUTLS_CIPHER_CHACHA20_POLY1305, test_cipher_aead,
 chacha_poly1305_vectors);
FALLTHROUGH;
+   CASE(GNUTLS_CIPHER_AES_128_CFB8, test_cipher,
+aes128_cfb8_vectors);
+   FALLTHROUGH;
+   CASE(GNUTLS_CIPHER_AES_192_CFB8, test_cipher,
+aes192_cfb8_vectors);
+   FALLTHROUGH;
+   CASE(GNUTLS_CIPHER_AES_256_CFB8, test_cipher,
+  

commit gnutls for openSUSE:Factory

2022-08-04 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-08-04 13:22:41

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1521 (New)


Package is "gnutls"

Thu Aug  4 13:22:41 2022 rev:140 rq:991995 version:3.7.7

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-05-31 
15:47:12.039980985 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1521/gnutls.changes  2022-08-04 
13:22:47.260383625 +0200
@@ -1,0 +2,49 @@
+Fri Jul 29 14:29:17 UTC 2022 - Pedro Monreal 
+
+- Update to 3.7.7: [bsc#1202020, CVE-2022-2509]
+  * libgnutls: Fixed double free during verification of pkcs7
+signatures. CVE-2022-2509
+  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
+less than or equal to 255 times hash digest size, to comply with
+RFC 5869 2.3.
+  * libgnutls: Length limit for TLS PSK usernames has been increased
+from 128 to 65535 characters
+  * libgnutls: AES-GCM encryption function now limits plaintext
+length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
+  * libgnutls: New block cipher functions have been added to
+transparently handle padding. gnutls_cipher_encrypt3 and
+gnutls_cipher_decrypt3 can be used in combination of
+GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
+padding if the length of the original plaintext is not a multiple
+of the block size.
+  * libgnutls: New function for manual FIPS self-testing.
+  * API and ABI modifications:
+- gnutls_fips140_run_self_tests: New function
+- gnutls_cipher_encrypt3: New function
+- gnutls_cipher_decrypt3: New function
+- gnutls_cipher_padding_flags_t: New enum
+  * guile: Guile 1.8 is no longer supported
+  * guile: Session record port treats premature termination as EOF Previously,
+a 'gnutls-error' exception with the 'error/premature-termination' value
+would be thrown while reading from a session record port when the
+underlying session was terminated prematurely. This was inconvenient
+since users of the port may not be prepared to handle such an exception.
+Reading from the session record port now returns the end-of-file object
+instead of throwing an exception, just like it would for a proper
+session termination.
+  * guile: Session record ports can have a 'close' procedure. The
+'session-record-port' procedure now takes an optional second parameter,
+and a new 'set-session-record-port-close!' procedure is provided to
+specify a 'close' procedure for a session record port. This 'close'
+procedure lets users specify cleanup operations for when the port is
+closed, such as closing the file descriptor or port that backs the
+underlying session.
+  * Rebase patches:
+- gnutls-3.6.6-set_guile_site_dir.patch
+- gnutls-FIPS-TLS_KDF_selftest.patch
+- gnutls-FIPS-disable-failing-tests.patch
+  * Remove patch merged upstream:
+- gnutls-FIPS-PBKDF2-KAT-requirements.patch
+- https://gitlab.com/gnutls/gnutls/merge_requests/1561
+
+---
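Review bot: Under "Remove patch merged upstream" the merge request URL is listed as a second "-" item at the same level as gnutls-FIPS-PBKDF2-KAT-requirements.patch, so it reads as another removed patch; put it on the patch line as the reference for where it was merged. In the first guile item, "treats premature termination as EOF Previously," is missing the full stop between the summary and the explanation.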

Old:

  gnutls-3.7.6.tar.xz
  gnutls-3.7.6.tar.xz.sig
  gnutls-FIPS-PBKDF2-KAT-requirements.patch

New:

  gnutls-3.7.7.tar.xz
  gnutls-3.7.7.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.YHbOBq/_old  2022-08-04 13:22:48.152386155 +0200
+++ /var/tmp/diff_new_pack.YHbOBq/_new  2022-08-04 13:22:48.156386167 +0200
@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.6
+Version:3.7.7
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -50,8 +50,6 @@
 Patch1: gnutls-3.6.6-set_guile_site_dir.patch
 Patch2: gnutls-FIPS-TLS_KDF_selftest.patch
 Patch3: gnutls-FIPS-disable-failing-tests.patch
-#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT
-Patch4: gnutls-FIPS-PBKDF2-KAT-requirements.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -91,7 +89,7 @@
 %endif
 %endif
 %if %{with guile}
-BuildRequires:  guile-devel
+BuildRequires:  guile-devel > 1.8
 %endif
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 BuildRequires:  crypto-policies
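Review bot: "BuildRequires: guile-devel > 1.8" does not exclude the 1.8 series, because RPM compares 1.8.x point releases as newer than 1.8, so a 1.8.8 package still satisfies it. The changelog states that Guile 1.8 is no longer supported; if the intent is to exclude that whole series, the bound has to name the first supported release (for example ">= 2.0"). The same applies to "Requires: guile > 1.8" in the next hunk.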
@@ -194,7 +192,7 @@
 Summary:Guile wrappers for gnutls
 License:LGPL-2.1-or-later
 Group:  Development/Libraries/Other
-Requires:   guile
+Requires:   guile > 1.8
 
 %description guile
 GnuTLS Wrappers for GNU Guile, a dialect of Scheme.

++ gnutls-3.6.6-set_guile_site_dir.patch +

commit gnutls for openSUSE:Factory

2022-05-31 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-05-31 15:46:57

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1548 (New)


Package is "gnutls"

Tue May 31 15:46:57 2022 rev:139 rq:979801 version:3.7.6

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-05-26 
22:44:22.537767144 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1548/gnutls.changes  2022-05-31 
15:47:12.039980985 +0200
@@ -1,0 +2,39 @@
+Fri May 27 16:56:26 UTC 2022 - Antoine Belvire 
+
+- Update to version 3.7.6:
+  * libgnutls: Fixed invalid write when gnutls_realloc_zero() is
+called with new_size < old_size. This bug caused heap
+corruption when gnutls_realloc_zero() has been set as gmp
+reallocfunc.
+  * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed
+upstream.
+
+---
+Wed May 25 19:46:21 UTC 2022 - Antoine Belvire 
+
+- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory
+  corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367,
+  boo#1199929).
+
+---
+Sat May 21 17:50:57 UTC 2022 - Andreas Stieger 
+
+- update to 3.7.5:
+  * add options disable session ticket usage in TLS 1.2 because
+it does not provide forward secrecy
+  * For TLS 1.3 where session tickets do provide forward secrecy,
+the PFS priority string now only disables session tickets in
+TLS 1.2.
+  * Future backward incompatibility: in the next major release of
+ GnuTLS those flag and modifier are planned to be removed
+  * gnutls-cli, gnutls-serv: Channel binding for printing
+information has been changed from tls-unique to tls-exporter
+as tls-unique is not supported in TLS 1.3.
+  * Certificate sanity checks has been enhanced to make gnutls
+more RFC 5280 compliant:
+  * Removed 3DES from FIPS approved algorithms
+  * Optimized support for AES-SIV-CMAC algorithms
+  * libgnutls: HKDF and AES-GCM algorithms are now approved in
+FIPS-140 mode when used in TLS
+
+---
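Review bot: The 3.7.5 entry has been shortened to the point where several items no longer say what changed. "those flag and modifier are planned to be removed" refers to options that the entry never names, "add options disable session ticket usage" is missing a "to", and "Certificate sanity checks has been enhanced to make gnutls more RFC 5280 compliant:" ends in a colon but is followed by unrelated items (3DES, AES-SIV-CMAC) instead of the list it announces. Name the flag and the priority-string modifier and either list the certificate checks or end the sentence. The 3.7.6 entry fixes heap corruption in gnutls_realloc_zero() but carries no bug reference, while the May 25 entry for the same issue has boo#1199929; repeat it on the update line.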

Old:

  gnutls-3.7.4.tar.xz
  gnutls-3.7.4.tar.xz.sig

New:

  gnutls-3.7.6.tar.xz
  gnutls-3.7.6.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.2zDvXg/_old  2022-05-31 15:47:14.695982749 +0200
+++ /var/tmp/diff_new_pack.2zDvXg/_new  2022-05-31 15:47:14.699982751 +0200
@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.4
+Version:3.7.6
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -159,7 +159,6 @@
 Requires:   glibc-devel
 Requires:   gnutls = %{version}
 Requires:   libgnutls%{gnutls_sover} = %{version}
-Requires(pre):  %{install_info_prereq}
 Provides:   gnutls-devel = %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:   crypto-policies
@@ -186,7 +185,6 @@
 Requires:   libgnutls-devel = %{version}
 Requires:   libgnutlsxx%{gnutlsxx_sover} = %{version}
 Requires:   libstdc++-devel
-Requires(pre):  %{install_info_prereq}
 
 %description -n libgnutlsxx-devel
 Files needed for software development using gnutls.
@@ -241,7 +239,7 @@
 --with-fips140-module-name="GnuTLS version" \
 --with-fips140-module-version="%{version}-%{release}" \
 %{nil}
-make %{?_smp_mflags}
+%make_build
 
 %install
 %make_install
@@ -268,7 +266,7 @@
 
 %check
 %if ! 0%{?qemu_user_space_build}
-make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
 find -name test-suite.log -print -exec cat {} +
 exit 1
 }
@@ -290,12 +288,6 @@
 %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 
-%post -n libgnutls-devel
-%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
-
-%preun -n libgnutls-devel
-%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
-
 %files -f libgnutls.lang
 %license LICENSE
 %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
@@ -316,20 +308,25 @@
 %{_mandir}/man1/*
 
 %files -n libgnutls%{gnutls_sover}
+%license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
 
 %files -n libgnutls%{gnutls_sover}-hmac
+%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 
 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
+%license LICENSE
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 

commit gnutls for openSUSE:Factory

2022-05-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-05-26 22:44:21

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2254 (New)


Package is "gnutls"

Thu May 26 22:44:21 2022 rev:138 rq: version:3.7.4

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-05-23 
15:51:28.374630953 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2254/gnutls.changes  2022-05-26 
22:44:22.537767144 +0200
@@ -2,21 +1,0 @@
-Sat May 21 17:50:57 UTC 2022 - Andreas Stieger 
-
-- update to 3.7.5:
-  * add options disable session ticket usage in TLS 1.2 because
-it does not provide forward secrecy
-  * For TLS 1.3 where session tickets do provide forward secrecy,
-the PFS priority string now only disables session tickets in
-TLS 1.2.
-  * Future backward incompatibility: in the next major release of
- GnuTLS those flag and modifier are planned to be removed
-  * gnutls-cli, gnutls-serv: Channel binding for printing
-information has been changed from tls-unique to tls-exporter
-as tls-unique is not supported in TLS 1.3.
-  * Certificate sanity checks has been enhanced to make gnutls
-more RFC 5280 compliant:
-  * Removed 3DES from FIPS approved algorithms
-  * Optimized support for AES-SIV-CMAC algorithms
-  * libgnutls: HKDF and AES-GCM algorithms are now approved in
-FIPS-140 mode when used in TLS
-
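Review bot: This hunk deletes the 3.7.5 changelog entry and the rest of the commit moves the package back from 3.7.5 to 3.7.4, but nothing is added to gnutls.changes to say why, and the "rq:" field in the commit header is empty. A version downgrade of a TLS library should leave a dated entry stating the reason for the revert, so that anyone auditing which fixes were shipped on a given date can see that 3.7.5 was withdrawn.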


Old:

  gnutls-3.7.5.tar.xz
  gnutls-3.7.5.tar.xz.sig

New:

  gnutls-3.7.4.tar.xz
  gnutls-3.7.4.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.fVafmI/_old  2022-05-26 22:44:23.213767705 +0200
+++ /var/tmp/diff_new_pack.fVafmI/_new  2022-05-26 22:44:23.217767709 +0200
@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.5
+Version:3.7.4
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -159,6 +159,7 @@
 Requires:   glibc-devel
 Requires:   gnutls = %{version}
 Requires:   libgnutls%{gnutls_sover} = %{version}
+Requires(pre):  %{install_info_prereq}
 Provides:   gnutls-devel = %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:   crypto-policies
@@ -185,6 +186,7 @@
 Requires:   libgnutls-devel = %{version}
 Requires:   libgnutlsxx%{gnutlsxx_sover} = %{version}
 Requires:   libstdc++-devel
+Requires(pre):  %{install_info_prereq}
 
 %description -n libgnutlsxx-devel
 Files needed for software development using gnutls.
@@ -239,7 +241,7 @@
 --with-fips140-module-name="GnuTLS version" \
 --with-fips140-module-version="%{version}-%{release}" \
 %{nil}
-%make_build
+make %{?_smp_mflags}
 
 %install
 %make_install
@@ -266,7 +268,7 @@
 
 %check
 %if ! 0%{?qemu_user_space_build}
-%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
 find -name test-suite.log -print -exec cat {} +
 exit 1
 }
@@ -288,6 +290,12 @@
 %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 
+%post -n libgnutls-devel
+%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
+
+%preun -n libgnutls-devel
+%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
+
 %files -f libgnutls.lang
 %license LICENSE
 %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
@@ -308,25 +316,20 @@
 %{_mandir}/man1/*
 
 %files -n libgnutls%{gnutls_sover}
-%license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
 
 %files -n libgnutls%{gnutls_sover}-hmac
-%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 
 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
-%license LICENSE
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 %endif
 
 %files -n libgnutlsxx%{gnutlsxx_sover}
-%license LICENSE
 %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
 
 %files -n libgnutls-devel
-%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/abstract.h
 %{_includedir}/%{name}/crypto.h
@@ -353,7 +356,6 @@
 
 %if %{with dane}
 %files -n libgnutls-dane-devel
-%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/dane.h
 %{_libdir}/pkgconfig/gnutls-dane.pc
@@ -361,14 +363,12 @@
 %endif
 
 %files -n libgnutlsxx-devel
-%license LICENSE
 %{_libdir}/libgnutlsxx.so
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/gnutlsxx.h
 
 %if %{with guile}
 %files guile
-%license LICENSE
 %{_libdir}/guile/*
 %{_datadir}/g

commit gnutls for openSUSE:Factory

2022-05-23 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-05-23 15:51:27

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2254 (New)


Package is "gnutls"

Mon May 23 15:51:27 2022 rev:137 rq:978504 version:3.7.5

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-05-17 
17:24:15.115161112 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2254/gnutls.changes  2022-05-23 
15:51:28.374630953 +0200
@@ -1,0 +2,21 @@
+Sat May 21 17:50:57 UTC 2022 - Andreas Stieger 
+
+- update to 3.7.5:
+  * add options disable session ticket usage in TLS 1.2 because
+it does not provide forward secrecy
+  * For TLS 1.3 where session tickets do provide forward secrecy,
+the PFS priority string now only disables session tickets in
+TLS 1.2.
+  * Future backward incompatibility: in the next major release of
+ GnuTLS those flag and modifier are planned to be removed
+  * gnutls-cli, gnutls-serv: Channel binding for printing
+information has been changed from tls-unique to tls-exporter
+as tls-unique is not supported in TLS 1.3.
+  * Certificate sanity checks has been enhanced to make gnutls
+more RFC 5280 compliant:
+  * Removed 3DES from FIPS approved algorithms
+  * Optimized support for AES-SIV-CMAC algorithms
+  * libgnutls: HKDF and AES-GCM algorithms are now approved in
+FIPS-140 mode when used in TLS
+
+---

Old:

  gnutls-3.7.4.tar.xz
  gnutls-3.7.4.tar.xz.sig

New:

  gnutls-3.7.5.tar.xz
  gnutls-3.7.5.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.Ub4xVP/_old  2022-05-23 15:51:29.646632152 +0200
+++ /var/tmp/diff_new_pack.Ub4xVP/_new  2022-05-23 15:51:29.650632156 +0200
@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.4
+Version:3.7.5
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -159,7 +159,6 @@
 Requires:   glibc-devel
 Requires:   gnutls = %{version}
 Requires:   libgnutls%{gnutls_sover} = %{version}
-Requires(pre):  %{install_info_prereq}
 Provides:   gnutls-devel = %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:   crypto-policies
@@ -186,7 +185,6 @@
 Requires:   libgnutls-devel = %{version}
 Requires:   libgnutlsxx%{gnutlsxx_sover} = %{version}
 Requires:   libstdc++-devel
-Requires(pre):  %{install_info_prereq}
 
 %description -n libgnutlsxx-devel
 Files needed for software development using gnutls.
@@ -241,7 +239,7 @@
 --with-fips140-module-name="GnuTLS version" \
 --with-fips140-module-version="%{version}-%{release}" \
 %{nil}
-make %{?_smp_mflags}
+%make_build
 
 %install
 %make_install
@@ -268,7 +266,7 @@
 
 %check
 %if ! 0%{?qemu_user_space_build}
-make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
 find -name test-suite.log -print -exec cat {} +
 exit 1
 }
@@ -290,12 +288,6 @@
 %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 
-%post -n libgnutls-devel
-%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
-
-%preun -n libgnutls-devel
-%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
-
 %files -f libgnutls.lang
 %license LICENSE
 %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
@@ -316,20 +308,25 @@
 %{_mandir}/man1/*
 
 %files -n libgnutls%{gnutls_sover}
+%license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
 
 %files -n libgnutls%{gnutls_sover}-hmac
+%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 
 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
+%license LICENSE
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 %endif
 
 %files -n libgnutlsxx%{gnutlsxx_sover}
+%license LICENSE
 %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
 
 %files -n libgnutls-devel
+%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/abstract.h
 %{_includedir}/%{name}/crypto.h
@@ -356,6 +353,7 @@
 
 %if %{with dane}
 %files -n libgnutls-dane-devel
+%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/dane.h
 %{_libdir}/pkgconfig/gnutls-dane.pc
@@ -363,12 +361,14 @@
 %endif
 
 %files -n libgnutlsxx-devel
+%license LICENSE
 %{_libdir}/libgnutlsxx.so
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/gnutlsxx.h
 
 %if %{with guile}
 %files guile
+%license LICENSE
 %{_libdir}/guile/*
 %{_data

commit gnutls for openSUSE:Factory

2022-05-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-05-17 17:24:01

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1538 (New)


Package is "gnutls"

Tue May 17 17:24:01 2022 rev:136 rq:977461 version:3.7.4

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-03-28 
16:59:04.284847943 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1538/gnutls.changes  2022-05-17 
17:24:15.115161112 +0200
@@ -1,0 +2,6 @@
+Wed May 11 09:19:52 UTC 2022 - Marcus Meissner 
+
+- disable kcapi usage for now, as kernel-obs-build not adjusted
+  to contain the algorithms. bsc#1189283
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.nihrvH/_old  2022-05-17 17:24:15.899161822 +0200
+++ /var/tmp/diff_new_pack.nihrvH/_new  2022-05-17 17:24:15.907161829 +0200
@@ -27,7 +27,9 @@
 %endif
 # Enable Linux kernel AF_ALG based acceleration
 %if 0%{?suse_version} >= 1550
-%bcond_without kcapi
+# disable for now, as our OBS builds do not work with it. Marcus 20220511
+#bcond_without kcapi
+%bcond_with kcapi
 %else
 %bcond_with kcapi
 %endif
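Review bot: After this change both branches of the "%if 0%{?suse_version} >= 1550" block expand to "%bcond_with kcapi", so the conditional no longer selects anything. Either drop the %if/%else until kcapi is re-enabled, or keep it and state in the comment that the structure is retained on purpose. The comment gives only a name and a date; add bsc#1189283 from the changelog entry so the reason is traceable from the spec.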
@@ -103,9 +105,9 @@
 
 %package -n libgnutls%{gnutls_sover}
 Summary:The GNU Transport Layer Security Library
+# install libgnutls and libgnutls-hmac close together (bsc#1090765)
 License:LGPL-2.1-or-later
 Group:  System/Libraries
-# install libgnutls and libgnutls-hmac close together (bsc#1090765)
 Suggests:   libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:   crypto-policies
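Review bot: The comment "# install libgnutls and libgnutls-hmac close together (bsc#1090765)" explains the Suggests: line, and this hunk moves it up above License:, two tags away from what it documents. The changelog for this commit mentions only the kcapi change, so the move looks unintended; keep the comment directly above "Suggests: libgnutls%{gnutls_sover}-hmac".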


commit gnutls for openSUSE:Factory

2022-03-28 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-03-28 16:58:39

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1900 (New)


Package is "gnutls"

Mon Mar 28 16:58:39 2022 rev:135 rq:964662 version:3.7.4

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-03-11 
21:41:00.798058958 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1900/gnutls.changes  2022-03-28 
16:59:04.284847943 +0200
@@ -1,0 +2,33 @@
+Fri Mar 18 18:31:06 UTC 2022 - Pedro Monreal 
+
+- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
+  * The IG 10.3.A and SP800-132 require some minimum parameters for
+the salt length, password length and iteration count. These
+parameters should be also used in the KAT.
+  * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch
+- Enable to run the regression tests also in FIPS mode.
+
+---
+Fri Mar 18 08:59:49 UTC 2022 - Pedro Monreal 
+
+- Update to 3.7.4:
+  * libgnutls: Added support for certificate compression as defined
+in RFC8879.
+  * certtool: Added option --compress-cert that allows user to
+specify compression  methods for certificate compression.
+  * libgnutls: GnuTLS can now be compiled with --enable-strict-x509
+configure option to enforce stricter certificate sanity checks
+that are compliant with RFC5280.
+  * libgnutls: Removed IA5String type from DirectoryString within
+issuer and subject name to make DirectoryString RFC5280 compliant.
+  * libgnutls: Added function to retrieve the name of current
+ciphersuite from session.
+  * Bump libgnutlsxx soname due to ABI break
+  * API and ABI modifications:
+- GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
+- GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
+- gnutls_compress_certificate_get_selected_method: Added
+- gnutls_compress_certificate_set_methods: Added
+  * Update gnutls.keyring
+
+---
@@ -94,0 +128 @@
+  * Add gnutls-FIPS-disable-failing-tests.patch
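Review bot: "Add gnutls-FIPS-disable-failing-tests.patch" is inserted into an older changelog entry (old line 94) with no bug reference and no statement of which tests are disabled or why they fail. The same commit enables the regression suite under GNUTLS_FORCE_FIPS_MODE=1, so the set of tests skipped by this patch defines what the FIPS run actually covers; list them, or at least link the tracking bug, in a dated entry of its own.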

Old:

  gnutls-3.7.3.tar.xz
  gnutls-3.7.3.tar.xz.sig

New:

  gnutls-3.7.4.tar.xz
  gnutls-3.7.4.tar.xz.sig
  gnutls-FIPS-PBKDF2-KAT-requirements.patch
  gnutls-FIPS-disable-failing-tests.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.iGITYX/_old  2022-03-28 16:59:06.372850780 +0200
+++ /var/tmp/diff_new_pack.iGITYX/_new  2022-03-28 16:59:06.376850785 +0200
@@ -17,7 +17,7 @@
 
 
 %define gnutls_sover 30
-%define gnutlsxx_sover 28
+%define gnutlsxx_sover 30
 %define gnutls_dane_sover 0
 # unbound isn't in SLE (bsc#1086428)
 %if 0%{?is_opensuse}
@@ -34,7 +34,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.3
+Version:3.7.4
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -47,6 +47,9 @@
 Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1: gnutls-3.6.6-set_guile_site_dir.patch
 Patch2: gnutls-FIPS-TLS_KDF_selftest.patch
+Patch3: gnutls-FIPS-disable-failing-tests.patch
+#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT
+Patch4: gnutls-FIPS-PBKDF2-KAT-requirements.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -250,8 +253,6 @@
 # install docs
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
 cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
-mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference
-cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
 cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
 
@@ -265,11 +266,15 @@
 
 %check
 %if ! 0%{?qemu_user_space_build}
-# export GNUTLS_FORCE_FIPS_MODE=1
 make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
 find -name test-suite.log -print -exec cat {} +
 exit 1
 }
+#Run the regression tests also in FIPS mode
+GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} 
GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+find -name test-suite.log -print -exec cat {} +
+exit 1
+}
 %endif
 
 %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig

++ gnutls-3.7.3.tar.xz -> gnutls-3.7.4.tar.xz ++
 168918 lines of diff (skipped)

++ gnutls-FIPS-PBKDF2-KAT-requirements.patch ++
Index: gnutls-3.7.3/lib/crypto-selftests.c
===
--- gnutls-3.7.

commit gnutls for openSUSE:Factory

2022-03-11 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-03-11 21:40:58

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.25692 (New)


Package is "gnutls"

Fri Mar 11 21:40:58 2022 rev:134 rq:960464 version:3.7.3

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2022-01-21 
01:25:23.294600323 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.25692/gnutls.changes 2022-03-11 
21:41:00.798058958 +0100
@@ -1,0 +2,7 @@
+Sun Feb 27 07:52:30 UTC 2022 - Dirk M??ller 
+
+- build with lto
+- build with -Wl,-z,now -Wl,-z,relro
+- build without -fanalyzer, which cuts build time in ~ half 
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.omtUoc/_old  2022-03-11 21:41:01.358059389 +0100
+++ /var/tmp/diff_new_pack.omtUoc/_new  2022-03-11 21:41:01.362059391 +0100
@@ -151,14 +151,14 @@
 Summary:Development package for the GnuTLS C API
 License:LGPL-2.1-or-later
 Group:  Development/Libraries/C and C++
-%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
-Requires:   crypto-policies
-%endif
 Requires:   glibc-devel
 Requires:   gnutls = %{version}
 Requires:   libgnutls%{gnutls_sover} = %{version}
 Requires(pre):  %{install_info_prereq}
 Provides:   gnutls-devel = %{version}-%{release}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:   crypto-policies
+%endif
 
 %description -n libgnutls-devel
 Files needed for software development using gnutls.
@@ -203,8 +203,7 @@
 echo "SYSTEM=NORMAL" >> tests/system.prio
 
 %build
-%define _lto_cflags %{nil}
-export LDFLAGS="-pie"
+export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
 export CFLAGS="%{optflags} -fPIE"
 export CXXFLAGS="%{optflags} -fPIE"
 #autoreconf -fiv
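Review bot: removing `%define _lto_cflags %{nil}` at the top of %build turns LTO on for the whole library, yet nothing in the spec records why it had been disabled, so a later packager cannot tell whether that reason still applies; add a one-line comment or a bug reference. The new `export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"` still assigns LDFLAGS outright, so linker flags coming from the build environment are dropped; appending to the existing value would be safer. After the build, `readelf -l` on the shared object should show a GNU_RELRO segment and `readelf -d` should show BIND_NOW.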
@@ -213,6 +212,7 @@
 gl_cv_func_printf_infinite_long_double=yes \
 --disable-static \
 --disable-rpath \
+--disable-gcc-warnings \
 --disable-silent-rules \
 %{?with_kcapi:--enable-afalg} \
 
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
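Review bot: `--disable-gcc-warnings` goes into the configure call without a comment, while the changelog entry for this revision states the goal as building without -fanalyzer. The switch is named for gcc warnings in general, so a spec comment should say that this is the mechanism chosen and that the build log presumably loses the other extra warnings along with the analyzer.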
@@ -236,7 +236,6 @@
 --with-fips140-module-name="GnuTLS version" \
 --with-fips140-module-version="%{version}-%{release}" \
 %{nil}
-
 make %{?_smp_mflags}
 
 %install
@@ -267,7 +266,7 @@
 %check
 %if ! 0%{?qemu_user_space_build}
 # export GNUTLS_FORCE_FIPS_MODE=1
-make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
 find -name test-suite.log -print -exec cat {} +
 exit 1
 }


commit gnutls for openSUSE:Factory

2022-01-20 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2022-01-21 01:25:08

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1938 (New)


Package is "gnutls"

Fri Jan 21 01:25:08 2022 rev:133 rq:947394 version:3.7.3

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2021-12-02 
02:13:43.894941314 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1938/gnutls.changes  2022-01-21 
01:25:23.294600323 +0100
@@ -1,0 +2,122 @@
+Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal 
+
+- Update to 3.7.3: [bsc#1190698, bsc#1190796]
+  * libgnutls: The allowlisting configuration mode has been added
+to the system-wide settings. In this mode, all the algorithms
+are initially marked as insecure or disabled, while the
+applications can re-enable them either through the [overrides]
+section of the configuration file or the new API (#1172).
+  * The build infrastructure no longer depends on GNU AutoGen for
+generating command-line option handling, template file parsing
+in certtool, and documentation generation (#773, #774). This
+change also removes run-time or bundled dependency on the
+libopts library, and requires Python 3.6 or later to regenerate
+the distribution tarball. Note that this brings in known backward
+incompatibility in command-line tools, such as long options are
+now case sensitive, while previously they were treated in a case
+insensitive manner: for example --RSA is no longer a valid option
+of certtool. The existing scripts using GnuTLS tools may need
+adjustment for this change.
+  * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
+and used as a gnutls_privkey_t (#594). The code was originally written
+for the OpenConnect VPN project by David Woodhouse. To generate such
+blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
+https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
+or the tpm2_encodeobject tool from unreleased tpm2-tools.
+  * libgnutls: The library now transparently enables Linux KTLS (kernel
+TLS) when the feature is compiled in with --enable-ktls configuration
+option (#1113). If the KTLS initialization fails it automatically falls
+back to the user space implementation.
+  * certtool: The certtool command can now read the Certificate Transparency
+(RFC 6962) SCT extension (#232).  New API functions are also provided to
+access and manipulate the extension values.
+  * certtool: The certtool command can now generate, manipulate, and evaluate
+x25519 and x448 public keys, private keys, and certificates.
+  * libgnutls: Disabling a hashing algorithm through "insecure-hash"
+configuration directive now also disables TLS ciphersuites that use it
+as a PRF algorithm.
+  * libgnutls: PKCS#12 files are now created with modern algorithms by default
+(!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
+HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
+PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
+default PBKDF2 iteration count has been increased to 60.
+  * libgnutls: PKCS#12 keys derived using GOST algorithm now uses
+HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity,
+to conform with the latest TC-26 requirements (#1225).
+  * libgnutls: The library now provides a means to report the status
+of approved cryptographic operations (!1465). To adhere to the
+FIPS140-3 IG 2.4.C., this complements the existing mechanism to
+prohibit the use of unapproved algorithms by making the library
+unusable state.
+  * gnutls-cli: The gnutls-cli command now provides a --list-config
+option to print the library configuration (!1508).
+  * libgnutls: Fixed possible race condition in
+gnutls_x509_trust_list_verify_crt2 when a single trust list object
+is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17,
+CVSS: low]
+  * API and ABI modifications:
+GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in
+  gnutls_privkey_flags_t
+GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in
+  gnutls_certificate_verify_flags
+gnutls_ecc_curve_set_enabled: Added.
+gnutls_sign_set_secure: Added.
+gnutls_sign_set_secure_for_certs: Added.
+gnutls_digest_set_secure: Added.
+gnutls_protocol_set_enabled: Added.
+gnutls_fips140_context_init: New function
+gnutls_fips140_context_deinit: New function
+gnutls_fips140_push_context: New function
+gnutls_fips140_pop_context: New function
+gnutls_fips140_get_operation_state: New function
+gnutls_fips140_operation_state_t: N
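Review bot: the PKCS#12 entry gives the new default PBKDF2 iteration count as "increased to 60", which is implausibly small for a raised default and reads like a truncated figure; check it against the upstream NEWS text before this lands. In the same hunk, "integity" should be "integrity" and "by making the library unusable state" is missing words. The one fix that carries an advisory id, the gnutls_x509_trust_list_verify_crt2 race [GNUTLS-SA-2022-01-17], sits near the bottom of the list and has no bsc reference of its own; moving it up and tying it to a tracker id makes the entry easier to find during patch triage.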

commit gnutls for openSUSE:Factory

2021-12-01 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2021-12-01 20:46:35

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.31177 (New)


Package is "gnutls"

Wed Dec  1 20:46:35 2021 rev:132 rq:934095 version:3.7.2

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2021-06-05 
23:31:26.640428775 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.31177/gnutls.changes 2021-12-02 
02:13:43.894941314 +0100
@@ -1,0 +2,8 @@
+Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger 
+
+- Drop bogus condition "> 1550": that would mean 'more recent than
+  Tumbleweed' which is technically impossible, as Tumbleweed is the
+  leading project (and the condition causes issues as Tumbleweed
+  needs to move away from 1550 due to CODE 15 SP5 plans).
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.OOf45j/_old  2021-12-02 02:13:44.418939716 +0100
+++ /var/tmp/diff_new_pack.OOf45j/_new  2021-12-02 02:13:44.422939704 +0100
@@ -352,19 +352,8 @@
 
 %if %{with guile}
 %files guile
-%if 0%{?suse_version} > 1550
-%{_libdir}/guile/3.0/guile-gnutls*.so*
-%{_libdir}/guile/3.0/site-ccache
-%{_libdir}/guile/3.0/site-ccache/gnutls
-%{_libdir}/guile/3.0/site-ccache/gnutls.go
-%{_libdir}/guile/3.0/site-ccache/gnutls/extra.go
-%{_datadir}/guile/gnutls
-%{_datadir}/guile/gnutls.scm
-%{_datadir}/guile/gnutls/extra.scm
-%else
 %{_libdir}/guile/*
 %{_datadir}/guile/gnutls*
 %endif
-%endif
 
 %changelog
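Review bot: with the explicit branch gone, the guile subpackage is left with `%{_libdir}/guile/*` and `%{_datadir}/guile/gnutls*`, and the first glob claims everything under the guile library directory rather than only the gnutls files. The deleted list named the guile-gnutls objects and the site-ccache entries individually; keeping that precision (with the guile version taken from a macro instead of a hard-coded 3.0) avoids owning directories or files that belong to other packages.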


commit gnutls for openSUSE:Factory

2021-06-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2021-06-05 23:30:59

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.1898 (New)


Package is "gnutls"

Sat Jun  5 23:30:59 2021 rev:131 rq:896687 version:3.7.2

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2021-05-18 
18:26:55.386837413 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1898/gnutls.changes  2021-06-05 
23:31:26.640428775 +0200
@@ -1,0 +2,22 @@
+Tue Jun  1 01:00:34 UTC 2021 - Ferdinand Thiessen 
+
+- Update to version 3.7.2
+  * Added Linux kernel AF_ALG based acceleration
+  * Fixed timing of early data exchange
+  * The priority string option DISABLE_TLS13_COMPAT_MODE was added
+to disable TLS 1.3 middlebox compatibility mode
+  * The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
+GNUTLS_NO_IMPLICIT_INIT to reflect the purpose 
+  * certtool:
+* When signing a CSR, CRL distribution point (CDP) is no
+  longer copied from the signing CA by default
+* When producing certificates and certificate requests, subject
+  DN components that are provided individually will now be
+  ordered by assumed scale
+
+---
+Wed May 26 11:51:56 UTC 2021 - Pedro Monreal 
+
+- Rework the crypto-policies dependencies in libraries [bsc#1186385]
+
+---

Old:

  gnutls-3.7.1.tar.xz
  gnutls-3.7.1.tar.xz.sig

New:

  gnutls-3.7.2.tar.xz
  gnutls-3.7.2.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.kQ4dFn/_old  2021-06-05 23:31:27.34442 +0200
+++ /var/tmp/diff_new_pack.kQ4dFn/_new  2021-06-05 23:31:27.348430006 +0200
@@ -25,10 +25,16 @@
 %else
 %bcond_with dane
 %endif
+# Enable Linux kernel AF_ALG based acceleration
+%if 0%{?suse_version} >= 1550
+%bcond_without kcapi
+%else
+%bcond_with kcapi
+%endif
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.1
+Version:3.7.2
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -61,6 +67,9 @@
 BuildRequires:  xz
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(autoopts)
+%if %{with kcapi}
+BuildRequires:  pkgconfig(libkcapi)
+%endif
 %if 0%{?suse_version} <= 1320
 BuildRequires:  net-tools
 %else
@@ -94,6 +103,9 @@
 # install libopenssl and libopenssl-hmac close together (bsc#1090765)
 License:LGPL-2.1-or-later
 Group:  System/Libraries
+%if 0%{?suse_version} && ! 0%{?sle_version}
+Requires:   crypto-policies
+%endif
 Suggests:   libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
 
 %description -n libgnutls%{gnutls_sover}
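Review bot: the guard `%if 0%{?suse_version} && ! 0%{?sle_version}` skips `Requires: crypto-policies` on every build where sle_version is defined, but the configure arguments shown further down in this diff set `--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config` and `--with-default-priority-string="@SYSTEM"` unconditionally. On those builds the library is configured to read a policy file that no dependency guarantees is installed; either make the configure arguments conditional in the same way or state in a comment what supplies the file there.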
@@ -124,6 +136,9 @@
 Summary:C++ API for the GNU Transport Layer Security Library
 License:LGPL-2.1-or-later
 Group:  System/Libraries
+%if 0%{?suse_version} && ! 0%{?sle_version}
+Requires:   crypto-policies
+%endif
 
 %description -n libgnutlsxx%{gnutlsxx_sover}
 The GnuTLS library provides a secure layer over a reliable transport
@@ -134,8 +149,11 @@
 Summary:Development package for the GnuTLS C API
 License:LGPL-2.1-or-later
 Group:  Development/Libraries/C and C++
+%if 0%{?suse_version} && ! 0%{?sle_version}
+Requires:   crypto-policies
+%endif
 Requires:   glibc-devel
-Requires:   gnutls = %{version}-%{release}
+Requires:   gnutls = %{version}
 Requires:   libgnutls%{gnutls_sover} = %{version}
 Requires(pre):  %{install_info_prereq}
 Provides:   gnutls-devel = %{version}-%{release}
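Review bot: `Requires: gnutls = %{version}-%{release}` is relaxed to `Requires: gnutls = %{version}` in the devel subpackage, and the changelog for this revision does not say why. Without the release the devel package can be installed alongside a different rebuild of the main package; if that is intended, note the reason in gnutls.changes. This is also the third copy of the same three-line crypto-policies conditional in this diff, so a single macro defined near the top of the spec would keep the copies from drifting apart.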
@@ -192,6 +210,7 @@
 --disable-static \
 --disable-rpath \
 --disable-silent-rules \
+%{?with_kcapi:--enable-afalg} \
 
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
 
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config
 \
 --with-default-priority-string="@SYSTEM" \

++ gnutls-3.7.1.tar.xz -> gnutls-3.7.2.tar.xz ++
 126697 lines of diff (skipped)


commit gnutls for openSUSE:Factory

2021-05-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2021-05-18 18:26:41

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2988 (New)


Package is "gnutls"

Tue May 18 18:26:41 2021 rev:130 rq:893142 version:3.7.1

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2021-03-16 
15:44:01.441000658 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2988/gnutls.changes  2021-05-18 
18:26:55.386837413 +0200
@@ -1,0 +2,13 @@
+Thu May 13 16:34:28 UTC 2021 - Pedro Monreal 
+
+- Compute the FIPS hmac file without re-defining the
+  __os_install_post macro, use the brp-50-generate-fips-hmac
+  script instead. [bsc#1184555]
+
+---
+Thu Mar 18 13:13:07 UTC 2021 - Pedro Monreal 
+
+- Require the main package in devel and lib packages as the default
+  priorities are now set via crypto-policies. [bsc#1183082]
+
+---



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.14tS89/_old  2021-05-18 18:26:56.034834604 +0200
+++ /var/tmp/diff_new_pack.14tS89/_new  2021-05-18 18:26:56.038834587 +0200
@@ -31,7 +31,7 @@
 Version:3.7.1
 Release:0
 Summary:The GNU Transport Layer Security Library
-License:LGPL-2.1-or-later AND GPL-3.0-or-later
+License:GPL-3.0-or-later AND LGPL-2.1-or-later
 Group:  Productivity/Networking/Security
 URL:https://www.gnutls.org/
 Source0:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
@@ -135,6 +135,7 @@
 License:LGPL-2.1-or-later
 Group:  Development/Libraries/C and C++
 Requires:   glibc-devel
+Requires:   gnutls = %{version}-%{release}
 Requires:   libgnutls%{gnutls_sover} = %{version}
 Requires(pre):  %{install_info_prereq}
 Provides:   gnutls-devel = %{version}-%{release}
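Review bot: the changelog entry says the main package is now required "in devel and lib packages", but the only `Requires: gnutls = %{version}-%{release}` added in this diff is this one, in the devel subpackage. Either add the requirement to the library subpackages as well or correct the changelog wording so the two agree.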
@@ -208,27 +209,15 @@
 
 make %{?_smp_mflags}
 
-# the hmac hashes:
-#
-# this is a hack that re-defines the __os_install_post macro
-# for a simple reason: the macro strips the binaries and thereby
-# invalidates a HMAC that may have been created earlier.
-# solution: create the hashes _after_ the macro runs.
-#
-# this shows up earlier because otherwise the %%expand of
-# the macro is too late.
-# remark: This is the same as running
-#   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
-%{expand:%%global __os_install_post {%__os_install_post
-%{_bindir}/fipshmac %{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
-}}
-
 %install
 %make_install
 rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
 # Do not package static libs and libtool files
 find %{buildroot} -type f -name "*.la" -delete -print
 
+# Compute FIPS hmac using the brp-50-generate-fips-hmac script
+export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
+
 # install docs
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
 cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
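Review bot: the new comment above `export BRP_FIPSHMAC_FILES=...` says which script is used but drops the reasoning the removed block carried, namely that stripping the binaries invalidates an HMAC created earlier and the hash therefore has to be computed afterwards. Keep one sentence of that rationale, and say that the brp script picks the variable up from the %install environment, since the export sits in the middle of %install with nothing visibly consuming it. Quoting the assigned path would also be more robust.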
@@ -264,6 +253,7 @@
 
 %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
+
 %post -n libgnutls-devel
 %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
 


commit gnutls for openSUSE:Factory

2021-03-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2021-03-16 15:42:53

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2401 (New)


Package is "gnutls"

Tue Mar 16 15:42:53 2021 rev:129 rq:879119 version:3.7.1

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2021-03-03 
18:33:47.843330743 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2401/gnutls.changes  2021-03-16 
15:44:01.441000658 +0100
@@ -1,0 +2,20 @@
+Fri Mar 12 18:45:38 UTC 2021 - Pedro Monreal 
+
+- Update to 3.7.1:
+[bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
+  * Fixed potential use-after-free in sending "key_share" and
+"pre_shared_key" extensions.
+  * Fixed a regression in handling duplicated certs in a chain.
+  * Fixed sending of session ID in TLS 1.3 middlebox compatibility
+mode. In that mode the client shall always send a non-zero
+session ID to make the handshake resemble the TLS 1.2
+resumption; this was not true in the previous versions.
+  * Removed dependency on the external 'fipscheck' package,
+when compiled with --enable-fips140-mode.
+  * Added padlock acceleration for AES-192-CBC.
+- Remove patches upstream:
+  * gnutls-gnutls-cli-debug.patch
+  * gnutls-ignore-duplicate-certificates.patch
+  * gnutls-test-fixes.patch
+
+---
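Review bot: the two identifiers on the line `[bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]` are placed above the bullet list, so the entry does not say which bullet fixes which CVE. Attach each pair to the bullet it belongs to (the use-after-free item names two extensions, "key_share" and "pre_shared_key") so that anyone auditing a backport can match a CVE to a specific change.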

Old:

  gnutls-3.7.0.tar.xz
  gnutls-3.7.0.tar.xz.sig
  gnutls-gnutls-cli-debug.patch
  gnutls-ignore-duplicate-certificates.patch
  gnutls-test-fixes.patch

New:

  gnutls-3.7.1.tar.xz
  gnutls-3.7.1.tar.xz.sig



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.xKtZPq/_old  2021-03-16 15:44:02.193001861 +0100
+++ /var/tmp/diff_new_pack.xKtZPq/_new  2021-03-16 15:44:02.197001868 +0100
@@ -28,7 +28,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.7.0
+Version:3.7.1
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -42,12 +42,6 @@
 Patch1: gnutls-3.6.6-set_guile_site_dir.patch
 Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch
 Patch3: gnutls-FIPS-TLS_KDF_selftest.patch
-#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1131
-Patch4: gnutls-ignore-duplicate-certificates.patch
-#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1135
-Patch5: gnutls-test-fixes.patch
-#PATCH-FIX-UPSTREAM bsc#1171565 gitlab.com/gnutls/gnutls/merge_requests/1387
-Patch6: gnutls-gnutls-cli-debug.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
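Review bot: Patch4, Patch5 and Patch6 are removed from the preamble here, but no hunk in this diff touches %prep. If the spec applies patches by number, the matching %patch lines must be dropped in the same change or the build fails on missing patches; if it uses an automatic patch macro, nothing more is needed. Please confirm which applies.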

++ gnutls-3.7.0.tar.xz -> gnutls-3.7.1.tar.xz ++
 70367 lines of diff (skipped)


commit gnutls for openSUSE:Factory

2021-03-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2021-03-03 18:33:22

Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and  /work/SRC/openSUSE:Factory/.gnutls.new.2378 (New)


Package is "gnutls"

Wed Mar  3 18:33:22 2021 rev:128 rq:873444 version:3.7.0

Changes:

--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes2020-10-15 
13:45:00.629167283 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.2378/gnutls.changes  2021-03-03 
18:33:47.843330743 +0100
@@ -1,0 +2,67 @@
+Wed Feb 10 12:08:05 UTC 2021 - Pedro Monreal 
+
+- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
+  * Don't unset system priority settings in gnutls-cli-debug.sh
+  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
+- Add gnutls-gnutls-cli-debug.patch
+
+---
+Wed Feb 10 11:17:51 UTC 2021 - Pedro Monreal 
+
+- Fix: Test certificates in tests/testpkcs11-certs have expired
+  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
+- Add gnutls-test-fixes.patch
+
+---
+Mon Feb  8 18:05:56 UTC 2021 - Pedro Monreal 
+
+- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
+  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
+- Add gnutls-ignore-duplicate-certificates.patch
+
+---
+Wed Jan 27 23:33:15 UTC 2021 - Pedro Monreal 
+
+- Update to 3.7.0
+  * Depend on nettle 3.6
+  * Added a new API that provides a callback function to retrieve
+missing certificates from incomplete certificate chains
+  * Added a new API that provides a callback function to output the
+complete path to the trusted root during certificate chain
+   verification
+  * OIDs exposed as gnutls_datum_t no longer account for the
+terminating null bytes, while the data field is null terminated.
+The affected API functions are: gnutls_ocsp_req_get_extension,
+gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
+  * Added a new set of API to enable QUIC implementation
+  * The crypto implementation override APIs deprecated in 3.6.9 are
+now no-op
+  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
+  * Support for padlock has been fixed to make it work with Zhaoxin CPU
+  * The maximum PIN length for PKCS #11 has been increased from 31
+bytes to 255 bytes
+- Remove patch fixed upstream:
+  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
+- Add version guards for the crypto-policies package
+- Fix threading bug in libgnutls [bsc#1173434]
+  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
+
+---
+Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal 
+
+- Require the crypto-policies package [bsc#1180051]
+
+---
+Tue Nov 24 15:43:02 UTC 2020 - V??t??zslav ??ek 
+
+- Use the centralized crypto policy profile (jsc#SLE-15832)
+
+---
+Tue Nov 10 11:25:02 UTC 2020 - V??t??zslav ??ek 
+
+- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
+  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
+- FIPS: Add TLS KDF selftest (bsc#1176671)
+  * add gnutls-FIPS-TLS_KDF_selftest.patch
+
+---
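Review bot: the Jan 27 entry lists "Fix threading bug in libgnutls [bsc#1173434]" under the 3.7.0 update, but the New file list for this revision contains no patch for it, so the fix presumably comes with the upstream version; say so in the bullet, as was done for the other upstream references. Also, gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch is added in the Nov 10 entry and removed again in the Jan 27 entry of this same submission, so it never appears in the file lists; that is fine, but the bsc#1176086 reference then depends entirely on the claim that 3.7.0 carries the fix, which is worth confirming.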

Old:

  gnutls-3.6.15.tar.xz
  gnutls-3.6.15.tar.xz.sig

New:

  gnutls-3.7.0.tar.xz
  gnutls-3.7.0.tar.xz.sig
  gnutls-FIPS-TLS_KDF_selftest.patch
  gnutls-gnutls-cli-debug.patch
  gnutls-ignore-duplicate-certificates.patch
  gnutls-test-fixes.patch



Other differences:
--
++ gnutls.spec ++
--- /var/tmp/diff_new_pack.CwNtjf/_old  2021-03-03 18:33:48.511331227 +0100
+++ /var/tmp/diff_new_pack.CwNtjf/_new  2021-03-03 18:33:48.511331227 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,19 +28,26 @@
 %bcond_with tpm
 %bcond_without guile
 Name:   gnutls
-Version:3.6.15
+Version:3.7.0
 Release:0
 Summary:The GNU Transport Layer Security Library
 License:LGPL-2.1-or-later AND GPL-3.0-or-later
 Group:  Productivity/Networking/Security
 URL:https://www.gnutls.org/
-Source0:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
-Source1:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{ve