Update to 3.8.9 release

Resolves: RHEL-70818 Resolves: RHEL-77881 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2025-02-08 17:09:36 +09:00 · 2025-02-08 17:09:36 +09:00 · 22dcf8b347
commit 22dcf8b347
parent 8f088143d3
2 changed files with 23 additions and 28 deletions
--- a/gnutls-3.7.6-fips-sha1-sigver.patch
+++ b/gnutls-3.7.6-fips-sha1-sigver.patch
@ -1,20 +1,20 @@
-From cc7473a9ea185e072ab1bae0903c77bd7d7cf5bc Mon Sep 17 00:00:00 2001
+From 115c0edc929a3f09b0a252507112c0de70026b5e Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
-Date: Mon, 20 Nov 2023 07:45:42 +0900
+Date: Mon, 10 Feb 2025 11:43:51 +0900
 Subject: [PATCH] gnutls-3.7.6-fips-sha1-sigver.patch

 Signed-off-by: rpm-build <rpm-build>
 ---
- lib/nettle/pk.c   | 13 +++++--------
+ lib/nettle/pk.c   | 11 ++++-------
 lib/pubkey.c      |  3 ---
 tests/fips-test.c |  8 ++++----
- 3 files changed, 9 insertions(+), 15 deletions(-)
+ 3 files changed, 8 insertions(+), 14 deletions(-)

 diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index 4ddfcff..36a7c24 100644
+index 91eaffd..0b4788a 100644
 --- a/lib/nettle/pk.c
 +++ b/lib/nettle/pk.c
-@@ -1609,10 +1609,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+@@ -2784,10 +2784,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 		if (hash_len > vdata->size)
 			hash_len = vdata->size;
 
@ -25,18 +25,16 @@ index 4ddfcff..36a7c24 100644
 		case GNUTLS_MAC_SHA256:
 		case GNUTLS_MAC_SHA384:
 		case GNUTLS_MAC_SHA512:
-@@ -1683,8 +1680,8 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
- 			 * 2048-bit or one of the known lengths (1024, 1280,
- 			 * 1536, 1792; i.e., multiple of 256-bits).
- 			 *
+@@ -2857,7 +2854,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 		bits = mpz_sizeinbase(pub.n, 2);
+ 
+ 		/* In FIPS 140-3, RSA key size should be larger than 2048-bit.
 -			 * In addition to this, only SHA-1 and SHA-2 are allowed
-			 * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
-+			 * In addition to this, only SHA-2 is allowed for
-+			 * SigVer; it is checked in _pkcs1_rsa_verify_sig in
+			 * In addition to this, only SHA-2 is allowed
+ 			 * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
 			 * lib/pubkey.c.
 			 */
- 		if (unlikely(bits < 2048 && bits != 1024 && bits != 1280 &&
-@@ -1730,9 +1727,9 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+@@ -2903,9 +2900,9 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 		}
 
 		/* RSA modulus size should be 2048-bit or larger in FIPS
@ -50,10 +48,10 @@ index 4ddfcff..36a7c24 100644
 			 */
 		if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
 diff --git a/lib/pubkey.c b/lib/pubkey.c
-index 1139ad9..714806a 100644
+index 1e5ecf3..811e531 100644
 --- a/lib/pubkey.c
 +++ b/lib/pubkey.c
-@@ -2452,10 +2452,7 @@ static int _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk,
+@@ -2516,10 +2516,7 @@ static int _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk,
 	d.size = digest_size;
 
 	if (pk == GNUTLS_PK_RSA) {
@ -65,7 +63,7 @@ index 1139ad9..714806a 100644
 		case GNUTLS_MAC_SHA384:
 		case GNUTLS_MAC_SHA512:
 diff --git a/tests/fips-test.c b/tests/fips-test.c
-index 180da05..09120c1 100644
+index 3af4df7..c024427 100644
 --- a/tests/fips-test.c
 +++ b/tests/fips-test.c
@@ -596,7 +596,7 @@ void doit(void)
@ -86,7 +84,7 @@ index 180da05..09120c1 100644
 	gnutls_free(signature.data);
 	gnutls_pubkey_deinit(pubkey);
 	gnutls_privkey_deinit(privkey);
-@@ -708,7 +708,7 @@ void doit(void)
+@@ -707,7 +707,7 @@ void doit(void)
 	}
 	FIPS_POP_CONTEXT(NOT_APPROVED);
 
@ -95,7 +93,7 @@ index 180da05..09120c1 100644
 	FIPS_PUSH_CONTEXT();
 	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1,
 					 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1,
-@@ -716,7 +716,7 @@ void doit(void)
+@@ -715,7 +715,7 @@ void doit(void)
 	if (ret < 0) {
 		fail("gnutls_pubkey_verify_data2 failed\n");
 	}
@ -105,5 +103,5 @@ index 180da05..09120c1 100644
 
 	/* Create a signature with ECDSA and SHA-1 (old API); not approved */
 -- 
-2.41.0
+2.48.1

--- a/gnutls.spec
+++ b/gnutls.spec
@ -12,7 +12,7 @@ sha256sum:close()
 print(string.sub(hash, 0, 16))
 }

-Version: 3.8.8
+Version: 3.8.9
 Release: %{?autorelease}%{!?autorelease:1%{?dist}}
 # not upstreamed: can we drop this as configure is regenerated when bootstrapping?
 Patch: gnutls-3.2.7-rpath.patch
@ -22,8 +22,6 @@ Patch: gnutls-3.7.2-enable-intel-cet.patch
 Patch: gnutls-3.7.2-no-explicit-init.patch
 # not upstreamed: to avoid any inconsistency between algorithms enabled through API vs the ones enabled through config file, for long-term support purposes
 Patch: gnutls-3.7.3-disable-config-reload.patch
-# not upstreamed: should be removed once --disable-dsa is ported
-Patch: gnutls-3.7.3-fips-dsa-post.patch
 # not upstreamed, reseed source DRBG for prediction resistance
 Patch: gnutls-3.7.6-drbg-reseed.patch
 # not upstreamed, hard blocking SHA-1 signature verification, for long-term support purposes
@ -448,7 +446,6 @@ export CCASFLAGS=""
    --disable-rpath \
    --disable-nls \
    --disable-cxx \
-    --enable-local-libopts \
    --enable-shared \
    --without-tpm \
    --with-included-unistring \
@ -546,7 +543,7 @@ popd
 %{_libdir}/.libgnutls.so.30*.hmac
 %endif
 %doc README.md AUTHORS NEWS THANKS
-%license LICENSE doc/COPYING doc/COPYING.LESSER
+%license COPYING COPYING.LESSERv2

 %files c++
 %{_libdir}/libgnutlsxx.so.*
@ -590,7 +587,7 @@ popd

 %if %{with mingw}
 %files -n mingw32-%{name}
-%license LICENSE doc/COPYING doc/COPYING.LESSER
+%license COPYING COPYING.LESSERv2
 %{mingw32_bindir}/certtool.exe
 %{mingw32_bindir}/gnutls-cli-debug.exe
 %{mingw32_bindir}/gnutls-cli.exe
@ -608,7 +605,7 @@ popd
 %{mingw32_includedir}/gnutls/

 %files -n mingw64-%{name}
-%license LICENSE doc/COPYING doc/COPYING.LESSER
+%license COPYING COPYING.LESSERv2
 %{mingw64_bindir}/certtool.exe
 %{mingw64_bindir}/gnutls-cli-debug.exe
 %{mingw64_bindir}/gnutls-cli.exe