From 22dcf8b347c2251cb89d9ded52fc8464b80bbc35 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sat, 8 Feb 2025 17:09:36 +0900 Subject: [PATCH] Update to 3.8.9 release Resolves: RHEL-70818 Resolves: RHEL-77881 Signed-off-by: Daiki Ueno --- gnutls-3.7.6-fips-sha1-sigver.patch | 40 ++++++++++++++--------------- gnutls.spec | 11 +++----- 2 files changed, 23 insertions(+), 28 deletions(-) diff --git a/gnutls-3.7.6-fips-sha1-sigver.patch b/gnutls-3.7.6-fips-sha1-sigver.patch index e71b739..ceda350 100644 --- a/gnutls-3.7.6-fips-sha1-sigver.patch +++ b/gnutls-3.7.6-fips-sha1-sigver.patch @@ -1,20 +1,20 @@ -From cc7473a9ea185e072ab1bae0903c77bd7d7cf5bc Mon Sep 17 00:00:00 2001 +From 115c0edc929a3f09b0a252507112c0de70026b5e Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Mon, 20 Nov 2023 07:45:42 +0900 +Date: Mon, 10 Feb 2025 11:43:51 +0900 Subject: [PATCH] gnutls-3.7.6-fips-sha1-sigver.patch Signed-off-by: rpm-build --- - lib/nettle/pk.c | 13 +++++-------- + lib/nettle/pk.c | 11 ++++------- lib/pubkey.c | 3 --- tests/fips-test.c | 8 ++++---- - 3 files changed, 9 insertions(+), 15 deletions(-) + 3 files changed, 8 insertions(+), 14 deletions(-) diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 4ddfcff..36a7c24 100644 +index 91eaffd..0b4788a 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c -@@ -1609,10 +1609,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, +@@ -2784,10 +2784,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, if (hash_len > vdata->size) hash_len = vdata->size; @@ -25,18 +25,16 @@ index 4ddfcff..36a7c24 100644 case GNUTLS_MAC_SHA256: case GNUTLS_MAC_SHA384: case GNUTLS_MAC_SHA512: -@@ -1683,8 +1680,8 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - * 2048-bit or one of the known lengths (1024, 1280, - * 1536, 1792; i.e., multiple of 256-bits). - * +@@ -2857,7 +2854,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, + bits = mpz_sizeinbase(pub.n, 2); + + /* In FIPS 140-3, RSA key size should be larger than 2048-bit. - * In addition to this, only SHA-1 and SHA-2 are allowed -- * for SigVer; it is checked in _pkcs1_rsa_verify_sig in -+ * In addition to this, only SHA-2 is allowed for -+ * SigVer; it is checked in _pkcs1_rsa_verify_sig in ++ * In addition to this, only SHA-2 is allowed + * for SigVer; it is checked in _pkcs1_rsa_verify_sig in * lib/pubkey.c. */ - if (unlikely(bits < 2048 && bits != 1024 && bits != 1280 && -@@ -1730,9 +1727,9 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, +@@ -2903,9 +2900,9 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, } /* RSA modulus size should be 2048-bit or larger in FIPS @@ -50,10 +48,10 @@ index 4ddfcff..36a7c24 100644 */ if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) { diff --git a/lib/pubkey.c b/lib/pubkey.c -index 1139ad9..714806a 100644 +index 1e5ecf3..811e531 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c -@@ -2452,10 +2452,7 @@ static int _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk, +@@ -2516,10 +2516,7 @@ static int _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk, d.size = digest_size; if (pk == GNUTLS_PK_RSA) { @@ -65,7 +63,7 @@ index 1139ad9..714806a 100644 case GNUTLS_MAC_SHA384: case GNUTLS_MAC_SHA512: diff --git a/tests/fips-test.c b/tests/fips-test.c -index 180da05..09120c1 100644 +index 3af4df7..c024427 100644 --- a/tests/fips-test.c +++ b/tests/fips-test.c @@ -596,7 +596,7 @@ void doit(void) @@ -86,7 +84,7 @@ index 180da05..09120c1 100644 gnutls_free(signature.data); gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(privkey); -@@ -708,7 +708,7 @@ void doit(void) +@@ -707,7 +707,7 @@ void doit(void) } FIPS_POP_CONTEXT(NOT_APPROVED); @@ -95,7 +93,7 @@ index 180da05..09120c1 100644 FIPS_PUSH_CONTEXT(); ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, -@@ -716,7 +716,7 @@ void doit(void) +@@ -715,7 +715,7 @@ void doit(void) if (ret < 0) { fail("gnutls_pubkey_verify_data2 failed\n"); } @@ -105,5 +103,5 @@ index 180da05..09120c1 100644 /* Create a signature with ECDSA and SHA-1 (old API); not approved */ -- -2.41.0 +2.48.1 diff --git a/gnutls.spec b/gnutls.spec index 9d6f892..df8c0e1 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.8 +Version: 3.8.9 Release: %{?autorelease}%{!?autorelease:1%{?dist}} # not upstreamed: can we drop this as configure is regenerated when bootstrapping? Patch: gnutls-3.2.7-rpath.patch @@ -22,8 +22,6 @@ Patch: gnutls-3.7.2-enable-intel-cet.patch Patch: gnutls-3.7.2-no-explicit-init.patch # not upstreamed: to avoid any inconsistency between algorithms enabled through API vs the ones enabled through config file, for long-term support purposes Patch: gnutls-3.7.3-disable-config-reload.patch -# not upstreamed: should be removed once --disable-dsa is ported -Patch: gnutls-3.7.3-fips-dsa-post.patch # not upstreamed, reseed source DRBG for prediction resistance Patch: gnutls-3.7.6-drbg-reseed.patch # not upstreamed, hard blocking SHA-1 signature verification, for long-term support purposes @@ -448,7 +446,6 @@ export CCASFLAGS="" --disable-rpath \ --disable-nls \ --disable-cxx \ - --enable-local-libopts \ --enable-shared \ --without-tpm \ --with-included-unistring \ @@ -546,7 +543,7 @@ popd %{_libdir}/.libgnutls.so.30*.hmac %endif %doc README.md AUTHORS NEWS THANKS -%license LICENSE doc/COPYING doc/COPYING.LESSER +%license COPYING COPYING.LESSERv2 %files c++ %{_libdir}/libgnutlsxx.so.* @@ -590,7 +587,7 @@ popd %if %{with mingw} %files -n mingw32-%{name} -%license LICENSE doc/COPYING doc/COPYING.LESSER +%license COPYING COPYING.LESSERv2 %{mingw32_bindir}/certtool.exe %{mingw32_bindir}/gnutls-cli-debug.exe %{mingw32_bindir}/gnutls-cli.exe @@ -608,7 +605,7 @@ popd %{mingw32_includedir}/gnutls/ %files -n mingw64-%{name} -%license LICENSE doc/COPYING doc/COPYING.LESSER +%license COPYING COPYING.LESSERv2 %{mingw64_bindir}/certtool.exe %{mingw64_bindir}/gnutls-cli-debug.exe %{mingw64_bindir}/gnutls-cli.exe