diff --git a/.gitignore b/.gitignore index 7f5c956..3fdb9a7 100644 --- a/.gitignore +++ b/.gitignore @@ -137,3 +137,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.2.tar.xz.sig /gnutls-3.7.3.tar.xz /gnutls-3.7.3.tar.xz.sig +/gnutls-3.7.6.tar.xz +/gnutls-3.7.6.tar.xz.sig diff --git a/gnutls-3.7.3-fips-dsa-post.patch b/gnutls-3.7.3-fips-dsa-post.patch index c889590..7d1aea2 100644 --- a/gnutls-3.7.3-fips-dsa-post.patch +++ b/gnutls-3.7.3-fips-dsa-post.patch @@ -1,30 +1,29 @@ -From fcef3404733e0839cc0f8d1fcdc5bc0f8edc7e76 Mon Sep 17 00:00:00 2001 +From 0a29639ad24072afbd79b2ceede9976e51b9e2af Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Thu, 31 Mar 2022 11:20:28 +0200 +Date: Fri, 1 Jul 2022 16:46:07 +0900 Subject: [PATCH] fips: don't run POST for DSA -Signed-off-by: rpm-build +Signed-off-by: rpm-build <> --- - lib/fips.c | 6 ------ - 1 file changed, 6 deletions(-) + lib/fips.c | 5 ----- + 1 file changed, 5 deletions(-) diff --git a/lib/fips.c b/lib/fips.c -index 457a8c0..074e8e1 100644 +index 656d43e..c776690 100644 --- a/lib/fips.c +++ b/lib/fips.c -@@ -419,12 +419,6 @@ int _gnutls_fips_perform_self_checks2(void) - goto error; +@@ -523,11 +523,6 @@ int _gnutls_fips_perform_self_checks2(void) + return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); } - ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA); - if (ret < 0) { -- gnutls_assert(); -- goto error; +- return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - ret = gnutls_pk_self_test(0, GNUTLS_PK_EC); if (ret < 0) { - gnutls_assert(); + return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); -- -2.34.1 +2.36.1 diff --git a/gnutls-3.7.6-fips-run-selftests.patch b/gnutls-3.7.6-fips-run-selftests.patch new file mode 100644 index 0000000..40cf389 --- /dev/null +++ b/gnutls-3.7.6-fips-run-selftests.patch 
@@ -0,0 +1,442 @@ +From 036fb360e5775f01ef25f5e712024a29930c462e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 3 Jun 2022 15:43:00 +0900 +Subject: [PATCH] fips: provide function to manually run FIPS self-tests + +FIPS140-3 IG 10.3.E Periodic Self-Testing says: + + At security levels 1 and 2, acceptable means for initiating the + periodic self-tests include a provided service, resetting, rebooting + or power cycling. + +Neither resetting, rebooting, nor power-cycling is suitable because +those involve operations outside of the module. Therefore this patch +adds a new API to manually run the substance of FIPS140 self-tests. + +Suggeested by Richard Costa and Stephan Mueller in: +https://gitlab.com/gnutls/gnutls/-/issues/1364 + +Signed-off-by: Daiki Ueno +--- + NEWS | 5 ++ + devel/libgnutls.abignore | 2 + + devel/symbols.last | 2 + + doc/Makefile.am | 2 + + doc/manpages/Makefile.am | 1 + + lib/fips.c | 139 ++++++++++++++++---------------- + lib/global.c | 14 +++- + lib/includes/gnutls/gnutls.h.in | 2 + + lib/libgnutls.map | 8 ++ + tests/fips-test.c | 7 ++ + 10 files changed, 110 insertions(+), 72 deletions(-) + +diff --git a/NEWS b/NEWS +index 70dd8a12b5..389be8acaa 100644 +--- a/NEWS ++++ b/NEWS +@@ -5,6 +5,11 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. + Copyright (C) 2013-2019 Nikos Mavrogiannopoulos + See the end for copying conditions. 
+ ++* Version 3.7.7 (unreleased) ++ ++** API and ABI modifications: ++gnutls_fips140_run_self_tests: New function ++ + * Version 3.7.6 (released 2022-05-27) + + ** libgnutls: Fixed invalid write when gnutls_realloc_zero() +diff --git a/doc/Makefile.am b/doc/Makefile.am +index d20a021d97..34ef43866c 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -1096,6 +1096,8 @@ FUNCS += functions/gnutls_fips140_pop_context + FUNCS += functions/gnutls_fips140_pop_context.short + FUNCS += functions/gnutls_fips140_push_context + FUNCS += functions/gnutls_fips140_push_context.short ++FUNCS += functions/gnutls_fips140_run_self_tests ++FUNCS += functions/gnutls_fips140_run_self_tests.short + FUNCS += functions/gnutls_fips140_set_mode + FUNCS += functions/gnutls_fips140_set_mode.short + FUNCS += functions/gnutls_get_library_config +diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am +index d8c5f2854d..90906b0574 100644 +--- a/doc/manpages/Makefile.am ++++ b/doc/manpages/Makefile.am +@@ -380,6 +380,7 @@ APIMANS += gnutls_fips140_get_operation_state.3 + APIMANS += gnutls_fips140_mode_enabled.3 + APIMANS += gnutls_fips140_pop_context.3 + APIMANS += gnutls_fips140_push_context.3 ++APIMANS += gnutls_fips140_run_self_tests.3 + APIMANS += gnutls_fips140_set_mode.3 + APIMANS += gnutls_get_library_config.3 + APIMANS += gnutls_get_system_config_file.3 +diff --git a/lib/fips.c b/lib/fips.c +index e9c27f6df6..656d43e74a 100644 +--- a/lib/fips.c ++++ b/lib/fips.c +@@ -419,8 +419,6 @@ int _gnutls_fips_perform_self_checks1(void) + { + int ret; + +- _gnutls_switch_lib_state(LIB_STATE_SELFTEST); +- + /* Tests the FIPS algorithms used by nettle internally. + * In our case we test AES-CBC since nettle's AES is used by + * the DRBG-AES. 
+@@ -429,193 +427,153 @@ int _gnutls_fips_perform_self_checks1(void) + /* ciphers - one test per cipher */ + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_128_CBC); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + return 0; +- +-error: +- _gnutls_switch_lib_state(LIB_STATE_ERROR); +- _gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n"); +- +- return GNUTLS_E_SELF_TEST_ERROR; + } + + int _gnutls_fips_perform_self_checks2(void) + { + int ret; + +- _gnutls_switch_lib_state(LIB_STATE_SELFTEST); +- + /* Tests the FIPS algorithms */ + + /* ciphers - one test per cipher */ + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_3DES_CBC); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_XTS); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CFB8); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + /* Digest tests */ + ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_224); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_256); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_384); + if (ret < 0) { +- gnutls_assert(); +- goto 
error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_512); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + /* MAC (includes message digest test) */ + ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA1); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA224); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA256); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA384); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA512); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + /* PK */ + ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_pk_self_test(0, GNUTLS_PK_EC); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = gnutls_pk_self_test(0, GNUTLS_PK_DH); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + /* HKDF */ + ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256); + if (ret 
< 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + /* PBKDF2 */ + ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + /* TLS-PRF */ + ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + if (_gnutls_rnd_ops.self_test == NULL) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + /* this does not require rng initialization */ + ret = _gnutls_rnd_ops.self_test(); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + if (_skip_integrity_checks == 0) { + ret = check_binary_integrity(); + if (ret < 0) { +- gnutls_assert(); +- goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + } + + return 0; +- +-error: +- _gnutls_switch_lib_state(LIB_STATE_ERROR); +- _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); +- +- return GNUTLS_E_SELF_TEST_ERROR; + } + #endif + +@@ -894,3 +852,48 @@ _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state) + (void)state; + #endif + } ++ ++/** ++ * gnutls_fips140_run_self_tests: ++ * ++ * Manually perform the second round of the FIPS140 self-tests, ++ * including: ++ * ++ * - Known answer tests (KAT) for the selected set of symmetric ++ * cipher, MAC, public key, KDF, and DRBG ++ * - Library integrity checks ++ * ++ * Upon failure with FIPS140 mode enabled, it makes the library ++ * unusable. This function is not thread-safe. 
++ * ++ * Returns: 0 upon success, a negative error code otherwise ++ * ++ * Since: 3.7.7 ++ */ ++int ++gnutls_fips140_run_self_tests(void) ++{ ++#ifdef ENABLE_FIPS140 ++ int ret; ++ unsigned prev_lib_state; ++ ++ /* Temporarily switch to LIB_STATE_SELFTEST as some of the ++ * algorithms are implemented using special constructs in ++ * self-tests (such as deterministic variants) */ ++ prev_lib_state = _gnutls_get_lib_state(); ++ _gnutls_switch_lib_state(LIB_STATE_SELFTEST); ++ ++ ret = _gnutls_fips_perform_self_checks2(); ++ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED && ++ ret < 0) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); ++ } else { ++ /* Restore the previous library state */ ++ _gnutls_switch_lib_state(prev_lib_state); ++ } ++ return ret; ++#else ++ return 0; ++#endif ++} +diff --git a/lib/global.c b/lib/global.c +index faa7f0afb2..1b372c15bd 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -336,9 +336,12 @@ static int _gnutls_global_init(unsigned constructor) + + /* first round of self checks, these are done on the + * nettle algorithms which are used internally */ ++ _gnutls_switch_lib_state(LIB_STATE_SELFTEST); + ret = _gnutls_fips_perform_self_checks1(); +- if (res != 2) { +- if (ret < 0) { ++ if (ret < 0) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ _gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n"); ++ if (res != 2) { + gnutls_assert(); + goto out; + } +@@ -355,9 +358,12 @@ static int _gnutls_global_init(unsigned constructor) + * (e.g., AESNI overridden AES). 
They are after _gnutls_register_accel_crypto() + * intentionally */ + if (res != 0) { ++ _gnutls_switch_lib_state(LIB_STATE_SELFTEST); + ret = _gnutls_fips_perform_self_checks2(); +- if (res != 2) { +- if (ret < 0) { ++ if (ret < 0) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); ++ if (res != 2) { + gnutls_assert(); + goto out; + } +diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in +index f7fc5d114a..5840f331e9 100644 +--- a/lib/includes/gnutls/gnutls.h.in ++++ b/lib/includes/gnutls/gnutls.h.in +@@ -3416,6 +3416,8 @@ gnutls_fips140_get_operation_state(gnutls_fips140_context_t context); + int gnutls_fips140_push_context(gnutls_fips140_context_t context); + int gnutls_fips140_pop_context(void); + ++int gnutls_fips140_run_self_tests(void); ++ + /* Gnutls error codes. The mapping to a TLS alert is also shown in + * comments. + */ +diff --git a/lib/libgnutls.map b/lib/libgnutls.map +index 0241946c8a..f42d5f9fae 100644 +--- a/lib/libgnutls.map ++++ b/lib/libgnutls.map +@@ -1399,6 +1399,14 @@ GNUTLS_3_7_5 + *; + } GNUTLS_3_7_4; + ++GNUTLS_3_7_7 ++{ ++ global: ++ gnutls_fips140_run_self_tests; ++ local: ++ *; ++} GNUTLS_3_7_5; ++ + GNUTLS_FIPS140_3_4 { + global: + gnutls_cipher_self_test; +diff --git a/tests/fips-test.c b/tests/fips-test.c +index a6a283fa67..31a5e26111 100644 +--- a/tests/fips-test.c ++++ b/tests/fips-test.c +@@ -525,6 +525,13 @@ void doit(void) + } + + gnutls_fips140_context_deinit(fips_context); ++ ++ /* run self-tests manually */ ++ ret = gnutls_fips140_run_self_tests(); ++ if (ret < 0) { ++ fail("gnutls_fips140_run_self_tests failed\n"); ++ } ++ + gnutls_global_deinit(); + return; + } +-- +2.36.1 + diff --git a/gnutls-3.7.6-libgnutlsxx-const.patch b/gnutls-3.7.6-libgnutlsxx-const.patch new file mode 100644 index 0000000..12a4638 --- /dev/null +++ b/gnutls-3.7.6-libgnutlsxx-const.patch 
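Review bot: `gnutls_fips140_run_self_tests` switches the process-global library state to `LIB_STATE_SELFTEST` for the whole of `_gnutls_fips_perform_self_checks2()`, and the code comment right above says some algorithms use special constructs (such as deterministic variants) in that state, so the docstring's "This function is not thread-safe" understates the effect on other threads that keep using the library meanwhile. Suggest extending the docstring with `Callers must ensure no other thread is using the library while this runs: the temporary switch to the self-test state is global, and some algorithms behave differently (e.g. deterministically) in that state.` The `#else` branch returns 0 without running anything, so a caller cannot distinguish a passed self-test from a build without FIPS140 support; worth stating under Returns, e.g. `In builds without FIPS140 support nothing is run and 0 is returned.` Only the second round is repeated here; the part-1 check in `_gnutls_fips_perform_self_checks1` (AES-128-CBC) is not, which the "second round" wording discloses but a reader of the public header alone may miss.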
@@ -0,0 +1,105 @@ +From 4a64e35cdc5ad438ab3bd256e7a4f5e8f7d6f21f Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 4 Jul 2022 09:49:09 +0900 +Subject: [PATCH] libgnutlsxx: revert ABI incompatible change + +This reverts 67cab96c1d59fec2e2b85ee054ec0015195cc35c. + +Signed-off-by: Daiki Ueno +--- + lib/gnutlsxx.cpp | 4 ++-- + lib/includes/gnutls/gnutlsxx.h | 14 +++++++------- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp +index f87490d371..3613502aba 100644 +--- a/lib/gnutlsxx.cpp ++++ b/lib/gnutlsxx.cpp +@@ -397,7 +397,7 @@ namespace gnutls + gnutls_db_remove_session (s); + } + +- bool server_session::db_check_entry (const gnutls_datum_t & session_data) const ++ bool server_session::db_check_entry (gnutls_datum_t & session_data) const + { + int ret = gnutls_db_check_entry (s, session_data); + +@@ -416,7 +416,7 @@ namespace gnutls + gnutls_credentials_clear (s); + } + +- void session::set_credentials (const credentials & cred) ++ void session::set_credentials (credentials & cred) + { + RETWRAP (gnutls_credentials_set (s, cred.get_type (), cred.ptr ())); + } +diff --git a/lib/includes/gnutls/gnutlsxx.h b/lib/includes/gnutls/gnutlsxx.h +index 23bbd4ea36..eeefb798a3 100644 +--- a/lib/includes/gnutls/gnutlsxx.h ++++ b/lib/includes/gnutls/gnutlsxx.h +@@ -42,7 +42,7 @@ namespace gnutls { + + class exception:public std::exception { + public: +- explicit exception(int x); ++ exception(int x); + const char *what() const throw(); + int get_code(); + protected: +@@ -104,7 +104,7 @@ namespace gnutls { + protected: + gnutls_session_t s; + public: +- explicit session(unsigned int); ++ session(unsigned int); + virtual ~ session(); + + gnutls_session_t ptr(); +@@ -173,7 +173,7 @@ namespace gnutls { + void set_max_handshake_packet_length(size_t max); + + void clear_credentials(); +- void set_credentials(const class credentials & cred); ++ void set_credentials(class credentials & cred); + + void 
set_transport_ptr(gnutls_transport_ptr_t ptr); + void set_transport_ptr(gnutls_transport_ptr_t recv_ptr, +@@ -239,7 +239,7 @@ namespace gnutls { + class server_session:public session { + public: + server_session(); +- explicit server_session(int flags); ++ server_session(int flags); + ~server_session(); + void db_remove() const; + +@@ -247,7 +247,7 @@ namespace gnutls { + void set_db(const DB & db); + + // returns true if session is expired +- bool db_check_entry(const gnutls_datum_t & session_data) const; ++ bool db_check_entry(gnutls_datum_t & session_data) const; + + // server side only + const char *get_srp_username() const; +@@ -264,7 +264,7 @@ namespace gnutls { + class client_session:public session { + public: + client_session(); +- explicit client_session(int flags); ++ client_session(int flags); + ~client_session(); + + void set_verify_cert(const char *hostname, unsigned flags); +@@ -281,7 +281,7 @@ namespace gnutls { + } gnutls_credentials_type_t get_type() const; + protected: + friend class session; +- explicit credentials(gnutls_credentials_type_t t); ++ credentials(gnutls_credentials_type_t t); + void *ptr() const; + void set_ptr(void *ptr); + gnutls_credentials_type_t type; +-- +2.36.1 + diff --git a/gnutls-release-keyring.gpg b/gnutls-release-keyring.gpg new file mode 100644 index 0000000..e33ee43 Binary files /dev/null and b/gnutls-release-keyring.gpg differ diff --git a/gnutls.spec b/gnutls.spec index fb2e685..0808d03 100644 --- a/gnutls.spec +++ b/gnutls.spec 
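Review bot: The revert also drops `explicit` from the `exception`, `session`, `server_session`, `client_session` and `credentials` constructors, but `explicit` takes no part in symbol mangling; only the `const` qualifiers on `db_check_entry` and `set_credentials` change the exported signatures. Keeping `explicit` while reverting the two `const` changes would restore the old ABI without reintroducing implicit `int`-to-`session` conversions. If a byte-for-byte revert of the upstream commit is preferred for maintainability, a one-line sentence in the patch description saying so would make that trade-off visible to the next person rebasing it.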
@@ -12,24 +12,23 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.7.3 -Release: 10%{?dist} -Patch1: gnutls-3.6.7-no-now-guile.patch -Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.7.2-enable-intel-cet.patch -Patch4: gnutls-3.7.2-no-explicit-init.patch -Patch5: gnutls-3.7.3-fips-rsa-keygen.patch -Patch6: gnutls-3.7.3-ktls-stub.patch -Patch7: gnutls-3.7.3-fips-pkcs12.patch -Patch8: gnutls-3.7.3-fix-tests-in-fips.patch -Patch9: gnutls-3.7.3-gost-ifdef.patch -Patch10: gnutls-3.7.3-max-algos.patch -Patch11: gnutls-3.7.3-allowlist-api.patch -Patch12: gnutls-3.7.3-libtss2-dlopen.patch +Version: 3.7.6 +Release: 1%{?dist} +# not upstreamed +Patch: gnutls-3.6.7-no-now-guile.patch +Patch: gnutls-3.2.7-rpath.patch +Patch: gnutls-3.7.2-enable-intel-cet.patch +Patch: gnutls-3.7.2-no-explicit-init.patch + +# upstreamed +Patch: gnutls-3.7.6-fips-run-selftests.patch # not upstreamed -Patch100: gnutls-3.7.3-disable-config-reload.patch -Patch101: gnutls-3.7.3-fips-dsa-post.patch +Patch: gnutls-3.7.3-disable-config-reload.patch +Patch: gnutls-3.7.3-fips-dsa-post.patch + +# to prevent ABI break; will be reverted in %%install +Patch: gnutls-3.7.6-libgnutlsxx-const.patch %bcond_without bootstrap %bcond_without dane @@ -43,6 +42,7 @@ Patch101: gnutls-3.7.3-fips-dsa-post.patch %bcond_with tpm12 %bcond_without tpm2 %bcond_with gost +%bcond_without tests Summary: A TLS protocol implementation Name: gnutls @@ -65,9 +65,7 @@ BuildRequires: libidn2-devel BuildRequires: libunistring-devel BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 -%if %{with fips} -BuildRequires: fipscheck -%endif +BuildRequires: git-core # for a sanity check on cert loading BuildRequires: p11-kit-trust, ca-certificates 
@@ -89,7 +87,7 @@ BuildRequires: make URL: http://www.gnutls.org/ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig -Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +Source2: gnutls-release-keyring.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -184,9 +182,8 @@ This package contains Guile bindings for the library. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -p1 +%autosetup -p1 -S git %if %{with bootstrap} -rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h autoreconf -fi %endif 
@@ -260,22 +257,23 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" --disable-rpath \ --with-default-priority-string="@SYSTEM" -make %{?_smp_mflags} V=1 - -%if %{with fips} -%define __spec_install_post \ - %{?__debug_package:%{__debug_install_post}} \ - %{__arch_install_post} \ - %{__os_install_post} \ - rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \ - fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \ - file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ -%{nil} -%endif +# build libgnutlsxx.so with older SONAME +make %{?_smp_mflags} V=1 CXX_LT_CURRENT=29 CXX_LT_REVISION=0 CXX_LT_AGE=1 %install make install DESTDIR=$RPM_BUILD_ROOT + +# build libgnutlsxx.so with newer SONAME +git show | patch -p1 -R +pushd lib +rm -f libgnutlsxx.la +make %{?_smp_mflags} V=1 CXX_LT_CURRENT=30 CXX_LT_REVISION=0 CXX_LT_AGE=0 +make install DESTDIR=$RPM_BUILD_ROOT +popd +touch doc/examples/ex-cxx + make -C doc install-html DESTDIR=$RPM_BUILD_ROOT + rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a 
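Review bot: `git show | patch -p1 -R` in `%install` reverts whichever commit `%autosetup -S git` made last, not specifically `gnutls-3.7.6-libgnutlsxx-const.patch`; reordering or appending a `Patch:` line later would silently revert the wrong change and the two `libgnutlsxx.so` builds would no longer differ in the intended way. Reverting the patch by name, `patch -p1 -R < %{_sourcedir}/gnutls-3.7.6-libgnutlsxx-const.patch`, does not depend on commit order. The trailing `touch doc/examples/ex-cxx` has no explanation; if it is there to keep `make check` from rebuilding the example against the reverted header, a why-comment such as `# keep make check from rebuilding ex-cxx against the reverted header` would save the next reader the guess.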
@@ -284,15 +282,33 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc %endif +%if %{with fips} +# doing it twice should be a no-op the second time, +# and this way we avoid redefining it and missing a future change +%{__spec_install_post} +./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac +sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac +%endif + +%if %{with fips} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ +%{nil} +%endif + %find_lang gnutls %check +%if %{with tests} make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null +%endif %files -f gnutls.lang %{_libdir}/libgnutls.so.30* %if %{with fips} -%{_libdir}/.libgnutls.so.30*.hmac +%{_libdir}/.gnutls.hmac %endif %doc README.md AUTHORS NEWS THANKS %license LICENSE doc/COPYING doc/COPYING.LESSER @@ -303,10 +319,6 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %files devel %{_includedir}/* %{_libdir}/libgnutls*.so -%if %{with fips} -%{_libdir}/.libgnutls.so.*.hmac -%endif - %{_libdir}/pkgconfig/*.pc %{_mandir}/man3/* %{_infodir}/gnutls* @@ -344,6 +356,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Fri Jul 1 2022 Daiki Ueno - 3.7.6-1 +- Update to gnutls 3.7.6 (#2097327) + * Thu Mar 31 2022 Daiki Ueno - 3.7.3-10 - Use only the first component of VERSION from /etc/os-release (#2070249) - Don't run power-on self-tests on DSA (#2061325) diff --git a/sources b/sources index 28ec0a1..f773bb2 100644 --- a/sources +++ b/sources 
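Review bot: The `.gnutls.hmac` written in the `%if %{with fips}` block is only valid if the automatic `__spec_install_post` pass that rpmbuild appends to `%install` really leaves `libgnutls.so.30` untouched, as the comment asserts; nothing verifies that, and a library modified by that second pass would ship with an HMAC that the runtime integrity check rejects. Since `%check` runs after that pass, a one-line verification inside the fips conditional there would catch it: `./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" | sed "s^$RPM_BUILD_ROOT/usr^^" | cmp - "$RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac"`. The following `%define __spec_install_post` appears to restate rpm's stock definition, which sits oddly next to the comment about avoiding a redefinition; if it is a leftover from the old fipshmac hook it can go, otherwise a comment should say what it is overriding.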
@@ -1,3 +1,2 @@
-SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077
-SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50
-SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
+SHA512 (gnutls-3.7.6.tar.xz) = f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
+SHA512 (gnutls-3.7.6.tar.xz.sig) = c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e