Update to gnutls 3.7.6
Resolves: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>
		
							parent
							
								
									8e01ff674e
								
							
						
					
					
						commit
						a7f3c0212c
					
				
							
								
								
									
										2
									
								
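--- a/.gitignore
+++ b/.gitignore
@@ -137,3 +137,5 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.7.2.tar.xz.sig
 /gnutls-3.7.3.tar.xz
 /gnutls-3.7.3.tar.xz.sig
+/gnutls-3.7.6.tar.xz
+/gnutls-3.7.6.tar.xz.sig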
| @ -1,30 +1,29 @@ | ||||
| From fcef3404733e0839cc0f8d1fcdc5bc0f8edc7e76 Mon Sep 17 00:00:00 2001 | ||||
| From 0a29639ad24072afbd79b2ceede9976e51b9e2af Mon Sep 17 00:00:00 2001 | ||||
| From: rpm-build <rpm-build> | ||||
| Date: Thu, 31 Mar 2022 11:20:28 +0200 | ||||
| Date: Fri, 1 Jul 2022 16:46:07 +0900 | ||||
| Subject: [PATCH] fips: don't run POST for DSA | ||||
| 
 | ||||
| Signed-off-by: rpm-build <rpm-build> | ||||
| Signed-off-by: rpm-build <<rpm-build>> | ||||
| ---
 | ||||
|  lib/fips.c | 6 ------ | ||||
|  1 file changed, 6 deletions(-) | ||||
|  lib/fips.c | 5 ----- | ||||
|  1 file changed, 5 deletions(-) | ||||
| 
 | ||||
| diff --git a/lib/fips.c b/lib/fips.c
 | ||||
| index 457a8c0..074e8e1 100644
 | ||||
| index 656d43e..c776690 100644
 | ||||
| --- a/lib/fips.c
 | ||||
| +++ b/lib/fips.c
 | ||||
| @@ -419,12 +419,6 @@ int _gnutls_fips_perform_self_checks2(void)
 | ||||
|  		goto error; | ||||
| @@ -523,11 +523,6 @@ int _gnutls_fips_perform_self_checks2(void)
 | ||||
|  		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); | ||||
|  	} | ||||
|   | ||||
| -	ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA);
 | ||||
| -	if (ret < 0) {
 | ||||
| -		gnutls_assert();
 | ||||
| -		goto error;
 | ||||
| -		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 | ||||
| -	}
 | ||||
| -
 | ||||
|  	ret = gnutls_pk_self_test(0, GNUTLS_PK_EC); | ||||
|  	if (ret < 0) { | ||||
|  		gnutls_assert(); | ||||
|  		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 2.36.1 | ||||
| 
 | ||||
|  | ||||
							
								
								
									
										442
									
								
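--- /dev/null
+++ b/gnutls-3.7.6-fips-run-selftests.patch
@@ -0,0 +1,442 @@
+From 036fb360e5775f01ef25f5e712024a29930c462e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 3 Jun 2022 15:43:00 +0900
+Subject: [PATCH] fips: provide function to manually run FIPS self-tests
+
+FIPS140-3 IG 10.3.E Periodic Self-Testing says:
+
+  At security levels 1 and 2, acceptable means for initiating the
+  periodic self-tests include a provided service, resetting, rebooting
+  or power cycling.
+
+Neither resetting, rebooting, nor power-cycling is suitable because
+those involve operations outside of the module.  Therefore this patch
+adds a new API to manually run the substance of FIPS140 self-tests.
+
+Suggeested by Richard Costa and Stephan Mueller in:
+https://gitlab.com/gnutls/gnutls/-/issues/1364
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ NEWS                            |   5 ++
+ devel/libgnutls.abignore        |   2 +
+ devel/symbols.last              |   2 +
+ doc/Makefile.am                 |   2 +
+ doc/manpages/Makefile.am        |   1 +
+ lib/fips.c                      | 139 ++++++++++++++++----------------
+ lib/global.c                    |  14 +++-
+ lib/includes/gnutls/gnutls.h.in |   2 +
+ lib/libgnutls.map               |   8 ++
+ tests/fips-test.c               |   7 ++
+ 10 files changed, 110 insertions(+), 72 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 70dd8a12b5..389be8acaa 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,11 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+ 
++* Version 3.7.7 (unreleased)
++
++** API and ABI modifications:
++gnutls_fips140_run_self_tests: New function
++
+ * Version 3.7.6 (released 2022-05-27)
+ 
+ ** libgnutls: Fixed invalid write when gnutls_realloc_zero()
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index d20a021d97..34ef43866c 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -1096,6 +1096,8 @@ FUNCS += functions/gnutls_fips140_pop_context
+ FUNCS += functions/gnutls_fips140_pop_context.short
+ FUNCS += functions/gnutls_fips140_push_context
+ FUNCS += functions/gnutls_fips140_push_context.short
++FUNCS += functions/gnutls_fips140_run_self_tests
++FUNCS += functions/gnutls_fips140_run_self_tests.short
+ FUNCS += functions/gnutls_fips140_set_mode
+ FUNCS += functions/gnutls_fips140_set_mode.short
+ FUNCS += functions/gnutls_get_library_config
+diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
+index d8c5f2854d..90906b0574 100644
+--- a/doc/manpages/Makefile.am
++++ b/doc/manpages/Makefile.am
+@@ -380,6 +380,7 @@ APIMANS += gnutls_fips140_get_operation_state.3
+ APIMANS += gnutls_fips140_mode_enabled.3
+ APIMANS += gnutls_fips140_pop_context.3
+ APIMANS += gnutls_fips140_push_context.3
++APIMANS += gnutls_fips140_run_self_tests.3
+ APIMANS += gnutls_fips140_set_mode.3
+ APIMANS += gnutls_get_library_config.3
+ APIMANS += gnutls_get_system_config_file.3
+diff --git a/lib/fips.c b/lib/fips.c
+index e9c27f6df6..656d43e74a 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -419,8 +419,6 @@ int _gnutls_fips_perform_self_checks1(void)
+ {
+ 	int ret;
+ 
+-	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+-
+ 	/* Tests the FIPS algorithms used by nettle internally.
+ 	 * In our case we test AES-CBC since nettle's AES is used by
+ 	 * the DRBG-AES.
+@@ -429,193 +427,153 @@ int _gnutls_fips_perform_self_checks1(void)
+ 	/* ciphers - one test per cipher */
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_128_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	return 0;
+-
+-error:
+-	_gnutls_switch_lib_state(LIB_STATE_ERROR);
+-	_gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n");
+-
+-	return GNUTLS_E_SELF_TEST_ERROR;
+ }
+ 
+ int _gnutls_fips_perform_self_checks2(void)
+ {
+ 	int ret;
+ 
+-	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+-
+ 	/* Tests the FIPS algorithms */
+ 
+ 	/* ciphers - one test per cipher */
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_3DES_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_XTS);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CFB8);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* Digest tests */
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_224);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_384);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_512);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* MAC (includes message digest test) */
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA1);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA224);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA384);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA512);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* PK */
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_EC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_DH);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* HKDF */
+ 	ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* PBKDF2 */
+ 	ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* TLS-PRF */
+ 	ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	if (_gnutls_rnd_ops.self_test == NULL) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* this does not require rng initialization */
+ 	ret = _gnutls_rnd_ops.self_test();
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	if (_skip_integrity_checks == 0) {
+ 		ret = check_binary_integrity();
+ 		if (ret < 0) {
+-			gnutls_assert();
+-			goto error;
++			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 		}
+ 	}
+ 
+ 	return 0;
+-
+-error:
+-	_gnutls_switch_lib_state(LIB_STATE_ERROR);
+-	_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
+-
+-	return GNUTLS_E_SELF_TEST_ERROR;
+ }
+ #endif
+ 
+@@ -894,3 +852,48 @@ _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state)
+ 	(void)state;
+ #endif
+ }
++
++/**
++ * gnutls_fips140_run_self_tests:
++ *
++ * Manually perform the second round of the FIPS140 self-tests,
++ * including:
++ *
++ * - Known answer tests (KAT) for the selected set of symmetric
++ *   cipher, MAC, public key, KDF, and DRBG
++ * - Library integrity checks
++ *
++ * Upon failure with FIPS140 mode enabled, it makes the library
++ * unusable.  This function is not thread-safe.
++ *
++ * Returns: 0 upon success, a negative error code otherwise
++ *
++ * Since: 3.7.7
++ */
++int
++gnutls_fips140_run_self_tests(void)
++{
++#ifdef ENABLE_FIPS140
++	int ret;
++	unsigned prev_lib_state;
++
++	/* Temporarily switch to LIB_STATE_SELFTEST as some of the
++	 * algorithms are implemented using special constructs in
++	 * self-tests (such as deterministic variants) */
++	prev_lib_state = _gnutls_get_lib_state();
++	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
++
++	ret = _gnutls_fips_perform_self_checks2();
++	if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED &&
++	    ret < 0) {
++		_gnutls_switch_lib_state(LIB_STATE_ERROR);
++		_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
++	} else {
++		/* Restore the previous library state */
++		_gnutls_switch_lib_state(prev_lib_state);
++	}
++	return ret;
++#else
++	return 0;
++#endif
++}
+diff --git a/lib/global.c b/lib/global.c
+index faa7f0afb2..1b372c15bd 100644
+--- a/lib/global.c
++++ b/lib/global.c
+@@ -336,9 +336,12 @@ static int _gnutls_global_init(unsigned constructor)
+ 
+ 		/* first round of self checks, these are done on the
+ 		 * nettle algorithms which are used internally */
++		_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+ 		ret = _gnutls_fips_perform_self_checks1();
+-		if (res != 2) {
+-			if (ret < 0) {
++		if (ret < 0) {
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			_gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n");
++			if (res != 2) {
+ 				gnutls_assert();
+ 				goto out;
+ 			}
+@@ -355,9 +358,12 @@ static int _gnutls_global_init(unsigned constructor)
+ 	 * (e.g., AESNI overridden AES). They are after _gnutls_register_accel_crypto()
+ 	 * intentionally */
+ 	if (res != 0) {
++		_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+ 		ret = _gnutls_fips_perform_self_checks2();
+-		if (res != 2) {
+-			if (ret < 0) {
++		if (ret < 0) {
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
++			if (res != 2) {
+ 				gnutls_assert();
+ 				goto out;
+ 			}
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index f7fc5d114a..5840f331e9 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -3416,6 +3416,8 @@ gnutls_fips140_get_operation_state(gnutls_fips140_context_t context);
+ int gnutls_fips140_push_context(gnutls_fips140_context_t context);
+ int gnutls_fips140_pop_context(void);
+ 
++int gnutls_fips140_run_self_tests(void);
++
+   /* Gnutls error codes. The mapping to a TLS alert is also shown in
+    * comments.
+    */
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index 0241946c8a..f42d5f9fae 100644
+--- a/lib/libgnutls.map
++++ b/lib/libgnutls.map
+@@ -1399,6 +1399,14 @@ GNUTLS_3_7_5
+ 	*;
+ } GNUTLS_3_7_4;
+ 
++GNUTLS_3_7_7
++{
++ global:
++	gnutls_fips140_run_self_tests;
++ local:
++	*;
++} GNUTLS_3_7_5;
++
+ GNUTLS_FIPS140_3_4 {
+   global:
+ 	gnutls_cipher_self_test;
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index a6a283fa67..31a5e26111 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -525,6 +525,13 @@ void doit(void)
+ 	}
+ 
+ 	gnutls_fips140_context_deinit(fips_context);
++
++	/* run self-tests manually */
++	ret = gnutls_fips140_run_self_tests();
++	if (ret < 0) {
++		fail("gnutls_fips140_run_self_tests failed\n");
++	}
++
+ 	gnutls_global_deinit();
+ 	return;
+ }
+-- 
+2.36.1
+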
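Review bot: The doc comment on gnutls_fips140_run_self_tests says only "This function is not thread-safe", which understates what the body does: it switches the library-wide state to LIB_STATE_SELFTEST and later writes back the value it read on entry. A thread using GnuTLS during the call would therefore run against the self-test state, and any state change made in the meantime would be overwritten (inferred from the visible calls; the state accessors are defined outside this patch). I would spell that out in the comment, e.g. `* The library state is switched globally for the duration of the call; the caller must ensure that no other thread is using GnuTLS until it returns.` The check added to tests/fips-test.c covers only the success path; no failure-path test is visible here.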
							
								
								
									
										105
									
								
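--- /dev/null
+++ b/gnutls-3.7.6-libgnutlsxx-const.patch
@@ -0,0 +1,105 @@
+From 4a64e35cdc5ad438ab3bd256e7a4f5e8f7d6f21f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 4 Jul 2022 09:49:09 +0900
+Subject: [PATCH] libgnutlsxx: revert ABI incompatible change
+
+This reverts 67cab96c1d59fec2e2b85ee054ec0015195cc35c.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/gnutlsxx.cpp               |  4 ++--
+ lib/includes/gnutls/gnutlsxx.h | 14 +++++++-------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp
+index f87490d371..3613502aba 100644
+--- a/lib/gnutlsxx.cpp
++++ b/lib/gnutlsxx.cpp
+@@ -397,7 +397,7 @@ namespace gnutls
+     gnutls_db_remove_session (s);
+   }
+ 
+-  bool server_session::db_check_entry (const gnutls_datum_t & session_data) const
++  bool server_session::db_check_entry (gnutls_datum_t & session_data) const
+   {
+     int ret = gnutls_db_check_entry (s, session_data);
+ 
+@@ -416,7 +416,7 @@ namespace gnutls
+     gnutls_credentials_clear (s);
+   }
+ 
+-  void session::set_credentials (const credentials & cred)
++  void session::set_credentials (credentials & cred)
+   {
+     RETWRAP (gnutls_credentials_set (s, cred.get_type (), cred.ptr ()));
+   }
+diff --git a/lib/includes/gnutls/gnutlsxx.h b/lib/includes/gnutls/gnutlsxx.h
+index 23bbd4ea36..eeefb798a3 100644
+--- a/lib/includes/gnutls/gnutlsxx.h
++++ b/lib/includes/gnutls/gnutlsxx.h
+@@ -42,7 +42,7 @@ namespace gnutls {
+ 
+ 	class exception:public std::exception {
+ 	      public:
+-		explicit exception(int x);
++		exception(int x);
+ 		const char *what() const throw();
+ 		int get_code();
+ 	      protected:
+@@ -104,7 +104,7 @@ namespace gnutls {
+ 	      protected:
+ 		gnutls_session_t s;
+ 	      public:
+-		explicit session(unsigned int);
++		session(unsigned int);
+ 		 virtual ~ session();
+ 
+ 		gnutls_session_t ptr();
+@@ -173,7 +173,7 @@ namespace gnutls {
+ 		void set_max_handshake_packet_length(size_t max);
+ 
+ 		void clear_credentials();
+-		void set_credentials(const class credentials & cred);
++		void set_credentials(class credentials & cred);
+ 
+ 		void set_transport_ptr(gnutls_transport_ptr_t ptr);
+ 		void set_transport_ptr(gnutls_transport_ptr_t recv_ptr,
+@@ -239,7 +239,7 @@ namespace gnutls {
+ 	class server_session:public session {
+ 	      public:
+ 		server_session();
+-		explicit server_session(int flags);
++		server_session(int flags);
+ 		~server_session();
+ 		void db_remove() const;
+ 
+@@ -247,7 +247,7 @@ namespace gnutls {
+ 		void set_db(const DB & db);
+ 
+ 		// returns true if session is expired
+-		bool db_check_entry(const gnutls_datum_t & session_data) const;
++		bool db_check_entry(gnutls_datum_t & session_data) const;
+ 
+ 		// server side only
+ 		const char *get_srp_username() const;
+@@ -264,7 +264,7 @@ namespace gnutls {
+ 	class client_session:public session {
+ 	      public:
+ 		client_session();
+-		explicit client_session(int flags);
++		client_session(int flags);
+ 		~client_session();
+ 
+ 		void set_verify_cert(const char *hostname, unsigned flags);
+@@ -281,7 +281,7 @@ namespace gnutls {
+ 		} gnutls_credentials_type_t get_type() const;
+ 	      protected:
+ 		friend class session;
+-		explicit credentials(gnutls_credentials_type_t t);
++		credentials(gnutls_credentials_type_t t);
+ 		void *ptr() const;
+ 		void set_ptr(void *ptr);
+ 		gnutls_credentials_type_t type;
+-- 
+2.36.1
+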
							
								
								
									
										
											BIN
										
									
								
								gnutls-release-keyring.gpg
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								gnutls-release-keyring.gpg
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
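Review bot: The new verification keyring is added as a binary, so the keys that `%{gpgverify} --keyring='%{SOURCE2}'` will trust cannot be checked from this page. Unlike the replaced `gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg`, its file name no longer records a fingerprint. The same commit also drops the old key's SHA512 line from `sources`, so the trust anchor changes together with the tarball it vouches for. I would record the provenance next to Source2 in gnutls.spec, for example `# keyring exported from <UPSTREAM_KEYRING_URL>; expected fingerprints: <FINGERPRINT_1>, <FINGERPRINT_2>`, so a later keyring update can be compared against it.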
										
									
								
							
							
								
								
									
										93
									
								
								gnutls.spec
									
									
									
									
									
								
							
							
						
						
									
										93
									
								
								gnutls.spec
									
									
									
									
									
								
							| @ -12,24 +12,23 @@ sha256sum:close() | ||||
| print(string.sub(hash, 0, 16)) | ||||
| } | ||||
| 
 | ||||
| Version: 3.7.3 | ||||
| Release: 10%{?dist} | ||||
| Patch1:	gnutls-3.6.7-no-now-guile.patch | ||||
| Patch2:	gnutls-3.2.7-rpath.patch | ||||
| Patch3:	gnutls-3.7.2-enable-intel-cet.patch | ||||
| Patch4: gnutls-3.7.2-no-explicit-init.patch | ||||
| Patch5: gnutls-3.7.3-fips-rsa-keygen.patch | ||||
| Patch6: gnutls-3.7.3-ktls-stub.patch | ||||
| Patch7: gnutls-3.7.3-fips-pkcs12.patch | ||||
| Patch8: gnutls-3.7.3-fix-tests-in-fips.patch | ||||
| Patch9: gnutls-3.7.3-gost-ifdef.patch | ||||
| Patch10: gnutls-3.7.3-max-algos.patch | ||||
| Patch11: gnutls-3.7.3-allowlist-api.patch | ||||
| Patch12: gnutls-3.7.3-libtss2-dlopen.patch | ||||
| Version: 3.7.6 | ||||
| Release: 1%{?dist} | ||||
| # not upstreamed | ||||
| Patch: gnutls-3.6.7-no-now-guile.patch | ||||
| Patch: gnutls-3.2.7-rpath.patch | ||||
| Patch: gnutls-3.7.2-enable-intel-cet.patch | ||||
| Patch: gnutls-3.7.2-no-explicit-init.patch | ||||
| 
 | ||||
| # upstreamed | ||||
| Patch: gnutls-3.7.6-fips-run-selftests.patch | ||||
| 
 | ||||
| # not upstreamed | ||||
| Patch100: gnutls-3.7.3-disable-config-reload.patch | ||||
| Patch101: gnutls-3.7.3-fips-dsa-post.patch | ||||
| Patch: gnutls-3.7.3-disable-config-reload.patch | ||||
| Patch: gnutls-3.7.3-fips-dsa-post.patch | ||||
| 
 | ||||
| # to prevent ABI break; will be reverted in %%install | ||||
| Patch: gnutls-3.7.6-libgnutlsxx-const.patch | ||||
| 
 | ||||
| %bcond_without bootstrap | ||||
| %bcond_without dane | ||||
| @ -43,6 +42,7 @@ Patch101: gnutls-3.7.3-fips-dsa-post.patch | ||||
| %bcond_with tpm12 | ||||
| %bcond_without tpm2 | ||||
| %bcond_with gost | ||||
| %bcond_without tests | ||||
| 
 | ||||
| Summary: A TLS protocol implementation | ||||
| Name: gnutls | ||||
| @ -65,9 +65,7 @@ BuildRequires: libidn2-devel | ||||
| BuildRequires: libunistring-devel | ||||
| BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ | ||||
| BuildRequires: gnupg2 | ||||
| %if %{with fips} | ||||
| BuildRequires: fipscheck | ||||
| %endif | ||||
| BuildRequires: git-core | ||||
| 
 | ||||
| # for a sanity check on cert loading | ||||
| BuildRequires: p11-kit-trust, ca-certificates | ||||
| @ -89,7 +87,7 @@ BuildRequires: make | ||||
| URL: http://www.gnutls.org/ | ||||
| Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz | ||||
| Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig | ||||
| Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg | ||||
| Source2: gnutls-release-keyring.gpg | ||||
| 
 | ||||
| # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 | ||||
| Provides: bundled(gnulib) = 20130424 | ||||
| @ -184,9 +182,8 @@ This package contains Guile bindings for the library. | ||||
| %prep | ||||
| %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' | ||||
| 
 | ||||
| %autosetup -p1 | ||||
| %autosetup -p1 -S git | ||||
| %if %{with bootstrap} | ||||
| rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h | ||||
| autoreconf -fi | ||||
| %endif | ||||
| 
 | ||||
| @ -260,22 +257,23 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" | ||||
|            --disable-rpath \ | ||||
|            --with-default-priority-string="@SYSTEM" | ||||
| 
 | ||||
| make %{?_smp_mflags} V=1 | ||||
| 
 | ||||
| %if %{with fips} | ||||
| %define __spec_install_post \ | ||||
| 	%{?__debug_package:%{__debug_install_post}} \ | ||||
| 	%{__arch_install_post} \ | ||||
| 	%{__os_install_post} \ | ||||
| 	rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \ | ||||
| 	fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \ | ||||
| 	file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ | ||||
| %{nil} | ||||
| %endif | ||||
| # build libgnutlsxx.so with older SONAME | ||||
| make %{?_smp_mflags} V=1 CXX_LT_CURRENT=29 CXX_LT_REVISION=0 CXX_LT_AGE=1 | ||||
| 
 | ||||
| %install | ||||
| make install DESTDIR=$RPM_BUILD_ROOT | ||||
| 
 | ||||
| # build libgnutlsxx.so with newer SONAME | ||||
| git show | patch -p1 -R | ||||
| pushd lib | ||||
| rm -f libgnutlsxx.la | ||||
| make %{?_smp_mflags} V=1 CXX_LT_CURRENT=30 CXX_LT_REVISION=0 CXX_LT_AGE=0 | ||||
| make install DESTDIR=$RPM_BUILD_ROOT | ||||
| popd | ||||
| touch doc/examples/ex-cxx | ||||
| 
 | ||||
| make -C doc install-html DESTDIR=$RPM_BUILD_ROOT | ||||
| 
 | ||||
| rm -f $RPM_BUILD_ROOT%{_infodir}/dir | ||||
| rm -f $RPM_BUILD_ROOT%{_libdir}/*.la | ||||
| rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a | ||||
| @ -284,15 +282,33 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la | ||||
| rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc | ||||
| %endif | ||||
| 
 | ||||
| %if %{with fips} | ||||
| # doing it twice should be a no-op the second time, | ||||
| # and this way we avoid redefining it and missing a future change | ||||
| %{__spec_install_post} | ||||
| ./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac | ||||
| sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac | ||||
| %endif | ||||
| 
 | ||||
| %if %{with fips} | ||||
| %define __spec_install_post \ | ||||
| 	%{?__debug_package:%{__debug_install_post}} \ | ||||
| 	%{__arch_install_post} \ | ||||
| 	%{__os_install_post} \ | ||||
| %{nil} | ||||
| %endif | ||||
| 
 | ||||
| %find_lang gnutls | ||||
| 
 | ||||
| %check | ||||
| %if %{with tests} | ||||
| make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null | ||||
| %endif | ||||
| 
 | ||||
| %files -f gnutls.lang | ||||
| %{_libdir}/libgnutls.so.30* | ||||
| %if %{with fips} | ||||
| %{_libdir}/.libgnutls.so.30*.hmac | ||||
| %{_libdir}/.gnutls.hmac | ||||
| %endif | ||||
| %doc README.md AUTHORS NEWS THANKS | ||||
| %license LICENSE doc/COPYING doc/COPYING.LESSER | ||||
| @ -303,10 +319,6 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null | ||||
| %files devel | ||||
| %{_includedir}/* | ||||
| %{_libdir}/libgnutls*.so | ||||
| %if %{with fips} | ||||
| %{_libdir}/.libgnutls.so.*.hmac | ||||
| %endif | ||||
| 
 | ||||
| %{_libdir}/pkgconfig/*.pc | ||||
| %{_mandir}/man3/* | ||||
| %{_infodir}/gnutls* | ||||
| @ -344,6 +356,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Fri Jul  1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1 | ||||
| - Update to gnutls 3.7.6 (#2097327) | ||||
| 
 | ||||
| * Thu Mar 31 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-10 | ||||
| - Use only the first component of VERSION from /etc/os-release (#2070249) | ||||
| - Don't run power-on self-tests on DSA (#2061325) | ||||
|  | ||||
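Review bot: The `git show | patch -p1 -R` step in %install reverts whichever commit `%autosetup -p1 -S git` applied last, which is gnutls-3.7.6-libgnutlsxx-const.patch only while that patch stays last in the Patch: list. If another patch is appended after it later, that patch would be reverted instead. The following `make` and `make install` in lib would then build from a tree without it (inferred; how much of lib gets rebuilt is not visible here). Reverting by name removes the ordering dependency, e.g. `patch -p1 -R < %{_sourcedir}/gnutls-3.7.6-libgnutlsxx-const.patch`, with a comment above it such as `# undo the ABI-compat patch before building libgnutlsxx with the newer SONAME`.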
							
								
								
									
										5
									
								
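--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
-SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077
-SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50
-SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
+SHA512 (gnutls-3.7.6.tar.xz) = f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
+SHA512 (gnutls-3.7.6.tar.xz.sig) = c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e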