gnutls

Author	SHA1	Message	Date
Daiki Ueno	33dfec6681	Fix the previous change Resolves: #2175214 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2023-03-14 21:50:42 +09:00
Daiki Ueno	af25913da9	Bump release to ensure el9 package is greater than el9_* packages Resolves: #2175214 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2023-03-10 16:31:47 +09:00
Daiki Ueno	b7884a9359	Update gnutls-3.7.8-fips-pct-dh.patch to the upstream version Resolves: #2168143 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2023-02-28 11:15:06 +09:00
Daiki Ueno	f764d48554	Fix timing side-channel in TLS RSA key exchange Resolves: #2162601 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2023-02-10 15:10:06 +09:00
Daiki Ueno	bb8f9067ee	fips: extend PCT to DH key generation Resolves: #2168143 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2023-02-10 13:31:17 +09:00
Zoltan Fridrich	0efdf6a30a	fips: rename hmac file to its previous name Resolves: rhbz#2148269 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-12-15 11:32:25 +01:00
Zoltan Fridrich	9727693a0e	Revert manual test in gating.yaml Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-11-30 09:49:29 +01:00
Daiki Ueno	a529ca162b	nettle: mark non-compliant RSA-PSS salt length to be not-approved Resolves: #2143266 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-11-22 10:58:24 +09:00
Daiki Ueno	53a68f179c	cipher: add restriction on CCM tag length under FIPS mode Resolves: #2137807 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-11-22 10:58:23 +09:00
Zoltan Fridrich	7dd34fb86b	Remove library path checking from FIPS integrity check Resolves: rhbz#2140908 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-11-15 16:14:17 +01:00
Zoltan Fridrich	ec0dad9c1f	Add block cipher API with automatic padding Resolves: rhbz#2084161 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-11-15 14:26:00 +01:00
Zoltan Fridrich	2adea0884d	Clear server's session ticket indication at rehandshake Resolves: rhbz#2136072 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-11-15 14:25:56 +01:00
Zoltan Fridrich	036ccfaec5	Enable source archive verification again Resolves: rhbz#2127094 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-11-15 13:11:44 +01:00
Zoltan Fridrich	c6974b4fb4	Make XTS key check failure not fatal in FIPS Resolves: rhbz#2130971 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-11-07 15:40:02 +01:00
Daiki Ueno	ef1a5b9b4f	Fix FIPS140-3 service indicator transitions - fips: mark PBKDF2 with short key and output sizes non-approved - fips: only mark HMAC as approved in PBKDF2 - fips: mark gnutls_key_generate with short key sizes non-approved - fips: fix checking on hash algorithm used in ECDSA - fips: preserve operation context around FIPS selftests API Resolves: #2128229 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-09-29 21:30:20 +09:00
Daiki Ueno	e392f357d1	Supply --with{,out}-{zlib,brotli,zstd} explicitly Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-26 17:35:22 +09:00
Daiki Ueno	a5a5e06565	Revert nettle version pinning as it doesn't work well in side-tag This reverts commit `7fecd39c3d`. As there is a circular dependency between gnutls and gnupg2, that commit added some fragility to the build process. Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-26 06:48:46 +09:00
Daiki Ueno	7fecd39c3d	Pin nettle version in Requires when compiled with FIPS Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-26 00:41:50 +09:00
Daiki Ueno	6c2f661b1a	Disable certificate compression support by default It turnd out that it will introduce an RFC compliance issue: https://gitlab.com/gnutls/gnutls/-/issues/1397 This disables the feature by not linking to any compression library. Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-25 07:29:14 +09:00
Daiki Ueno	8be21cf2c4	Bundle GMP to privatize memory functions Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-23 22:35:01 +09:00
Daiki Ueno	2b8f733ff8	Update gnutls-3.7.6-cpuid-fixes.patch Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-23 20:25:52 +09:00
Daiki Ueno	fdc014428b	accelerated: clear AVX bits if it cannot be queried through XSAVE Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-20 10:40:55 +09:00
Daiki Ueno	1868932498	Mark RSA SigVer operation approved for known modulus sizes Resolves: #2091903 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-20 09:55:10 +09:00
Daiki Ueno	2a3fb25b16	sysrng: reseed source DRBG for prediction resistance Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-05 19:38:19 +09:00
Daiki Ueno	91b2da8826	Block DES-CBC usage in decrypting PKCS#12 bag under FIPS Resolves: #2115244 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-08-04 21:48:10 +09:00
Daiki Ueno	2a096a6a85	Fix double-free in gnutls_pkcs7_verify Resolves: #2109790 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-31 10:42:06 +09:00
Daiki Ueno	6b510e936b	Fix the previous patch enabling KTLS in gnutls-cli Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-29 21:43:26 +09:00
Daiki Ueno	cebd7e3874	Make gnutls-cli work with KTLS for testing Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-29 11:08:02 +09:00
Daiki Ueno	81119a5e7e	Remove gnutls-3.7.6-libgnutlsxx-const.patch As GnuTLS 3.7.3 included the change to the API while ABI hadn't been updated, we don't need to explicitly revert the API change. Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-25 14:24:04 +09:00
Daiki Ueno	095c10df28	Do not treat GPG verification errors as fatal When building the package under FIPS, EdDSA signature verification is not allowed. Related: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-25 14:17:35 +09:00
Daiki Ueno	526db24948	Limit input size for AES-GCM according to SP800-38D Resolves: #2095251 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-25 12:45:47 +09:00
Daiki Ueno	9c2a8c7a27	Allow enabling KTLS with config file Resolves: #2042009 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-19 14:17:23 +09:00
Daiki Ueno	a7f3c0212c	Update to gnutls 3.7.6 Resolves: #2097327 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-07-04 13:19:23 +09:00
Daiki Ueno	8e01ff674e	Enable manual gating Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-06-14 11:34:55 +09:00
Daiki Ueno	8f121242f9	Don't run power-on self-tests on DSA Resolves: #2061325 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-03-31 11:23:39 +02:00
Daiki Ueno	81d601383e	Use only the first component of VERSION from /etc/os-release Resolves: #2070249 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-03-31 09:33:42 +02:00
Daiki Ueno	3ee3f894e0	Ensure allowlist API is called before priority string construction Related: #1975421 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-25 19:55:31 +01:00
Daiki Ueno	c0068e3bc7	Stop using typeof keyword for tss2 function prototypes Resolves: #2057490 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-25 18:40:49 +01:00
Daiki Ueno	79ee77ae83	Fix previous change for loading libtss2* Resolves: #2057490 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-25 09:08:03 +01:00
Daiki Ueno	ce3e58a2d0	Use dlopen for loading libtss2* to avoid OpenSSL dependency Resolves: #2057490 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-24 14:09:33 +01:00
Daiki Ueno	89eb1823f0	Make allowlisting configuration robuster - Increase GNUTLS_MAX_ALGORITHM_NUM for allowlisting - Ensure allowlisting API is called before priority string is constructed Related: #2033220 Related: #2042532 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-24 13:15:12 +01:00
Daiki Ueno	7784eaae22	Compile out GOST algorithm IDs Resolves: #1945292 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-22 17:38:51 +01:00
Zoltan Fridrich	74d64f9b6a	Fix upstream testsuite in fips mode Resolves: #2051637 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-02-17 15:35:50 +01:00
Daiki Ueno	7c4fdadf07	Fix issues found after the rebase - fips: allow a few more primes in RSA key generation - fips: tighten PKCS#12 algorithm checks - Correct return value of KTLS stub API Resolves: #2033220 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-16 12:14:42 +01:00
Daiki Ueno	1454d59d19	Specify --with-fips140-module-name and --with-fips140-module-version Related: #2033220 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-02-16 11:01:25 +01:00
Zoltan Fridrich	8b49674631	Disable live config reload Resolves: rhbz#2042532 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>	2022-02-15 12:45:10 +01:00
Daiki Ueno	778c959c06	Build with TPM2 support Related: #2033220 Signed-off-by: Daiki Ueno <dueno@redhat.com> Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>	2022-02-02 13:01:18 +01:00
Daiki Ueno	4030e24b19	Update to gnutls 3.7.3 Resolves: #2033220 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2022-01-18 09:31:38 +01:00
Daiki Ueno	7089af2e2d	Update gnutls_{hash,hmac}_copy man-pages as well Related: #1999639 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2021-12-22 17:22:57 +01:00
Daiki Ueno	99deb50ba7	Drop support for GNUTLS_NO_EXPLICIT_INIT envvar Also expand documentation of gnutls_{hash,hmac}_copy, mentioning that those do not always work. Resolves: #1999639 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2021-12-22 08:54:15 +01:00

1 2

78 Commits