Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2023-05-26 20:15:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Fri May 26 20:15:10 2023 rev:148 rq:1089038 version:3.8.0 Changes: --------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2023-05-16 14:21:50.473825675 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1533/gnutls.changes 2023-05-26 20:15:16.268190299 +0200
@@ -1,0 +2,13 @@
+Wed May 24 11:01:10 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+ gmp libraries. These calculated HMACs change for every build of
+ each of these packages, we only have to verify that for gnutls.
+ * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
+-------------------------------------------------------------------
New: ---- gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.CCukVp/_old 2023-05-26 20:15:16.900194066 +0200
+++ /var/tmp/diff_new_pack.CCukVp/_new 2023-05-26 20:15:16.904194090 +0200
@@ -62,9 +62,11 @@
 Patch101: gnutls-FIPS-PCT-ECDH.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
 Patch102: gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
+Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch103: gnutls-FIPS-jitterentropy.patch
+Patch104: gnutls-FIPS-jitterentropy.patch
 %endif
 BuildRequires: autogen
 BuildRequires: automake
@@ -118,10 +120,10 @@ %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library -# install libgnutls and libgnutls-hmac close together (bsc#1090765) License: LGPL-2.1-or-later Group: System/Libraries -Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} +Provides: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} +Obsoletes: libgnutls%{gnutls_sover}-hmac < %{version}-%{release} %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif @@ -131,15 +133,6 @@ layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. -%package -n libgnutls%{gnutls_sover}-hmac -Summary: Checksums of the GNU Transport Layer Security Library -License: LGPL-2.1-or-later -Group: System/Libraries -Requires: libgnutls%{gnutls_sover} = %{version}-%{release} - -%description -n libgnutls%{gnutls_sover}-hmac -FIPS SHA256 checksums of the libgnutls library. - %if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library @@ -339,9 +332,6 @@ %files -n libgnutls%{gnutls_sover} %license LICENSE %{_libdir}/libgnutls.so.%{gnutls_sover}* - -%files -n libgnutls%{gnutls_sover}-hmac -%license LICENSE %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac %if %{with dane} ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.CCukVp/_old 2023-05-26 20:15:16.932194257 +0200 +++ /var/tmp/diff_new_pack.CCukVp/_new 2023-05-26 20:15:16.936194280 +0200 
@@ -1,8 +1,8 @@ libgnutls30 obsoletes "gnutls-<targettype>" + provides "libgnutls30-<targettype> = <version>-%release" + obsoletes "libgnutls30-<targettype> < <version>-%release" libgnutls-devel requires -libgnutls-<targettype> requires "libgnutls30-<targettype> = <version>" -libgnutls30-hmac - requires "libgnutls30-<targettype> = <version>-%release" ++++++ gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch ++++++ Index: gnutls-3.8.0/lib/fips.c =================================================================== --- gnutls-3.8.0.orig/lib/fips.c +++ gnutls-3.8.0/lib/fips.c @@ -467,6 +467,11 @@ static int check_binary_integrity(void) ret = check_lib_hmac(&hmac.gnutls, paths.gnutls); if (ret < 0) return ret; +# if 0 + /* Disable nettle, hogweed and gpm HMAC verification as + * they are calculated during build of the respective + * packages and can differ from the ones listed here. + */ ret = check_lib_hmac(&hmac.nettle, paths.nettle); if (ret < 0) return ret; @@ -476,6 +481,7 @@ static int check_binary_integrity(void) ret = check_lib_hmac(&hmac.gmp, paths.gmp); if (ret < 0) return ret; +# endif return 0; }
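Review bot: The `# if 0` opened in the first lib/fips.c hunk and closed by `# endif` in the second drops the nettle, hogweed and gmp checks from check_binary_integrity() without leaving any runtime trace, so in FIPS mode the integrity self-test silently covers libgnutls only. The comment should say what is expected to verify those three libraries instead (presumably their own packages' self-tests, which are not visible here) and fix the `gpm` typo, e.g. `/* nettle, hogweed and gmp HMACs are produced by their own package builds and are not verified here (bsc#1211476). */`. A `_gnutls_debug_log("FIPS140: skipping HMAC check of nettle, hogweed and gmp\n");` before `return 0;` would make the reduced coverage visible to anyone auditing a deployment. The function starts above the first hunk, so whether the HMAC file is still required to list those three libraries cannot be judged from these lines.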