Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gnutls for openSUSE:Factory checked
in at 2023-05-26 20:15:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
and /work/SRC/openSUSE:Factory/.gnutls.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls"
Fri May 26 20:15:10 2023 rev:148 rq:1089038 version:3.8.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2023-05-16
14:21:50.473825675 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1533/gnutls.changes 2023-05-26
20:15:16.268190299 +0200
@@ -1,0 +2,13 @@
+Wed May 24 11:01:10 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+ gmp libraries. These calculated HMACs change for every build of
+ each of these packages, we only have to verify that for gnutls.
+ * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
+-------------------------------------------------------------------
New:
----
gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.CCukVp/_old 2023-05-26 20:15:16.900194066 +0200
+++ /var/tmp/diff_new_pack.CCukVp/_new 2023-05-26 20:15:16.904194090 +0200
@@ -62,9 +62,11 @@
Patch101: gnutls-FIPS-PCT-ECDH.patch
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
Patch102: gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle,
hogweed and gmp
+Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch103: gnutls-FIPS-jitterentropy.patch
+Patch104: gnutls-FIPS-jitterentropy.patch
%endif
BuildRequires: autogen
BuildRequires: automake
@@ -118,10 +120,10 @@
%package -n libgnutls%{gnutls_sover}
Summary: The GNU Transport Layer Security Library
-# install libgnutls and libgnutls-hmac close together (bsc#1090765)
License: LGPL-2.1-or-later
Group: System/Libraries
-Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Provides: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Obsoletes: libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif
@@ -131,15 +133,6 @@
layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group.
-%package -n libgnutls%{gnutls_sover}-hmac
-Summary: Checksums of the GNU Transport Layer Security Library
-License: LGPL-2.1-or-later
-Group: System/Libraries
-Requires: libgnutls%{gnutls_sover} = %{version}-%{release}
-
-%description -n libgnutls%{gnutls_sover}-hmac
-FIPS SHA256 checksums of the libgnutls library.
-
%if %{with dane}
%package -n libgnutls-dane%{gnutls_dane_sover}
Summary: DANE support for the GNU Transport Layer Security Library
@@ -339,9 +332,6 @@
%files -n libgnutls%{gnutls_sover}
%license LICENSE
%{_libdir}/libgnutls.so.%{gnutls_sover}*
-
-%files -n libgnutls%{gnutls_sover}-hmac
-%license LICENSE
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
%if %{with dane}
++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.CCukVp/_old 2023-05-26 20:15:16.932194257 +0200
+++ /var/tmp/diff_new_pack.CCukVp/_new 2023-05-26 20:15:16.936194280 +0200
@@ -1,8 +1,8 @@
libgnutls30
obsoletes "gnutls-<targettype>"
+ provides "libgnutls30-<targettype> = <version>-%release"
+ obsoletes "libgnutls30-<targettype> < <version>-%release"
libgnutls-devel
requires -libgnutls-<targettype>
requires "libgnutls30-<targettype> = <version>"
-libgnutls30-hmac
- requires "libgnutls30-<targettype> = <version>-%release"
++++++ gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch ++++++
Index: gnutls-3.8.0/lib/fips.c
===================================================================
--- gnutls-3.8.0.orig/lib/fips.c
+++ gnutls-3.8.0/lib/fips.c
@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
if (ret < 0)
return ret;
+# if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as
+ * they are calculated during build of the respective
+ * packages and can differ from the ones listed here.
+ */
ret = check_lib_hmac(&hmac.nettle, paths.nettle);
if (ret < 0)
return ret;
@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gmp, paths.gmp);
if (ret < 0)
return ret;
+# endif
return 0;
}
