Overview
Request 1033875 superseded
- Temporarily revert the jitterentropy patches in s390 and s390x
architectures until a fix is provided [bsc#1204937]
- Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245]
* Package the FIPS .hmac files
* Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
* Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
- FIPS: Make XTS key check failure not fatal [bsc#1203779]
* Add gnutls-Make-XTS-key-check-failure-not-fatal.patch
- Created by AdaLovelace
- In state superseded
- Superseded by 1087198
- Open review for security:tls / gnutls
- Open review for factory-staging
Request History
AdaLovelace created request
- Temporarily revert the jitterentropy patches in s390 and s390x
architectures until a fix is provided [bsc#1204937]
- Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245]
* Package the FIPS .hmac files
* Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
* Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
- FIPS: Make XTS key check failure not fatal [bsc#1203779]
* Add gnutls-Make-XTS-key-check-failure-not-fatal.patch
licensedigger accepted review
ok
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
dimstar declined review
%files -n libgnutls%{gnutls_sover}-hmac
90 %license LICENSE
91 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
92+%{_libdir}/.gnutls.hmac
SLPP violation. - save decline reason as the previous SRs
dimstar declined request
%files -n libgnutls%{gnutls_sover}-hmac
90 %license LICENSE
91 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
92+%{_libdir}/.gnutls.hmac
SLPP violation. - save decline reason as the previous SRs
superseded by 1087198
Sarah, thanks for the submission! We are working on having a versioned FIPS hmac calculation after a rework from upstream. We'll submit the fix soon.