From b03a087fcb0203a2ec80f00b15fae0a3ed08d397 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 12 2019 16:33:31 +0000
Subject: import gnutls-3.3.29-9.el7_6
---
diff --git a/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch b/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
new file mode 100644
index 0000000..02be442
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
@@ -0,0 +1,70 @@
+--- a/lib/crypto-selftests-pk.c 2019-02-06 14:49:44.807422315 +0100
++++ b/lib/crypto-selftests-pk.c 2019-02-06 14:56:40.311049707 +0100
+@@ -731,30 +731,9 @@
+ goto cleanup;
+ }
+
+- if (all == 0)
+- return 0;
+ #endif
+
+ /* Test ECDSA */
+-#ifdef ENABLE_NON_SUITEB_CURVES
+- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+- GNUTLS_CURVE_TO_BITS
+- (GNUTLS_ECC_CURVE_SECP192R1),
+- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
+- ecdsa_secp192r1_sig);
+- PK_TEST(GNUTLS_PK_EC, test_sig,
+- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
+- GNUTLS_DIG_SHA256);
+-
+- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+- GNUTLS_CURVE_TO_BITS
+- (GNUTLS_ECC_CURVE_SECP224R1),
+- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
+- ecdsa_secp224r1_sig);
+- PK_TEST(GNUTLS_PK_EC, test_sig,
+- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
+- GNUTLS_DIG_SHA256);
+-#endif
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP256R1),
+@@ -764,6 +743,9 @@
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
+ GNUTLS_DIG_SHA256);
+
++ if (all == 0)
++ return 0;
++
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP384R1),
+@@ -782,6 +764,26 @@
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
+ GNUTLS_DIG_SHA512);
+
++#ifdef ENABLE_NON_SUITEB_CURVES
++ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
++ GNUTLS_CURVE_TO_BITS
++ (GNUTLS_ECC_CURVE_SECP192R1),
++ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
++ ecdsa_secp192r1_sig);
++ PK_TEST(GNUTLS_PK_EC, test_sig,
++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
++ GNUTLS_DIG_SHA256);
++
++ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
++ GNUTLS_CURVE_TO_BITS
++ (GNUTLS_ECC_CURVE_SECP224R1),
++ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
++ ecdsa_secp224r1_sig);
++ PK_TEST(GNUTLS_PK_EC, test_sig,
++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
++ GNUTLS_DIG_SHA256);
++#endif
++
+ break;
+
+ default:
diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec
index a2a8f61..bf614f1 100644
--- a/SPECS/gnutls.spec
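Review bot: The relocated `if (all == 0) return 0;` in the second inner hunk of lib/crypto-selftests-pk.c has no comment, yet its position alone decides which ECDSA known-answer tests run when `all` is zero: secp256r1 before the return, and secp384r1, secp521r1 and the `ENABLE_NON_SUITEB_CURVES` curves only after it. A comment such as `/* all == 0: stop after the secp256r1 PK_KNOWN_TEST/PK_TEST pair; the remaining curves run only when all is set */` would help keep a later reordering from silently dropping the ECDSA KAT from that path again, which appears to be the regression the spec comment (rhbz#1673919) refers to. The early exit also uses `return 0` while the failure path at the top of the first inner hunk uses `goto cleanup`. Whether anything needs releasing at that point cannot be judged here, since the enclosing function and the `PK_KNOWN_TEST`/`PK_TEST` macros lie outside the hunk.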
+++ b/SPECS/gnutls.spec @@ -3,7 +3,7 @@ Summary: A TLS protocol implementation Name: gnutls Version: 3.3.29 -Release: 8%{?dist} +Release: 9%{?dist} # The libraries are LGPLv2.1+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries @@ -79,6 +79,8 @@ Patch23: gnutls-3.3.29-serv-large-key-resumption.patch # HMAC-SHA-256 cipher suites brought back downstream for compatibility # The priority was set below AEAD Patch24: gnutls-3.3.29-bring-back-hmac-sha256.patch +# Run KAT startup test for ECDSA (using secp256r1 curve) (rhbz#1673919) +Patch25: gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -201,6 +203,7 @@ This package contains Guile bindings for the library. %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 sed 's/gnutls_srp.c//g' -i lib/Makefile.in sed 's/gnutls_srp.lo//g' -i lib/Makefile.in @@ -359,6 +362,9 @@ fi %endif %changelog +* Tue Feb 12 2019 Anderson Sasaki 3.3.29-9 +- Make sure the FIPS startup KAT selftest run for ECDSA (#1673919) + * Fri Jul 20 2018 Anderson Sasaki 3.3.29-8 - Backported --sni-hostname option which allows overriding the hostname advertised to the peer (#1444792)