diff --git a/gnutls-2.12.20-fips-algorithms.patch b/gnutls-2.12.20-fips-algorithms.patch
new file mode 100644
index 0000000..f714bd4
--- /dev/null
+++ b/gnutls-2.12.20-fips-algorithms.patch
@@ -0,0 +1,189 @@
+diff -up gnutls-2.12.20/lib/gcrypt/init.c.fips gnutls-2.12.20/lib/gcrypt/init.c
+--- gnutls-2.12.20/lib/gcrypt/init.c.fips 2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.20/lib/gcrypt/init.c 2012-11-01 11:00:34.954835974 +0100
+@@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {
+ .recvmsg = NULL,
+ };
+
++int gnutls_gcrypt_fips;
++
+ int
+ gnutls_crypto_init (void)
+ {
+@@ -72,6 +74,8 @@ gnutls_crypto_init (void)
+ return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
+ }
+
++ gnutls_gcrypt_fips = gcry_fips_mode_active();
++
+ /* for gcrypt in order to be able to allocate memory */
+ gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);
+
+diff -up gnutls-2.12.20/lib/gnutls_priority.c.fips gnutls-2.12.20/lib/gnutls_priority.c
+--- gnutls-2.12.20/lib/gnutls_priority.c.fips 2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.20/lib/gnutls_priority.c 2012-11-01 11:02:52.505807199 +0100
+@@ -30,6 +30,7 @@
+ #include "gnutls_algorithms.h"
+ #include "gnutls_errors.h"
+ #include
++#include
+
+ static void
+ break_comma_list (char *etag,
+@@ -223,6 +224,13 @@ static const int protocol_priority[] = {
+ 0
+ };
+
++static const int protocol_priority_fips[] = {
++ GNUTLS_TLS1_2,
++ GNUTLS_TLS1_1,
++ GNUTLS_TLS1_0,
++ 0
++};
++
+ static const int kx_priority_performance[] = {
+ GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA,
+@@ -269,6 +277,13 @@ static const int cipher_priority_perform
+ 0
+ };
+
++static const int cipher_priority_performance_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ GNUTLS_CIPHER_AES_256_CBC,
++ 0
++};
++
+ static const int cipher_priority_normal[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ #ifdef ENABLE_CAMELLIA
+@@ -284,6 +299,13 @@ static const int cipher_priority_normal[
+ 0
+ };
+
++static const int cipher_priority_normal_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_AES_256_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
++
+ static const int cipher_priority_secure128[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ #ifdef ENABLE_CAMELLIA
+@@ -295,6 +317,11 @@ static const int cipher_priority_secure1
+ 0
+ };
+
++static const int cipher_priority_secure128_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
+
+ static const int cipher_priority_secure256[] = {
+ GNUTLS_CIPHER_AES_256_CBC,
+@@ -311,6 +338,13 @@ static const int cipher_priority_secure2
+ 0
+ };
+
++static const int cipher_priority_secure256_fips[] = {
++ GNUTLS_CIPHER_AES_256_CBC,
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
++
+ /* The same as cipher_priority_security_normal + arcfour-40. */
+ static const int cipher_priority_export[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+@@ -362,6 +396,12 @@ static const int mac_priority_normal[] =
+ 0
+ };
+
++static const int mac_priority_normal_fips[] = {
++ GNUTLS_MAC_SHA1,
++ GNUTLS_MAC_SHA256,
++ 0
++};
++
+
+ static const int mac_priority_secure[] = {
+ GNUTLS_MAC_SHA256,
+@@ -462,6 +502,8 @@ gnutls_priority_set (gnutls_session_t se
+
+ #define MAX_ELEMENTS 48
+
++extern int gnutls_gcrypt_fips;
++
+ /**
+ * gnutls_priority_init:
+ * @priority_cache: is a #gnutls_prioritity_t structure.
+@@ -561,7 +603,7 @@ gnutls_priority_init (gnutls_priority_t
+ */
+ if (strcasecmp (broken_list[0], "NONE") != 0)
+ {
+- _set_priority (&(*priority_cache)->protocol, protocol_priority);
++ _set_priority (&(*priority_cache)->protocol, gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
+ _set_priority (&(*priority_cache)->compression, comp_priority);
+ _set_priority (&(*priority_cache)->cert_type, cert_type_priority_default);
+ _set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
+@@ -577,17 +619,17 @@ gnutls_priority_init (gnutls_priority_t
+ if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_performance);
++ gnutls_gcrypt_fips?cipher_priority_performance_fips:cipher_priority_performance);
+ _set_priority (&(*priority_cache)->kx, kx_priority_performance);
+- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
++ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
+ _set_priority (&(*priority_cache)->sign_algo,
+ sign_priority_default);
+ }
+ else if (strcasecmp (broken_list[i], "NORMAL") == 0)
+ {
+- _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
++ _set_priority (&(*priority_cache)->cipher, gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
++ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
+ _set_priority (&(*priority_cache)->sign_algo,
+ sign_priority_default);
+ }
+@@ -595,7 +637,7 @@ gnutls_priority_init (gnutls_priority_t
+ || strcasecmp (broken_list[i], "SECURE") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_secure256);
++ gnutls_gcrypt_fips?cipher_priority_secure256_fips:cipher_priority_secure256);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
+ _set_priority (&(*priority_cache)->sign_algo,
+@@ -604,7 +646,7 @@ gnutls_priority_init (gnutls_priority_t
+ else if (strcasecmp (broken_list[i], "SECURE128") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_secure128);
++ gnutls_gcrypt_fips?cipher_priority_secure128_fips:cipher_priority_secure128);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
+ _set_priority (&(*priority_cache)->sign_algo,
+@@ -646,7 +688,7 @@ gnutls_priority_init (gnutls_priority_t
+ if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)
+ {
+ bulk_fn (&(*priority_cache)->protocol,
+- protocol_priority);
++ gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
+ }
+ else
+ {
+@@ -718,7 +760,7 @@ gnutls_priority_init (gnutls_priority_t
+ else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
+ {
+ bulk_fn (&(*priority_cache)->cipher,
+- cipher_priority_normal);
++ gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
+ }
+ else
+ goto error;
diff --git a/gnutls.spec b/gnutls.spec
index 3b36d0c..9be0adc 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@ Summary: A TLS protocol implementation Name: gnutls Version: 2.12.20 -Release: 3%{?dist} +Release: 4%{?dist} # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries
@@ -25,6 +25,8 @@ Patch4: gnutls-2.12.7-dsa-skiptests.patch Patch5: gnutls-2.12.20-build.patch # Fix the gnutls-cli-debug manpage Patch6: gnutls-2.12.20-cli-debug-manpage.patch +# Use only FIPS approved ciphers in the FIPS mode +Patch7: gnutls-2.12.20-fips-algorithms.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: libgcrypt >= 1.2.2
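Review bot: In the `gnutls_priority_init` hunks of gnutls-2.12.20-fips-algorithms.patch the `_fips` tables are substituted only where a keyword is expanded (`NORMAL`, `PERFORMANCE`, `SECURE*`, `VERS-TLS-ALL`, `CIPHER-ALL`), so the patch changes defaults rather than enforcing a restriction: every branch these hunks leave untouched still installs its original list, and the context comment on `cipher_priority_export` says that list carries arcfour-40 yet it gets no `_fips` counterpart. To match the changelog's "negotiate only FIPS approved algorithms", a single filtering pass at the end of parsing that drops every protocol, cipher and MAC id absent from the `_fips` tables whenever `gnutls_gcrypt_fips` is non-zero would be more robust than per-keyword ternaries, and a comment above the tables should state which inputs are and are not covered. The flag is assigned in `gnutls_crypto_init` directly after the version check, in a block whose opening condition lies outside the hunk; if that block runs only when gnutls performs the libgcrypt initialisation itself, an application that initialised libgcrypt first leaves the flag at 0 and silently gets the non-FIPS lists, so `gnutls_gcrypt_fips = gcry_fips_mode_active();` should sit on a path that always executes. As a style point, the flag is a non-static global pulled in through a local `extern int gnutls_gcrypt_fips;` in gnutls_priority.c; a `_gnutls_`-prefixed name declared once in an internal header would keep the definition and its user in sync and out of the application's namespace.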
@@ -97,6 +99,7 @@ This package contains Guile bindings for the library. %patch4 -p1 -b .skiptests %patch5 -p1 -b .build %patch6 -p1 -b .cli-debug +%patch7 -p1 -b .fips for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do touch lib/$i @@ -198,6 +201,9 @@ fi %{_datadir}/guile/site/gnutls.scm %changelog +* Thu Nov 1 2012 Tomas Mraz 2.12.20-4 +- negotiate only FIPS approved algorithms in the FIPS mode (#871826) + * Wed Aug 8 2012 Tomas Mraz 2.12.20-3 - fix the gnutls-cli-debug manpage - patch by Peter Schiffer