2007-01-16 00:15:20 +01:00
|
|
|
#
|
2011-06-16 09:57:04 +02:00
|
|
|
# spec file for package gnutls
|
2007-01-16 00:15:20 +01:00
|
|
|
#
|
2023-01-20 21:17:13 +01:00
|
|
|
# Copyright (c) 2023 SUSE LLC
|
2007-01-16 00:15:20 +01:00
|
|
|
#
|
2008-11-02 15:41:35 +01:00
|
|
|
# All modifications and additions to the file contributed by third parties
|
|
|
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
|
|
|
# upon. The license for this file, and modifications and additions to the
|
|
|
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
|
|
|
# license for the pristine package is not an Open Source License, in which
|
|
|
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
|
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
|
|
|
# published by the Open Source Initiative.
|
|
|
|
|
|
2018-10-15 10:27:49 +02:00
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
2007-01-16 00:15:20 +01:00
|
|
|
#
|
|
|
|
|
|
2011-08-24 13:44:23 +02:00
|
|
|
|
Accepting request 295655 from Base:System
- updated to 3.4.0 (released 2015-04-08)
** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
ciphersuites. The former are enabled by default, the latter need to be
explicitly enabled, since they reduce the overall security level.
** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
That is currently provided as technology preview and is not enabled by
default, since there are no assigned ciphersuite points by IETF and there
is no guarrantee of compatibility between draft versions. The ciphersuite
priority string to enable it is "+CHACHA20-POLY1305".
** libgnutls: Added support for encrypt-then-authenticate in CBC
ciphersuites (RFC7366 -taking into account its errata text). This is
enabled by default and can be disabled using the %NO_ETM priority
string.
** libgnutls: Added support for the extended master secret
(triple-handshake fix) following draft-ietf-tls-session-hash-02.
** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
** libgnutls: SSL 3.0 is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+VERS-SSL3.0".
** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+ARCFOUR-128".
** libgnutls: DSA signatures and DHE-DSS are no longer included in the
default priorities list. They have to be explicitly enabled, e.g., with
a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
DSA ciphersuites were dropped because they had no deployment at all
on the internet, to justify their inclusion.
** libgnutls: The priority string EXPORT was completely removed. The string
OBS-URL: https://build.opensuse.org/request/show/295655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=83
2015-04-18 10:38:18 +02:00
|
|
|
%define gnutls_sover 30
|
2022-03-18 21:01:46 +01:00
|
|
|
%define gnutlsxx_sover 30
|
2017-08-29 11:40:38 +02:00
|
|
|
%define gnutls_dane_sover 0
|
2019-04-04 16:11:38 +02:00
|
|
|
# unbound isn't in SLE (bsc#1086428)
|
|
|
|
|
%if 0%{?is_opensuse}
|
2016-12-29 22:41:21 +01:00
|
|
|
%bcond_without dane
|
2018-04-10 09:48:38 +02:00
|
|
|
%else
|
|
|
|
|
%bcond_with dane
|
2018-03-30 11:56:05 +02:00
|
|
|
%endif
|
2021-06-01 14:42:43 +02:00
|
|
|
# Enable Linux kernel AF_ALG based acceleration
|
|
|
|
|
%if 0%{?suse_version} >= 1550
|
2022-05-16 10:07:25 +02:00
|
|
|
# disable for now, as our OBS builds do not work with it. Marcus 20220511
|
|
|
|
|
#bcond_without kcapi
|
|
|
|
|
%bcond_with kcapi
|
2021-06-01 14:42:43 +02:00
|
|
|
%else
|
|
|
|
|
%bcond_with kcapi
|
|
|
|
|
%endif
|
2016-12-29 22:41:21 +01:00
|
|
|
%bcond_with tpm
|
|
|
|
|
%bcond_without guile
|
2007-01-16 00:15:20 +01:00
|
|
|
Name: gnutls
|
2023-02-15 12:02:33 +01:00
|
|
|
Version: 3.7.9
|
2012-05-21 10:25:22 +02:00
|
|
|
Release: 0
|
2007-01-16 00:15:20 +01:00
|
|
|
Summary: The GNU Transport Layer Security Library
|
2021-05-14 16:01:30 +02:00
|
|
|
License: GPL-3.0-or-later AND LGPL-2.1-or-later
|
2007-01-16 00:15:20 +01:00
|
|
|
Group: Productivity/Networking/Security
|
2019-07-31 19:35:10 +02:00
|
|
|
URL: https://www.gnutls.org/
|
2021-02-02 18:34:55 +01:00
|
|
|
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
|
|
|
|
|
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig
|
Accepting request 1009758 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
OBS-URL: https://build.opensuse.org/request/show/1009758
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=77
2022-10-11 14:44:03 +02:00
|
|
|
# https://gnutls.org/gnutls-release-keyring.gpg
|
2021-02-02 18:34:55 +01:00
|
|
|
Source2: gnutls.keyring
|
2013-07-01 15:54:42 +02:00
|
|
|
Source3: baselibs.conf
|
2022-11-08 16:56:01 +01:00
|
|
|
# Suppress a false positive on the .hmac file
|
|
|
|
|
Source4: gnutls.rpmlintrc
|
2020-12-05 18:16:13 +01:00
|
|
|
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
|
2022-10-17 12:12:56 +02:00
|
|
|
Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
|
|
|
|
|
Patch2: gnutls-FIPS-disable-failing-tests.patch
|
|
|
|
|
Patch3: gnutls_ECDSA_signing.patch
|
2022-09-14 10:41:21 +02:00
|
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
2022-11-02 22:55:38 +01:00
|
|
|
%ifnarch s390 s390x
|
2022-09-14 10:41:21 +02:00
|
|
|
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
|
2022-10-17 12:12:56 +02:00
|
|
|
Patch4: gnutls-FIPS-jitterentropy.patch
|
|
|
|
|
#PATCH-FIX-SUSE bsc#1202146 FIPS: Set error state when jent init failed in FIPS mode
|
|
|
|
|
Patch5: gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
|
2022-09-14 10:41:21 +02:00
|
|
|
%endif
|
2022-11-02 22:55:38 +01:00
|
|
|
%endif
|
2022-09-14 10:41:21 +02:00
|
|
|
#PATCH-FIX-SUSE bsc#1190698 FIPS: SLI gnutls_pbkdf2: verify keylengths and allow SHA only
|
|
|
|
|
Patch6: gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
|
2022-10-04 16:51:03 +02:00
|
|
|
#PATCH-FIX-UPSTREAM bsc#1203779 Make XTS key check failure not fatal
|
2022-10-17 12:12:56 +02:00
|
|
|
Patch7: gnutls-Make-XTS-key-check-failure-not-fatal.patch
|
2022-11-08 16:56:01 +01:00
|
|
|
Patch8: gnutls-disable-flaky-test-dtls-resume.patch
|
|
|
|
|
#PATCH-FIX-OPENSUSE bsc#1199881 Verify only the libgnutls library HMAC
|
|
|
|
|
Patch9: gnutls-verify-library-HMAC.patch
|
2023-01-20 21:17:13 +01:00
|
|
|
#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
|
|
|
|
|
Patch10: gnutls-FIPS-PCT-DH.patch
|
|
|
|
|
Patch11: gnutls-FIPS-PCT-ECDH.patch
|
|
|
|
|
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
|
|
|
|
|
Patch12: gnutls-FIPS-140-3-references.patch
|
2015-08-25 07:17:02 +02:00
|
|
|
BuildRequires: autogen
|
2011-12-02 16:25:49 +01:00
|
|
|
BuildRequires: automake
|
2016-07-09 09:21:14 +02:00
|
|
|
BuildRequires: datefudge
|
2016-05-04 08:17:29 +02:00
|
|
|
BuildRequires: fdupes
|
2022-11-02 22:55:38 +01:00
|
|
|
BuildRequires: fipscheck
|
2011-08-24 13:44:12 +02:00
|
|
|
BuildRequires: gcc-c++
|
Accepting request 1009758 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
OBS-URL: https://build.opensuse.org/request/show/1009758
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=77
2022-10-11 14:44:03 +02:00
|
|
|
BuildRequires: gtk-doc
|
2017-09-12 19:38:08 +02:00
|
|
|
# The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
|
|
|
|
|
BuildRequires: iproute2
|
2017-02-22 13:50:20 +01:00
|
|
|
BuildRequires: libidn2-devel
|
2021-02-02 18:34:55 +01:00
|
|
|
BuildRequires: libnettle-devel >= 3.6
|
2016-12-29 22:41:21 +01:00
|
|
|
BuildRequires: libtasn1-devel >= 4.9
|
2012-05-31 17:04:51 +02:00
|
|
|
BuildRequires: libtool
|
2016-12-29 22:41:21 +01:00
|
|
|
BuildRequires: libunistring-devel
|
2017-08-29 11:40:38 +02:00
|
|
|
BuildRequires: makeinfo
|
2016-12-29 22:41:21 +01:00
|
|
|
BuildRequires: p11-kit-devel >= 0.23.1
|
|
|
|
|
BuildRequires: pkgconfig
|
|
|
|
|
BuildRequires: xz
|
2019-07-31 19:35:10 +02:00
|
|
|
BuildRequires: pkgconfig(autoopts)
|
2022-12-15 11:39:07 +01:00
|
|
|
BuildRequires: pkgconfig(zlib)
|
2021-06-01 14:42:43 +02:00
|
|
|
%if %{with kcapi}
|
|
|
|
|
BuildRequires: pkgconfig(libkcapi)
|
|
|
|
|
%endif
|
2016-10-10 16:16:31 +02:00
|
|
|
%if 0%{?suse_version} <= 1320
|
|
|
|
|
BuildRequires: net-tools
|
|
|
|
|
%else
|
2016-07-09 09:21:14 +02:00
|
|
|
BuildRequires: net-tools-deprecated
|
2016-10-10 16:16:31 +02:00
|
|
|
%endif
|
2015-03-30 19:32:11 +02:00
|
|
|
%if %{with tpm}
|
|
|
|
|
BuildRequires: trousers-devel
|
|
|
|
|
%endif
|
|
|
|
|
%if %{with dane}
|
2016-12-29 22:41:21 +01:00
|
|
|
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
|
2016-10-10 16:16:31 +02:00
|
|
|
%if 0%{?suse_version} <= 1320
|
|
|
|
|
BuildRequires: unbound-devel
|
|
|
|
|
%else
|
2016-02-24 14:25:15 +01:00
|
|
|
BuildRequires: libunbound-devel
|
2016-10-10 16:16:31 +02:00
|
|
|
%endif
|
2015-03-30 19:32:11 +02:00
|
|
|
%endif
|
2016-05-04 08:17:29 +02:00
|
|
|
%if %{with guile}
|
2022-08-01 10:36:39 +02:00
|
|
|
BuildRequires: guile-devel > 1.8
|
2016-05-04 08:17:29 +02:00
|
|
|
%endif
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
|
|
|
BuildRequires: crypto-policies
|
2020-12-22 10:48:35 +01:00
|
|
|
Requires: crypto-policies
|
2022-09-14 10:41:21 +02:00
|
|
|
BuildRequires: jitterentropy-devel >= 3.4.0
|
|
|
|
|
Requires: libjitterentropy3 >= 3.4.0
|
2021-02-02 18:34:55 +01:00
|
|
|
%endif
|
2007-01-16 00:15:20 +01:00
|
|
|
|
|
|
|
|
%description
|
2017-08-29 11:40:38 +02:00
|
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
|
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
2019-04-08 11:25:11 +02:00
|
|
|
of the IETF's TLS working group.
|
2007-01-16 00:15:20 +01:00
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%package -n libgnutls%{gnutls_sover}
|
2008-02-28 01:56:17 +01:00
|
|
|
Summary: The GNU Transport Layer Security Library
|
2022-05-16 10:07:25 +02:00
|
|
|
# install libgnutls and libgnutls-hmac close together (bsc#1090765)
|
2018-03-30 11:56:05 +02:00
|
|
|
License: LGPL-2.1-or-later
|
2017-08-29 11:40:38 +02:00
|
|
|
Group: System/Libraries
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
|
|
|
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
2021-05-31 11:16:21 +02:00
|
|
|
Requires: crypto-policies
|
|
|
|
|
%endif
|
2008-02-28 01:56:17 +01:00
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%description -n libgnutls%{gnutls_sover}
|
2017-08-29 11:40:38 +02:00
|
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
|
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
2019-04-08 11:25:11 +02:00
|
|
|
of the IETF's TLS working group.
|
2008-02-28 01:56:17 +01:00
|
|
|
|
2020-04-02 12:58:27 +02:00
|
|
|
%package -n libgnutls%{gnutls_sover}-hmac
|
|
|
|
|
Summary: Checksums of the GNU Transport Layer Security Library
|
|
|
|
|
License: LGPL-2.1-or-later
|
|
|
|
|
Group: System/Libraries
|
|
|
|
|
Requires: libgnutls%{gnutls_sover} = %{version}-%{release}
|
|
|
|
|
|
|
|
|
|
%description -n libgnutls%{gnutls_sover}-hmac
|
|
|
|
|
FIPS SHA256 checksums of the libgnutls library.
|
|
|
|
|
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%if %{with dane}
|
2015-03-30 19:32:11 +02:00
|
|
|
%package -n libgnutls-dane%{gnutls_dane_sover}
|
2018-04-10 09:48:38 +02:00
|
|
|
Summary: DANE support for the GNU Transport Layer Security Library
|
2018-03-30 11:56:05 +02:00
|
|
|
License: LGPL-2.1-or-later
|
2018-04-10 09:48:38 +02:00
|
|
|
Group: System/Libraries
|
2015-03-30 19:32:11 +02:00
|
|
|
|
|
|
|
|
%description -n libgnutls-dane%{gnutls_dane_sover}
|
|
|
|
|
The GnuTLS project aims to develop a library that provides a secure
|
2016-12-29 22:41:21 +01:00
|
|
|
layer over a reliable transport layer.
|
2015-03-30 19:32:11 +02:00
|
|
|
This package contains the "DANE" part of gnutls.
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%endif
|
2015-03-30 19:32:11 +02:00
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%package -n libgnutlsxx%{gnutlsxx_sover}
|
2017-08-29 11:40:38 +02:00
|
|
|
Summary: C++ API for the GNU Transport Layer Security Library
|
2018-03-30 11:56:05 +02:00
|
|
|
License: LGPL-2.1-or-later
|
2017-08-29 11:40:38 +02:00
|
|
|
Group: System/Libraries
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
2021-05-31 11:16:21 +02:00
|
|
|
Requires: crypto-policies
|
|
|
|
|
%endif
|
2008-02-28 01:56:17 +01:00
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%description -n libgnutlsxx%{gnutlsxx_sover}
|
2017-08-29 11:40:38 +02:00
|
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
2019-04-08 11:25:11 +02:00
|
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
|
|
|
|
of the IETF's TLS working group.
|
2007-10-25 18:10:26 +02:00
|
|
|
|
|
|
|
|
%package -n libgnutls-devel
|
2017-08-29 11:40:38 +02:00
|
|
|
Summary: Development package for the GnuTLS C API
|
2018-03-30 11:56:05 +02:00
|
|
|
License: LGPL-2.1-or-later
|
2007-08-03 16:29:06 +02:00
|
|
|
Group: Development/Libraries/C and C++
|
2011-08-24 13:44:12 +02:00
|
|
|
Requires: glibc-devel
|
2021-05-31 11:16:21 +02:00
|
|
|
Requires: gnutls = %{version}
|
2011-08-24 13:44:12 +02:00
|
|
|
Requires: libgnutls%{gnutls_sover} = %{version}
|
2012-05-22 10:11:29 +02:00
|
|
|
Provides: gnutls-devel = %{version}-%{release}
|
2022-03-09 11:49:43 +01:00
|
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
|
|
|
Requires: crypto-policies
|
|
|
|
|
%endif
|
2008-02-28 01:56:17 +01:00
|
|
|
|
|
|
|
|
%description -n libgnutls-devel
|
|
|
|
|
Files needed for software development using gnutls.
|
|
|
|
|
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%if %{with dane}
|
2016-02-24 14:25:15 +01:00
|
|
|
%package -n libgnutls-dane-devel
|
2017-08-29 11:40:38 +02:00
|
|
|
Summary: Development package for GnuTLS DANE component
|
2018-03-30 11:56:05 +02:00
|
|
|
License: LGPL-2.1-or-later
|
2016-02-24 14:25:15 +01:00
|
|
|
Group: Development/Libraries/C and C++
|
|
|
|
|
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
|
|
|
|
|
|
|
|
|
|
%description -n libgnutls-dane-devel
|
|
|
|
|
Files needed for software development using gnutls.
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%endif
|
2016-02-24 14:25:15 +01:00
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%package -n libgnutlsxx-devel
|
2017-08-29 11:40:38 +02:00
|
|
|
Summary: Development package for the GnuTLS C++ API
|
2018-03-30 11:56:05 +02:00
|
|
|
License: LGPL-2.1-or-later
|
2011-08-24 13:44:12 +02:00
|
|
|
Group: Development/Libraries/C and C++
|
|
|
|
|
Requires: libgnutls-devel = %{version}
|
2012-05-21 10:25:22 +02:00
|
|
|
Requires: libgnutlsxx%{gnutlsxx_sover} = %{version}
|
2011-08-24 13:44:12 +02:00
|
|
|
Requires: libstdc++-devel
|
|
|
|
|
|
|
|
|
|
%description -n libgnutlsxx-devel
|
|
|
|
|
Files needed for software development using gnutls.
|
|
|
|
|
|
2021-02-02 18:34:55 +01:00
|
|
|
%if %{with guile}
|
2016-05-04 08:17:29 +02:00
|
|
|
%package guile
|
|
|
|
|
Summary: Guile wrappers for gnutls
|
2018-03-30 11:56:05 +02:00
|
|
|
License: LGPL-2.1-or-later
|
2016-05-04 08:17:29 +02:00
|
|
|
Group: Development/Libraries/Other
|
2022-08-01 10:36:39 +02:00
|
|
|
Requires: guile > 1.8
|
2016-05-04 08:17:29 +02:00
|
|
|
|
|
|
|
|
%description guile
|
2017-08-29 11:40:38 +02:00
|
|
|
GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
|
2021-02-02 18:34:55 +01:00
|
|
|
%endif
|
2008-02-28 01:56:17 +01:00
|
|
|
|
2007-01-16 00:15:20 +01:00
|
|
|
%prep
|
2020-04-02 12:58:27 +02:00
|
|
|
%autosetup -p1
|
2007-01-16 00:15:20 +01:00
|
|
|
|
2021-02-02 18:34:55 +01:00
|
|
|
echo "SYSTEM=NORMAL" >> tests/system.prio
|
|
|
|
|
|
2007-01-16 00:15:20 +01:00
|
|
|
%build
|
2022-03-09 11:49:43 +01:00
|
|
|
export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
|
2016-12-29 22:41:21 +01:00
|
|
|
export CFLAGS="%{optflags} -fPIE"
|
|
|
|
|
export CXXFLAGS="%{optflags} -fPIE"
|
Accepting request 1009758 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
OBS-URL: https://build.opensuse.org/request/show/1009758
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=77
2022-10-11 14:44:03 +02:00
|
|
|
autoreconf -fiv
|
2022-11-08 16:56:01 +01:00
|
|
|
|
|
|
|
|
# Rename the internal .hmac file to include the so library version
|
|
|
|
|
sed -i "s/\.gnutls\.hmac/\.libgnutls\.so\.%{gnutls_sover}\.hmac/g" lib/Makefile.am lib/Makefile.in lib/fips.c
|
|
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%configure \
|
2013-07-09 20:49:54 +02:00
|
|
|
gl_cv_func_printf_directive_n=yes \
|
|
|
|
|
gl_cv_func_printf_infinite_long_double=yes \
|
2011-08-24 13:44:12 +02:00
|
|
|
--disable-static \
|
2011-10-11 17:16:18 +02:00
|
|
|
--disable-rpath \
|
2022-03-09 11:49:43 +01:00
|
|
|
--disable-gcc-warnings \
|
2011-10-11 17:16:18 +02:00
|
|
|
--disable-silent-rules \
|
2021-06-01 14:42:43 +02:00
|
|
|
%{?with_kcapi:--enable-afalg} \
|
2020-12-22 10:48:35 +01:00
|
|
|
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
|
2020-12-05 18:16:13 +01:00
|
|
|
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
|
|
|
|
|
--with-default-priority-string="@SYSTEM" \
|
2015-03-30 19:32:11 +02:00
|
|
|
--with-sysroot=/%{?_sysroot} \
|
|
|
|
|
%if %{without tpm}
|
|
|
|
|
--without-tpm \
|
|
|
|
|
%endif
|
|
|
|
|
%if %{with dane}
|
2016-12-29 22:41:21 +01:00
|
|
|
--with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
|
2015-03-30 19:32:11 +02:00
|
|
|
%else
|
|
|
|
|
--disable-libdane \
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%endif
|
|
|
|
|
%if %{with guile}
|
|
|
|
|
--enable-guile \
|
Accepting request 1009758 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
OBS-URL: https://build.opensuse.org/request/show/1009758
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=77
2022-10-11 14:44:03 +02:00
|
|
|
--with-guile-extension-dir=%{_libdir}/guile/3.0 \
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
%else
|
|
|
|
|
--disable-guile \
|
Accepting request 295655 from Base:System
- updated to 3.4.0 (released 2015-04-08)
** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
ciphersuites. The former are enabled by default, the latter need to be
explicitly enabled, since they reduce the overall security level.
** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
That is currently provided as technology preview and is not enabled by
default, since there are no assigned ciphersuite points by IETF and there
is no guarrantee of compatibility between draft versions. The ciphersuite
priority string to enable it is "+CHACHA20-POLY1305".
** libgnutls: Added support for encrypt-then-authenticate in CBC
ciphersuites (RFC7366 -taking into account its errata text). This is
enabled by default and can be disabled using the %NO_ETM priority
string.
** libgnutls: Added support for the extended master secret
(triple-handshake fix) following draft-ietf-tls-session-hash-02.
** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
** libgnutls: SSL 3.0 is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+VERS-SSL3.0".
** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+ARCFOUR-128".
** libgnutls: DSA signatures and DHE-DSS are no longer included in the
default priorities list. They have to be explicitly enabled, e.g., with
a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
DSA ciphersuites were dropped because they had no deployment at all
on the internet, to justify their inclusion.
** libgnutls: The priority string EXPORT was completely removed. The string
OBS-URL: https://build.opensuse.org/request/show/295655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=83
2015-04-18 10:38:18 +02:00
|
|
|
%endif
|
2017-09-25 13:50:29 +02:00
|
|
|
--enable-fips140-mode \
|
Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 12:47:02 +01:00
|
|
|
--with-fips140-module-name="GnuTLS version" \
|
|
|
|
|
--with-fips140-module-version="%{version}-%{release}" \
|
2020-12-22 10:48:35 +01:00
|
|
|
%{nil}
|
2022-05-30 10:08:31 +02:00
|
|
|
%make_build
|
2007-01-16 00:15:20 +01:00
|
|
|
|
|
|
|
|
%install
|
2011-08-24 13:44:12 +02:00
|
|
|
%make_install
|
2022-11-02 22:55:38 +01:00
|
|
|
|
2022-11-08 16:56:01 +01:00
|
|
|
# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
|
|
|
|
|
# export BRP_FIPSHMAC_FILES=%%{buildroot}%%{_libdir}/libgnutls.so.%%{gnutls_sover}
|
2022-11-02 22:55:38 +01:00
|
|
|
|
2022-11-08 16:56:01 +01:00
|
|
|
# the hmac hashes:
|
|
|
|
|
#
|
|
|
|
|
# this is a hack that re-defines the __os_install_post macro
|
|
|
|
|
# for a simple reason: the macro strips the binaries and thereby
|
|
|
|
|
# invalidates a HMAC that may have been created earlier.
|
|
|
|
|
# solution: create the hashes _after_ the macro runs.
|
|
|
|
|
#
|
|
|
|
|
# this shows up earlier because otherwise the %%expand of
|
|
|
|
|
# the macro is too late.
|
|
|
|
|
# remark: This is the same as running
|
|
|
|
|
# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
|
|
|
|
|
# note: The FIPS hmac is now calculated with an internal tool since
|
|
|
|
|
# commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed
|
|
|
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
|
|
|
./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
|
|
|
|
|
sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
|
|
|
|
|
}}
|
2022-11-02 22:55:38 +01:00
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
|
2007-10-25 18:10:26 +02:00
|
|
|
# Do not package static libs and libtool files
|
2016-12-29 22:41:21 +01:00
|
|
|
find %{buildroot} -type f -name "*.la" -delete -print
|
2012-11-28 10:29:35 +01:00
|
|
|
|
|
|
|
|
# install docs
|
2016-12-29 22:41:21 +01:00
|
|
|
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
|
2019-07-31 19:35:10 +02:00
|
|
|
cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
|
2016-12-29 22:41:21 +01:00
|
|
|
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
|
|
|
|
|
cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
|
2012-11-28 10:29:35 +01:00
|
|
|
|
2016-05-04 08:17:29 +02:00
|
|
|
# PNG files are replaced with the compressed files and that breaks
|
|
|
|
|
# deduplication, this is workaround
|
2017-05-06 18:25:05 +02:00
|
|
|
find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
|
2017-08-29 11:40:38 +02:00
|
|
|
rm -rf %{buildroot}%{_datadir}/doc/gnutls
|
2016-05-04 08:17:29 +02:00
|
|
|
%fdupes -s %{buildroot}%{_datadir}
|
|
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%find_lang libgnutls --all-name
|
2007-01-16 00:15:20 +01:00
|
|
|
|
2012-11-28 10:29:35 +01:00
|
|
|
%check
|
2012-12-03 09:36:19 +01:00
|
|
|
%if ! 0%{?qemu_user_space_build}
|
2022-05-30 10:08:31 +02:00
|
|
|
%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
|
2017-08-29 11:40:38 +02:00
|
|
|
find -name test-suite.log -print -exec cat {} +
|
2015-04-28 20:42:20 +02:00
|
|
|
exit 1
|
|
|
|
|
}
|
2022-03-24 13:48:13 +01:00
|
|
|
#Run the regression tests also in FIPS mode
|
|
|
|
|
GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
|
|
|
|
|
find -name test-suite.log -print -exec cat {} +
|
|
|
|
|
exit 1
|
|
|
|
|
}
|
2012-12-03 09:36:19 +01:00
|
|
|
%endif
|
2012-11-28 10:29:35 +01:00
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
|
|
|
|
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
|
|
|
|
|
2015-03-30 19:32:11 +02:00
|
|
|
%if %{with dane}
|
|
|
|
|
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
|
|
|
|
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
|
|
|
|
%endif
|
|
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
|
|
|
|
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
2021-05-14 16:01:30 +02:00
|
|
|
|
2010-02-05 14:05:07 +01:00
|
|
|
%files -f libgnutls.lang
|
2018-02-28 19:55:27 +01:00
|
|
|
%license LICENSE
|
|
|
|
|
%doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_bindir}/certtool
|
|
|
|
|
%{_bindir}/gnutls-cli
|
|
|
|
|
%{_bindir}/gnutls-cli-debug
|
|
|
|
|
%{_bindir}/gnutls-serv
|
2012-05-21 10:25:22 +02:00
|
|
|
%{_bindir}/ocsptool
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_bindir}/psktool
|
|
|
|
|
%{_bindir}/p11tool
|
|
|
|
|
%{_bindir}/srptool
|
2015-03-30 19:32:11 +02:00
|
|
|
%if %{with dane}
|
2013-07-01 15:54:42 +02:00
|
|
|
%{_bindir}/danetool
|
2015-03-30 19:32:11 +02:00
|
|
|
%endif
|
|
|
|
|
%if %{with tpm}
|
|
|
|
|
%{_bindir}/tpmtool
|
|
|
|
|
%endif
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_mandir}/man1/*
|
|
|
|
|
|
|
|
|
|
%files -n libgnutls%{gnutls_sover}
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_libdir}/libgnutls.so.%{gnutls_sover}*
|
2020-04-02 12:58:27 +02:00
|
|
|
|
|
|
|
|
%files -n libgnutls%{gnutls_sover}-hmac
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2022-11-02 22:55:38 +01:00
|
|
|
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
|
2015-03-30 19:32:11 +02:00
|
|
|
|
|
|
|
|
%if %{with dane}
|
|
|
|
|
%files -n libgnutls-dane%{gnutls_dane_sover}
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2015-03-30 19:32:11 +02:00
|
|
|
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
|
|
|
|
|
%endif
|
2011-08-24 13:44:12 +02:00
|
|
|
|
|
|
|
|
%files -n libgnutlsxx%{gnutlsxx_sover}
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
|
|
|
|
|
|
2007-10-25 18:10:26 +02:00
|
|
|
%files -n libgnutls-devel
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2011-08-24 13:44:12 +02:00
|
|
|
%dir %{_includedir}/%{name}
|
|
|
|
|
%{_includedir}/%{name}/abstract.h
|
|
|
|
|
%{_includedir}/%{name}/crypto.h
|
|
|
|
|
%{_includedir}/%{name}/compat.h
|
|
|
|
|
%{_includedir}/%{name}/dtls.h
|
|
|
|
|
%{_includedir}/%{name}/gnutls.h
|
|
|
|
|
%{_includedir}/%{name}/openpgp.h
|
2012-05-21 10:25:22 +02:00
|
|
|
%{_includedir}/%{name}/ocsp.h
|
2015-08-25 07:17:02 +02:00
|
|
|
%{_includedir}/%{name}/pkcs7.h
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_includedir}/%{name}/pkcs11.h
|
|
|
|
|
%{_includedir}/%{name}/pkcs12.h
|
2015-03-30 19:32:11 +02:00
|
|
|
%{_includedir}/%{name}/self-test.h
|
2016-12-29 22:41:21 +01:00
|
|
|
%{_includedir}/%{name}/socket.h
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_includedir}/%{name}/x509.h
|
2015-03-30 19:32:11 +02:00
|
|
|
%{_includedir}/%{name}/x509-ext.h
|
2013-07-01 15:54:42 +02:00
|
|
|
%{_includedir}/%{name}/tpm.h
|
Accepting request 295655 from Base:System
- updated to 3.4.0 (released 2015-04-08)
** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
ciphersuites. The former are enabled by default, the latter need to be
explicitly enabled, since they reduce the overall security level.
** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
That is currently provided as technology preview and is not enabled by
default, since there are no assigned ciphersuite points by IETF and there
is no guarrantee of compatibility between draft versions. The ciphersuite
priority string to enable it is "+CHACHA20-POLY1305".
** libgnutls: Added support for encrypt-then-authenticate in CBC
ciphersuites (RFC7366 -taking into account its errata text). This is
enabled by default and can be disabled using the %NO_ETM priority
string.
** libgnutls: Added support for the extended master secret
(triple-handshake fix) following draft-ietf-tls-session-hash-02.
** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
** libgnutls: SSL 3.0 is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+VERS-SSL3.0".
** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+ARCFOUR-128".
** libgnutls: DSA signatures and DHE-DSS are no longer included in the
default priorities list. They have to be explicitly enabled, e.g., with
a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
DSA ciphersuites were dropped because they had no deployment at all
on the internet, to justify their inclusion.
** libgnutls: The priority string EXPORT was completely removed. The string
OBS-URL: https://build.opensuse.org/request/show/295655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=83
2015-04-18 10:38:18 +02:00
|
|
|
%{_includedir}/%{name}/system-keys.h
|
|
|
|
|
%{_includedir}/%{name}/urls.h
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_libdir}/libgnutls.so
|
|
|
|
|
%{_libdir}/pkgconfig/gnutls.pc
|
|
|
|
|
%{_mandir}/man3/*
|
2016-12-29 22:41:21 +01:00
|
|
|
%{_infodir}/*%{ext_info}
|
2012-11-28 10:29:35 +01:00
|
|
|
%doc %{_docdir}/libgnutls-devel
|
2008-02-28 01:56:17 +01:00
|
|
|
|
2016-02-24 14:25:15 +01:00
|
|
|
%if %{with dane}
|
|
|
|
|
%files -n libgnutls-dane-devel
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2016-02-24 14:25:15 +01:00
|
|
|
%dir %{_includedir}/%{name}
|
|
|
|
|
%{_includedir}/%{name}/dane.h
|
|
|
|
|
%{_libdir}/pkgconfig/gnutls-dane.pc
|
|
|
|
|
%{_libdir}/libgnutls-dane.so
|
|
|
|
|
%endif
|
|
|
|
|
|
2011-08-24 13:44:12 +02:00
|
|
|
%files -n libgnutlsxx-devel
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2011-08-24 13:44:12 +02:00
|
|
|
%{_libdir}/libgnutlsxx.so
|
|
|
|
|
%dir %{_includedir}/%{name}
|
|
|
|
|
%{_includedir}/%{name}/gnutlsxx.h
|
|
|
|
|
|
2016-05-04 08:17:29 +02:00
|
|
|
%if %{with guile}
|
|
|
|
|
%files guile
|
2022-05-30 10:08:31 +02:00
|
|
|
%license LICENSE
|
2021-02-10 17:11:35 +01:00
|
|
|
%{_libdir}/guile/*
|
Accepting request 1009758 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.8:
* libgnutls: In FIPS140 mode, RSA signature verification is an
approved operation if the key has modulus with known sizes
(1024, 1280, 1536, and 1792 bits), in addition to any modulus
sizes larger than 2048 bits, according to SP800-131A rev2.
* libgnutls: gnutls_session_channel_binding performs additional
checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
RFC9622 4.2, the "tls-exporter" channel binding is only usable
when the handshake is bound to a unique master secret (i.e.,
either TLS 1.3 or extended master secret extension is
negotiated). Otherwise the function now returns error.
* libgnutls: usage of the following functions, which are designed
to loosen restrictions imposed by allowlisting mode of
configuration, has been additionally restricted. Invoking
them is now only allowed if system-wide TLS priority string
has not been initialized yet:
- gnutls_digest_set_secure
- gnutls_sign_set_secure
- gnutls_sign_set_secure_for_certs
- gnutls_protocol_set_enabled
* Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
--with-guile-extension-dir configure option to properly
handle the guile extension directory.
* Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
* Update gnutls.keyring
* Add a build depencency on gtk-doc required by autoreconf
OBS-URL: https://build.opensuse.org/request/show/1009758
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=77
2022-10-11 14:44:03 +02:00
|
|
|
%{_datadir}/guile/site/*
|
2021-02-10 17:11:35 +01:00
|
|
|
%endif
|
2016-05-04 08:17:29 +02:00
|
|
|
|
2007-04-17 00:33:13 +02:00
|
|
|
%changelog
|
