Accepting request 850542 from home:vitezslav_cizek:branches:security:tls

- Don't forward to Factory yet, the policy needs more testing. - Use the centralized crypto policy profile (jsc#SLE-15832) - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - FIPS: Add TLS KDF selftest (bsc#1176671) * add gnutls-FIPS-TLS_KDF_selftest.patch OBS-URL: https://build.opensuse.org/request/show/850542 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=43
2020-12-05 17:16:13 +00:00
parent f0593f0832
commit 2d2be530a7
4 changed files with 164 additions and 4 deletions
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -38,9 +38,11 @@ Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.x
 Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
-Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
-Patch4:         gnutls-3.6.6-set_guile_site_dir.patch
-Patch6:         gnutls-temporarily_disable_broken_guile_reauth_test.patch
+Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
+Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
+Patch2:         gnutls-temporarily_disable_broken_guile_reauth_test.patch
+Patch3:         gnutls-FIPS-TLS_KDF_selftest.patch
+Patch4:         gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -183,6 +185,8 @@ export CXXFLAGS="%{optflags} -fPIE"
        --disable-rpath \
        --disable-silent-rules \
 	--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
+        --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
+        --with-default-priority-string="@SYSTEM" \
        --with-sysroot=/%{?_sysroot} \
 %if %{without tpm}
        --without-tpm \
@@ -194,6 +198,9 @@ export CXXFLAGS="%{optflags} -fPIE"
 %endif
        --enable-fips140-mode \
 	%{nil}
+
+echo "SYSTEM=NORMAL" >> tests/system.prio
+
 make %{?_smp_mflags}

 # the hmac hashes:
@@ -235,7 +242,8 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls

 %check
 %if ! 0%{?qemu_user_space_build}
-make %{?_smp_mflags} check || {
+#make %{?_smp_mflags} check || {
+make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
    find -name test-suite.log -print -exec cat {} +
    exit 1
 }