forked from pool/gnutls
Pedro Monreal Gonzalez
3ecf24776c
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
371 lines
11 KiB
RPMSpec
371 lines
11 KiB
RPMSpec
#
|
|
# spec file for package gnutls
|
|
#
|
|
# Copyright (c) 2022 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define gnutls_sover 30
|
|
%define gnutlsxx_sover 28
|
|
%define gnutls_dane_sover 0
|
|
# unbound isn't in SLE (bsc#1086428)
|
|
%if 0%{?is_opensuse}
|
|
%bcond_without dane
|
|
%else
|
|
%bcond_with dane
|
|
%endif
|
|
# Enable Linux kernel AF_ALG based acceleration
|
|
%if 0%{?suse_version} >= 1550
|
|
%bcond_without kcapi
|
|
%else
|
|
%bcond_with kcapi
|
|
%endif
|
|
%bcond_with tpm
|
|
%bcond_without guile
|
|
Name: gnutls
|
|
Version: 3.7.3
|
|
Release: 0
|
|
Summary: The GNU Transport Layer Security Library
|
|
License: GPL-3.0-or-later AND LGPL-2.1-or-later
|
|
Group: Productivity/Networking/Security
|
|
URL: https://www.gnutls.org/
|
|
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
|
|
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig
|
|
Source2: gnutls.keyring
|
|
Source3: baselibs.conf
|
|
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
|
|
Patch1: gnutls-3.6.6-set_guile_site_dir.patch
|
|
Patch2: gnutls-FIPS-TLS_KDF_selftest.patch
|
|
BuildRequires: autogen
|
|
BuildRequires: automake
|
|
BuildRequires: datefudge
|
|
BuildRequires: fdupes
|
|
BuildRequires: fipscheck
|
|
BuildRequires: gcc-c++
|
|
# The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
|
|
BuildRequires: iproute2
|
|
BuildRequires: libidn2-devel
|
|
BuildRequires: libnettle-devel >= 3.6
|
|
BuildRequires: libtasn1-devel >= 4.9
|
|
BuildRequires: libtool
|
|
BuildRequires: libunistring-devel
|
|
BuildRequires: makeinfo
|
|
BuildRequires: p11-kit-devel >= 0.23.1
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: xz
|
|
BuildRequires: zlib-devel
|
|
BuildRequires: pkgconfig(autoopts)
|
|
%if %{with kcapi}
|
|
BuildRequires: pkgconfig(libkcapi)
|
|
%endif
|
|
%if 0%{?suse_version} <= 1320
|
|
BuildRequires: net-tools
|
|
%else
|
|
BuildRequires: net-tools-deprecated
|
|
%endif
|
|
%if %{with tpm}
|
|
BuildRequires: trousers-devel
|
|
%endif
|
|
%if %{with dane}
|
|
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
|
|
%if 0%{?suse_version} <= 1320
|
|
BuildRequires: unbound-devel
|
|
%else
|
|
BuildRequires: libunbound-devel
|
|
%endif
|
|
%endif
|
|
%if %{with guile}
|
|
BuildRequires: guile-devel
|
|
%endif
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
BuildRequires: crypto-policies
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
|
of the IETF's TLS working group.
|
|
|
|
%package -n libgnutls%{gnutls_sover}
|
|
Summary: The GNU Transport Layer Security Library
|
|
License: LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
# install libgnutls and libgnutls-hmac close together (bsc#1090765)
|
|
Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description -n libgnutls%{gnutls_sover}
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
|
of the IETF's TLS working group.
|
|
|
|
%package -n libgnutls%{gnutls_sover}-hmac
|
|
Summary: Checksums of the GNU Transport Layer Security Library
|
|
License: LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
Requires: libgnutls%{gnutls_sover} = %{version}-%{release}
|
|
|
|
%description -n libgnutls%{gnutls_sover}-hmac
|
|
FIPS SHA256 checksums of the libgnutls library.
|
|
|
|
%if %{with dane}
|
|
%package -n libgnutls-dane%{gnutls_dane_sover}
|
|
Summary: DANE support for the GNU Transport Layer Security Library
|
|
License: LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
|
|
%description -n libgnutls-dane%{gnutls_dane_sover}
|
|
The GnuTLS project aims to develop a library that provides a secure
|
|
layer over a reliable transport layer.
|
|
This package contains the "DANE" part of gnutls.
|
|
%endif
|
|
|
|
%package -n libgnutlsxx%{gnutlsxx_sover}
|
|
Summary: C++ API for the GNU Transport Layer Security Library
|
|
License: LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description -n libgnutlsxx%{gnutlsxx_sover}
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
|
of the IETF's TLS working group.
|
|
|
|
%package -n libgnutls-devel
|
|
Summary: Development package for the GnuTLS C API
|
|
License: LGPL-2.1-or-later
|
|
Group: Development/Libraries/C and C++
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
Requires: crypto-policies
|
|
%endif
|
|
Requires: glibc-devel
|
|
Requires: gnutls = %{version}
|
|
Requires: libgnutls%{gnutls_sover} = %{version}
|
|
Requires(pre): %{install_info_prereq}
|
|
Provides: gnutls-devel = %{version}-%{release}
|
|
|
|
%description -n libgnutls-devel
|
|
Files needed for software development using gnutls.
|
|
|
|
%if %{with dane}
|
|
%package -n libgnutls-dane-devel
|
|
Summary: Development package for GnuTLS DANE component
|
|
License: LGPL-2.1-or-later
|
|
Group: Development/Libraries/C and C++
|
|
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
|
|
|
|
%description -n libgnutls-dane-devel
|
|
Files needed for software development using gnutls.
|
|
%endif
|
|
|
|
%package -n libgnutlsxx-devel
|
|
Summary: Development package for the GnuTLS C++ API
|
|
License: LGPL-2.1-or-later
|
|
Group: Development/Libraries/C and C++
|
|
Requires: libgnutls-devel = %{version}
|
|
Requires: libgnutlsxx%{gnutlsxx_sover} = %{version}
|
|
Requires: libstdc++-devel
|
|
Requires(pre): %{install_info_prereq}
|
|
|
|
%description -n libgnutlsxx-devel
|
|
Files needed for software development using gnutls.
|
|
|
|
%if %{with guile}
|
|
%package guile
|
|
Summary: Guile wrappers for gnutls
|
|
License: LGPL-2.1-or-later
|
|
Group: Development/Libraries/Other
|
|
Requires: guile
|
|
|
|
%description guile
|
|
GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
|
|
%endif
|
|
|
|
%prep
|
|
%autosetup -p1
|
|
|
|
echo "SYSTEM=NORMAL" >> tests/system.prio
|
|
|
|
%build
|
|
%define _lto_cflags %{nil}
|
|
export LDFLAGS="-pie"
|
|
export CFLAGS="%{optflags} -fPIE"
|
|
export CXXFLAGS="%{optflags} -fPIE"
|
|
#autoreconf -fiv
|
|
%configure \
|
|
gl_cv_func_printf_directive_n=yes \
|
|
gl_cv_func_printf_infinite_long_double=yes \
|
|
--disable-static \
|
|
--disable-rpath \
|
|
--disable-silent-rules \
|
|
%{?with_kcapi:--enable-afalg} \
|
|
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
|
|
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
|
|
--with-default-priority-string="@SYSTEM" \
|
|
--with-sysroot=/%{?_sysroot} \
|
|
%if %{without tpm}
|
|
--without-tpm \
|
|
%endif
|
|
%if %{with dane}
|
|
--with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
|
|
%else
|
|
--disable-libdane \
|
|
%endif
|
|
%if %{with guile}
|
|
--enable-guile \
|
|
%else
|
|
--disable-guile \
|
|
%endif
|
|
--enable-fips140-mode \
|
|
--with-fips140-module-name="GnuTLS version" \
|
|
--with-fips140-module-version="%{version}-%{release}" \
|
|
%{nil}
|
|
|
|
make %{?_smp_mflags}
|
|
|
|
%install
|
|
%make_install
|
|
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
|
|
# Do not package static libs and libtool files
|
|
find %{buildroot} -type f -name "*.la" -delete -print
|
|
|
|
# Compute FIPS hmac using the brp-50-generate-fips-hmac script
|
|
export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
|
|
|
|
# install docs
|
|
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
|
|
cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
|
|
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference
|
|
cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/
|
|
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
|
|
cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
|
|
|
|
# PNG files are replaced with the compressed files and that breaks
|
|
# deduplication, this is workaround
|
|
find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
|
|
rm -rf %{buildroot}%{_datadir}/doc/gnutls
|
|
%fdupes -s %{buildroot}%{_datadir}
|
|
|
|
%find_lang libgnutls --all-name
|
|
|
|
%check
|
|
%if ! 0%{?qemu_user_space_build}
|
|
# export GNUTLS_FORCE_FIPS_MODE=1
|
|
make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
|
|
find -name test-suite.log -print -exec cat {} +
|
|
exit 1
|
|
}
|
|
%endif
|
|
|
|
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
|
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
|
|
|
%if %{with dane}
|
|
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
|
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
|
%endif
|
|
|
|
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
|
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
|
|
|
%post -n libgnutls-devel
|
|
%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
|
|
|
|
%preun -n libgnutls-devel
|
|
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
|
|
|
|
%files -f libgnutls.lang
|
|
%license LICENSE
|
|
%doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
|
|
%{_bindir}/certtool
|
|
%{_bindir}/gnutls-cli
|
|
%{_bindir}/gnutls-cli-debug
|
|
%{_bindir}/gnutls-serv
|
|
%{_bindir}/ocsptool
|
|
%{_bindir}/psktool
|
|
%{_bindir}/p11tool
|
|
%{_bindir}/srptool
|
|
%if %{with dane}
|
|
%{_bindir}/danetool
|
|
%endif
|
|
%if %{with tpm}
|
|
%{_bindir}/tpmtool
|
|
%endif
|
|
%{_mandir}/man1/*
|
|
|
|
%files -n libgnutls%{gnutls_sover}
|
|
%{_libdir}/libgnutls.so.%{gnutls_sover}*
|
|
|
|
%files -n libgnutls%{gnutls_sover}-hmac
|
|
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
|
|
|
|
%if %{with dane}
|
|
%files -n libgnutls-dane%{gnutls_dane_sover}
|
|
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
|
|
%endif
|
|
|
|
%files -n libgnutlsxx%{gnutlsxx_sover}
|
|
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
|
|
|
|
%files -n libgnutls-devel
|
|
%dir %{_includedir}/%{name}
|
|
%{_includedir}/%{name}/abstract.h
|
|
%{_includedir}/%{name}/crypto.h
|
|
%{_includedir}/%{name}/compat.h
|
|
%{_includedir}/%{name}/dtls.h
|
|
%{_includedir}/%{name}/gnutls.h
|
|
%{_includedir}/%{name}/openpgp.h
|
|
%{_includedir}/%{name}/ocsp.h
|
|
%{_includedir}/%{name}/pkcs7.h
|
|
%{_includedir}/%{name}/pkcs11.h
|
|
%{_includedir}/%{name}/pkcs12.h
|
|
%{_includedir}/%{name}/self-test.h
|
|
%{_includedir}/%{name}/socket.h
|
|
%{_includedir}/%{name}/x509.h
|
|
%{_includedir}/%{name}/x509-ext.h
|
|
%{_includedir}/%{name}/tpm.h
|
|
%{_includedir}/%{name}/system-keys.h
|
|
%{_includedir}/%{name}/urls.h
|
|
%{_libdir}/libgnutls.so
|
|
%{_libdir}/pkgconfig/gnutls.pc
|
|
%{_mandir}/man3/*
|
|
%{_infodir}/*%{ext_info}
|
|
%doc %{_docdir}/libgnutls-devel
|
|
|
|
%if %{with dane}
|
|
%files -n libgnutls-dane-devel
|
|
%dir %{_includedir}/%{name}
|
|
%{_includedir}/%{name}/dane.h
|
|
%{_libdir}/pkgconfig/gnutls-dane.pc
|
|
%{_libdir}/libgnutls-dane.so
|
|
%endif
|
|
|
|
%files -n libgnutlsxx-devel
|
|
%{_libdir}/libgnutlsxx.so
|
|
%dir %{_includedir}/%{name}
|
|
%{_includedir}/%{name}/gnutlsxx.h
|
|
|
|
%if %{with guile}
|
|
%files guile
|
|
%{_libdir}/guile/*
|
|
%{_datadir}/guile/gnutls*
|
|
%endif
|
|
|
|
%changelog
|