- Update to 3.7.7: * libgnutls: Fixed double free during verification of pkcs7 signatures. CVE-2022-2509 * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or equal to 255 times hash digest size, to comply with RFC 5869 2.3. * libgnutls: Length limit for TLS PSK usernames has been increased from 128 to 65535 characters * libgnutls: AES-GCM encryption function now limits plaintext length to 2^39-256 bits, according to SP800-38D 5.2.1.1. * libgnutls: New block cipher functions have been added to transparently handle padding. gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove padding if the length of the original plaintext is not a multiple of the block size. * libgnutls: New function for manual FIPS self-testing. * API and ABI modifications: - gnutls_fips140_run_self_tests: New function - gnutls_cipher_encrypt3: New function - gnutls_cipher_decrypt3: New function - gnutls_cipher_padding_flags_t: New enum * guile: Guile 1.8 is no longer supported * guile: Session record port treats premature termination as EOF Previously, a 'gnutls-error' exception with the 'error/premature-termination' value would be thrown while reading from a session record port when the underlying session was terminated prematurely. This was inconvenient since users of the port may not be prepared to handle such an exception. Reading from the session record port now returns the end-of-file object instead of throwing an exception, just like it would for a proper OBS-URL: https://build.opensuse.org/request/show/991873 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=69
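#
# spec file for package gnutls
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


# Shared-library soname versions. They form the names of the library
# subpackages below and the globs in their %files lists.
%define gnutls_sover 30
%define gnutlsxx_sover 30
%define gnutls_dane_sover 0
# unbound isn't in SLE (bsc#1086428)
%if 0%{?is_opensuse}
%bcond_without dane
%else
%bcond_with dane
%endif
# Enable Linux kernel AF_ALG based acceleration
%if 0%{?suse_version} >= 1550
# disable for now, as our OBS builds do not work with it. Marcus 20220511
#bcond_without kcapi
%bcond_with kcapi
%else
%bcond_with kcapi
%endif
# NOTE: both branches above end in "%bcond_with kcapi", so AF_ALG is off
# for every target until the commented line is re-enabled.
%bcond_with tpm
%bcond_without guile
Name: gnutls
Version: 3.7.7
Release: 0
Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/Security
URL: https://www.gnutls.org/
# Source1 is the detached signature of the upstream tarball; Source2 is the
# keyring it is expected to verify against.
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig
Source2: gnutls.keyring
Source3: baselibs.conf
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
Patch1: gnutls-3.6.6-set_guile_site_dir.patch
Patch2: gnutls-FIPS-TLS_KDF_selftest.patch
Patch3: gnutls-FIPS-disable-failing-tests.patch
BuildRequires: autogen
BuildRequires: automake
BuildRequires: datefudge
BuildRequires: fdupes
BuildRequires: fipscheck
BuildRequires: gcc-c++
# The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
BuildRequires: iproute2
BuildRequires: libidn2-devel
BuildRequires: libnettle-devel >= 3.6
BuildRequires: libtasn1-devel >= 4.9
BuildRequires: libtool
BuildRequires: libunistring-devel
BuildRequires: makeinfo
BuildRequires: p11-kit-devel >= 0.23.1
BuildRequires: pkgconfig
BuildRequires: xz
BuildRequires: zlib-devel
BuildRequires: pkgconfig(autoopts)
%if %{with kcapi}
BuildRequires: pkgconfig(libkcapi)
%endif
%if 0%{?suse_version} <= 1320
BuildRequires: net-tools
%else
BuildRequires: net-tools-deprecated
%endif
%if %{with tpm}
BuildRequires: trousers-devel
%endif
%if %{with dane}
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
%if 0%{?suse_version} <= 1320
BuildRequires: unbound-devel
%else
BuildRequires: libunbound-devel
%endif
%endif
%if %{with guile}
BuildRequires: guile-devel > 1.8
%endif
# crypto-policies provides the system priority file configured in %build
# (--with-system-priority-file); only available on newer products.
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
BuildRequires: crypto-policies
Requires: crypto-policies
%endif

%description
The GnuTLS library provides a secure layer over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group.

%package -n libgnutls%{gnutls_sover}
Summary: The GNU Transport Layer Security Library
# install libgnutls and libgnutls-hmac close together (bsc#1090765)
License: LGPL-2.1-or-later
Group: System/Libraries
Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif

%description -n libgnutls%{gnutls_sover}
The GnuTLS library provides a secure layer over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group.

# Ships the .hmac file generated in %install; pinned to the exact
# version-release of the library it was computed over.
%package -n libgnutls%{gnutls_sover}-hmac
Summary: Checksums of the GNU Transport Layer Security Library
License: LGPL-2.1-or-later
Group: System/Libraries
Requires: libgnutls%{gnutls_sover} = %{version}-%{release}

%description -n libgnutls%{gnutls_sover}-hmac
FIPS SHA256 checksums of the libgnutls library.

%if %{with dane}
%package -n libgnutls-dane%{gnutls_dane_sover}
Summary: DANE support for the GNU Transport Layer Security Library
License: LGPL-2.1-or-later
Group: System/Libraries

%description -n libgnutls-dane%{gnutls_dane_sover}
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer.
This package contains the "DANE" part of gnutls.
%endif

%package -n libgnutlsxx%{gnutlsxx_sover}
Summary: C++ API for the GNU Transport Layer Security Library
License: LGPL-2.1-or-later
Group: System/Libraries
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif

%description -n libgnutlsxx%{gnutlsxx_sover}
The GnuTLS library provides a secure layer over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group.

%package -n libgnutls-devel
Summary: Development package for the GnuTLS C API
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: gnutls = %{version}
Requires: libgnutls%{gnutls_sover} = %{version}
Provides: gnutls-devel = %{version}-%{release}
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif

%description -n libgnutls-devel
Files needed for software development using gnutls.

%if %{with dane}
%package -n libgnutls-dane-devel
Summary: Development package for GnuTLS DANE component
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}

%description -n libgnutls-dane-devel
Files needed for software development using gnutls.
%endif

%package -n libgnutlsxx-devel
Summary: Development package for the GnuTLS C++ API
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
Requires: libgnutls-devel = %{version}
Requires: libgnutlsxx%{gnutlsxx_sover} = %{version}
Requires: libstdc++-devel

%description -n libgnutlsxx-devel
Files needed for software development using gnutls.

%if %{with guile}
%package guile
Summary: Guile wrappers for gnutls
License: LGPL-2.1-or-later
Group: Development/Libraries/Other
Requires: guile > 1.8

%description guile
GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
%endif

%prep
%autosetup -p1

# Give the test suite a resolvable "SYSTEM" priority name.
echo "SYSTEM=NORMAL" >> tests/system.prio

%build
# Link-time hardening: PIE binaries, immediate binding and full RELRO.
export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
export CFLAGS="%{optflags} -fPIE"
export CXXFLAGS="%{optflags} -fPIE"
#autoreconf -fiv
%configure \
gl_cv_func_printf_directive_n=yes \
gl_cv_func_printf_infinite_long_double=yes \
--disable-static \
--disable-rpath \
--disable-gcc-warnings \
--disable-silent-rules \
%{?with_kcapi:--enable-afalg} \
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
--with-default-priority-string="@SYSTEM" \
--with-sysroot=/%{?_sysroot} \
%if %{without tpm}
--without-tpm \
%endif
%if %{with dane}
--with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
%else
--disable-libdane \
%endif
%if %{with guile}
--enable-guile \
%else
--disable-guile \
%endif
--enable-fips140-mode \
--with-fips140-module-name="GnuTLS version" \
--with-fips140-module-version="%{version}-%{release}" \
%{nil}
%make_build

%install
%make_install
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
# Do not package static libs and libtool files
find %{buildroot} -type f -name "*.la" -delete -print

# Compute FIPS hmac using the brp-50-generate-fips-hmac script
# (the resulting .hmac file is packaged in the -hmac subpackage below)
export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}

# install docs
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/

# PNG files are replaced with the compressed files and that breaks
# deduplication, this is workaround
find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
rm -rf %{buildroot}%{_datadir}/doc/gnutls
%fdupes -s %{buildroot}%{_datadir}

%find_lang libgnutls --all-name

%check
# The test suite is skipped under qemu user-space emulation.
# On failure the collected test-suite.log files are dumped to the build log.
%if ! 0%{?qemu_user_space_build}
%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
find -name test-suite.log -print -exec cat {} +
exit 1
}
# Run the regression tests also in FIPS mode
# (same %make_build invocation as above so both runs use identical make flags)
GNUTLS_FORCE_FIPS_MODE=1 %make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
find -name test-suite.log -print -exec cat {} +
exit 1
}
%endif

%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig

%if %{with dane}
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
%endif

%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig

%files -f libgnutls.lang
%license LICENSE
%doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
%{_bindir}/certtool
%{_bindir}/gnutls-cli
%{_bindir}/gnutls-cli-debug
%{_bindir}/gnutls-serv
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%{_bindir}/srptool
%if %{with dane}
%{_bindir}/danetool
%endif
%if %{with tpm}
%{_bindir}/tpmtool
%endif
%{_mandir}/man1/*

%files -n libgnutls%{gnutls_sover}
%license LICENSE
%{_libdir}/libgnutls.so.%{gnutls_sover}*

%files -n libgnutls%{gnutls_sover}-hmac
%license LICENSE
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac

%if %{with dane}
%files -n libgnutls-dane%{gnutls_dane_sover}
%license LICENSE
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
%endif

%files -n libgnutlsxx%{gnutlsxx_sover}
%license LICENSE
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*

%files -n libgnutls-devel
%license LICENSE
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/abstract.h
%{_includedir}/%{name}/crypto.h
%{_includedir}/%{name}/compat.h
%{_includedir}/%{name}/dtls.h
%{_includedir}/%{name}/gnutls.h
%{_includedir}/%{name}/openpgp.h
%{_includedir}/%{name}/ocsp.h
%{_includedir}/%{name}/pkcs7.h
%{_includedir}/%{name}/pkcs11.h
%{_includedir}/%{name}/pkcs12.h
%{_includedir}/%{name}/self-test.h
%{_includedir}/%{name}/socket.h
%{_includedir}/%{name}/x509.h
%{_includedir}/%{name}/x509-ext.h
%{_includedir}/%{name}/tpm.h
%{_includedir}/%{name}/system-keys.h
%{_includedir}/%{name}/urls.h
%{_libdir}/libgnutls.so
%{_libdir}/pkgconfig/gnutls.pc
%{_mandir}/man3/*
%{_infodir}/*%{ext_info}
%doc %{_docdir}/libgnutls-devel

%if %{with dane}
%files -n libgnutls-dane-devel
%license LICENSE
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/dane.h
%{_libdir}/pkgconfig/gnutls-dane.pc
%{_libdir}/libgnutls-dane.so
%endif

%files -n libgnutlsxx-devel
%license LICENSE
%{_libdir}/libgnutlsxx.so
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/gnutlsxx.h

%if %{with guile}
%files guile
%license LICENSE
%{_libdir}/guile/*
%{_datadir}/guile/gnutls*
%endif

%changelog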