forked from pool/gnutls
Pedro Monreal Gonzalez
c7bc1d9ee7
- FIPS: Skip the fixed HMAC verification for nettle, hogweed and gmp libraries. These calculated HMACs change for every build of each of these packages, we only have to verify that for gnutls. * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476] - FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116] OBS-URL: https://build.opensuse.org/request/show/1088822 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=93
389 lines
12 KiB
RPMSpec
389 lines
12 KiB
RPMSpec
#
|
|
# spec file for package gnutls
|
|
#
|
|
# Copyright (c) 2023 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define gnutls_sover 30
|
|
%define gnutlsxx_sover 30
|
|
%define gnutls_dane_sover 0
|
|
# unbound isn't in SLE (bsc#1086428)
|
|
%if 0%{?is_opensuse}
|
|
%bcond_without dane
|
|
%else
|
|
%bcond_with dane
|
|
%endif
|
|
%if 0%{?suse_version} >= 1550
|
|
%bcond_without srp
|
|
%else
|
|
%bcond_with srp
|
|
%endif
|
|
# Enable Linux kernel AF_ALG based acceleration
|
|
%if 0%{?suse_version} >= 1550
|
|
# disable for now, as our OBS builds do not work with it. Marcus 20220511
|
|
#bcond_without kcapi
|
|
%bcond_with kcapi
|
|
%else
|
|
%bcond_with kcapi
|
|
%endif
|
|
%bcond_with tpm
|
|
Name: gnutls
|
|
Version: 3.8.0
|
|
Release: 0
|
|
Summary: The GNU Transport Layer Security Library
|
|
License: GPL-3.0-or-later AND LGPL-2.1-or-later
|
|
Group: Productivity/Networking/Security
|
|
URL: https://www.gnutls.org/
|
|
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
|
|
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
|
|
# https://gnutls.org/gnutls-release-keyring.gpg
|
|
Source2: https://gnutls.org/gnutls-release-keyring.gpg#/gnutls.keyring
|
|
Source3: baselibs.conf
|
|
# Suppress a false positive on the .hmac file
|
|
Source4: gnutls.rpmlintrc
|
|
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
|
|
Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
|
|
Patch2: gnutls-disable-flaky-test-dtls-resume.patch
|
|
# FIPS 140-3 patches:
|
|
#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
|
|
Patch100: gnutls-FIPS-PCT-DH.patch
|
|
Patch101: gnutls-FIPS-PCT-ECDH.patch
|
|
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
|
|
Patch102: gnutls-FIPS-140-3-references.patch
|
|
#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
|
|
Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
|
|
Patch104: gnutls-FIPS-jitterentropy.patch
|
|
%endif
|
|
BuildRequires: autogen
|
|
BuildRequires: automake
|
|
BuildRequires: datefudge
|
|
BuildRequires: fdupes
|
|
BuildRequires: gcc-c++
|
|
BuildRequires: gtk-doc
|
|
# The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
|
|
BuildRequires: iproute2
|
|
BuildRequires: libidn2-devel
|
|
BuildRequires: libnettle-devel >= 3.6
|
|
BuildRequires: libtasn1-devel >= 4.9
|
|
BuildRequires: libtool
|
|
BuildRequires: libunistring-devel
|
|
BuildRequires: makeinfo
|
|
BuildRequires: p11-kit-devel >= 0.23.1
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: xz
|
|
BuildRequires: pkgconfig(autoopts)
|
|
BuildRequires: pkgconfig(zlib)
|
|
%if %{with kcapi}
|
|
BuildRequires: pkgconfig(libkcapi)
|
|
%endif
|
|
%if 0%{?suse_version} <= 1320
|
|
BuildRequires: net-tools
|
|
%else
|
|
BuildRequires: net-tools-deprecated
|
|
%endif
|
|
%if %{with tpm}
|
|
BuildRequires: trousers-devel
|
|
%endif
|
|
%if %{with dane}
|
|
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
|
|
%if 0%{?suse_version} <= 1320
|
|
BuildRequires: unbound-devel
|
|
%else
|
|
BuildRequires: libunbound-devel
|
|
%endif
|
|
%endif
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
BuildRequires: crypto-policies
|
|
Requires: crypto-policies
|
|
BuildRequires: jitterentropy-devel >= 3.4.0
|
|
Requires: libjitterentropy3 >= 3.4.0
|
|
%endif
|
|
|
|
%description
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
|
of the IETF's TLS working group.
|
|
|
|
%package -n libgnutls%{gnutls_sover}
|
|
Summary: The GNU Transport Layer Security Library
|
|
License: LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
Provides: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
|
|
Obsoletes: libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description -n libgnutls%{gnutls_sover}
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
|
of the IETF's TLS working group.
|
|
|
|
%if %{with dane}
|
|
%package -n libgnutls-dane%{gnutls_dane_sover}
|
|
Summary: DANE support for the GNU Transport Layer Security Library
|
|
License: LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
|
|
%description -n libgnutls-dane%{gnutls_dane_sover}
|
|
The GnuTLS project aims to develop a library that provides a secure
|
|
layer over a reliable transport layer.
|
|
This package contains the "DANE" part of gnutls.
|
|
%endif
|
|
|
|
%package -n libgnutlsxx%{gnutlsxx_sover}
|
|
Summary: C++ API for the GNU Transport Layer Security Library
|
|
License: LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description -n libgnutlsxx%{gnutlsxx_sover}
|
|
The GnuTLS library provides a secure layer over a reliable transport
|
|
layer. Currently the GnuTLS library implements the proposed standards
|
|
of the IETF's TLS working group.
|
|
|
|
%package -n libgnutls-devel
|
|
Summary: Development package for the GnuTLS C API
|
|
License: LGPL-2.1-or-later
|
|
Group: Development/Libraries/C and C++
|
|
Requires: glibc-devel
|
|
Requires: gnutls = %{version}
|
|
Requires: libgnutls%{gnutls_sover} = %{version}
|
|
Provides: gnutls-devel = %{version}-%{release}
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description -n libgnutls-devel
|
|
Files needed for software development using gnutls.
|
|
|
|
%if %{with dane}
|
|
%package -n libgnutls-dane-devel
|
|
Summary: Development package for GnuTLS DANE component
|
|
License: LGPL-2.1-or-later
|
|
Group: Development/Libraries/C and C++
|
|
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
|
|
|
|
%description -n libgnutls-dane-devel
|
|
Files needed for software development using gnutls.
|
|
%endif
|
|
|
|
%package -n libgnutlsxx-devel
|
|
Summary: Development package for the GnuTLS C++ API
|
|
License: LGPL-2.1-or-later
|
|
Group: Development/Libraries/C and C++
|
|
Requires: libgnutls-devel = %{version}
|
|
Requires: libgnutlsxx%{gnutlsxx_sover} = %{version}
|
|
Requires: libstdc++-devel
|
|
|
|
%description -n libgnutlsxx-devel
|
|
Files needed for software development using gnutls.
|
|
|
|
%prep
|
|
%autosetup -p1
|
|
|
|
echo "SYSTEM=NORMAL" >> tests/system.prio
|
|
|
|
%build
|
|
export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
|
|
export CFLAGS="%{optflags} -fPIE"
|
|
export CXXFLAGS="%{optflags} -fPIE"
|
|
|
|
autoreconf -fiv
|
|
|
|
%configure \
|
|
gl_cv_func_printf_directive_n=yes \
|
|
gl_cv_func_printf_infinite_long_double=yes \
|
|
--disable-static \
|
|
--disable-rpath \
|
|
--disable-gcc-warnings \
|
|
--disable-silent-rules \
|
|
%{?with_kcapi:--enable-afalg} \
|
|
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
|
|
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
|
|
--with-default-priority-string="@SYSTEM" \
|
|
--with-sysroot=/%{?_sysroot} \
|
|
%if %{without tpm}
|
|
--without-tpm \
|
|
%endif
|
|
%if %{with dane}
|
|
--with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
|
|
%else
|
|
--disable-libdane \
|
|
%endif
|
|
%if %{with srp}
|
|
--enable-srp-authentication \
|
|
%endif
|
|
%ifarch %{ix86} %{arm}
|
|
--disable-year2038 \
|
|
%endif
|
|
--enable-shared \
|
|
--enable-fips140-mode \
|
|
--with-fips140-module-name="GnuTLS version" \
|
|
--with-fips140-module-version="%{version}-%{release}" \
|
|
%{nil}
|
|
|
|
%make_build
|
|
|
|
%install
|
|
%make_install
|
|
|
|
# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
|
|
# export BRP_FIPSHMAC_FILES=%%{buildroot}%%{_libdir}/libgnutls.so.%%{gnutls_sover}
|
|
|
|
# the hmac hashes:
|
|
#
|
|
# this is a hack that re-defines the __os_install_post macro
|
|
# for a simple reason: the macro strips the binaries and thereby
|
|
# invalidates a HMAC that may have been created earlier.
|
|
# solution: create the hashes _after_ the macro runs.
|
|
#
|
|
# this shows up earlier because otherwise the %%expand of
|
|
# the macro is too late.
|
|
# remark: This is the same as running
|
|
# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
|
|
# Note: The FIPS hmac is now calculated with an internal tool since
|
|
# commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > "%{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac"
|
|
sed -i "s^%{buildroot}/usr^^" "%{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac"
|
|
}}
|
|
|
|
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
|
|
# Do not package static libs and libtool files
|
|
find %{buildroot} -type f -name "*.la" -delete -print
|
|
|
|
# install docs
|
|
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
|
|
cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
|
|
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
|
|
cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
|
|
|
|
# PNG files are replaced with the compressed files and that breaks
|
|
# deduplication, this is workaround
|
|
find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
|
|
rm -rf %{buildroot}%{_datadir}/doc/gnutls
|
|
%fdupes -s %{buildroot}%{_datadir}
|
|
|
|
%find_lang libgnutls --all-name
|
|
|
|
%check
|
|
%if ! 0%{?qemu_user_space_build}
|
|
%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
|
|
find -name test-suite.log -print -exec cat {} +
|
|
exit 1
|
|
}
|
|
|
|
# Run the regression tests also in forced FIPS mode
|
|
GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
|
|
find -name test-suite.log -print -exec cat {} +
|
|
exit 1
|
|
}
|
|
%endif
|
|
|
|
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
|
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
|
|
|
%if %{with dane}
|
|
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
|
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
|
%endif
|
|
|
|
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
|
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
|
|
|
%files -f libgnutls.lang
|
|
%license LICENSE
|
|
%doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
|
|
%{_bindir}/certtool
|
|
%{_bindir}/gnutls-cli
|
|
%{_bindir}/gnutls-cli-debug
|
|
%{_bindir}/gnutls-serv
|
|
%{_bindir}/ocsptool
|
|
%{_bindir}/psktool
|
|
%{_bindir}/p11tool
|
|
%if %{with srp}
|
|
%{_bindir}/srptool
|
|
%endif
|
|
%if %{with dane}
|
|
%{_bindir}/danetool
|
|
%endif
|
|
%if %{with tpm}
|
|
%{_bindir}/tpmtool
|
|
%endif
|
|
%{_mandir}/man1/*
|
|
|
|
%files -n libgnutls%{gnutls_sover}
|
|
%license LICENSE
|
|
%{_libdir}/libgnutls.so.%{gnutls_sover}*
|
|
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
|
|
|
|
%if %{with dane}
|
|
%files -n libgnutls-dane%{gnutls_dane_sover}
|
|
%license LICENSE
|
|
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
|
|
%endif
|
|
|
|
%files -n libgnutlsxx%{gnutlsxx_sover}
|
|
%license LICENSE
|
|
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
|
|
|
|
%files -n libgnutls-devel
|
|
%license LICENSE
|
|
%dir %{_includedir}/%{name}
|
|
%{_includedir}/%{name}/abstract.h
|
|
%{_includedir}/%{name}/crypto.h
|
|
%{_includedir}/%{name}/compat.h
|
|
%{_includedir}/%{name}/dtls.h
|
|
%{_includedir}/%{name}/gnutls.h
|
|
%{_includedir}/%{name}/openpgp.h
|
|
%{_includedir}/%{name}/ocsp.h
|
|
%{_includedir}/%{name}/pkcs7.h
|
|
%{_includedir}/%{name}/pkcs11.h
|
|
%{_includedir}/%{name}/pkcs12.h
|
|
%{_includedir}/%{name}/self-test.h
|
|
%{_includedir}/%{name}/socket.h
|
|
%{_includedir}/%{name}/x509.h
|
|
%{_includedir}/%{name}/x509-ext.h
|
|
%{_includedir}/%{name}/tpm.h
|
|
%{_includedir}/%{name}/system-keys.h
|
|
%{_includedir}/%{name}/urls.h
|
|
%{_libdir}/libgnutls.so
|
|
%{_libdir}/pkgconfig/gnutls.pc
|
|
%{_mandir}/man3/*
|
|
%{_infodir}/*%{ext_info}
|
|
%doc %{_docdir}/libgnutls-devel
|
|
|
|
%if %{with dane}
|
|
%files -n libgnutls-dane-devel
|
|
%license LICENSE
|
|
%dir %{_includedir}/%{name}
|
|
%{_includedir}/%{name}/dane.h
|
|
%{_libdir}/pkgconfig/gnutls-dane.pc
|
|
%{_libdir}/libgnutls-dane.so
|
|
%endif
|
|
|
|
%files -n libgnutlsxx-devel
|
|
%license LICENSE
|
|
%{_libdir}/libgnutlsxx.so
|
|
%dir %{_includedir}/%{name}
|
|
%{_includedir}/%{name}/gnutlsxx.h
|
|
|
|
%changelog
|