forked from pool/libgcrypt
Pedro Monreal Gonzalez
82bc8eba9a
Sync the FIPS changes to be added in SLE-15-SP4 OBS-URL: https://build.opensuse.org/request/show/1001247 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=156
291 lines
11 KiB
RPMSpec
291 lines
11 KiB
RPMSpec
#
|
|
# spec file for package libgcrypt
|
|
#
|
|
# Copyright (c) 2022 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define build_hmac256 1
|
|
%define separate_hmac256_binary 0
|
|
%define libsover 20
|
|
%define libsoname %{name}%{libsover}
|
|
%define cavs_dir %{_libexecdir}/%{name}/cavs
|
|
Name: libgcrypt
|
|
Version: 1.9.4
|
|
Release: 0
|
|
Summary: The GNU Crypto Library
|
|
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
|
|
Group: Development/Libraries/C and C++
|
|
URL: https://gnupg.org/software/libgcrypt
|
|
Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
|
|
Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
|
|
Source2: baselibs.conf
|
|
Source3: random.conf
|
|
# https://www.gnupg.org/signature_key.en.html
|
|
Source4: libgcrypt.keyring
|
|
# cavs test framework
|
|
Source5: cavs-test.sh
|
|
Source6: cavs_driver.pl
|
|
Source99: libgcrypt.changes
|
|
Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
|
|
Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
|
|
Patch4: libgcrypt-1.6.1-use-fipscheck.patch
|
|
Patch5: libgcrypt-1.6.1-fips-cavs.patch
|
|
Patch6: libgcrypt-fix-rng.patch
|
|
#PATCH-FIX-SUSE add FIPS CAVS test app for DRBG
|
|
Patch7: drbg_test.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
|
|
Patch8: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
|
|
Patch9: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
|
|
Patch10: libgcrypt-1.8.3-fips-ctor.patch
|
|
Patch11: libgcrypt-1.8.4-use_xfree.patch
|
|
Patch12: libgcrypt-1.8.4-allow_FSM_same_state.patch
|
|
Patch13: libgcrypt-1.8.4-getrandom.patch
|
|
Patch14: libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
|
|
#PATCH-FIX-SUSE Fix test in FIPS mode
|
|
Patch15: libgcrypt-dsa-rfc6979-test-fix.patch
|
|
Patch16: libgcrypt-fix-tests-fipsmode.patch
|
|
#PATCH-FIX-SUSE bsc#1155337 FIPS: RSA/DSA/ECDSA are missing hashing operation
|
|
Patch17: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
|
|
#PATCH-FIX-SUSE bsc#1161220 FIPS: libgcrypt RSA siggen/keygen: 4k not supported
|
|
Patch18: libgcrypt-1.8.4-fips-keygen.patch
|
|
#PATCH-FIX-SUSE bsc#1164950 Run self-tests from the constructor
|
|
Patch19: libgcrypt-invoke-global_init-from-constructor.patch
|
|
#PATCH-FIX-SUSE bsc#1164950 Restore the self-tests from the constructor
|
|
Patch20: libgcrypt-Restore-self-tests-from-constructor.patch
|
|
Patch21: libgcrypt-FIPS-GMAC_AES-benckmark.patch
|
|
Patch22: libgcrypt-global_init-constructor.patch
|
|
Patch23: libgcrypt-random_selftests-testentropy.patch
|
|
Patch24: libgcrypt-rsa-no-blinding.patch
|
|
Patch25: libgcrypt-ecc-ecdsa-no-blinding.patch
|
|
#PATCH-FIX-SUSE bsc#1165539 FIPS: Use the new signature operation in PCT
|
|
Patch26: libgcrypt-PCT-RSA.patch
|
|
Patch27: libgcrypt-PCT-DSA.patch
|
|
Patch28: libgcrypt-PCT-ECC.patch
|
|
Patch29: libgcrypt-fips_selftest_trigger_file.patch
|
|
#PATCH-FIX-SUSE bsc#1189745 The t-lock test is not build with phtread in gcc7, works in gcc11
|
|
Patch30: libgcrypt-pthread-in-t-lock-test.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1187110 FIPS: Enable hardware support also in FIPS mode
|
|
Patch31: libgcrypt-FIPS-hw-optimizations.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1190706 FIPS: Provide module name/identifier and version
|
|
Patch32: libgcrypt-FIPS-module-version.patch
|
|
#PATCH-FIX-SUSE bsc#1185138 FIPS: Disable 3DES/Triple-DES in FIPS mode
|
|
Patch33: libgcrypt-FIPS-disable-3DES.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1192131 FIPS: Fix regression tests in FIPS mode
|
|
Patch34: libgcrypt-FIPS-fix-regression-tests.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1192240 FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes
|
|
Patch35: libgcrypt-FIPS-RSA-keylen.patch
|
|
Patch36: libgcrypt-FIPS-RSA-keylen-tests.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1193480 FIPS: gcry_mpi_sub_ui: fix subtracting from negative value
|
|
Patch37: libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator
|
|
Patch38: libgcrypt-FIPS-verify-unsupported-KDF-test.patch
|
|
Patch39: libgcrypt-FIPS-HMAC-short-keylen.patch
|
|
Patch40: libgcrypt-FIPS-service-indicators.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1195385 FIPS: Disable DSA in FIPS mode
|
|
Patch41: libgcrypt-FIPS-disable-DSA.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
|
|
Patch42: libgcrypt-FIPS-SLI-pk.patch
|
|
#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
|
|
Patch43: libgcrypt_indicators_changes.patch
|
|
#PATCH-FIX-SUSE bsc#1190700 FIPS allow shake
|
|
Patch44: libgcrypt-indicate-shake.patch
|
|
#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
|
|
Patch45: libgcrypt-jitterentropy-3.3.0.patch
|
|
Patch46: libgcrypt-jitterentropy-3.4.0.patch
|
|
#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion
|
|
Patch47: libgcrypt-out-of-core-handler.patch
|
|
BuildRequires: automake >= 1.14
|
|
BuildRequires: fipscheck
|
|
BuildRequires: libgpg-error-devel >= 1.27
|
|
BuildRequires: libtool
|
|
BuildRequires: makeinfo
|
|
BuildRequires: pkgconfig
|
|
|
|
%description
|
|
Libgcrypt is a general purpose library of cryptographic building
|
|
blocks. It is originally based on code used by GnuPG. It does not
|
|
provide any implementation of OpenPGP or other protocols. Thorough
|
|
understanding of applied cryptography is required to use Libgcrypt.
|
|
|
|
%package -n %{libsoname}
|
|
Summary: The GNU Crypto Library
|
|
License: GPL-2.0-or-later AND LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
Suggests: %{libsoname}-hmac = %{version}-%{release}
|
|
|
|
%description -n %{libsoname}
|
|
Libgcrypt is a general purpose crypto library based on the code used in
|
|
GnuPG (alpha version).
|
|
|
|
%package -n %{libsoname}-hmac
|
|
Summary: HMAC checksums for the GNU Crypto Library
|
|
License: GPL-2.0-or-later AND LGPL-2.1-or-later
|
|
Group: System/Libraries
|
|
Requires: %{libsoname} = %{version}-%{release}
|
|
|
|
%description -n %{libsoname}-hmac
|
|
Libgcrypt is a general purpose crypto library based on the code used in
|
|
GnuPG (alpha version). This package contains the HMAC checksum files
|
|
for integrity checking the library, as required by FIPS 140-2.
|
|
|
|
%package devel
|
|
Summary: The GNU Crypto Library
|
|
License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
|
|
Group: Development/Libraries/C and C++
|
|
Requires: %{libsoname} = %{version}
|
|
Requires: glibc-devel
|
|
Requires: libgpg-error-devel >= 1.27
|
|
|
|
%description devel
|
|
Libgcrypt is a general purpose library of cryptographic building
|
|
blocks. It is originally based on code used by GnuPG. It does not
|
|
provide any implementation of OpenPGP or other protocols. Thorough
|
|
understanding of applied cryptography is required to use Libgcrypt.
|
|
|
|
This package contains needed files to compile and link against the
|
|
library.
|
|
|
|
%package cavs
|
|
Summary: The GNU Crypto Library
|
|
License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
|
|
Group: Development/Libraries/C and C++
|
|
Requires: %{libsoname} = %{version}
|
|
Requires: %{libsoname}-hmac
|
|
|
|
%description cavs
|
|
CAVS testing framework for libgcrypt
|
|
|
|
%if 0%{?separate_hmac256_binary}
|
|
%package hmac256
|
|
Summary: The GNU Crypto Library
|
|
License: GPL-2.0-or-later AND LGPL-2.1-or-later
|
|
Group: Development/Libraries/C and C++
|
|
Requires: %{libsoname} = %{version}
|
|
Requires: libgpg-error-devel >= 1.27
|
|
|
|
%description hmac256
|
|
Libgcrypt is a general purpose library of cryptographic building
|
|
blocks. It is originally based on code used by GnuPG. It does not
|
|
provide any implementation of OpenPGP or other protocols. Thorough
|
|
understanding of applied cryptography is required to use Libgcrypt.
|
|
%endif
|
|
|
|
%prep
|
|
%setup -q
|
|
%autopatch -p1
|
|
|
|
%build
|
|
echo building with build_hmac256 set to %{build_hmac256}
|
|
autoreconf -fi
|
|
date=$(date -u '+%%Y-%%m-%%dT%%H:%%M+0000' -r %{SOURCE99})
|
|
sed -e "s,BUILD_TIMESTAMP=.*,BUILD_TIMESTAMP=$date," -i configure
|
|
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
|
|
%configure \
|
|
--with-fips-module-version="Libgcrypt version %{version}-$SOURCE_DATE_EPOCH" \
|
|
--enable-noexecstack \
|
|
--disable-static \
|
|
--enable-m-guard \
|
|
%ifarch %{sparc}
|
|
--disable-asm \
|
|
%endif
|
|
--enable-hmac-binary-check \
|
|
--enable-random=linux
|
|
|
|
%make_build
|
|
|
|
%if 0%{?build_hmac256}
|
|
# this is a hack that re-defines the __os_install_post macro
|
|
# for a simple reason: the macro strips the binaries and thereby
|
|
# invalidates a HMAC that may have been created earlier.
|
|
# solution: create the hashes _after_ the macro runs.
|
|
#
|
|
# this shows up earlier because otherwise the %%expand of
|
|
# the macro is too late.
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
fipshmac %{buildroot}/%{_bindir}/hmac256
|
|
fipshmac %{buildroot}/%{_libdir}/*.so.??
|
|
}}
|
|
%endif
|
|
|
|
%check
|
|
fipshmac src/.libs/libgcrypt.so.??
|
|
%make_build check
|
|
|
|
# run the regression tests also in FIPS mode
|
|
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true
|
|
|
|
%install
|
|
%make_install
|
|
rm %{buildroot}%{_libdir}/%{name}.la
|
|
|
|
# cavs
|
|
install -m 0755 -d %{buildroot}%{cavs_dir}
|
|
install -m 0755 %{SOURCE5} %{buildroot}%{cavs_dir}
|
|
install -m 0755 %{SOURCE6} %{buildroot}%{cavs_dir}
|
|
|
|
mv %{buildroot}%{_bindir}/fipsdrv %{buildroot}%{cavs_dir}
|
|
mv %{buildroot}%{_bindir}/drbg_test %{buildroot}%{cavs_dir}
|
|
|
|
# create the FIPS "module is complete" trigger file
|
|
%if 0%{?build_hmac256}
|
|
touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips
|
|
%endif
|
|
|
|
# Create /etc/gcrypt directory and install random.conf
|
|
mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
|
|
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
|
|
|
|
%post -n %{libsoname} -p /sbin/ldconfig
|
|
%postun -n %{libsoname} -p /sbin/ldconfig
|
|
|
|
%files -n %{libsoname}
|
|
%license COPYING.LIB
|
|
%{_libdir}/%{name}.so.*
|
|
%dir %{_sysconfdir}/gcrypt
|
|
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
|
|
%if 0%{?build_hmac256}
|
|
%{_libdir}/.libgcrypt.so.*.hmac
|
|
%endif
|
|
|
|
%files -n %{libsoname}-hmac
|
|
%if 0%{?build_hmac256}
|
|
%{_libdir}/.libgcrypt.so.*.fips
|
|
%endif
|
|
|
|
%files devel
|
|
%license COPYING COPYING.LIB
|
|
%doc AUTHORS ChangeLog NEWS README THANKS TODO
|
|
%{_infodir}/gcrypt.info*%{ext_info}
|
|
%{_bindir}/dumpsexp
|
|
%{_bindir}/mpicalc
|
|
%{_bindir}/%{name}-config
|
|
%{_libdir}/%{name}.so
|
|
%{_includedir}/gcrypt*.h
|
|
%{_datadir}/aclocal/%{name}.m4
|
|
%{_libdir}/pkgconfig/libgcrypt.pc
|
|
|
|
%if 0%{?separate_hmac256_binary}
|
|
%files hmac256
|
|
%endif
|
|
%{_bindir}/hmac256
|
|
%{_bindir}/.hmac256.hmac
|
|
%doc %{_mandir}/man1/hmac256.1*
|
|
|
|
%files cavs
|
|
%{_libexecdir}/%{name}
|
|
|
|
%changelog
|