Add bcond to statically link to GMP

In CentOS Stream 9 and RHEL 9, we link to libgmp statically to ensure zeroization of internally allocated memory areas according to FIPS 140-3. This ports the ability to Fedora, in a way it is configured with a `--with bundled_gmp` build conditional. Resolves: RHEL-35857 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-05-10 09:59:00 +09:00 · 2024-05-10 09:59:00 +09:00 · c8d0a15246
commit c8d0a15246
parent e49ae825cb
1 changed files with 33 additions and 0 deletions
--- a/gnutls.spec
+++ b/gnutls.spec
@ -40,6 +40,12 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
 %bcond_with mingw
 %endif

+%if 0%{?rhel} >= 9 && %{with fips}
+%bcond_without bundled_gmp
+%else
+%bcond_with bundled_gmp
+%endif
+

 %define fips_requires() %{lua:
 local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'")))
@ -114,6 +120,12 @@ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{ver
 Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig
 Source2: https://gnutls.org/gnutls-release-keyring.gpg

+%if %{with bundled_gmp}
+Source100:	gmp-6.2.1.tar.xz
+# Taken from the main gmp package
+Source101:	gmp-6.2.1-intel-cet.patch
+%endif
+
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424

@ -149,8 +161,10 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
 Summary: Virtual package to install packages required to use %{name} under FIPS mode
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %{fips_requires nettle}
+%if !%{with bundled_gmp}
 %{fips_requires gmp}
 %endif
+%endif

 %description
 GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
@ -235,9 +249,28 @@ for MinGW.

 %autosetup -p1 -S git

+%if %{with bundled_gmp}
+mkdir -p bundled_gmp
+pushd bundled_gmp
+tar --strip-components=1 -xf %{SOURCE100}
+patch -p1 < %{SOURCE101}
+popd
+%endif
+
 %build
 %define _lto_cflags %{nil}

+%if %{with bundled_gmp}
+pushd bundled_gmp
+autoreconf -ifv
+%configure --disable-cxx --disable-shared --enable-fat --with-pic
+%make_build
+popd
+
+export GMP_CFLAGS="-I$PWD/bundled_gmp"
+export GMP_LIBS="$PWD/bundled_gmp/.libs/libgmp.a"
+%endif
+
 %if %{with bootstrap}
 autoreconf -fi
 %endif