From c8d0a15246eb9af74b4bfb56ce355ab6f6ab81bb Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Fri, 10 May 2024 09:59:00 +0900
Subject: [PATCH] Add bcond to statically link to GMP

In CentOS Stream 9 and RHEL 9, we link to libgmp statically to ensure zeroization of internally allocated memory areas according to FIPS 140-3. This ports the ability to Fedora, in a way it is configured with a `--with bundled_gmp` build conditional.

Resolves: RHEL-35857
Signed-off-by: Daiki Ueno
---
 gnutls.spec | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/gnutls.spec b/gnutls.spec
index e5be06e..67479b8 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -40,6 +40,12 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
 %bcond_with mingw
 %endif
+%if 0%{?rhel} >= 9 && %{with fips}
+%bcond_without bundled_gmp
+%else
+%bcond_with bundled_gmp
+%endif
+
 %define fips_requires() %{lua:
 local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'")))
@@ -114,6 +120,12 @@ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{ver
 Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig
 Source2: https://gnutls.org/gnutls-release-keyring.gpg
+%if %{with bundled_gmp}
+Source100: gmp-6.2.1.tar.xz
+# Taken from the main gmp package
+Source101: gmp-6.2.1-intel-cet.patch
+%endif
+
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -149,8 +161,10 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
 Summary: Virtual package to install packages required to use %{name} under FIPS mode
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %{fips_requires nettle}
+%if !%{with bundled_gmp}
 %{fips_requires gmp}
 %endif
+%endif
 %description
 GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
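Review bot: The new `%if 0%{?rhel} >= 9 && %{with fips}` block carries no comment, so the only place that explains why GMP is linked statically is the commit message, which a later maintainer editing the spec will not see. A one-line comment above the `%if` would preserve the rationale, e.g. `# Link libgmp statically so memory it allocates internally is zeroized as FIPS 140-3 requires (RHEL-35857)`. The condition also relies on the `fips` bcond having been declared earlier in the file, which is outside this hunk; worth confirming its declaration precedes line 40 so `%{with fips}` expands as intended.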
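Review bot: The bundled GMP added as `Source100` is not declared with a `Provides: bundled(gmp) = 6.2.1`, although the context lines right below show the spec already tracks bundling this way (`Provides: bundled(gnulib) = 20130424`); without it, tooling that looks for packages carrying a vulnerable GMP copy will miss this one when the bundled_gmp build is enabled. Adding `%if %{with bundled_gmp}` / `Provides: bundled(gmp) = 6.2.1` / `%endif` next to the existing bundling provide keeps the static copy visible for security tracking. Note also that `Source0` is accompanied by a detached signature and keyring (`Source1`, `Source2`) while `Source100` has neither; if upstream GMP's release signature is obtainable, verifying the tarball the same way would give the bundled copy the same supply-chain integrity check as the main tarball. The `6.2.1` version string is repeated in both `Source100` and `Source101`; a `%global` for it would keep the two from drifting apart on the next update.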
@@ -235,9 +249,28 @@ for MinGW.
 %autosetup -p1 -S git
+%if %{with bundled_gmp}
+mkdir -p bundled_gmp
+pushd bundled_gmp
+tar --strip-components=1 -xf %{SOURCE100}
+patch -p1 < %{SOURCE101}
+popd
+%endif
+
 %build
 %define _lto_cflags %{nil}
+%if %{with bundled_gmp}
+pushd bundled_gmp
+autoreconf -ifv
+%configure --disable-cxx --disable-shared --enable-fat --with-pic
+%make_build
+popd
+
+export GMP_CFLAGS="-I$PWD/bundled_gmp"
+export GMP_LIBS="$PWD/bundled_gmp/.libs/libgmp.a"
+%endif
+
 %if %{with bootstrap}
 autoreconf -fi
 %endif
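Review bot: In the `%prep` additions, `patch -p1 < %{SOURCE101}` invokes patch with its default fuzz, unlike the `%autosetup -p1` line just above it, which applies the package's own patches through rpm's macros and therefore with fuzz disabled; a hunk of the CET patch that no longer matches the bundled GMP sources exactly would be silently applied at an offset rather than failing the build. Using `patch -p1 --fuzz=0 < %{SOURCE101}` makes a stale patch fail loudly, which matters here because the result is linked statically into the library. In the `%build` additions, the bundled library is built and its path exported before the package's own configure runs; `%configure` should pick up the distribution's hardening flags for the static GMP as it does for the main build, though whether GnuTLS's configure honours `GMP_CFLAGS`/`GMP_LIBS` from the environment cannot be confirmed from this hunk. The `%build` section continues past the end of the hunk.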