From e49ae825cb57966abcbcea602539c519cc0f88b6 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Tue, 19 Jul 2022 09:10:22 +0900
Subject: [PATCH] Add virtual package to pull in nettle/gmp dependencies for FIPS

This adds a new subpackage `gnutls-fips` with strict version requirements to nettle and gmp under FIPS, as gnutls now calculates library integrity (HMAC) over those libraries.

Related: RHEL-35857
Signed-off-by: Daiki Ueno
---
 gnutls.spec | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/gnutls.spec b/gnutls.spec
index fed17c5..e5be06e 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -41,6 +41,13 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
 %endif
+%define fips_requires() %{lua:
+local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'")))
+local v = f:read("*all")
+f:close()
+print("Requires: "..rpm.expand("%1%{?_isa}").." = "..v.."\\n")
+}
+
 Summary: A TLS protocol implementation
 Name: gnutls
 # The libraries are LGPLv2.1+, utilities are GPLv3+
@@ -71,6 +78,7 @@ BuildRequires: p11-kit-trust, ca-certificates
 Requires: crypto-policies
 Requires: p11-kit-trust
 Requires: libtasn1 >= 4.3
+# always bump when a nettle release is packaged
 Requires: nettle >= 3.9.1
 %if %{with tpm12}
 Recommends: trousers >= 0.3.11.2
@@ -136,6 +144,14 @@ Summary: A DANE protocol implementation for GnuTLS
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %endif
+%if %{with fips}
+%package fips
+Summary: Virtual package to install packages required to use %{name} under FIPS mode
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%{fips_requires nettle}
+%{fips_requires gmp}
+%endif
+
 %description
 GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
 protocols and technologies around them. It provides a simple C language
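Review bot: The `assert(io.popen(...))` on the `local f` line only checks that the pipe opened, not that `rpm -q --whatprovides` found anything, so on a host where nothing provides `%1%{?_isa}` the macro reads rpm's "no package provides ..." text from stdout and emits it verbatim as the version in `Requires: ... = ...`; two matching packages would likewise be concatenated without a separator (the queryformat has none) and passed through. Because this pin is what holds gnutls to the nettle/gmp builds whose HMAC it computed, a failed or ambiguous lookup should abort spec parsing instead of producing an unsatisfiable or wrong dependency. I would expand the name once, put a separator in the queryformat and accept exactly one EVR-shaped token before printing, as below; the `"\\n"` escape and the `rpm.expand` call are kept as written, since the original evidently relies on the `%{lua:}` body not being macro-expanded before Lua sees it.
```rpmspec
%define fips_requires() %{lua:
local pkg = rpm.expand("%1%{?_isa}")
local f = assert(io.popen("rpm -q --queryformat '%{EVR} ' --whatprovides '"..pkg.."'"))
local out = f:read("*all")
f:close()
-- io.popen succeeding says nothing about rpm's exit status: a failed query
-- prints "no package provides ..." on stdout and several providers would be
-- concatenated, so accept exactly one EVR-shaped token and abort otherwise.
local evr = out:match("^([%w%.:~%^%+_%-]+) $")
if not evr then
  error("fips_requires: cannot determine the installed EVR of "..pkg..": "..out)
end
print("Requires: "..pkg.." = "..evr.."\\n")
}
```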
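Review bot: The `%{fips_requires nettle}` and `%{fips_requires gmp}` lines pin the subpackage to whatever EVR of those packages is installed in the buildroot when the spec is parsed, and nothing in the spec records that this is meant to be the library the build-time HMAC was computed over, or that the exact pin deliberately blocks a nettle or gmp update on FIPS systems until gnutls is rebuilt. A maintainer reading the spec later will need that to understand why the pin is `=` rather than `>=`, and why a plain nettle rebase can leave `gnutls-fips` uninstallable. I would put a comment above `%package fips`: `# Requires below are pinned to the exact nettle/gmp EVR present in the buildroot; the FIPS integrity check (HMAC) covers those libraries, so gnutls must be rebuilt whenever either one is rebased.` Note also that the main package does not require `%{name}-fips`, so the pin only takes effect on systems that install the virtual package explicitly; if that is intended, saying so in the same comment would help.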
@@ -179,6 +195,17 @@ This package contains library that implements the DANE protocol for
 verifying TLS certificates through DNSSEC.
 %endif
+%if %{with fips}
+%description fips
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
+protocols and technologies around them. It provides a simple C language
+application programming interface (API) to access the secure communications
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
+other required structures.
+This package does not contain any file, but installs required packages
+to use GnuTLS under FIPS mode.
+%endif
+
 %if %{with mingw}
 %package -n mingw32-%{name}
 Summary: MinGW GnuTLS TLS/SSL encryption library
@@ -433,6 +460,10 @@ popd
 %{_libdir}/libgnutls-dane.so.*
 %endif
+%if %{with fips}
+%files fips
+%endif
+
 %if %{with mingw}
 %files -n mingw32-%{name}
 %license LICENSE doc/COPYING doc/COPYING.LESSER