This unbreaks FIPS integrity checks against missing Nettle libs, as
well as stop exposing them through gnutls.pc.
Related: RHEL-50011
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Like GMP, this changes the package build process so the libnettle and
libhogweed are built and linked statically to libgnutls. That makes it
a little simpler to handle FIPS installation, so the users don't need
to install a specific version of the nettle package by themselves, at
the cost of duplicating cryptography implementation provided by
Nettle.
Related: RHEL-50011
Signed-off-by: Daiki Ueno <dueno@redhat.com>
The FIPS build runs *_install_post commands early during %install so that
the binaries will not be modified after running fipshmac, since those
commands are supposed to be no-op if re-run. However, __debug_install_post
is only run if __debug_package is defined, which is triggered by the
automatic creation of the debuginfo subpackage where appropriate.
Previously, a hack in redhat-rpm-config caused this to be enabled by
%install, but with RPM 4.20 this is no longer needed, and the hack was
removed from redhat-rpm-config for F41. On Fedora builds,
%mingw_debug_package triggers this and therefore it still builds, but ELN
is build without mingw and therefore there now is nothing to trigger the
debuginfo generation during %install. As a result, the binaries would just
be stripped without any debuginfo generation during the first run, leaving
nothing to detect in the second run, and the build would fail for lack of
debug symbols/sources.
https://github.com/rpm-software-management/rpm/issues/22047a1571ee80
Related: RHEL-50011
In CentOS Stream 9 and RHEL 9, we link to libgmp statically to ensure
zeroization of internally allocated memory areas according to FIPS
140-3. This ports the ability to Fedora, in a way it is configured
with a `--with bundled_gmp` build conditional.
Resolves: RHEL-35857
Signed-off-by: Daiki Ueno <dueno@redhat.com>
This adds a new subpackage `gnutls-fips` with strict version
requirements to nettle and gmp under FIPS, as gnutls now calculates
library integrity (HMAC) over those libraries.
Related: RHEL-35857
Signed-off-by: Daiki Ueno <dueno@redhat.com>
The ktls.sh test currently only supports kernel 5.11+. This needs to
be checked at run time, as the koji builder might be using a different
version of kernel on the host than the one indicated by the
kernel-devel package.
Resolves: #2247135
Signed-off-by: Daiki Ueno <dueno@redhat.com>
This makes it possible to build the package with/without those
features, through rpmbuild --with/--without.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
There seems to be a kernel specific issues with CHACHA20-POLY1305 for
TLS 1.2 [1]
The test fails without a needed kernel patch
[1] https://gitlab.com/gnutls/gnutls/-/issues/1443
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Their contents should be identical (bar timestamps) regardless of which
host build arch is used, since we're cross compiling.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This adds the following cleanups:
- Conditionalize features with bcond: tpm2, certificate_compression, and tests
- Remove leftover libopts cleanup
- Move autoreconf invocation from %prep to %build, to speed up fedpkg prep
- Switch to using %autosetup -S git
- Ignore errors in gpgverify to work around build under FIPS
- Support FIPS module version
Signed-off-by: Daiki Ueno <dueno@redhat.com>
KTLS is now supported/included by default.
gnutls-3.7.6-ktls-disabled-by-default.patch:
KTLS is disabled by default and can be enabled by adding
`ktls = true` in [global] section of system-wide configuration file.
gnutls-3.7.6-ktls-minor-fixes.patch: minor fixes
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
* use the new format/location
* do not redefine __spec_install_post which we should not have visibility into,
instead call it twice, which should be safe
