# srpmhash: 16 hex chars of the SHA-256 over the spec, every Patch and every
# Source. It is embedded in the FIPS module version below so the recorded
# module version changes whenever any build input changes.
%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/gnutls.spec")
for i, p in ipairs(patches) do
  files = files.." "..p
end
for i, p in ipairs(sources) do
  files = files.." "..p
end
local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
print(string.sub(hash, 0, 16))
}

Version: 3.8.7
Release: %{?autorelease}%{!?autorelease:1%{?dist}}

# not upstreamed: can we drop this as configure is regenerated when bootstrapping?
Patch: gnutls-3.2.7-rpath.patch
# not upstreamed: modifies the generated code
Patch: gnutls-3.7.2-enable-intel-cet.patch
# not upstreamed: to ignore GNUTLS_NO_EXPLICIT_INIT, for long-term support purposes
Patch: gnutls-3.7.2-no-explicit-init.patch
# not upstreamed: to avoid any inconsistency between algorithms enabled through API vs the ones enabled through config file, for long-term support purposes
Patch: gnutls-3.7.3-disable-config-reload.patch
# not upstreamed: should be removed once --disable-dsa is ported
Patch: gnutls-3.7.3-fips-dsa-post.patch
# not upstreamed, reseed source DRBG for prediction resistance
Patch: gnutls-3.7.6-drbg-reseed.patch
# not upstreamed, hard blocking SHA-1 signature verification, for long-term support purposes
Patch: gnutls-3.7.6-fips-sha1-sigver.patch
# not upstreamed: see https://gitlab.com/gnutls/gnutls/-/issues/1443
Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1867
Patch: gnutls-3.8.7-pkgconf-dlopen.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1868
Patch: gnutls-3.8.7-nettle-static.patch

# Build-time feature switches. "bcond_without X" means X is ON by default
# (disable with --without X); "bcond_with X" means X is OFF by default.
%bcond_without bootstrap
%bcond_without dane
%bcond_without fips
%bcond_with tpm12
%bcond_without tpm2
%if 0%{?rhel} >= 9
%bcond_with gost
%else
%bcond_without gost
%endif
%bcond_without certificate_compression
%bcond_without liboqs
%bcond_without tests
%if 0%{?fedora} && 0%{?fedora} < 38
%bcond_without srp
%else
%bcond_with srp
%endif
%if 0%{?fedora}
%bcond_without mingw
%else
%bcond_with mingw
%endif
# In FIPS builds on newer RHEL the gmp/nettle dependencies are built in
# statically from the Source1xx/Source2xx tarballs instead of the system
# libraries, so the FIPS module boundary does not depend on separately
# updated packages.
%if 0%{?rhel} >= 9 && %{with fips}
%bcond_without bundled_gmp
%else
%bcond_with bundled_gmp
%endif
%if 0%{?rhel} >= 10 && %{with fips}
%bcond_without bundled_nettle
%else
%bcond_with bundled_nettle
%endif

# fips_requires NAME: emit an arch-qualified "Requires: NAME = EVR" pinned to
# the exact version installed in the build root (queried via rpm -q), so the
# fips subpackage pulls in precisely the dependency versions it was validated
# against.
%define fips_requires() %{lua:
local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'")))
local v = f:read("*all")
f:close()
print("Requires: "..rpm.expand("%1%{?_isa}").." = "..v.."\\n")
}

Summary: A TLS protocol implementation
Name: gnutls
# The libraries are LGPLv2.1+, utilities are GPLv3+
License: GPL-3.0-or-later AND LGPL-2.1-or-later
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
BuildRequires: readline-devel, libtasn1-devel >= 4.3
%if %{with certificate_compression}
BuildRequires: zlib-devel, brotli-devel, libzstd-devel
%endif
%if %{with liboqs}
BuildRequires: liboqs-devel
%endif
%if %{with bootstrap}
BuildRequires: automake, autoconf, gperf, libtool, texinfo
%endif
%if !%{with bundled_nettle}
BuildRequires: nettle-devel >= 3.9.1
%endif
%if %{with tpm12}
# NOTE(review): the version operand after ">=" is missing in this copy of the
# spec (here and in the Recommends below); restore it from the packaging
# repository before enabling tpm12, otherwise this line will not parse.
BuildRequires: trousers-devel >=
%endif
%if %{with tpm2}
BuildRequires: tpm2-tss-devel >= 3.0.3
%endif
BuildRequires: libidn2-devel
BuildRequires: libunistring-devel
BuildRequires: net-tools, softhsm, gcc, gcc-c++
BuildRequires: gnupg2
BuildRequires: git-core
# for a sanity check on cert loading
BuildRequires: p11-kit-trust, ca-certificates

Requires: crypto-policies
Requires: p11-kit-trust
Requires: libtasn1 >= 4.3
%if !%{with bundled_nettle}
# always bump when a nettle release is packaged
Requires: nettle >= 3.9.1
%endif
%if %{with tpm12}
Recommends: trousers >=
%endif

%if %{with dane}
BuildRequires: unbound-devel unbound-libs
%endif
BuildRequires: make gtk-doc

%if %{with mingw}
BuildRequires: mingw32-filesystem >= 95
BuildRequires: mingw32-gcc
BuildRequires: mingw32-gcc-c++
BuildRequires: mingw32-libtasn1 >= 4.3
BuildRequires: mingw32-readline
BuildRequires: mingw32-zlib
BuildRequires: mingw32-p11-kit >= 0.23.1
BuildRequires: mingw32-nettle >= 3.6
BuildRequires: mingw64-filesystem >= 95
BuildRequires: mingw64-gcc
BuildRequires: mingw64-gcc-c++
BuildRequires: mingw64-libtasn1 >= 4.3
BuildRequires: mingw64-readline
BuildRequires: mingw64-zlib
BuildRequires: mingw64-p11-kit >= 0.23.1
BuildRequires: mingw64-nettle >= 3.6
%endif

URL: http://www.gnutls.org/
# short_version is the "MAJOR.MINOR" prefix of Version, used for the upstream
# download directory.
%define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1)
# Tarball, its detached OpenPGP signature and the upstream release keyring;
# the signature is checked in prep before anything is unpacked.
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz.sig
Source2: https://gnutls.org/gnutls-release-keyring.gpg
%if %{with bundled_gmp}
Source100: gmp-6.2.1.tar.xz
# Taken from the main gmp package
Source101: gmp-6.2.1-intel-cet.patch
%endif
%if %{with bundled_nettle}
Source200: nettle-3.10-hobbled.tar.xz
# Taken from the main nettle package
Source201: nettle-3.8-zeroize-stack.patch
%endif

# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424

%package c++
Summary: The C++ interface to GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}

%package devel
Summary: Development files for the %{name} package
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-c++%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif
Requires: pkgconfig

%package utils
License: GPL-3.0-or-later
Summary: Command line tools for TLS protocol
Requires: %{name}%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif

%if %{with dane}
%package dane
Summary: A DANE protocol implementation for GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
%endif

%if %{with fips}
# Metapackage only: pins the exact nettle/gmp builds this FIPS module was
# built against (see fips_requires) unless they are bundled.
%package fips
Summary: Virtual package to install packages required to use %{name} under FIPS mode
Requires: %{name}%{?_isa} = %{version}-%{release}
%if !%{with bundled_nettle}
%{fips_requires nettle}
%endif
%if !%{with bundled_gmp}
%{fips_requires gmp}
%endif
%endif

%description
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other
required structures.

%description c++
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other
required structures.

%description devel
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other
required structures.

This package contains files needed for developing applications with
the GnuTLS library.

%description utils
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other
required structures.

This package contains command line TLS client and server and certificate
manipulation tools.

%if %{with dane}
%description dane
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other
required structures.

This package contains library that implements the DANE protocol for verifying
TLS certificates through DNSSEC.
%endif

%if %{with fips}
%description fips
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other
required structures.

This package does not contain any file, but installs required packages to
use GnuTLS under FIPS mode.
%endif

%if %{with mingw}
%package -n mingw32-%{name}
Summary: MinGW GnuTLS TLS/SSL encryption library
Requires: pkgconfig
Requires: mingw32-libtasn1 >= 4.3
BuildArch: noarch

%description -n mingw32-gnutls
GnuTLS TLS/SSL encryption library.

This library is cross-compiled for MinGW.

%package -n mingw64-%{name}
Summary: MinGW GnuTLS TLS/SSL encryption library
Requires: pkgconfig
Requires: mingw64-libtasn1 >= 4.3
BuildArch: noarch

%description -n mingw64-gnutls
GnuTLS TLS/SSL encryption library.

This library is cross-compiled for MinGW.

%{?mingw_debug_package}
%endif

%prep
# Verify the upstream tarball against its detached signature using the
# release keyring shipped as Source2; the build aborts before unpacking
# if verification fails.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1 -S git

# Unpack and patch the bundled gmp/nettle sources into their own
# subdirectories; they are built statically in the build section below.
%if %{with bundled_gmp}
mkdir -p bundled_gmp
pushd bundled_gmp
tar --strip-components=1 -xf %{SOURCE100}
patch -p1 < %{SOURCE101}
popd
%endif

%if %{with bundled_nettle}
mkdir -p bundled_nettle
pushd bundled_nettle
tar --strip-components=1 -xf %{SOURCE200}
patch -p1 < %{SOURCE201}
popd
%endif

%if %{with bundled_gmp}
# gmp is linked in statically, so it must not leak into the public pkg-config
# link line.
sed -i 's/@GMP_LIBS@//' lib/gnutls.pc.in
%endif

%build
%define _lto_cflags %{nil}

%if %{with bundled_gmp}
pushd bundled_gmp
autoreconf -ifv
%configure --disable-cxx --disable-shared --enable-fat --with-pic
%make_build
popd
export GMP_DIR="$PWD/bundled_gmp"
export GMP_CFLAGS="-I$GMP_DIR"
export GMP_LIBS="$GMP_DIR/.libs/libgmp.a"
%endif

%if %{with bundled_nettle}
pushd bundled_nettle
./.bootstrap
# Disable -ggdb3 which makes debugedit unhappy
sed s/ggdb3/g/ -i configure
# Drop the secp192r1/secp224r1 curves from the bundled build.
sed 's/ecc-secp192r1.c//g' -i Makefile.in
sed 's/ecc-secp224r1.c//g' -i Makefile.in
autoreconf -ifv
# For annocheck
export ASM_FLAGS="-Wa,--generate-missing-build-notes=yes"
%configure --disable-shared --enable-fat --disable-documentation \
    --with-include-path="$GMP_DIR" \
    --with-lib-path="$GMP_DIR/.libs" \
    %{nil}
%make_build
ln -s . nettle
popd
export NETTLE_DIR="$PWD/bundled_nettle"
export NETTLE_CFLAGS="-I$NETTLE_DIR"
export NETTLE_LIBS="$NETTLE_DIR/libnettle.a"
export HOGWEED_CFLAGS="-I$NETTLE_DIR"
export HOGWEED_LIBS="$NETTLE_DIR/libhogweed.a"
%endif

%if %{with bootstrap}
autoreconf -fi
%endif

# Make libtool's default dlsearch path include the distro libdir.
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
# Never build against the bundled minitasn1 copy; the system libtasn1 is a
# BuildRequires above.
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
echo "SYSTEM=NORMAL" >> tests/system.prio

CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
export CCASFLAGS

%if %{with fips}
# The FIPS module name is derived from the distribution name and major
# version in os-release plus the package name.
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
%endif

mkdir native_build
pushd native_build
%global _configure ../configure
# Notable choices: the system priority file is the crypto-policies back end,
# the default trust store is the p11-kit PKCS#11 trust module, and in FIPS
# builds the module version carries the srpmhash so it tracks every input.
%configure \
%if %{with fips}
    --enable-fips140-mode \
    --with-fips140-module-name="$FIPS_MODULE_NAME" \
    --with-fips140-module-version=%{version}-%{srpmhash} \
%endif
%if %{with gost}
    --enable-gost \
%else
    --disable-gost \
%endif
%if %{with srp}
    --enable-srp-authentication \
%endif
%ifarch %{ix86}
    --disable-year2038 \
%endif
    --enable-sha1-support \
    --disable-static \
    --disable-openssl-compatibility \
    --disable-non-suiteb-curves \
    --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
    --with-default-trust-store-pkcs11="pkcs11:" \
%if %{with tpm12}
    --with-trousers-lib=%{_libdir}/libtspi.so.1 \
%else
    --without-tpm \
%endif
%if %{with tpm2}
    --with-tpm2 \
%else
    --without-tpm2 \
%endif
    --enable-ktls \
    --htmldir=%{_docdir}/manual \
%if %{with dane}
    --with-unbound-root-key-file=/var/lib/unbound/root.key \
    --enable-libdane \
%else
    --disable-libdane \
%endif
%if %{with certificate_compression}
    --with-zlib --with-brotli --with-zstd \
%else
    --without-zlib --without-brotli --without-zstd \
%endif
%if %{with liboqs}
    --with-liboqs \
%else
    --without-liboqs \
%endif
    --disable-rpath \
    --with-default-priority-string="@SYSTEM"
%make_build
%if %{with bundled_nettle}
# nettle/hogweed are linked in statically, so drop them from the pkg-config
# private requires.
sed -i '/^Requires.private:/s/\(nettle\|hogweed\)[ ,]*//g' lib/gnutls.pc
%endif
popd

%if %{with mingw}
# MinGW does not support CCASFLAGS
export CCASFLAGS=""
%mingw_configure \
%if %{with srp}
    --enable-srp-authentication \
%endif
    --enable-sha1-support \
    --disable-static \
    --disable-openssl-compatibility \
    --disable-non-suiteb-curves \
    --disable-libdane \
    --disable-rpath \
    --disable-nls \
    --disable-cxx \
    --enable-local-libopts \
    --enable-shared \
    --without-tpm \
    --with-included-unistring \
    --disable-doc \
    --with-default-priority-string="@SYSTEM"
%mingw_make %{?_smp_mflags}
%endif

%install
%make_install -C native_build
pushd native_build
make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%if %{without dane}
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
%endif

%if %{with fips}
# doing it twice should be a no-op the second time,
# and this way we avoid redefining it and missing a future change
# Run the post-install passes (debuginfo extraction, os install post) now,
# so the integrity HMAC computed below covers the final on-disk shared
# object rather than a copy those passes may still rewrite.
%global __debug_package 1
%{__spec_install_post}

# Generate the FIPS integrity HMAC for the installed libgnutls and store it as
# a dotfile next to the library; the sed strips the buildroot prefix so the
# recorded path matches the installed location. The unversioned symlink is
# what the library looks up at self-test time.
fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*`
./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac"
%endif

%if %{with fips}
# Redefine the post-install hook to the remaining steps only, so the
# automatic run after install does not repeat work that would invalidate
# the HMAC just written.
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    %{nil}
%endif

%find_lang gnutls
popd

%if %{with mingw}
%mingw_make_install

# Remove .la files
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la

# The .def files aren't interesting for other binaries
rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def
rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def

# Remove info and man pages which duplicate stuff in Fedora already.
rm -rf $RPM_BUILD_ROOT%{mingw32_infodir}
rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
rm -rf $RPM_BUILD_ROOT%{mingw32_docdir}/gnutls
rm -rf $RPM_BUILD_ROOT%{mingw64_infodir}
rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
rm -rf $RPM_BUILD_ROOT%{mingw64_docdir}/gnutls

# Remove test libraries
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/crypt32.dll*
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/ncrypt.dll*
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/crypt32.dll*
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll*

%mingw_debug_install_post
%endif

%check
%if %{with tests}
pushd native_build
# KeyUpdate is not yet supported in the kernel.
xfail_tests=ktls_keyupdate.sh
# The ktls.sh test currently only supports kernel 5.11+. This needs to
# be checked at run time, as the koji builder might be using a different
# version of kernel on the host than the one indicated by the
# kernel-devel package.
case "$(uname -r)" in
  4.* | 5.[0-9].* | 5.10.* )
    xfail_tests="$xfail_tests ktls.sh"
    ;;
esac
# The system priority file is pointed at /dev/null so the test suite does not
# pick up the builder's crypto-policies configuration.
make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$xfail_tests"
popd
%endif

%files -f native_build/gnutls.lang
%{_libdir}/libgnutls.so.30*
%if %{with fips}
%{_libdir}/.libgnutls.so.30*.hmac
%endif
%doc README.md AUTHORS NEWS THANKS
%license LICENSE doc/COPYING doc/COPYING.LESSER

%files c++
%{_libdir}/libgnutlsxx.so.*

%files devel
%{_includedir}/*
%{_libdir}/libgnutls*.so
%{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/*
%{_infodir}/gnutls*
%{_infodir}/pkcs11-vision*
%{_docdir}/manual/*

%files utils
%{_bindir}/certtool
%if %{with tpm12}
%{_bindir}/tpmtool
%endif
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%if %{with srp}
%{_bindir}/srptool
%endif
%if %{with dane}
%{_bindir}/danetool
%endif
%{_bindir}/gnutls*
%{_mandir}/man1/*
%doc doc/certtool.cfg

%if %{with dane}
%files dane
%{_libdir}/libgnutls-dane.so.*
%endif

%if %{with fips}
%files fips
%endif

%if %{with mingw}
%files -n mingw32-%{name}
%license LICENSE doc/COPYING doc/COPYING.LESSER
%{mingw32_bindir}/certtool.exe
%{mingw32_bindir}/gnutls-cli-debug.exe
%{mingw32_bindir}/gnutls-cli.exe
%{mingw32_bindir}/gnutls-serv.exe
%{mingw32_bindir}/libgnutls-30.dll
%{mingw32_bindir}/ocsptool.exe
%{mingw32_bindir}/p11tool.exe
%{mingw32_bindir}/psktool.exe
%if %{with srp}
%{mingw32_bindir}/srptool.exe
%endif
%{mingw32_libdir}/libgnutls.dll.a
%{mingw32_libdir}/libgnutls-30.def
%{mingw32_libdir}/pkgconfig/gnutls.pc
%{mingw32_includedir}/gnutls/

%files -n mingw64-%{name}
%license LICENSE doc/COPYING doc/COPYING.LESSER
%{mingw64_bindir}/certtool.exe
%{mingw64_bindir}/gnutls-cli-debug.exe
%{mingw64_bindir}/gnutls-cli.exe
%{mingw64_bindir}/gnutls-serv.exe
%{mingw64_bindir}/libgnutls-30.dll
%{mingw64_bindir}/ocsptool.exe
%{mingw64_bindir}/p11tool.exe
%{mingw64_bindir}/psktool.exe
%if %{with srp}
%{mingw64_bindir}/srptool.exe
%endif
%{mingw64_libdir}/libgnutls.dll.a
%{mingw64_libdir}/libgnutls-30.def
%{mingw64_libdir}/pkgconfig/gnutls.pc
%{mingw64_includedir}/gnutls/
%endif

%changelog
%autochangelog