rpms/gnutls
7
0
Fork 0
Code Issues Pull Requests Releases Activity
112336b5f6
gnutls/gnutls.spec
Daiki Ueno 112336b5f6 Statically link to Nettle libraries 
Like GMP, this changes the package build process so the libnettle and
libhogweed are built and linked statically to libgnutls. That makes it
a little simpler to handle FIPS installation, so the users don't need
to install a specific version of the nettle package by themselves, at
the cost of duplicating cryptography implementation provided by
Nettle.

Related: RHEL-50011
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-08-20 19:46:47 +09:00

620 lines
17 KiB
RPMSpec
Raw Blame History

%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/gnutls.spec")
for i, p in ipairs(patches) do
files = files.." "..p
end
for i, p in ipairs(sources) do
files = files.." "..p
end
local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
print(string.sub(hash, 0, 16))
}
Version: 3.8.7
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
# not upstreamed: can we drop this as configure is regenerated when bootstrappign?
Patch: gnutls-3.2.7-rpath.patch
# not upstreamed: modifies the generated code
Patch: gnutls-3.7.2-enable-intel-cet.patch
# not upstreamed: to ignore GNUTLS_NO_EXPLICIT_INIT, for long-term support purposes
Patch: gnutls-3.7.2-no-explicit-init.patch
# not upstreamed: to avoid any inconsistency between algorithms enabled through API vs the ones enabled through config file, for long-term support purposes
Patch: gnutls-3.7.3-disable-config-reload.patch
# not upstreamed: should be removed once --disable-dsa is ported
Patch: gnutls-3.7.3-fips-dsa-post.patch
# not upstreamed, reseed source DRBG for prediction resistance
Patch: gnutls-3.7.6-drbg-reseed.patch
# not upstreamed, hard blocking SHA-1 signature verification, for long-term support purposes
Patch: gnutls-3.7.6-fips-sha1-sigver.patch
# not upstreamed: see https://gitlab.com/gnutls/gnutls/-/issues/1443
Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1867
Patch: gnutls-3.8.7-pkgconf-dlopen.patch
%bcond_without bootstrap
%bcond_without dane
%bcond_without fips
%bcond_with tpm12
%bcond_without tpm2
%bcond_without gost
%bcond_without certificate_compression
%bcond_without liboqs
%bcond_without tests
%if 0%{?fedora} && 0%{?fedora} < 38
%bcond_without srp
%else
%bcond_with srp
%endif
%if 0%{?fedora}
%bcond_without mingw
%else
%bcond_with mingw
%endif
%if 0%{?rhel} >= 9 && %{with fips}
%bcond_without bundled_gmp
%else
%bcond_with bundled_gmp
%endif
%if 0%{?rhel} >= 10 && %{with fips}
%bcond_without bundled_nettle
%else
%bcond_with bundled_nettle
%endif
%define fips_requires() %{lua:
local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'")))
local v = f:read("*all")
f:close()
print("Requires: "..rpm.expand("%1%{?_isa}").." = "..v.."\\n")
}
Summary: A TLS protocol implementation
Name: gnutls
# The libraries are LGPLv2.1+, utilities are GPLv3+
License: GPL-3.0-or-later AND LGPL-2.1-or-later
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
BuildRequires: readline-devel, libtasn1-devel >= 4.3
%if %{with certificate_compression}
BuildRequires: zlib-devel, brotli-devel, libzstd-devel
%endif
%if %{with liboqs}
BuildRequires: liboqs-devel
%endif
%if %{with bootstrap}
BuildRequires: automake, autoconf, gperf, libtool, texinfo
%endif
%if !%{with bundled_nettle}
BuildRequires: nettle-devel >= 3.9.1
%endif
%if %{with tpm12}
BuildRequires: trousers-devel >= 0.3.11.2
%endif
%if %{with tpm2}
BuildRequires: tpm2-tss-devel >= 3.0.3
%endif
BuildRequires: libidn2-devel
BuildRequires: libunistring-devel
BuildRequires: net-tools, softhsm, gcc, gcc-c++
BuildRequires: gnupg2
BuildRequires: git-core
# for a sanity check on cert loading
BuildRequires: p11-kit-trust, ca-certificates
Requires: crypto-policies
Requires: p11-kit-trust
Requires: libtasn1 >= 4.3
%if !%{with bundled_nettle}
# always bump when a nettle release is packaged
Requires: nettle >= 3.9.1
%endif
%if %{with tpm12}
Recommends: trousers >= 0.3.11.2
%endif
%if %{with dane}
BuildRequires: unbound-devel unbound-libs
%endif
BuildRequires: make gtk-doc
%if %{with mingw}
BuildRequires: mingw32-filesystem >= 95
BuildRequires: mingw32-gcc
BuildRequires: mingw32-gcc-c++
BuildRequires: mingw32-libtasn1 >= 4.3
BuildRequires: mingw32-readline
BuildRequires: mingw32-zlib
BuildRequires: mingw32-p11-kit >= 0.23.1
BuildRequires: mingw32-nettle >= 3.6
BuildRequires: mingw64-filesystem >= 95
BuildRequires: mingw64-gcc
BuildRequires: mingw64-gcc-c++
BuildRequires: mingw64-libtasn1 >= 4.3
BuildRequires: mingw64-readline
BuildRequires: mingw64-zlib
BuildRequires: mingw64-p11-kit >= 0.23.1
BuildRequires: mingw64-nettle >= 3.6
%endif
URL: http://www.gnutls.org/
%define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1)
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz.sig
Source2: https://gnutls.org/gnutls-release-keyring.gpg
%if %{with bundled_gmp}
Source100: gmp-6.2.1.tar.xz
# Taken from the main gmp package
Source101: gmp-6.2.1-intel-cet.patch
%endif
%if %{with bundled_nettle}
Source200: nettle-3.10-hobbled.tar.xz
# Taken from the main nettle package
Source201: nettle-3.8-zeroize-stack.patch
%endif
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424
%package c++
Summary: The C++ interface to GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
%package devel
Summary: Development files for the %{name} package
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-c++%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif
Requires: pkgconfig
%package utils
License: GPL-3.0-or-later
Summary: Command line tools for TLS protocol
Requires: %{name}%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif
%if %{with dane}
%package dane
Summary: A DANE protocol implementation for GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
%endif
%if %{with fips}
%package fips
Summary: Virtual package to install packages required to use %{name} under FIPS mode
Requires: %{name}%{?_isa} = %{version}-%{release}
%if !%{with bundled_nettle}
%{fips_requires nettle}
%endif
%if !%{with bundled_gmp}
%{fips_requires gmp}
%endif
%endif
%description
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
%description c++
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
%description devel
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains files needed for developing applications with
the GnuTLS library.
%description utils
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains command line TLS client and server and certificate
manipulation tools.
%if %{with dane}
%description dane
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains library that implements the DANE protocol for verifying
TLS certificates through DNSSEC.
%endif
%if %{with fips}
%description fips
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package does not contain any file, but installs required packages
to use GnuTLS under FIPS mode.
%endif
%if %{with mingw}
%package -n mingw32-%{name}
Summary: MinGW GnuTLS TLS/SSL encryption library
Requires: pkgconfig
Requires: mingw32-libtasn1 >= 4.3
BuildArch: noarch
%description -n mingw32-gnutls
GnuTLS TLS/SSL encryption library. This library is cross-compiled
for MinGW.
%package -n mingw64-%{name}
Summary: MinGW GnuTLS TLS/SSL encryption library
Requires: pkgconfig
Requires: mingw64-libtasn1 >= 4.3
BuildArch: noarch
%description -n mingw64-gnutls
GnuTLS TLS/SSL encryption library. This library is cross-compiled
for MinGW.
%{?mingw_debug_package}
%endif
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1 -S git
%if %{with bundled_gmp}
mkdir -p bundled_gmp
pushd bundled_gmp
tar --strip-components=1 -xf %{SOURCE100}
patch -p1 < %{SOURCE101}
popd
%endif
%if %{with bundled_nettle}
mkdir -p bundled_nettle
pushd bundled_nettle
tar --strip-components=1 -xf %{SOURCE200}
patch -p1 < %{SOURCE201}
popd
%endif
%build
%define _lto_cflags %{nil}
%if %{with bundled_gmp}
pushd bundled_gmp
autoreconf -ifv
%configure --disable-cxx --disable-shared --enable-fat --with-pic
%make_build
popd
export GMP_DIR="$PWD/bundled_gmp"
export GMP_CFLAGS="-I$GMP_DIR"
export GMP_LIBS="$GMP_DIR/.libs/libgmp.a"
%endif
%if %{with bundled_nettle}
pushd bundled_nettle
./.bootstrap
# Disable -ggdb3 which makes debugedit unhappy
sed s/ggdb3/g/ -i configure
sed 's/ecc-secp192r1.c//g' -i Makefile.in
sed 's/ecc-secp224r1.c//g' -i Makefile.in
autoreconf -ifv
# For annocheck
export ASM_FLAGS="-Wa,--generate-missing-build-notes=yes"
%configure --disable-shared --enable-fat --disable-documentation \
--with-include-path="$GMP_DIR" \
--with-lib-path="$GMP_DIR/.libs" \
%{nil}
%make_build
ln -s . nettle
popd
export NETTLE_DIR="$PWD/bundled_nettle"
export NETTLE_CFLAGS="-I$NETTLE_DIR"
export NETTLE_LIBS="$NETTLE_DIR/libnettle.a"
export HOGWEED_CFLAGS="-I$NETTLE_DIR"
export HOGWEED_LIBS="$NETTLE_DIR/libhogweed.a"
%endif
%if %{with bootstrap}
autoreconf -fi
%endif
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
echo "SYSTEM=NORMAL" >> tests/system.prio
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
export CCASFLAGS
%if %{with fips}
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
%endif
mkdir native_build
pushd native_build
%global _configure ../configure
%configure \
%if %{with fips}
--enable-fips140-mode \
--with-fips140-module-name="$FIPS_MODULE_NAME" \
--with-fips140-module-version=%{version}-%{srpmhash} \
%endif
%if %{with gost}
--enable-gost \
%else
--disable-gost \
%endif
%if %{with srp}
--enable-srp-authentication \
%endif
%ifarch %{ix86}
--disable-year2038 \
%endif
--enable-sha1-support \
--disable-static \
--disable-openssl-compatibility \
--disable-non-suiteb-curves \
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
--with-default-trust-store-pkcs11="pkcs11:" \
%if %{with tpm12}
--with-trousers-lib=%{_libdir}/libtspi.so.1 \
%else
--without-tpm \
%endif
%if %{with tpm2}
--with-tpm2 \
%else
--without-tpm2 \
%endif
--enable-ktls \
--htmldir=%{_docdir}/manual \
%if %{with dane}
--with-unbound-root-key-file=/var/lib/unbound/root.key \
--enable-libdane \
%else
--disable-libdane \
%endif
%if %{with certificate_compression}
--with-zlib --with-brotli --with-zstd \
%else
--without-zlib --without-brotli --without-zstd \
%endif
%if %{with liboqs}
--with-liboqs \
%else
--without-liboqs \
%endif
--disable-rpath \
--with-default-priority-string="@SYSTEM"
%make_build
popd
%if %{with mingw}
# MinGW does not support CCASFLAGS
export CCASFLAGS=""
%mingw_configure \
%if %{with srp}
--enable-srp-authentication \
%endif
--enable-sha1-support \
--disable-static \
--disable-openssl-compatibility \
--disable-non-suiteb-curves \
--disable-libdane \
--disable-rpath \
--disable-nls \
--disable-cxx \
--enable-local-libopts \
--enable-shared \
--without-tpm \
--with-included-unistring \
--disable-doc \
--with-default-priority-string="@SYSTEM"
%mingw_make %{?_smp_mflags}
%endif
%install
%make_install -C native_build
pushd native_build
make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%if %{without dane}
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
%endif
%if %{with fips}
# doing it twice should be a no-op the second time,
# and this way we avoid redefining it and missing a future change
%global __debug_package 1
%{__spec_install_post}
fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*`
./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac"
%endif
%if %{with fips}
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
%{nil}
%endif
%find_lang gnutls
popd
%if %{with mingw}
%mingw_make_install
# Remove .la files
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la
# The .def files aren't interesting for other binaries
rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def
rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def
# Remove info and man pages which duplicate stuff in Fedora already.
rm -rf $RPM_BUILD_ROOT%{mingw32_infodir}
rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
rm -rf $RPM_BUILD_ROOT%{mingw32_docdir}/gnutls
rm -rf $RPM_BUILD_ROOT%{mingw64_infodir}
rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
rm -rf $RPM_BUILD_ROOT%{mingw64_docdir}/gnutls
# Remove test libraries
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/crypt32.dll*
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/ncrypt.dll*
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/crypt32.dll*
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll*
%mingw_debug_install_post
%endif
%check
%if %{with tests}
pushd native_build
# KeyUpdate is not yet supported in the kernel.
xfail_tests=ktls_keyupdate.sh
# The ktls.sh test currently only supports kernel 5.11+. This needs to
# be checked at run time, as the koji builder might be using a different
# version of kernel on the host than the one indicated by the
# kernel-devel package.
case "$(uname -r)" in
4.* | 5.[0-9].* | 5.10.* )
xfail_tests="$xfail_tests ktls.sh"
;;
esac
make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$xfail_tests"
popd
%endif
%files -f native_build/gnutls.lang
%{_libdir}/libgnutls.so.30*
%if %{with fips}
%{_libdir}/.libgnutls.so.30*.hmac
%endif
%doc README.md AUTHORS NEWS THANKS
%license LICENSE doc/COPYING doc/COPYING.LESSER
%files c++
%{_libdir}/libgnutlsxx.so.*
%files devel
%{_includedir}/*
%{_libdir}/libgnutls*.so
%{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/*
%{_infodir}/gnutls*
%{_infodir}/pkcs11-vision*
%{_docdir}/manual/*
%files utils
%{_bindir}/certtool
%if %{with tpm12}
%{_bindir}/tpmtool
%endif
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%if %{with srp}
%{_bindir}/srptool
%endif
%if %{with dane}
%{_bindir}/danetool
%endif
%{_bindir}/gnutls*
%{_mandir}/man1/*
%doc doc/certtool.cfg
%if %{with dane}
%files dane
%{_libdir}/libgnutls-dane.so.*
%endif
%if %{with fips}
%files fips
%endif
%if %{with mingw}
%files -n mingw32-%{name}
%license LICENSE doc/COPYING doc/COPYING.LESSER
%{mingw32_bindir}/certtool.exe
%{mingw32_bindir}/gnutls-cli-debug.exe
%{mingw32_bindir}/gnutls-cli.exe
%{mingw32_bindir}/gnutls-serv.exe
%{mingw32_bindir}/libgnutls-30.dll
%{mingw32_bindir}/ocsptool.exe
%{mingw32_bindir}/p11tool.exe
%{mingw32_bindir}/psktool.exe
%if %{with srp}
%{mingw32_bindir}/srptool.exe
%endif
%{mingw32_libdir}/libgnutls.dll.a
%{mingw32_libdir}/libgnutls-30.def
%{mingw32_libdir}/pkgconfig/gnutls.pc
%{mingw32_includedir}/gnutls/
%files -n mingw64-%{name}
%license LICENSE doc/COPYING doc/COPYING.LESSER
%{mingw64_bindir}/certtool.exe
%{mingw64_bindir}/gnutls-cli-debug.exe
%{mingw64_bindir}/gnutls-cli.exe
%{mingw64_bindir}/gnutls-serv.exe
%{mingw64_bindir}/libgnutls-30.dll
%{mingw64_bindir}/ocsptool.exe
%{mingw64_bindir}/p11tool.exe
%{mingw64_bindir}/psktool.exe
%if %{with srp}
%{mingw64_bindir}/srptool.exe
%endif
%{mingw64_libdir}/libgnutls.dll.a
%{mingw64_libdir}/libgnutls-30.def
%{mingw64_libdir}/pkgconfig/gnutls.pc
%{mingw64_includedir}/gnutls/
%endif
%changelog
%autochangelog
Reference in New Issue View Git Blame Copy Permalink