# Shared-object version of libkcapi.  The three parts are joined into the
# package version further down; vmajor also names the .so.N HMAC symlink.
%global vmajor            1
%global vminor            0
%global vpatch            3

# Build switch for the -replacements sub-package (disabled by default).
%bcond_with replacements

# Oldest Linux Kernel release this package works with (v4.10.0).
%global min_kernel_ver    4.10.0

# Decide whether a sysctl.d preset has to be shipped.  In newer versions
# of the Linux Kernel the default ancillary buffer size is high enough.
# TODO: Adapt this when the patch for net/core/sock.c is merged.
# NOTE(review): posix.uname() reports the kernel the build host is running,
# not the kernel of the machine the package is installed on, so the outcome
# depends on the builder.  With the '99.0.0' placeholder the tweak is
# switched on for every realistic kernel release.
%if %{lua:print(rpm.vercmp('99.0.0', posix.uname('%r')));} >= 0
%global with_sysctl_tweak 1
%else
%global with_sysctl_tweak 0
%endif

%if %{with_sysctl_tweak}
# Priority prefix of the sysctl.d preset file name.
%global sysctl_prio       50

# Value the preset assigns to net.core.optmem_max.
%global sysctl_optmem_max 40960

# Extension of the README file that documents the preset.
# NOTE(review): expands to an empty string when neither the fedora nor the
# rhel macro is defined -- confirm that case cannot occur on the targets.
%global distroname_ext    %{?fedora:fedora}%{?rhel:redhat}
%endif

# Ancillary buffer limit of the build host; it is the lower bound for
# running the testsuite.  If the value cannot be read it becomes 0, i.e.
# we assume the testsuite cannot be run.
%global test_optmem_max   %(%{__cat} /proc/sys/net/core/optmem_max || echo 0)

# Base URL for picking patches from upstream commits or pull requests.
%global giturl            https://github.com/smuellerDD/%{name}

# Which system tools does the -replacements sub-package take over?  The
# individual switches only exist when replacements are built at all.  Each
# *_evr macro is the epoch-version-release used by the Requires, Conflicts,
# Obsoletes and Provides lines of that sub-package.
%if %{with replacements}

# coreutils
%bcond_with replace_coreutils
%if %{with replace_coreutils}
# TODO: Adapt this when replacing some coreutils initially.
%global coreutils_evr     8.29-1
%endif

# fipscheck
%bcond_with replace_fipscheck
%if %{with replace_fipscheck}
# TODO: Adapt this when replacing fipscheck initially.
%global fipscheck_evr     1.5.0-3
%endif

# hmaccalc
%bcond_with replace_hmaccalc
%if %{with replace_hmaccalc}
# TODO: Adapt this when replacing hmaccalc initially.
%global hmaccalc_evr      0.9.14-8
%endif

%endif

# Generate the HMAC checksum files from the final, stripped binaries by
# appending the fipshmac calls to the regular post-install steps (debuginfo
# extraction, arch and OS post-processing run first).
# %%define with lazy expansion is used intentionally; %%global does not
# work here.
# NOTE(review): the .hmac files are written by the fipshmac binary of the
# build host (BuildRequires: fipscheck).  They appear to be integrity
# self-check values for the shipped binaries and should not be read as a
# replacement for verifying the package signature -- confirm against the
# fipscheck documentation.
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    %{_bindir}/fipshmac %{buildroot}%{_bindir}/* \
    %{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
    %{_bindir}/fipshmac %{buildroot}/%{_lib}/libkcapi.so.%{version} \
    %{__ln_s} .libkcapi.so.%{version}.hmac %{buildroot}/%{_lib}/.libkcapi.so.%{vmajor}.hmac \
%{nil}


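Name:           libkcapi
Version:        %{vmajor}.%{vminor}.%{vpatch}
Release:        2%{?dist}
Summary:        User space interface to the Linux Kernel Crypto API

License:        BSD or GPLv2
# Upstream site and release tarball.  Both are referenced over HTTPS so
# that a download of the sources is not exposed to modification in transit.
URL:            https://www.chronox.de/%{name}.html
Source0:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
# Detached signature for Source0.
# NOTE(review): nothing in this spec checks Source0 against this signature.
# To make use of it, the upstream signing key has to be shipped as a
# further Source and the check has to run at the start of the prep section,
# before the sources are unpacked.
Source1:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc

# Upstream fixes, each referenced by its full commit hash.
Patch0:         %{giturl}/commit/ee348492dfdd2df1d7e1c431d106dfe11edfcd86.patch#/%{name}-1.0.3-Makefile_absolute_path_docproc.patch
Patch1:         %{giturl}/commit/176c6e3d47ff63a6f51b92a05ce19857099ba74a.patch#/%{name}-1.0.3-Makefile_pdftex_custom_homedir.patch
Patch2:         %{giturl}/commit/63855e3e2414afbe232e5ea2e4bdfb03b786344a.patch#/%{name}-1.0.3-libtool_pic_pie.patch
Patch3:         %{giturl}/commit/b9bced05dae319c6a00c2adce8953d468404a95c.patch#/%{name}-1.0.3-autotools_full_path.patch
Patch4:         %{giturl}/commit/ba147c9cce460c29076968c9e9e1a3828c0e9143.patch#/%{name}-1.0.3-hasher_test_hmaccalc_path.patch
Patch5:         %{giturl}/commit/bc7c26efe5ab5c7644fac421b2fb6b1b687c4d0e.patch#/%{name}-1.0.3-test_invocation_fix_bash_coding_error.patch

# Compilers, documentation tooling and the helpers called by the install
# and post-install steps (fipshmac comes from fipscheck).
BuildRequires:  clang
BuildRequires:  coreutils
BuildRequires:  cppcheck
BuildRequires:  docbook-utils-pdf
BuildRequires:  fipscheck
BuildRequires:  gcc
BuildRequires:  hardlink
BuildRequires:  hmaccalc
BuildRequires:  libtool
BuildRequires:  openssl
BuildRequires:  systemd
BuildRequires:  xmlto

# To make sure this is neither buildable nor installable if the
# available Linux Kernel does not support the Linux Kernel
# Crypto API User Space Interface.
# NOTE(review): the build-time check looks at the kernel-headers package in
# the build root, which need not match the kernel the builder is running.
BuildRequires:  kernel-headers >= %{min_kernel_ver}
Requires:       kernel >= %{min_kernel_ver}

# For ownership of %%{_sysctldir}.
Requires:       systemd

%if !%{with replacements}
Obsoletes:      %{name}-replacements%{?_isa} <= %{version}-%{release}
%endif

%description
libkcapi allows user-space to access the Linux kernel crypto API.

This library uses the netlink interface and exports easy to use APIs
so that a developer does not need to consider the low-level netlink
interface handling.

The library does not implement any cipher algorithms. All consumer
requests are sent to the kernel for processing. Results from the
kernel crypto API are returned to the consumer via the library API.

The kernel interface and therefore this library can be used by
unprivileged processes.

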
%package        devel
# Headers and the unversioned .so link; tied to the exact library build.
Summary:        Development files for the %{name} package
Requires:       %{name}%{?_isa} == %{version}-%{release}

%description    devel
Header files for applications that use %{name}.


%package        doc
# Architecture-independent documentation.
Summary:        User documentation for the %{name} package
BuildArch:      noarch

%description    doc
User documentation for %{name}.


%if %{with replacements}
%package        replacements
# Drop-in tools that take over names from other packages.  Which names are
# taken over is selected by the replace_* build switches.
Summary:        Drop-in replacements provided by the %{name} package
Requires:       %{name}%{?_isa} == %{version}-%{release}

%if %{with replace_coreutils}
# Coexists with a new enough coreutils; older builds and coreutils-single
# are declared as conflicting.
Requires:       coreutils%{?_isa} >= %{coreutils_evr}

Conflicts:      coreutils < %{coreutils_evr}
Conflicts:      coreutils-single
%endif
%if %{with replace_fipscheck}
# Takes the place of fipscheck up to the recorded EVR.
Obsoletes:      fipscheck <= %{fipscheck_evr}

Provides:       fipscheck == %{fipscheck_evr}.1
Provides:       fipscheck%{?_isa} == %{fipscheck_evr}.1
%endif
%if %{with replace_hmaccalc}
# Takes the place of hmaccalc up to the recorded EVR.
Obsoletes:      hmaccalc <= %{hmaccalc_evr}

Provides:       hmaccalc == %{hmaccalc_evr}.1
Provides:       hmaccalc%{?_isa} == %{hmaccalc_evr}.1
%endif

%description    replacements
Provides drop-in replacements for
%if %{with replace_fipscheck}
* fipscheck and fipshmac (fipscheck)
%endif
%if %{with replace_hmaccalc}
* sha*hmac (hmaccalc)
%endif
%if %{with replace_coreutils}
* sha*sum (coreutils)
%endif
tools using %{name}.
%endif


%package        static
# Static archive; depends on the matching -devel build.
Summary:        Static library for -static linking with %{name}
Requires:       %{name}-devel%{?_isa} == %{version}-%{release}

%description    static
This package contains the %{name} static libraries for -static
linking. You don't need this, unless you link statically, which
is highly discouraged.


%package        tools
# Command line front ends; tied to the exact library build.
Summary:        Utility applications for the %{name} package
Requires:       %{name}%{?_isa} == %{version}-%{release}

%description    tools
Utility applications that are provided with %{name}. This includes
tools to use message digests, symmetric ciphers and random number
generators implemented in the Linux kernel from command line.


%prep
# Unpack Source0 and apply all patches with strip level 1.
# NOTE(review): the detached signature listed as Source1 is not checked
# before the sources are unpacked here.
%autosetup -p 1

%if %{with_sysctl_tweak}
# Generate the sysctl.d preset.
# NOTE(review): net.core.optmem_max is a system-wide setting, so the preset
# raises the ancillary buffer limit for every socket on the host and not
# only for the sockets used by this library.
%{__cat} << EOF > %{sysctl_prio}-%{name}-optmem_max.conf
# See the 'README.%{distroname_ext}' file shipped in %%doc
# with the %{name} package.
#
# See '%{_sysctldir}/50-default.conf',
# if you need or want to override this preset.

# Increase the ancillary buffer size per socket.
net.core.optmem_max = %{sysctl_optmem_max}
EOF

# Generate the distribution specific README that explains the preset.
%{__cat} << EOF > README.%{distroname_ext}
This package increases the default limit of the ancillary buffer size
per kernel socket defined in \`net.core.optmem_max\` to %{sysctl_optmem_max} bytes.

For this preset to become active it requires a reboot after the
installation of this package. You can also manually increase this
limit by invocing \`sysctl net.core.optmem_max=%{sysctl_optmem_max}\` as the
super-user, e.g. using \`su\` or \`sudo\` on the terminal.

This is done to provide consumers of the new Linux Kernel Crypto API
User Space Interface a well sufficient and reasonable maximum limit
by default, especially when using AIO with a larger amount of IOVECs.

For further information about the AF_ALG kernel socket and AIO, see
the discussion at the kernel-crypto mailing-list:
https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg30417.html

See the instructions given in '%{_sysctldir}/50-default.conf',
if you need or want to override the preset made by this package.
EOF
%endif

# Regenerate the autotools files after patching.
%{_bindir}/autoreconf -fiv


%build
# Paths first, then the library flavours, then the command line tools.
# The libraries are placed in /%%{_lib}; the pkg-config file stays below
# %%{_libdir}.
%configure \
    --libdir=/%{_lib} \
    --with-pkgconfigdir=%{_libdir}/pkgconfig \
    --disable-silent-rules \
    --enable-shared \
    --enable-static \
    --enable-kcapi-encapp \
    --enable-kcapi-dgstapp \
    --enable-kcapi-hasher \
    --enable-kcapi-rngapp \
    --enable-kcapi-speed \
    --enable-kcapi-test
%make_build all doc


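%install
%make_install

%if %{with_sysctl_tweak}
# Install sysctl.d preset.  The preset file is only generated in the prep
# section and only listed in the files section when the tweak is enabled,
# so the installation has to honour the same switch.  Without the guard the
# build breaks on a missing file and an undefined sysctl_prio macro as soon
# as the tweak is turned off.
%{__mkdir_p} %{buildroot}%{_sysctldir}
%{__install} -Dpm 0644 -t %{buildroot}%{_sysctldir} \
    %{sysctl_prio}-%{name}-optmem_max.conf
%endif

# Install into proper location for inclusion by %%doc.
%{__mkdir_p} %{buildroot}%{_pkgdocdir}
%{__install} -Dpm 0644 -t %{buildroot}%{_pkgdocdir} \
%if %{with_sysctl_tweak}
    README.%{distroname_ext} \
%endif
    README.md CHANGES TODO doc/%{name}.p{df,s}
%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}

%if !%{with replacements}
# The -replacements sub-package is not built: drop the hasher binary and
# all of its invocation names from the build root.
%{__rm} -f \
    %{buildroot}%{_bindir}/fips* \
    %{buildroot}%{_bindir}/kcapi-hasher \
    %{buildroot}%{_bindir}/md5sum \
    %{buildroot}%{_bindir}/sha*hmac \
    %{buildroot}%{_bindir}/sha*sum
%endif

# We don't ship autocrap dumplings.
%{_bindir}/find %{buildroot} -type f -name '*.la' -print -delete

# HMAC checksums are generated during __spec_install_post.  Anything the
# upstream install step produced is removed so that only checksums of the
# final stripped binaries end up in the package.
%{_bindir}/find %{buildroot} -type f -name '*.hmac' -print -delete

# Remove 0-size files.
%{_bindir}/find %{buildroot} -type f -size 0 -print -delete

# Make sure all docs have non-exec permissions, except for the dirs.
# find runs chmod itself, so file names containing whitespace are passed
# on intact instead of being split by xargs.
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type f \
    -exec %{__chmod} -c 0644 {} +
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type d \
    -exec %{__chmod} -c 0755 {} +

# Possibly save some space by hardlinking.
for d in %{_mandir} %{_pkgdocdir}; do
    %{_sbindir}/hardlink -cfv %{buildroot}$d
done

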
%check
# Some basic sanity checks: the cppcheck and scan targets of the upstream
# build system.
%make_build cppcheck
%make_build scan

# On some arches `/proc/sys/net/core/optmem_max` is lower than 20480,
# which is the lowest limit needed to run the testsuite.  The testsuite is
# skipped when the build host does not meet that limit.
%if %{test_optmem_max} >= 20480
# Real testsuite.  ENABLE_FUZZ_TEST and NO_32BIT_TEST are passed through
# the environment and interpreted by test-invocation.sh.
pushd test
ENABLE_FUZZ_TEST=1 NO_32BIT_TEST=1 ./test-invocation.sh
popd
%endif


# Run ldconfig after installation and after removal.  Both scriptlets use
# -p, so their bodies have to stay empty: no comment or other line may be
# placed between them and the next section header.
%post   -p /sbin/ldconfig

%postun -p /sbin/ldconfig


%files
# Shared library, its HMAC checksum files and, when enabled, the sysctl.d
# preset together with its README.
%doc %dir %{_pkgdocdir}
%doc %{_pkgdocdir}/README.md
%license COPYING*
/%{_lib}/%{name}.so.%{vmajor}
/%{_lib}/%{name}.so.%{version}
/%{_lib}/.%{name}.so.%{vmajor}.hmac
/%{_lib}/.%{name}.so.%{version}.hmac
%if %{with_sysctl_tweak}
%doc %{_pkgdocdir}/README.%{distroname_ext}
%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf
%endif


%files devel
# Header, man pages of the API, the unversioned .so link and pkg-config.
%doc %{_pkgdocdir}/CHANGES
%doc %{_pkgdocdir}/TODO
%{_includedir}/kcapi.h
%{_mandir}/man3/kcapi_*.3.*
/%{_lib}/%{name}.so
%{_libdir}/pkgconfig/%{name}.pc


%files doc
# The complete documentation directory plus the license files.
%doc %{_pkgdocdir}
%license %{_datadir}/licenses/%{name}*


%if %{with replacements}
%files replacements
# The hasher binary with its HMAC file; every group of invocation names is
# either shipped or explicitly excluded, depending on its build switch.
%{_bindir}/kcapi-hasher
%{_bindir}/.kcapi-hasher.hmac
%if %{with replace_coreutils}
%{_bindir}/md5sum
%{_bindir}/.md5sum.hmac
%{_bindir}/sha*sum
%{_bindir}/.sha*sum.hmac
%else
%exclude %{_bindir}/md5sum
%exclude %{_bindir}/.md5sum.hmac
%exclude %{_bindir}/sha*sum
%exclude %{_bindir}/.sha*sum.hmac
%endif
%if %{with replace_fipscheck}
%{_bindir}/fips*
%{_bindir}/.fips*.hmac
%else
%exclude %{_bindir}/fips*
%exclude %{_bindir}/.fips*.hmac
%endif
%if %{with replace_hmaccalc}
%{_bindir}/sha*hmac
%{_bindir}/.sha*hmac.hmac
%else
%exclude %{_bindir}/sha*hmac
%exclude %{_bindir}/.sha*hmac.hmac
%endif
%endif


%files static
# Static archive only.
/%{_lib}/%{name}.a


%files tools
# All kcapi command line tools with their HMAC files and man pages; the
# hasher is left out here when it is shipped by -replacements.
%if %{with replacements}
%exclude %{_bindir}/kcapi-hasher
%exclude %{_bindir}/.kcapi-hasher.hmac
%endif
%{_bindir}/kcapi*
%{_bindir}/.kcapi*.hmac
%{_mandir}/man1/kcapi*.1.*


%changelog
* Wed Jan 17 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-2
- Decrease optmem_max preset to 40960
- Let the build fail, if the minimum kernel version cannot be met
- Conditionalize the sysctl.d tweak on version of the kernel
- Conditionalize the name of README.distro on the distro

* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-1
- Initial import (rhbz#1533929)

* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.13
- Increase optmem_max preset to 81920

* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.12
- Add sysctl.d preset and README.fedora

* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.11
- Make the contents of the -replacements package configurable

* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.10
- Fix Obsoletes of the -replacements package

* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.9
- Disable the -replacements package until we have a plan for it

* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.8
- Move the kcapi-hasher binary to -replacements package, since it is
  not of much use without the linked invocation names and saves the
  extra Requires on the -tools package

* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.7
- Fix internal Requires of sub-packages
- Hardlink files in %%{_bindir}

* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.6
- Add patches from upstream

* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.5
- Add patches from upstream

* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.4
- Assume the testsuite cannot be run, if the value of optmem_max cannot
  be obtained

* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.3
- Move libraries to /%%{_lib} instead of %%{_libdir}, which is useful
  during boot when the library might be needed before a potentially
  separate /usr partition is mounted

* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.2
- Assume optmem_max is at least 20480, if the real value cannot be obtained

* Fri Jan 12 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.1
- New upstream release

* Wed Jan 10 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.2-0.1
- Initial rpm release (rhbz#1533929)