diff --git a/nettle.spec b/nettle.spec
index 4249469..4032054 100644
--- a/nettle.spec
+++ b/nettle.spec
@@ -11,10 +11,17 @@
 %global hogweed_so_ver_old 5
 %endif
-# RHEL 9 and later include nettle in the gnutls module boundary,
-# and HMAC is calculated there with its own tool.
-%if %{defined rhel} && 0%{?rhel} < 9
-%bcond_without fips
+%if %{defined rhel}
+# * RHEL 9 and later include nettle in the gnutls module boundary,
+# and HMAC is calculated there with its own tool.
+# * RHEL 9 and later statically links to gmp to ensure zeroization of CSP.
+%if 0%{?rhel} < 9
+%bcond_without fipshmac
+%bcond_with bundle_gmp
+%else
+%bcond_with fipshmac
+%bcond_without bundle_gmp
+%endif
 %endif
 Name: nettle
@@ -39,12 +46,12 @@ Source102: gmp-6.2.1-zeroize-allocator.patch
 BuildRequires: make
 BuildRequires: gcc
-%if !%{with fips}
+%if !%{with bundle_gmp}
 BuildRequires: gmp-devel
 %endif
 BuildRequires: m4
 BuildRequires: libtool, automake, autoconf, gettext-devel
-%if %{with fips}
+%if %{with fipshmac}
 BuildRequires: fipscheck
 %endif
@@ -70,7 +77,7 @@ applications with nettle.
 %prep
 %autosetup -Tb 0 -p1
-%if %{with fips}
+%if %{with bundle_gmp}
 mkdir -p bundled_gmp
 pushd bundled_gmp
 tar --strip-components=1 -xf %{SOURCE100}
@@ -101,7 +108,7 @@ sed 's/ecc-secp192r1.c//g' -i Makefile.in
 sed 's/ecc-secp224r1.c//g' -i Makefile.in
 %build
-%if %{with fips}
+%if %{with bundle_gmp}
 pushd bundled_gmp
 autoreconf -ifv
 %configure --disable-cxx --disable-shared --enable-fat --with-pic
@@ -113,7 +120,7 @@ autoreconf -ifv
 # For annocheck
 export ASM_FLAGS="-Wa,--generate-missing-build-notes=yes"
 %configure --enable-shared --enable-fat \
-%if %{with fips}
+%if %{with bundle_gmp}
 --with-include-path=$PWD/bundled_gmp --with-lib-path=$PWD/bundled_gmp/.libs \
 %endif
 %{nil}
@@ -127,7 +134,7 @@ autoconf
 popd
 %endif
-%if %{with fips}
+%if %{with fipshmac}
 %define fipshmac() \
 fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/%1.* \
 file=`basename $RPM_BUILD_ROOT%{_libdir}/%1.*.hmac` && \
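Review bot: Both build conditionals are declared only inside `%if %{defined rhel}`, so on any other distribution neither `%bcond_with` nor `%bcond_without` runs and `%{with bundle_gmp}` / `%{with fipshmac}` just evaluate to false. Passing `--with bundle_gmp` to rpmbuild then has no effect, because nothing maps the command-line switch onto the `with_bundle_gmp` macro. Since the comment ties the bundled gmp to zeroization of CSPs, a non-RHEL build links the system gmp without that property and cannot opt in. An outer `%else` holding `%bcond_with fipshmac` and `%bcond_with bundle_gmp` before the final `%endif` would keep today's defaults while making both options selectable.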
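Review bot: Dropping `BuildRequires: gmp-devel` under `bundle_gmp` means the resulting libraries embed a private copy of gmp, but nothing in this hunk records that for dependency or vulnerability tracking. If the spec does not already declare it outside the visible lines, add `%if %{with bundle_gmp}` / `Provides: bundled(gmp) = 6.2.1` / `%endif` next to these BuildRequires (version taken from the Source102 patch name). Without it, a gmp advisory cannot be matched to nettle builds, and the static copy will not pick up a fixed system gmp until nettle itself is rebuilt.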
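Review bot: Nothing asserts that the `--with-include-path=$PWD/bundled_gmp --with-lib-path=$PWD/bundled_gmp/.libs` override is what the link actually used. The static archive should win, since the bundled gmp is configured with `--disable-shared`. But if a system libgmp reaches the build root transitively and the search order ever changes, libhogweed would link it dynamically and silently lose the zeroizing allocator. A `%check` step guarded by `%if %{with bundle_gmp}` that fails when `readelf -d` on the built libhogweed shared object lists libgmp as NEEDED would turn that into a build failure. The `%build` section continues outside this hunk.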
@@ -191,7 +198,7 @@ make check
 %{_libdir}/libhogweed.so.%{hogweed_so_ver_old}
 %{_libdir}/libhogweed.so.%{hogweed_so_ver_old}.*
 %endif
-%if %{with fips}
+%if %{with fipshmac}
 %{_libdir}/.libhogweed.so.*.hmac
 %{_libdir}/.libnettle.so.*.hmac
 %endif