
#
# spec file for package libgcrypt
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


# Build-time switches and derived names used throughout this spec.
# build_hmac256: when non-zero, fipshmac checksums (.hmac files) are created
# for the library and the hmac256 tool after the post-install stripping step.
%define build_hmac256 1
# separate_hmac256_binary: when non-zero, the hmac256 tool gets its own
# subpackage; with 0 its files are listed in the devel subpackage instead.
%define separate_hmac256_binary 0
# Name of the shared-library subpackage (package name plus, presumably, the
# soname major number).
%define libsoname %{name}20
# NOTE(review): sosuffix is not referenced anywhere else in this spec.
%define sosuffix  20.0.1
# Install location of the CAVS test drivers, outside the regular bin directory.
%define cavs_dir %{_libexecdir}/%{name}/cavs
Name:           libgcrypt
# NOTE(review): the version string stays at 1.6.1 while security fixes are
# carried as patches (see the CVE-named Patch tags), so the version number
# alone does not tell whether a given CVE is fixed in this package.
Version:        1.6.1
Release:        0
Summary:        The GNU Crypto Library
License:        GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
Group:          Development/Libraries/C and C++
Url:            http://directory.fsf.org/wiki/Libgcrypt
# Upstream tarball and its detached signature. Both are fetched over plain
# ftp, so the transport gives no integrity protection; authenticity rests on
# checking the .sig against the keyring shipped as Source4.
# NOTE(review): this spec does not invoke a signature check itself;
# presumably the build service validates Source against Source1 and Source4
# before building -- confirm.
Source:         ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
Source1:        ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
Source2:        baselibs.conf
# http://www.gnupg.org/signature_key.en.html
Source4:        %{name}.keyring
# cavs test framework
Source5:        cavs-test.sh
Source6:        cavs_driver.pl
# Patch list. The tags appear in the same order in which the prep section
# applies them; note that Patch32 sits after Patch34 in both places, so the
# order is not strictly numeric and must be kept in sync when editing.
Patch0:         %{name}-ppc64.patch
Patch1:         %{name}-strict-aliasing.patch
Patch3:         %{name}-1.4.1-rijndael_no_strict_aliasing.patch
Patch4:         %{name}-sparcv9.diff
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
#was: libgcrypt-1.5.0-as-needed.patch
Patch5:         libgcrypt-unresolved-dladdr.patch
#PATCH-FIX-SUSE: N/A
Patch7:         libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
#PATCH-FIX-UPSTREAM: internal functions are supposed to be used inside libgcrypt, mvyskocil@suse.com
Patch8:         libgcrypt-1.6.0-use-intenal-functions.patch
Patch11:        libgcrypt-fixed-sizet.patch
# From here on most patches are FIPS related, judging by their names
# (integrity check, CAVS drivers, DRBG, self-tests, algorithm restrictions).
Patch12:        libgcrypt-1.6.1-use-fipscheck.patch
Patch13:        libgcrypt-1.6.1-fips-cavs.patch
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
Patch14:        libgcrypt-1.6.1-fips-cfgrandom.patch
# add support for SP800-90A DRBG (fate#316929, bnc#856312)
Patch21:        v10-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
Patch28:        libgcrypt-fix-rng.patch
Patch29:        libgcrypt-init-at-elf-load-fips.patch
Patch30:        libgcrypt-fips_add_drbg_cavs_test.patch
Patch31:        libgcrypt-fips-dsa.patch
Patch33:        libgcrypt-fips_ecdsa.patch
Patch34:        libgcrypt-fips_PKBKDF_missing_step1.patch
Patch32:        libgcrypt-fips_run_selftest_at_constructor.patch
Patch35:        calculate-fips-checksum-after-build.patch
Patch36:        disable-algorithms-that-are-not-allowed-in-fips.patch
Patch37:        RSA-FIPS-186-4-adjustments.patch
Patch38:        skip-GCM-for-FIPS.patch
Patch39:        fix-test-suite-for-RSA-in-fips-mode.patch
Patch41:        libgcrypt-fips_enable_hardware_support.patch
Patch42:        libgcrypt-fips_fipsdrv.patch
Patch43:        libgcrypt-fips_cavs_rsa_keygen.patch
Patch50:        libgcrypt-fips_rsa_keygen.patch
Patch51:        libgcrypt-fips_KAT_keygen_test.patch
Patch52:        libgcrypt-fips_testsuite.patch
Patch53:        libgcrypt-fips_handle_priming_error_in_drbg.patch
Patch54:        libgcrypt-fips_pss.patch
Patch55:        libgcrypt-fips_rsa_p_less_than_q.patch
# From here on the list mixes security backports (CVE id in the file name)
# with further FIPS and DRBG fixes. The CVE id in a file name is the
# reference for what that patch addresses; several CVEs are split across
# more than one patch, and all parts are needed.
Patch60:        libgcrypt-CVE-2014-3591.patch
Patch61:        libgcrypt-1.6.1-drbg-reseeding.patch
Patch62:        drbg_test-reseeding.patch
# NOTE(review): judging by its name, the next patch changes privilege
# dropping in the secure-memory code; worth reading during a security review.
Patch63:        libgcrypt-secmem_dont_drop_privilege.patch
Patch64:        libgcrypt-CVE-2015-0837-1.patch
Patch65:        libgcrypt-CVE-2015-0837-2.patch
Patch66:        libgcrypt-CVE-2015-0837-3.patch
Patch67:        libgcrypt-bsc932232-avoid-drbg-crash-with-fips.patch
Patch68:        libgcrypt-CVE-2015-7511.patch
Patch69:        libgcrypt-CVE-2016-6313-1.patch
Patch70:        libgcrypt-CVE-2016-6313-2.patch
#PATCH-FIX-UPSTREAM -- pmonrealgonzalez@suse.com bsc#1042326 timing attack on EdDSA session key
Patch71:        libgcrypt-secure-EdDSA-session-key.patch 
#PATCH-FIX-UPSTREAM -- pmonrealgonzalez@suse.com bsc#1046607 Hardening against local side-channel attack
Patch72:        libgcrypt-CVE-2017-7526-1.6.1-1.patch
Patch73:        libgcrypt-CVE-2017-7526-1.6.1-2.patch
Patch74:        libgcrypt-fips-use_dlopen_to_get_hmac_path.patch
Patch75:        libgcrypt-fips_dont_seed_drbg_in_selftests.patch
Patch76:        libgcrypt-fips_drbg_healthcheck_sanity_bug.patch
Patch77:        libgcrypt-fips_avoid_clash_with_gkd.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
Patch78:        libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
Patch79:        libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
#PATCH-FIX-UPSTREAM bsc#1097410 fix novel side-channel attack
Patch80:        CVE-2018-0495.patch
# NOTE(review): by its name, the last patch extends the binary integrity
# check to non-FIPS mode; together with the merely suggested checksum
# subpackage this deserves a check of the missing-checksum behaviour.
Patch81:        libgcrypt-binary_integrity_in_non-FIPS.patch

# Build-time requirements. autoreconf is run in the build section, hence the
# autotools entries.
BuildRequires:  automake >= 1.11
# presumably provides the fipshmac tool called in the build and check
# sections -- confirm
BuildRequires:  fipscheck
BuildRequires:  libgpg-error-devel >= 1.11
BuildRequires:  libtool
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
Libgcrypt is a general purpose library of cryptographic building
blocks.  It is originally based on code used by GnuPG.  It does not
provide any implementation of OpenPGP or other protocols.  Thorough
understanding of applied cryptography is required to use Libgcrypt.

%package -n %{libsoname}
# Runtime shared library.
# NOTE(review): the checksum subpackage is only suggested, not required, so
# the library can be installed without its .hmac file even though the build
# enables the binary integrity check. How the library reacts to a missing
# checksum is decided in the patched sources, not in this spec -- confirm
# that the resulting behaviour is the intended one.
Summary:        The GNU Crypto Library
License:        GPL-2.0-or-later AND LGPL-2.1-or-later
Group:          Development/Libraries/C and C++
Suggests:       %{libsoname}-hmac = %{version}-%{release}

%description -n %{libsoname}
Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version).

%package -n %{libsoname}-hmac
# Checksum files for the shared library. The dependency below is pinned to
# the exact version and release, presumably because a checksum only matches
# the very binary it was computed from.
Summary:        HMAC checksums for the GNU Crypto Library
License:        GPL-2.0-or-later AND LGPL-2.1-or-later
Group:          Development/Libraries/C and C++
Requires:       %{libsoname} = %{version}-%{release}

%description -n %{libsoname}-hmac
Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version). This package contains the HMAC checksum files
for integrity checking the library, as required by FIPS 140-2.

%package devel
# Headers, linker symlink, info pages and helper tools.
# NOTE(review): the library dependency pins the version but not the release,
# unlike the checksum subpackage, so a devel package can be paired with a
# library from a different rebuild of the same version.
Summary:        The GNU Crypto Library
License:        GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
Group:          Development/Libraries/C and C++
Requires:       %{libsoname} = %{version}
Requires:       glibc-devel
Requires:       libgpg-error-devel >= 1.8
Requires(post): %{install_info_prereq}

%description devel
Libgcrypt is a general purpose library of cryptographic building
blocks.  It is originally based on code used by GnuPG.  It does not
provide any implementation of OpenPGP or other protocols.  Thorough
understanding of applied cryptography is required to use Libgcrypt.

This package contains needed files to compile and link against the
library.

%package cavs
# CAVS test harness (driver scripts plus the test binaries moved into the
# cavs directory by the install section).
# NOTE(review): the checksum dependency is unversioned; version consistency
# relies on the checksum subpackage's own exact pin on the library.
Summary:        The GNU Crypto Library
License:        GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
Group:          Development/Libraries/C and C++
Requires:       %{libsoname} = %{version}
Requires:       %{libsoname}-hmac

%description cavs
CAVS testing framework for libgcrypt

%if 0%{?separate_hmac256_binary}

%package hmac256
# Optional subpackage for the hmac256 tool. It is only declared when
# separate_hmac256_binary is non-zero; that switch is set to 0 at the top of
# this spec, so this whole declaration is currently skipped.
Summary:        The GNU Crypto Library
License:        GPL-2.0-or-later AND LGPL-2.1-or-later
Group:          Development/Libraries/C and C++
Requires:       %{libsoname} = %{version}
Requires:       libgpg-error-devel
Requires(post): %{install_info_prereq}

%description hmac256
Libgcrypt is a general purpose library of cryptographic building
blocks.  It is originally based on code used by GnuPG.  It does not
provide any implementation of OpenPGP or other protocols.  Thorough
understanding of applied cryptography is required to use Libgcrypt.

%endif  # #if separate_hmac256_binary

%prep
# Unpack the upstream tarball, then apply every patch with strip level 1 in
# the same order as the Patch tags are listed (Patch32 after Patch34).
# NOTE(review): nothing in this section checks the tarball against its
# detached signature; presumably source validation happens in the build
# service before this point -- confirm.
%setup -q
%patch0 -p1
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch7 -p1
%patch8 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch21 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch33 -p1
%patch34 -p1
%patch32 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
# Security backports start here, interleaved with further FIPS/DRBG fixes.
# Every listed patch must be applied: a Patch tag without a matching line in
# this section leaves the corresponding fix out of the build.
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch81 -p1

%build
# Record the checksum switch in the build log.
echo building with build_hmac256 set to %{build_hmac256}
%{?suse_update_config}
# Regenerate the autotools output after patching.
autoreconf -fi
# Distribution optimisation flags plus the large-file-support flags reported
# by getconf.
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
# Configure switches, as far as their names show:
#   with-pic, enable-noexecstack   position-independent code, non-executable stack
#   disable-static                 shared library only, no static archive
#   enable-hmac-binary-check       library integrity check against its .hmac file
#   enable-random=linux            Linux random-number backend
#   disable-asm (sparc only)       build without the assembler implementations
# NOTE(review): enable-m-guard switches on a memory-guard facility; confirm
# that it is wanted in a production build.
%configure --with-pic \
	   --enable-noexecstack \
	   --disable-static \
           --enable-m-guard \
%ifarch %{sparc}
		   --disable-asm \
%endif
           --enable-hmac-binary-check \
           --enable-random=linux
make %{?_smp_mflags}

%if 0%{?build_hmac256}
# Hack: redefine the __os_install_post macro so that the checksums are
# created after the original macro has run. That macro strips the binaries,
# which would invalidate any HMAC computed earlier.
#
# The redefinition sits here, ahead of the install section, because
# expanding it any later in the spec would be too late.
#
# NOTE(review): the library glob only matches a two-character suffix after
# ".so." (for example .so.20). The resulting .hmac files are an integrity
# self-check; they are not a signature and do not protect against someone
# who is able to replace both a binary and its .hmac file.
%{expand:%%global __os_install_post {%__os_install_post
    fipshmac %{buildroot}/%{_bindir}/hmac256
    fipshmac %{buildroot}/%{_libdir}/*.so.??
}}
%endif

%check
# Create a checksum for the library in the build tree; presumably needed so
# that the freshly built library passes its own integrity check when loaded
# from there -- confirm.
fipshmac src/.libs/libgcrypt.so.??
# The upstream test suite is disabled: it reads /dev/random, which hangs on
# build hosts without an entropy source, so it is not run inside OBS.
# NOTE(review): as a result neither the regular nor the forced-FIPS test run
# exercises the many backported patches at package build time; regressions
# have to be caught by testing outside this build. Even when enabled, the
# commands below ignore failures ("|| true").
#make -k check || true
#export LIBGCRYPT_FORCE_FIPS_MODE=1
#make -k check || true
#export -n LIBGCRYPT_FORCE_FIPS_MODE

%install
# Install into the build root and drop the libtool archive.
make DESTDIR=%{buildroot} install %{?_smp_mflags}
rm %{buildroot}%{_libdir}/%{name}.la

# cavs
# Create the CAVS directory and install the two driver scripts into it.
install -m 0755 -d %{buildroot}%{cavs_dir}
install -m 0755 %{SOURCE5} %{buildroot}%{cavs_dir}
install -m 0755 %{SOURCE6} %{buildroot}%{cavs_dir}

# Move the test drivers out of the bin directory into the CAVS directory, so
# they ship only with the cavs subpackage and are not on the default PATH.
mv %{buildroot}%{_bindir}/fipsdrv %{buildroot}%{cavs_dir}
mv %{buildroot}%{_bindir}/gcrypt_rsagtest %{buildroot}%{cavs_dir}
mv %{buildroot}%{_bindir}/drbg_test %{buildroot}%{cavs_dir}

# Scriptlets: the library subpackage runs ldconfig after install and after
# removal; the devel subpackage registers and unregisters its three info
# files. This comment is kept above the scriptlet headers on purpose: lines
# placed after a "-p /sbin/ldconfig" header become that scriptlet's body and
# may be handed to ldconfig.
%post -n %{libsoname} -p /sbin/ldconfig

%postun -n %{libsoname} -p /sbin/ldconfig

%post devel
%install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz
%install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info-1.gz
%install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info-2.gz

%postun devel
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info-1.gz
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info-2.gz

%files -n %{libsoname}
# Runtime library and its licence text only; the matching .hmac checksum is
# shipped in the separate checksum subpackage.
%defattr(-,root,root)
%doc COPYING.LIB
%{_libdir}/%{name}.so.*

%files -n %{libsoname}-hmac
# Hidden checksum files that sit next to the library in the lib directory.
# With build_hmac256 set to 0 this list is empty apart from the defattr line.
%defattr(-,root,root)
%if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.*.hmac
%endif # %if 0%{?build_hmac256}

%files devel
%defattr(-,root,root)
%doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO
%{_infodir}/gcrypt.info.gz
%{_infodir}/gcrypt.info-1.gz
%{_infodir}/gcrypt.info-2.gz
%{_bindir}/dumpsexp
%{_bindir}/mpicalc
%{_bindir}/%{name}-config
%{_libdir}/%{name}.so
%{_includedir}/gcrypt*.h
%{_datadir}/aclocal/%{name}.m4

# The conditional below wraps only the header and defattr line of the
# hmac256 file list. With separate_hmac256_binary set to 0 they are skipped,
# so the three hmac256 entries that follow the endif stay part of the devel
# list above; with a non-zero value they form the hmac256 subpackage.
# NOTE(review): the .hmac256.hmac entry is listed unconditionally, but the
# file is only generated when build_hmac256 is non-zero; a build with that
# switch at 0 would presumably fail on the missing file -- confirm.
%if 0%{?separate_hmac256_binary}

%files hmac256
%defattr(-,root,root)
%endif # %if 0%{?separate_hmac256_binary}
%{_bindir}/hmac256
%{_bindir}/.hmac256.hmac
%doc %{_mandir}/man1/hmac256.1*

%files cavs
# Everything under the package's libexec directory, i.e. the CAVS driver
# scripts and the test binaries moved there by the install section.
%defattr(-,root,root)
%{_libexecdir}/%{name}

%changelog