
#
# spec file for package gnutls
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


%define gnutls_sover 30
%define gnutlsxx_sover 28
%define gnutls_dane_sover 0
# unbound isn't in SLE (bsc#1086428)
%if 0%{?is_opensuse}
%bcond_without dane
%else
%bcond_with dane
%endif
%bcond_with tpm
%bcond_without guile
Name:           gnutls
Version:        3.6.7
Release:        0
Summary:        The GNU Transport Layer Security Library
License:        LGPL-2.1-or-later AND GPL-3.0-or-later
Group:          Productivity/Networking/Security
URL:            https://www.gnutls.org/
Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
Source2:        %{name}.keyring
Source3:        baselibs.conf
Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
Patch2:         gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
Patch3:         disable-psk-file-test.patch
Patch4:         gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch
Patch6:         gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
Patch7:         gnutls-CVE-2020-11501.patch
Patch8:         0001-Vendor-in-XTS-functionality-from-Nettle.patch
Patch9:         gnutls-fips_XTS_key_check.patch
Patch10:        gnutls-fips_mode_enabled.patch
Patch11:        gnutls-3.6.7-fips-rsa-4096.patch
Patch12:        gnutls-CVE-2020-13777.patch
# PATCH-FIX-UPSTREAM bsc#1172461
Patch13:        0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
Patch14:        0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
Patch15:        0003-x509-trigger-fallback-verification-path-when-cert-is.patch
Patch16:        0004-tests-add-test-case-for-certificate-chain-supersedin.patch
# (EC)DH changes required by SP800-56A rev 3 (bsc#1176086)
Patch17:        0001-Add-Full-Public-Key-Check-for-DH.patch
Patch18:        0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
Patch19:        0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
Patch20:        0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
Patch21:        0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
Patch22:        0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
Patch23:        0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
Patch24:        0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
Patch25:        0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
Patch26:        0001-dh-check-validity-of-Z-before-export.patch
Patch27:        0002-ecdh-check-validity-of-P-before-export.patch
Patch28:        0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
Patch29:        0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
Patch30:        0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
# TLS KDF selftest
Patch31:        gnutls-FIPS-TLS_KDF_selftest.patch
Patch32:        gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
Patch33:        gnutls-CVE-2020-24659.patch
Patch34:        0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
# PATCH-FIX-UPSTREAM bsc#1183457 CVE-2021-20231 Use after free in client key_share extension
Patch35:        gnutls-CVE-2021-20231.patch
# PATCH-FIX-UPSTREAM bsc#1183456 CVE-2021-20232 Use after free in client_send_params
Patch36:        gnutls-CVE-2021-20232.patch
# PATCH-FIX-UPSTREAM https://gitlab.com/gnutls/gnutls/-/merge_requests/979
Patch37:        gnutls-3.6.7-fix-FTBFS-2024.patch
# PATCH-FIX-UPSTREAM https://gitlab.com/gnutls/gnutls/-/merge_requests/928
Patch38:        gnutls-3.6.7-reproducible-date.patch
# PATCH-FIX-UPSTREAM bsc#1196167 CVE-2021-4209 Null pointer dereference in MD_UPDATE
Patch39:        gnutls-CVE-2021-4209.patch
# PATCH-FIX-UPSTREAM bsc#1202020 CVE-2022-2509 Double free during gnutls_pkcs7_verify
Patch40:        gnutls-CVE-2022-2509.patch
# PATCH-FIX-SUSE bsc#1204511 Validate input when calling fmemopen()
Patch41:        gnutls-check-system_priority_buf-input.patch
# PATCH-FIX-UPSTREAM bsc#1208143 CVE-2023-0361: Bleichenbacher oracle in TLS RSA key exchange
Patch42:        gnutls-CVE-2023-0361.patch
# PATCH-FIX-UPSTREAM bsc#1217277 CVE-2023-5981: Fix timing side-channel inside RSA-PSK key exchange
Patch43:        curl-CVE-2023-5981.patch
BuildRequires:  autogen
BuildRequires:  automake
BuildRequires:  datefudge
BuildRequires:  fdupes
BuildRequires:  fipscheck
BuildRequires:  gcc-c++
# The test suite calls /usr/bin/ss from iproute2, so we must make sure it is present
BuildRequires:  iproute2
BuildRequires:  libidn2-devel
BuildRequires:  libnettle-devel >= 3.4.1
BuildRequires:  libtasn1-devel >= 4.9
BuildRequires:  libtool
BuildRequires:  libunistring-devel
BuildRequires:  makeinfo
BuildRequires:  p11-kit-devel >= 0.23.1
BuildRequires:  pkgconfig
BuildRequires:  xz
BuildRequires:  zlib-devel
BuildRequires:  pkgconfig(autoopts)
# CVE-2018-16868 (bsc#1118087) fix requires rsa_sec_decrypt which was added in 3.4.1 (bsc#1134856)
Requires:       libnettle6 >= 3.4.1
%if 0%{?suse_version} <= 1320
BuildRequires:  net-tools
%else
BuildRequires:  net-tools-deprecated
%endif
%if %{with tpm}
BuildRequires:  trousers-devel
%endif
%if %{with dane}
Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
%if 0%{?suse_version} <= 1320
BuildRequires:  unbound-devel
%else
BuildRequires:  libunbound-devel
%endif
%endif
%if %{with guile}
BuildRequires:  guile-devel
%endif

%description
The GnuTLS library provides a secure layer over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group.

%package -n libgnutls%{gnutls_sover}
Summary:        The GNU Transport Layer Security Library
License:        LGPL-2.1-or-later
Group:          System/Libraries
# install libgnutls and libgnutls-hmac close together (bsc#1090765)
Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}

%description -n libgnutls%{gnutls_sover}
The GnuTLS library provides a secure layer over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group.

%package -n libgnutls%{gnutls_sover}-hmac
Summary:        Checksums of the GNU Transport Layer Security Library
License:        LGPL-2.1-or-later
Group:          System/Libraries
Requires:       libgnutls%{gnutls_sover} = %{version}-%{release}

%description -n libgnutls%{gnutls_sover}-hmac
FIPS SHA256 checksums of the libgnutls library.

%if %{with dane}
%package -n libgnutls-dane%{gnutls_dane_sover}
Summary:        DANE support for the GNU Transport Layer Security Library
License:        LGPL-2.1-or-later
Group:          System/Libraries

%description -n libgnutls-dane%{gnutls_dane_sover}
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer.
This package contains the "DANE" part of gnutls.
%endif

%package -n libgnutlsxx%{gnutlsxx_sover}
Summary:        C++ API for the GNU Transport Layer Security Library
License:        LGPL-2.1-or-later
Group:          System/Libraries

%description -n libgnutlsxx%{gnutlsxx_sover}
The GnuTLS library provides a secure layer over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group.

%package -n libgnutls-devel
Summary:        Development package for the GnuTLS C API
License:        LGPL-2.1-or-later
Group:          Development/Libraries/C and C++
Requires:       glibc-devel
Requires:       libgnutls%{gnutls_sover} = %{version}
Requires(pre):  %{install_info_prereq}
Provides:       gnutls-devel = %{version}-%{release}

%description -n libgnutls-devel
Files needed for software development using gnutls.

%if %{with dane}
%package -n libgnutls-dane-devel
Summary:        Development package for GnuTLS DANE component
License:        LGPL-2.1-or-later
Group:          Development/Libraries/C and C++
Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}

%description -n libgnutls-dane-devel
Files needed for software development using gnutls.
%endif

%package -n libgnutlsxx-devel
Summary:        Development package for the GnuTLS C++ API
License:        LGPL-2.1-or-later
Group:          Development/Libraries/C and C++
Requires:       libgnutls-devel = %{version}
Requires:       libgnutlsxx%{gnutlsxx_sover} = %{version}
Requires:       libstdc++-devel
Requires(pre):  %{install_info_prereq}

%description -n libgnutlsxx-devel
Files needed for software development using gnutls.

%package guile
Summary:        Guile wrappers for gnutls
License:        LGPL-2.1-or-later
Group:          Development/Libraries/Other
Requires:       guile

%description guile
GnuTLS Wrappers for GNU Guile, a dialect of Scheme.

%prep
# Unpack the tarball and apply the backports declared in the preamble in
# numeric order. Patch2 is PowerPC-only and is applied further down under
# %%ifarch; Patch5 is not declared in this spec, so there is no %%patch5.
%setup -q
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
# dtls-resume test fails on PPC
%ifarch ppc64 ppc64le ppc
%patch2 -p1
%endif
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
# Patch43 is shipped as curl-CVE-2023-5981.patch; despite the curl- prefix
# it is the gnutls CVE-2023-5981 fix listed in the preamble.
%patch43 -p1

%build
# Build everything as position-independent code so the bundled tools
# (certtool, gnutls-cli, ...) link as PIE executables; -fPIE is added on
# top of the distribution %%{optflags}.
export LDFLAGS="-pie"
export CFLAGS="%{optflags} -fPIE"
export CXXFLAGS="%{optflags} -fPIE"
autoreconf -fiv
%configure \
        gl_cv_func_printf_directive_n=yes \
        gl_cv_func_printf_infinite_long_double=yes \
        --disable-static \
        --disable-rpath \
        --disable-silent-rules \
	--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
        --with-sysroot=/%{?_sysroot} \
%if %{without tpm}
        --without-tpm \
%endif
%if %{with dane}
        --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
%else
        --disable-libdane \
%endif
        --enable-fips140-mode \
	%{nil}
make %{?_smp_mflags}

# FIPS integrity checksum of libgnutls:
#
# __os_install_post strips the binaries, which would invalidate any HMAC
# computed before it runs. The macro is therefore redefined here so that
# the fipshmac step runs _after_ the stock post-install processing.
#
# The redefinition has to appear this early (in %%build) because otherwise
# the %%expand of the macro happens too late.
#
# The resulting .libgnutls.so.%%{gnutls_sover}.hmac file is packaged in the
# libgnutls%%{gnutls_sover}-hmac subpackage.
# remark: This is the same as running
#   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
# (the fixed key built into fipshmac) over the library.
%{expand:%%global __os_install_post {%__os_install_post
%{_bindir}/fipshmac %{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
}}

%install
%make_install
# drop the en@quot / en@boldquot locale variants
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
# Do not package static libs and libtool files
find %{buildroot} -type f -name "*.la" -delete -print

# install docs: manual, API reference and example sources go into the
# libgnutls-devel docdir (picked up by %%doc in that subpackage)
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference
cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/
mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/

# The PNG files get replaced by compressed copies, which breaks %%fdupes
# deduplication; as a workaround compress them up front here (-n omits the
# timestamp so the output stays reproducible).
find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
# the upstream doc dir is superseded by the copy made above
rm -rf %{buildroot}%{_datadir}/doc/gnutls
%fdupes -s %{buildroot}%{_datadir}

%find_lang libgnutls --all-name

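%check
# These test scripts are added by patches that carry no file mode, so the
# executable bit has to be restored before the suite runs.
# server-weak-keys.sh comes from
# 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch; the
# origin of dh-fips-approved.sh is presumably one of the DH/FIPS patches
# (not verified here).
chmod a+x tests/server-weak-keys.sh tests/dh-fips-approved.sh
# the test suite is skipped under qemu user-space emulation
%if ! 0%{?qemu_user_space_build}
# on failure dump every test-suite.log so the cause shows up in the build log
make %{?_smp_mflags} check || {
    find -name test-suite.log -print -exec cat {} +
    exit 1
}
%endif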

# refresh the dynamic linker cache whenever a shared-library subpackage is
# installed or removed
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig

%if %{with dane}
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
%endif

%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%post -n libgnutls-devel
# register the info manual shipped in libgnutls-devel
%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz

%preun -n libgnutls-devel
# unregister the info manual before the files are removed
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz

%files -f libgnutls.lang
%license LICENSE
%doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
%{_bindir}/certtool
%{_bindir}/gnutls-cli
%{_bindir}/gnutls-cli-debug
%{_bindir}/gnutls-serv
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%{_bindir}/srptool
%if %{with dane}
%{_bindir}/danetool
%endif
%if %{with tpm}
%{_bindir}/tpmtool
%endif
%{_mandir}/man1/*

%files -n libgnutls%{gnutls_sover}
%{_libdir}/libgnutls.so.%{gnutls_sover}*

%files -n libgnutls%{gnutls_sover}-hmac
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac

%if %{with dane}
%files -n libgnutls-dane%{gnutls_dane_sover}
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
%endif

%files -n libgnutlsxx%{gnutlsxx_sover}
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*

%files -n libgnutls-devel
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/abstract.h
%{_includedir}/%{name}/crypto.h
%{_includedir}/%{name}/compat.h
%{_includedir}/%{name}/dtls.h
%{_includedir}/%{name}/gnutls.h
%{_includedir}/%{name}/openpgp.h
%{_includedir}/%{name}/ocsp.h
%{_includedir}/%{name}/pkcs7.h
%{_includedir}/%{name}/pkcs11.h
%{_includedir}/%{name}/pkcs12.h
%{_includedir}/%{name}/self-test.h
%{_includedir}/%{name}/socket.h
%{_includedir}/%{name}/x509.h
%{_includedir}/%{name}/x509-ext.h
%{_includedir}/%{name}/tpm.h
%{_includedir}/%{name}/system-keys.h
%{_includedir}/%{name}/urls.h
%{_libdir}/libgnutls.so
%{_libdir}/pkgconfig/gnutls.pc
%{_mandir}/man3/*
%{_infodir}/*%{ext_info}
%doc %{_docdir}/libgnutls-devel

%if %{with dane}
%files -n libgnutls-dane-devel
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/dane.h
%{_libdir}/pkgconfig/gnutls-dane.pc
%{_libdir}/libgnutls-dane.so
%endif

%files -n libgnutlsxx-devel
%{_libdir}/libgnutlsxx.so
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/gnutlsxx.h

%if %{with guile}
%files guile
%{_libdir}/guile/*
%{_datadir}/guile/gnutls*
%endif

%changelog