#
# spec file for package libgcrypt
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# Shared-object major version. It also names the runtime subpackage and the
# renamed FIPS integrity file (see the sed in prep and the install hook).
%define libsover 20
%define libsoname %{name}%{libsover}
# Key compiled into the library for the FIPS HMAC binary integrity check
# (passed to configure in build). It is public by construction: it sits in
# this spec and on the configure command line. The check therefore detects
# accidental modification such as stripping or corruption; anyone able to
# replace the library can recompute the HMAC with the same key, so it is
# not a defence against deliberate tampering.
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
Name: libgcrypt
Version: 1.10.3
Release: 0
Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
Group: Development/Libraries/C and C++
URL: https://gnupg.org/software/libgcrypt
# Upstream tarball and its detached signature. Source5 carries the upstream
# signing key; this spec itself never runs gpg, so signature verification is
# expected to happen in the build service's source checks before the tarball
# is unpacked (confirm that those checks are enabled for this package).
Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
Source2: baselibs.conf
# Runtime configuration files installed under sysconfdir/gcrypt (see install).
Source3: random.conf
Source4: hwf.deny
# https://gnupg.org/signature_key.asc
Source5: libgcrypt.keyring
# Only used as a stable timestamp source for reproducible builds (see build).
Source99: libgcrypt.changes
# Patches are grouped by number range, as the comments below indicate:
# 1-3 build fixes, 1xx FIPS RNG/self-test behaviour, 2xx POWER performance,
# 3xx FIPS service level indicator (SLI), 4xx FIPS key-size and hash fixes.
# Each SUSE patch names its bsc#/jsc# tracker so the reason can be looked up.
Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
Patch2: libgcrypt-nobetasuffix.patch
# https://dev.gnupg.org/T6964
Patch3: libgcrypt-no-deprecated-grep-alias.patch
# FIPS patches:
# PATCH-FIX-UPSTREAM: Missing decls for FIPS SLI
Patch100: libgcrypt-FIPS-SLI-Factor-out-data-SEXP-preparation.patch
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
Patch104: libgcrypt-FIPS-rndjent_poll.patch
#PATCH-FIX-SUSE bsc#1220896 FIPS: Replace the built-in jitter rng with standalone version
Patch105: libgcrypt-FIPS-jitter-standalone.patch
#PATCH-FIX-SUSE bsc#1220895 FIPS: Enforce the interpretation and use of jitter rng
Patch106: libgcrypt-FIPS-jitter-errorcodes.patch
#PATCH-FIX-SUSE bsc#1220893 FIPS: Use Jitter RNG for the whole length entropy buffer
Patch107: libgcrypt-FIPS-jitter-whole-entropy.patch
#PATCH-FIX-SUSE bsc#1220893 FIPS: Disable setting the library in non-FIPS mode
Patch108: libgcrypt-FIPS-disable-GCRYCTL_NO_FIPS_MODE.patch
#PATCH-FIX-SUSE bsc#1225936 FIPS: Unnecessary KAT Encryption/Decryption
Patch109: libgcrypt-FIPS-SLI-Do-not-run-RSA-encryption-selftest-by-default.patch
# POWER patches [jsc#PED-5088] POWER performance enhancements for cryptography
Patch200: libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
Patch201: libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
# PATCH-FIX-SUSE bsc#1225939 FIPS: Service level indicator
Patch300: libgcrypt-FIPS-SLI-Only-allow-defined-digest-algo-for-EdDSA.patch
Patch301: libgcrypt-FIPS-SLI-Reject-use-of-SHAKE-when-its-ECDSA-with-RFC6979.patch
Patch302: libgcrypt-FIPS-SLI-Introduce-an-internal-API-for-FIPS-service-indicator.patch
Patch303: libgcrypt-FIPS-SLI-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
Patch304: libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
Patch305: libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_md_hash_*.patch
Patch306: libgcrypt-FIPS-SLI-Add-t-digest.patch
Patch307: libgcrypt-FIPS-SLI-Fix-t-digest-for-a-minimal-configuration.patch
Patch308: libgcrypt-FIPS-SLI-Extend-tests-t-digest-to-test-hmac-too.patch
Patch309: libgcrypt-FIPS-SLI-Fix-comment-in-t-thread-local.patch
Patch311: libgcrypt-FIPS-SLI-Change-the-internal-API-for-new-FIPS-service-indicator.patch
Patch312: libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch
Patch313: libgcrypt-FIPS-SLI-Add-tests-for-md_open-write-read-close-for-t-digest.patch
Patch314: libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch
Patch315: libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-cipher_open.patch
Patch316: libgcrypt-FIPS-SLI-Add-gcry_mac_open-tests.patch
Patch317: libgcrypt-FIPS-SLI-Rename-t-fips-service-ind.patch
Patch318: libgcrypt-FIPS-SLI-Move-KDF-tests-to-t-fips-service-ind.patch
Patch319: libgcrypt-FIPS-SLI-Add-gcry_cipher_open-tests.patch
Patch320: libgcrypt-FIPS-SLI-gcry_md_copy-should-care-about-FIPS-service-indicator.patch
Patch321: libgcrypt-FIPS-SLI-Implement-FIPS-service-indicator-for-gcry_pk_hash_API.patch
Patch322: libgcrypt-FIPS-SLI-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch
Patch323: libgcrypt-FIPS-SLI-Fix-the-previous-change.patch
Patch324: libgcrypt-FIPS-SLI-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch
# PATCH-FIX-UPSTREAM: Missing decls for FIPS SLI testing
Patch325: hex2buffer-Factor-from-existing-uses.patch
# PATCH-FIX-SUSE bsc#1225939 FIPS: Service level indicator
Patch326: libgcrypt-FIPS-SLI-Add-behavior-not-to-reject-but-mark-non-compliant.patch
Patch327: libgcrypt-FIPS-SLI-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch
Patch328: libgcrypt-FIPS-SLI-Add-more-tests-to-tests-t-fips-service-ind.patch
Patch329: libgcrypt-FIPS-SLI-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch
Patch330: libgcrypt-FIPS-SLI-Fix-memory-leak-for-gcry_pk_hash_sign.patch
Patch331: libgcrypt-FIPS-SLI-Improve-__thread-specifier-check.patch
# PATCH-FIX-SUSE bsc#1225939: Mark non-compliant cipher modes in the SLI
Patch332: libgcrypt-FIPS-SLI-mark-non-compliant-cipher-modes-as-non-approved-in-the-SLI.patch
Patch333: libgcrypt-FIPS-SLI-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch
Patch334: libgcrypt-FIPS-SLI-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-.patch
# PATCH-FIX-SUSE bsc#1225942: Mark SHA1 as non approved in the SLI
Patch335: libgcrypt-FIPS-SLI-md-Make-SHA1-non-FIPS-and-differentiate-in-the-SLI.patch
Patch336: libgcrypt-FIPS-SLI-cipher-Differentiate-SHA1-with-GCRY_FIPS_FLAG_REJECT_MD_SHA1.patch
# PATCH-FIX-SUSE bsc#1225939: Implement KAT for non-deterministic ECDSA
Patch337: libgcrypt-FIPS-SLI-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch
# PATCH-FIX-SUSE bsc#1225939: Differentiate non-compliant flags in the SLI
Patch338: libgcrypt-FIPS-SLI-Differentiate-non-compliant-flags-in-the-SLI.patch
# PATCH-FIX-SUSE bsc#1225941 FIPS: disallow rsa < 2048
Patch400: libgcrypt-FIPS-SLI-Disallow-RSA-keys-with-size-lt-2048.patch
# PATCH-FIX-UPSTREAM bsc#1241605 FIPS: SHA3 usage in sign operation has an issue
Patch401: libgcrypt-FIPS-sha3-asn.patch
# Build-time dependencies. jitterentropy is required here because prep deletes
# the bundled jitterentropy sources and build configures with jent support, so
# the library can only link against the system copy. That keeps the RNG code
# on the distribution's update path instead of an embedded snapshot.
BuildRequires: automake >= 1.14
BuildRequires: jitterentropy-devel >= 3.4.0
# NOTE(review): the runtime library as a BuildRequires looks redundant next to
# the -devel package above; harmless, but confirm it is intentional.
BuildRequires: libjitterentropy3 >= 3.4.0
BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libtool
BuildRequires: makeinfo
BuildRequires: pkgconfig
# Expands only on distributions that define the hwcaps helper macro.
%{?suse_build_hwcaps_libs}
%description
Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt.
%package -n %{libsoname}
# Runtime subpackage holding the shared object and its configuration files.
Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: System/Libraries
BuildRequires: jitterentropy-devel >= 3.4.0
# The standalone jitter RNG is loaded at runtime (bundled copy removed in prep).
Requires: libjitterentropy3 >= 3.4.0
# The FIPS integrity HMAC is now embedded in the library's ELF note (see the
# install hook), so the former separate -hmac package, which presumably
# carried the checksum file, is replaced by this one.
Provides: %{libsoname}-hmac = %{version}-%{release}
Obsoletes: %{libsoname}-hmac < %{version}-%{release}
%description -n %{libsoname}
Libgcrypt is a general purpose cryptographic library, originally based on
the code used in GnuPG.
%package devel
# Headers, pkg-config data, the unversioned .so link and the helper tools.
Summary: The GNU Crypto Library
License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
Group: Development/Libraries/C and C++
# NOTE(review): pins the version but not the release; the runtime package
# uses version-release elsewhere in this spec, so consider matching that.
Requires: %{libsoname} = %{version}
Requires: glibc-devel
Requires: jitterentropy-devel >= 3.4.0
Requires: libgpg-error-devel >= 1.27
%description devel
Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt.
This package contains needed files to compile and link against the
library.
%prep
# Unpack Source0 and apply every Patch tag above with -p1.
%autosetup -p1
# Rename the internal .hmac file to include the so library version
sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in
# Replace the built-in jitter rng with the standalone version [bsc#1220896]
# Deleting the bundled sources outright means the build cannot silently fall
# back to an embedded copy: with jent support enabled in build, it has to link
# the system jitterentropy declared in BuildRequires.
find . -type f -name "jitterentropy*" -print -delete
%build
# Algorithm sets handed to configure below. Presumably only what is listed is
# compiled in, so these lists are the place to drop an algorithm from the
# binary; keep them in sync with what the FIPS patches expect.
export PUBKEYS="dsa elgamal rsa ecc"
export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
export KDFS="s2k pkdf2 scrypt"
autoreconf -fi
# Reproducible builds: take the embedded build timestamp from the mtime of the
# changes file (Source99) rather than the wall clock, so rebuilding the same
# sources gives the same binary. The doubled percent signs are rpm escapes.
date=$(date -u '+%%Y-%%m-%%dT%%H:%%M+0000' -r %{SOURCE99})
sed -e "s,BUILD_TIMESTAMP=.*,BUILD_TIMESTAMP=$date," -i configure
# Distribution compiler flags plus large-file support flags from getconf.
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
# Notes on the configure flags (comments cannot go inside the continued
# command itself without breaking it):
#  - with-fips-module-version: version string the FIPS module reports.
#  - enable-hmac-binary-check: compiles in the hmac_key defined at the top for
#    the FIPS integrity check; the key is public, so this catches corruption
#    and stripping, not deliberate tampering.
#  - enable-noexecstack: asks for assembler objects to be marked as not
#    needing an executable stack.
#  - enable-m-guard: malloc guard checking. NOTE(review): upstream describes
#    this as a debugging aid; confirm it is still wanted in release builds.
#  - disable-asm on sparc only: assembly backends are switched off there.
#  - enable-random=getentropy: selects getentropy as the random backend
#    (per the flag name); the jitter RNG is the standalone library.
%configure \
--with-fips-module-version="Libgcrypt version %{version}-%{release}" \
--enable-hmac-binary-check="%{hmac_key}" \
--enable-ciphers="$CIPHERS" \
--enable-pubkey-ciphers="$PUBKEYS" \
--enable-digests="$DIGESTS" \
--enable-kdfs="$KDFS" \
--enable-noexecstack \
--disable-static \
--enable-m-guard \
%ifarch %{sparc}
--disable-asm \
%endif
--enable-random=getentropy \
--enable-jent-support \
%{nil}
%make_build
%check
# -k keeps going after a failing test so the log shows every failure, but make
# still exits non-zero, so a failure aborts the build.
make -k check
# run the regression tests also in FIPS mode
# NOTE(review): both runs presumably exercise the library in the build tree;
# the integrity note is only written into the installed copy by the install
# hook, so the HMAC self-check of the shipped binary is not covered here.
# Confirm whether a post-install check is wanted.
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check
%install
%make_install
# The stock __spec_install_post extracts debuginfo and strips binaries, which
# would invalidate any FIPS HMAC computed earlier. The override below runs the
# stock steps first and only then computes the HMAC over the final library
# and writes it into the .note.fdo.integrity section, so the value covers the
# exact bytes that ship. gen-note-integrity.sh is patched to take the file as
# its first argument. No comment lines may be placed inside the continued
# macro body.
# libpath uses a ?.? glob for the minor and patch components; it must expand
# to exactly one file, otherwise objcopy and mv below receive several
# arguments and either fail or act on the wrong file.
%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
cd src \
sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath} > %{libpath}.hmac \
objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath} %{libpath}.new \
mv -f %{libpath}.new %{libpath} \
rm -f %{libpath}.hmac \
%{nil}
# The libtool archive is not shipped.
rm %{buildroot}%{_libdir}/%{name}.la
# Create /etc/gcrypt directory and install random.conf and hwf.deny. Both are
# packaged as config(noreplace), so local edits survive upgrades.
mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
# Refresh the dynamic linker cache when the runtime library is installed or removed.
%post -n %{libsoname} -p /sbin/ldconfig
%postun -n %{libsoname} -p /sbin/ldconfig
%files -n %{libsoname}
%license COPYING COPYING.LIB LICENSES
%doc AUTHORS ChangeLog NEWS README THANKS TODO
# The FIPS integrity HMAC lives in an ELF note inside the library; the
# temporary .hmac file is removed by the install hook, so this glob only
# matches the versioned shared object.
%{_libdir}/%{name}.so.*
# Runtime configuration; noreplace keeps administrator edits across upgrades.
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
%files devel
%license COPYING COPYING.LIB LICENSES
# Helper tools built alongside the library.
%{_bindir}/dumpsexp
%{_bindir}/hmac256
%{_bindir}/mpicalc
%{_bindir}/%{name}-config
%{_libdir}/%{name}.so
%{_libdir}/pkgconfig/libgcrypt.pc
%{_datadir}/aclocal/%{name}.m4
%{_includedir}/gcrypt*.h
%{_infodir}/gcrypt.info*%{ext_info}*
%{_mandir}/man1/*
%changelog