Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
gnutls.31677
gnutls.spec
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gnutls.spec of Package gnutls.31677
# # spec file for package gnutls # # Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define gnutls_sover 30 %define gnutlsxx_sover 28 %define gnutls_dane_sover 0 # unbound isn't in SLE (bsc#1086428) %if 0%{?is_opensuse} %bcond_without dane %else %bcond_with dane %endif # Enable Linux kernel AF_ALG based acceleration %if 0%{?suse_version} >= 1550 %bcond_without kcapi %else %bcond_with kcapi %endif %bcond_with tpm %bcond_without guile Name: gnutls Version: 3.7.3 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later Group: Productivity/Networking/Security URL: https://www.gnutls.org/ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig Source2: gnutls.keyring Source3: baselibs.conf Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch2: gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch Patch3: gnutls-fips_mode_enabled.patch Patch4: gnutls-FIPS-TLS_KDF_selftest.patch Patch5: gnutls-FIPS-disable-failing-tests.patch #PATCH-FIX-UPSTREAM bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT Patch6: gnutls-FIPS-PBKDF2-KAT-requirements.patch #PATCH-FIX-UPSTREAM bsc#1194907 FIPS: Mark AES-GCM and HKDF as approved in the TLS context Patch7: gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch #PATCH-FIX-UPSTREAM bsc#1190698 FIPS: Add more requirements for the service-level indicator Patch8: gnutls-Remove-3DES-from-FIPS-approved-algos.patch Patch9: gnutls-Add-missing-FIPS-service-indicator-transitions.patch Patch10: gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch Patch11: gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch #PATCH-FIX-UPSTREAM bsc#1191021 FIPS: Make sure zeroization is performed in all API functions Patch12: gnutls-zeroization-API-functions.patch Patch13: gnutls_ECDSA_signing.patch Patch14: gnutls-FIPS-force-self-test.patch #PATCH-FIX-UPSTREAM bsc#1202020 CVE-2022-2509 Double free during gnutls_pkcs7_verify Patch15: gnutls-CVE-2022-2509.patch #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy Patch16: gnutls-FIPS-jitterentropy.patch #PATCH-FIX-SUSE bsc#1190698 FIPS: SLI gnutls_pbkdf2: verify keylengths and allow SHA only Patch17: gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch #PATCH-FIX-SUSE bsc#1191021 FIPS: Zeroize calculated hmac in check_binary_integrity Patch18: gnutls-FIPS-Zeroize-check_binary_integrity.patch #PATCH-FIX-UPSTREAM bsc#1203779 Make XTS key check failure not fatal Patch19: gnutls-Make-XTS-key-check-failure-not-fatal.patch #PATCH-FIX-SUSE bsc#1202146 FIPS: Set error state when jent init failed in FIPS mode Patch20: gnutls-FIPS-Set-error-state-when-jent-init-failed.patch #PATCH-FIX-UPSTREAM bsc#1203299 Fix AVX CPU feature detection for OSXSAVE Patch21: gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch #PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration Patch22: gnutls-FIPS-PCT-DH.patch Patch23: gnutls-FIPS-PCT-ECDH.patch #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3 Patch24: gnutls-FIPS-140-3-references.patch #PATCH-FIX-UPSTREAM bsc#1208143 CVE-2023-0361: Bleichenbacher oracle in TLS RSA key exchange Patch25: gnutls-CVE-2023-0361.patch #PATCH-FIX-SUSE bsc#1208146 FIPS: Make jitterentropy calls thread-safe Patch26: gnutls-FIPS-jitterentropy-threadsafe.patch #PATCH-FIX-UPSTREAM bsc#1208237 jsc#PED-1562 Increase TLS PSK username limit Patch27: gnutls-increase-TLS-PSK-username-limit.patch #PATCH-FIX-SUSE bsc#1209001 FIPS: PBKDF2 additional requirements Patch28: gnutls-FIPS-pbkdf2-additional-requirements.patch #PATCH-FIX-UPSTREAM bsc#1217277 CVE-2023-5981: Fix timing side-channel inside RSA-PSK key exchange Patch29: curl-CVE-2023-5981.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge BuildRequires: fdupes BuildRequires: fipscheck BuildRequires: gcc-c++ # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present BuildRequires: iproute2 BuildRequires: libidn2-devel BuildRequires: libnettle-devel >= 3.6 BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool BuildRequires: libunistring-devel BuildRequires: makeinfo BuildRequires: p11-kit-devel >= 0.23.1 BuildRequires: pkgconfig BuildRequires: xz BuildRequires: zlib-devel BuildRequires: pkgconfig(autoopts) Requires: libnettle8 >= 3.6 %if %{with kcapi} BuildRequires: pkgconfig(libkcapi) %endif %if 0%{?suse_version} <= 1320 BuildRequires: net-tools %else BuildRequires: net-tools-deprecated %endif %if %{with tpm} BuildRequires: trousers-devel %endif %if %{with dane} Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %if 0%{?suse_version} <= 1320 BuildRequires: unbound-devel %else BuildRequires: libunbound-devel %endif %endif %if %{with guile} BuildRequires: guile-devel %endif %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 BuildRequires: crypto-policies Requires: crypto-policies BuildRequires: jitterentropy-devel >= 3.4.0 Requires: libjitterentropy3 >= 3.4.0 %endif %description The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries # install libgnutls and libgnutls-hmac close together (bsc#1090765) Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover}-hmac Summary: Checksums of the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries Requires: libgnutls%{gnutls_sover} = %{version}-%{release} %description -n libgnutls%{gnutls_sover}-hmac FIPS SHA256 checksums of the libgnutls library. %if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries %description -n libgnutls-dane%{gnutls_dane_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. %endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls-devel Summary: Development package for the GnuTLS C API License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif Requires: glibc-devel Requires: gnutls = %{version} Requires: libgnutls%{gnutls_sover} = %{version} Requires(pre): %{install_info_prereq} Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. %if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %description -n libgnutls-dane-devel Files needed for software development using gnutls. %endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel Requires(pre): %{install_info_prereq} %description -n libgnutlsxx-devel Files needed for software development using gnutls. %if %{with guile} %package guile Summary: Guile wrappers for gnutls License: LGPL-2.1-or-later Group: Development/Libraries/Other Requires: guile %description guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme. %endif %prep %autosetup -p1 echo "SYSTEM=NORMAL" >> tests/system.prio %build export LDFLAGS="-pie" export CFLAGS="%{optflags} -fPIE" export CXXFLAGS="%{optflags} -fPIE" autoreconf -fiv %configure \ gl_cv_func_printf_directive_n=yes \ gl_cv_func_printf_infinite_long_double=yes \ --disable-static \ --disable-rpath \ --disable-silent-rules \ %{?with_kcapi:--enable-afalg} \ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \ --with-default-priority-string="@SYSTEM" \ --with-sysroot=/%{?_sysroot} \ %if %{without tpm} --without-tpm \ %endif %if %{with dane} --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \ %else --disable-libdane \ %endif %if %{with guile} --enable-guile \ %else --disable-guile \ %endif --enable-fips140-mode \ --with-fips140-module-name="GnuTLS version" \ --with-fips140-module-version="%{version}-%{release}" \ %{nil} make %{?_smp_mflags} # the hmac hashes: # # this is a hack that re-defines the __os_install_post macro # for a simple reason: the macro strips the binaries and thereby # invalidates a HMAC that may have been created earlier. # solution: create the hashes _after_ the macro runs. # # this shows up earlier because otherwise the %%expand of # the macro is too late. # remark: This is the same as running # openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP' %{expand:%%global __os_install_post {%__os_install_post %{_bindir}/fipshmac %{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover} }} %install %make_install rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot # Do not package static libs and libtool files find %{buildroot} -type f -name "*.la" -delete -print # install docs mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/ cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/ mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/ mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/ # PNG files are replaced with the compressed files and that breaks # deduplication, this is workaround find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} + rm -rf %{buildroot}%{_datadir}/doc/gnutls %fdupes -s %{buildroot}%{_datadir} %find_lang libgnutls --all-name %check %if ! 0%{?qemu_user_space_build} make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 } #Run the regression tests also in FIPS mode GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 } %endif %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %if %{with dane} %post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig %postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig %endif %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %post -n libgnutls-devel %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %preun -n libgnutls-devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %files -f libgnutls.lang %license LICENSE %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO %{_bindir}/certtool %{_bindir}/gnutls-cli %{_bindir}/gnutls-cli-debug %{_bindir}/gnutls-serv %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool %if %{with dane} %{_bindir}/danetool %endif %if %{with tpm} %{_bindir}/tpmtool %endif %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %{_libdir}/libgnutls.so.%{gnutls_sover}* %files -n libgnutls%{gnutls_sover}-hmac %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac %if %{with dane} %files -n libgnutls-dane%{gnutls_dane_sover} %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* %endif %files -n libgnutlsxx%{gnutlsxx_sover} %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}* %files -n libgnutls-devel %dir %{_includedir}/%{name} %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/compat.h %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h %{_includedir}/%{name}/ocsp.h %{_includedir}/%{name}/pkcs7.h %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/self-test.h %{_includedir}/%{name}/socket.h %{_includedir}/%{name}/x509.h %{_includedir}/%{name}/x509-ext.h %{_includedir}/%{name}/tpm.h %{_includedir}/%{name}/system-keys.h %{_includedir}/%{name}/urls.h %{_libdir}/libgnutls.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* %{_infodir}/*%{ext_info} %doc %{_docdir}/libgnutls-devel %if %{with dane} %files -n libgnutls-dane-devel %dir %{_includedir}/%{name} %{_includedir}/%{name}/dane.h %{_libdir}/pkgconfig/gnutls-dane.pc %{_libdir}/libgnutls-dane.so %endif %files -n libgnutlsxx-devel %{_libdir}/libgnutlsxx.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/gnutlsxx.h %if %{with guile} %files guile %{_libdir}/guile/* %{_datadir}/guile/gnutls* %endif %changelog
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor