File libgcrypt.spec of Package libgcrypt

Overview Repositories Revisions Requests Users Attributes Meta

File libgcrypt.spec of Package libgcrypt

#
# spec file for package libgcrypt
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

%define build_hmac256 1
%define separate_hmac256_binary 0
%define libsover 20
%define libsoname %{name}%{libsover}
%define cavs_dir %{_libexecdir}/%{name}/cavs
Name:           libgcrypt
Version:        1.8.2
Release:        0
Summary:        The GNU Crypto Library
License:        GPL-2.0+ AND LGPL-2.1+ AND GPL-3.0+
Group:          Development/Libraries/C and C++
Url:            http://directory.fsf.org/wiki/Libgcrypt
Source:         ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
Source1:        ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
Source2:        baselibs.conf
Source4:        %{name}.keyring
# https://www.gnupg.org/signature_key.en.html
# cavs test framework
Source5:        cavs-test.sh
Source6:        cavs_driver.pl
Source99:       %{name}.changes
Patch0:         %{name}-ppc64.patch
Patch1:         %{name}-strict-aliasing.patch
Patch3:         %{name}-1.4.1-rijndael_no_strict_aliasing.patch
Patch4:         %{name}-sparcv9.diff
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
#was: libgcrypt-1.5.0-as-needed.patch
Patch5:         libgcrypt-unresolved-dladdr.patch
#PATCH-FIX-SUSE: N/A
Patch7:         libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
Patch12:        libgcrypt-1.6.1-use-fipscheck.patch
Patch13:        libgcrypt-1.6.1-fips-cavs.patch
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
Patch14:        libgcrypt-1.6.1-fips-cfgrandom.patch
Patch28:        libgcrypt-fix-rng.patch
#PATCH-FIX-SUSE add FIPS CAVS test app for DRBG
Patch30:        drbg_test.patch
Patch34:        libgcrypt-1.6.3-aliasing.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
Patch35:        libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
Patch36:        libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
#PATCH-FIX-UPSTREAM bsc#1097410 fix novel side-channel attack
Patch37:        CVE-2018-0495.patch
Patch39:        libgcrypt-1.8.3-fips-ctor.patch
Patch42:        libgcrypt-fips_rsa_no_enforced_mode.patch
Patch43:        libgcrypt-1.8.4-allow_FSM_same_state.patch
#PATCH-FIX-UPSTREAM bsc#1138939 CVE-2019-12904 C implementation of AES is
#vulnerable to a flush-and-reload side-channel attack
Patch44:        libgcrypt-CVE-2019-12904-GCM-Prefetch.patch
Patch45:        libgcrypt-CVE-2019-12904-GCM.patch
Patch46:        libgcrypt-CVE-2019-12904-AES.patch
Patch47:        libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
#PATCH-FIX-UPSTREAM bsc#1148987 CVE-2019-13627 Mitigation against an ECDSA timing attack
Patch48:        libgcrypt-CVE-2019-13627.patch
#PATCH-FIX-SUSE bsc#1155338 bsc#1155338 FIPS: CMAC AES and TDES self tests missing
Patch49:        libgcrypt-CMAC-AES-TDES-selftest.patch
#PATCH-FIX-SUSE Fix test in FIPS mode
Patch50:        libgcrypt-dsa-rfc6979-test-fix.patch
Patch51:        libgcrypt-fix-tests-fipsmode.patch
#PATCH-FIX-SUSE bsc#1155337 FIPS: RSA/DSA/ECDSA are missing hashing operation
Patch52:        libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
#PATCH-FIX-UPSTREAM bsc#1161218 FIPS: libgcrypt keywrap gives incorrect results
Patch53:        libgcrypt-AES-KW-fix-in-place-encryption.patch
#PATCH-FIX-SUSE bsc#1161220 FIPS: libgcrypt RSA siggen/keygen: 4k not supported
Patch54:        libgcrypt-1.8.4-fips-keygen.patch
#PATCH-FIX-UPSTREAM bsc#1161216 Check range of EC coordinates
Patch55:        libgcrypt-ECDSA_check_coordinates_range.patch
#PATCH-FIX-SUSE bsc#1164950 Run self-tests from the constructor
Patch56:        libgcrypt-invoke-global_init-from-constructor.patch
#PATCH-FIX-SUSE bsc#1164950 Restore the self-tests from the constructor
Patch57:        libgcrypt-Restore-self-tests-from-constructor.patch
Patch58:        libgcrypt-FIPS-GMAC_AES-benckmark.patch
Patch59:        libgcrypt-global_init-constructor.patch
Patch60:        libgcrypt-random_selftests-testentropy.patch
Patch61:        libgcrypt-rsa-no-blinding.patch
Patch62:        libgcrypt-ecc-ecdsa-no-blinding.patch
#PATCH-FIX-UPSTREAM bsc#1167674 FIPS: Fix drbg to be threadsafe
Patch63:        libgcrypt-check-re-open-dev_random-after-fork.patch
#PATCH-FIX-SUSE bsc#1165539 FIPS: Use the new signature operation in PCT
Patch64:        libgcrypt-PCT-RSA.patch
Patch65:        libgcrypt-PCT-DSA.patch
Patch66:        libgcrypt-PCT-ECC.patch
Patch67:        libgcrypt-fips_selftest_trigger_file.patch
BuildRequires:  automake >= 1.14
BuildRequires:  fipscheck
BuildRequires:  libgpg-error-devel >= 1.25
BuildRequires:  libtool

%description
Libgcrypt is a general purpose library of cryptographic building
blocks.  It is originally based on code used by GnuPG.  It does not
provide any implementation of OpenPGP or other protocols.  Thorough
understanding of applied cryptography is required to use Libgcrypt.

%package -n %{libsoname}
Summary:        The GNU Crypto Library
License:        GPL-2.0+ AND LGPL-2.1+
Group:          System/Libraries
Suggests:       %{libsoname}-hmac = %{version}-%{release}

%description -n %{libsoname}
Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version).

%package -n %{libsoname}-hmac
Summary:        HMAC checksums for the GNU Crypto Library
License:        GPL-2.0+ AND LGPL-2.1+
Group:          System/Libraries
Requires:       %{libsoname} = %{version}-%{release}

%description -n %{libsoname}-hmac
Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version). This package contains the HMAC checksum files
for integrity checking the library, as required by FIPS 140-2.

%package devel
Summary:        The GNU Crypto Library
License:        GFDL-1.1 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
Group:          Development/Libraries/C and C++
Requires:       %{libsoname} = %{version}
Requires:       glibc-devel
Requires:       libgpg-error-devel >= 1.13
Requires(post): %{install_info_prereq}

%description devel
Libgcrypt is a general purpose library of cryptographic building
blocks.  It is originally based on code used by GnuPG.  It does not
provide any implementation of OpenPGP or other protocols.  Thorough
understanding of applied cryptography is required to use Libgcrypt.

This package contains needed files to compile and link against the
library.

%package cavs
Summary:        The GNU Crypto Library
License:        GFDL-1.1 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
Group:          Development/Libraries/C and C++
Requires:       %{libsoname} = %{version}
Requires:       %{libsoname}-hmac

%description cavs
CAVS testing framework for libgcrypt

%if 0%{?separate_hmac256_binary}
%package hmac256
Summary:        The GNU Crypto Library
License:        GPL-2.0+ AND LGPL-2.1+
Group:          Development/Libraries/C and C++
Requires:       %{libsoname} = %{version}
Requires:       libgpg-error-devel
Requires(post): %{install_info_prereq}

%description hmac256
Libgcrypt is a general purpose library of cryptographic building
blocks.  It is originally based on code used by GnuPG.  It does not
provide any implementation of OpenPGP or other protocols.  Thorough
understanding of applied cryptography is required to use Libgcrypt.

%endif  # #if separate_hmac256_binary

%prep
%setup -q
%patch0 -p1
%patch1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch7 -p1
%patch12 -p1
%patch28 -p1
%patch30 -p1
# This patch breaks x86_64 builds but is needed for big-endian
# architectures
%ifarch ppc ppc64 s390 s390x
%patch34 -p1
%endif
%patch13 -p1
%patch14 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch39 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1

%build
echo building with build_hmac256 set to %{build_hmac256}
%{?suse_update_config}
autoreconf -fi
date=$(date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+0000 -r %{SOURCE99})
sed -e "s,BUILD_TIMESTAMP=.*,BUILD_TIMESTAMP=$date," -i configure
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
%configure \
           --enable-noexecstack \
           --disable-static \
           --enable-m-guard \
%ifarch %{sparc}
           --disable-asm \
%endif
           --enable-hmac-binary-check \
           --enable-random=linux
make %{?_smp_mflags}

%if 0%{?build_hmac256}
# this is a hack that re-defines the __os_install_post macro
# for a simple reason: the macro strips the binaries and thereby
# invalidates a HMAC that may have been created earlier.
# solution: create the hashes _after_ the macro runs.
#
# this shows up earlier because otherwise the %%expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
    fipshmac %{buildroot}/%{_bindir}/hmac256
    fipshmac %{buildroot}/%{_libdir}/*.so.??
}}
%endif

%check
fipshmac src/.libs/libgcrypt.so.??
# Nice idea. however this uses /dev/random, which hangs
# on hardware without random feeds.
# so lets not run it inside OBS
make %{?_smp_mflags} check
# export LIBGCRYPT_FORCE_FIPS_MODE=1
# make -k check || true
# export -n LIBGCRYPT_FORCE_FIPS_MODE

%install
%make_install
rm %{buildroot}%{_libdir}/%{name}.la

# cavs
install -m 0755 -d %{buildroot}%{cavs_dir}
install -m 0755 %{SOURCE5} %{buildroot}%{cavs_dir}
install -m 0755 %{SOURCE6} %{buildroot}%{cavs_dir}

mv %{buildroot}%{_bindir}/fipsdrv %{buildroot}%{cavs_dir}
mv %{buildroot}%{_bindir}/drbg_test %{buildroot}%{cavs_dir}

# create the FIPS "module is complete" trigger file
%if 0%{?build_hmac256}
touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips
%endif

%post -n %{libsoname} -p /sbin/ldconfig
%postun -n %{libsoname} -p /sbin/ldconfig
%post devel
%install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz

%preun devel
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz

%files -n %{libsoname}
%license COPYING.LIB
%{_libdir}/%{name}.so.*
%if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.*.hmac
%endif # %%if 0%%{?build_hmac256}

%files -n %{libsoname}-hmac
%if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.*.fips
%endif # %%if 0%%{?build_hmac256}

%files devel
%license COPYING COPYING.LIB
%doc AUTHORS ChangeLog NEWS README THANKS TODO
%{_infodir}/gcrypt.info%{ext_info}
%{_bindir}/dumpsexp
%{_bindir}/mpicalc
%{_bindir}/%{name}-config
%{_libdir}/%{name}.so
%{_includedir}/gcrypt*.h
%{_datadir}/aclocal/%{name}.m4

%if 0%{?separate_hmac256_binary}
%files hmac256
%endif # %%if 0%%{?separate_hmac256_binary}
%{_bindir}/hmac256
%{_bindir}/.hmac256.hmac
%doc %{_mandir}/man1/hmac256.1*

%files cavs
%{_libexecdir}/%{name}

%changelog

Places

File libgcrypt.spec of Package libgcrypt

Places