# # spec file for package libgcrypt # # Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define build_hmac256 1 %define separate_hmac256_binary 0 %define libsoname %{name}20 %define sosuffix 20.0.1 %define cavs_dir %{_libexecdir}/%{name}/cavs Name: libgcrypt Version: 1.6.1 Release: 0 Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later Group: Development/Libraries/C and C++ URL: http://directory.fsf.org/wiki/Libgcrypt Source: ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2 Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig Source2: baselibs.conf # http://www.gnupg.org/signature_key.en.html Source4: %{name}.keyring # cavs test framework Source5: cavs-test.sh Source6: cavs_driver.pl Patch0: %{name}-ppc64.patch Patch1: %{name}-strict-aliasing.patch Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch Patch4: %{name}-sparcv9.diff #PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS) #was: libgcrypt-1.5.0-as-needed.patch Patch5: libgcrypt-unresolved-dladdr.patch #PATCH-FIX-SUSE: N/A Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff #PATCH-FIX-UPSTREAM: internal functions are supposed to be used inside libgcrypt, mvyskocil@suse.com Patch8: libgcrypt-1.6.0-use-intenal-functions.patch Patch11: libgcrypt-fixed-sizet.patch Patch12: libgcrypt-1.6.1-use-fipscheck.patch Patch13: libgcrypt-1.6.1-fips-cavs.patch #PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch # add support for SP800-90A DRBG (fate#316929, bnc#856312) Patch21: v10-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch Patch28: libgcrypt-fix-rng.patch Patch29: libgcrypt-init-at-elf-load-fips.patch Patch30: libgcrypt-fips_add_drbg_cavs_test.patch Patch31: libgcrypt-fips-dsa.patch Patch33: libgcrypt-fips_ecdsa.patch Patch34: libgcrypt-fips_PKBKDF_missing_step1.patch Patch32: libgcrypt-fips_run_selftest_at_constructor.patch Patch35: calculate-fips-checksum-after-build.patch Patch36: disable-algorithms-that-are-not-allowed-in-fips.patch Patch37: RSA-FIPS-186-4-adjustments.patch Patch38: skip-GCM-for-FIPS.patch Patch39: fix-test-suite-for-RSA-in-fips-mode.patch Patch41: libgcrypt-fips_enable_hardware_support.patch Patch42: libgcrypt-fips_fipsdrv.patch Patch43: libgcrypt-fips_cavs_rsa_keygen.patch Patch50: libgcrypt-fips_rsa_keygen.patch Patch51: libgcrypt-fips_KAT_keygen_test.patch Patch52: libgcrypt-fips_testsuite.patch Patch53: libgcrypt-fips_handle_priming_error_in_drbg.patch Patch54: libgcrypt-fips_pss.patch Patch55: libgcrypt-fips_rsa_p_less_than_q.patch Patch60: libgcrypt-CVE-2014-3591.patch Patch61: libgcrypt-1.6.1-drbg-reseeding.patch Patch62: drbg_test-reseeding.patch Patch63: libgcrypt-secmem_dont_drop_privilege.patch Patch64: libgcrypt-CVE-2015-0837-1.patch Patch65: libgcrypt-CVE-2015-0837-2.patch Patch66: libgcrypt-CVE-2015-0837-3.patch Patch67: libgcrypt-bsc932232-avoid-drbg-crash-with-fips.patch Patch68: libgcrypt-CVE-2015-7511.patch Patch69: libgcrypt-CVE-2016-6313-1.patch Patch70: libgcrypt-CVE-2016-6313-2.patch #PATCH-FIX-UPSTREAM -- pmonrealgonzalez@suse.com bsc#1042326 timing attack on EdDSA session key Patch71: libgcrypt-secure-EdDSA-session-key.patch #PATCH-FIX-UPSTREAM -- pmonrealgonzalez@suse.com bsc#1046607 Hardening against local side-channel attack Patch72: libgcrypt-CVE-2017-7526-1.6.1-1.patch Patch73: libgcrypt-CVE-2017-7526-1.6.1-2.patch Patch74: libgcrypt-fips-use_dlopen_to_get_hmac_path.patch Patch75: libgcrypt-fips_dont_seed_drbg_in_selftests.patch Patch76: libgcrypt-fips_drbg_healthcheck_sanity_bug.patch Patch77: libgcrypt-fips_avoid_clash_with_gkd.patch #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign Patch78: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify Patch79: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch #PATCH-FIX-UPSTREAM bsc#1097410 fix novel side-channel attack Patch80: CVE-2018-0495.patch Patch81: libgcrypt-binary_integrity_in_non-FIPS.patch #PATCH-FIX-UPSTREAM bsc#1148987 CVE-2019-13627 Mitigation against an ECDSA timing attack Patch82: libgcrypt-CVE-2019-13627.patch #PATCH-FIX-SUSE bsc#1155338 bsc#1155338 FIPS: CMAC AES and TDES self tests missing Patch83: libgcrypt-CMAC-AES-TDES-selftest.patch #PATCH-FIX-SUSE bsc#1162879 Relax the entropy requirements on selftests during boot Patch84: libgcrypt-rsa-no-blinding.patch Patch85: libgcrypt-ecc-ecdsa-no-blinding.patch BuildRequires: automake >= 1.11 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.11 BuildRequires: libtool BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. %package -n %{libsoname} Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Development/Libraries/C and C++ Suggests: %{libsoname}-hmac = %{version}-%{release} %description -n %{libsoname} Libgcrypt is a general purpose crypto library based on the code used in GnuPG (alpha version). %package -n %{libsoname}-hmac Summary: HMAC checksums for the GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version}-%{release} %description -n %{libsoname}-hmac Libgcrypt is a general purpose crypto library based on the code used in GnuPG (alpha version). This package contains the HMAC checksum files for integrity checking the library, as required by FIPS 140-2. %package devel Summary: The GNU Crypto Library License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} Requires: glibc-devel Requires: libgpg-error-devel >= 1.8 Requires(post): %{install_info_prereq} %description devel Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. This package contains needed files to compile and link against the library. %package cavs Summary: The GNU Crypto Library License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} Requires: %{libsoname}-hmac %description cavs CAVS testing framework for libgcrypt %if 0%{?separate_hmac256_binary} %package hmac256 Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} Requires: libgpg-error-devel Requires(post): %{install_info_prereq} %description hmac256 Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. %endif # #if separate_hmac256_binary %prep %setup -q %patch0 -p1 %patch1 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch7 -p1 %patch8 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 %patch21 -p1 %patch28 -p1 %patch29 -p1 %patch30 -p1 %patch31 -p1 %patch33 -p1 %patch34 -p1 %patch32 -p1 %patch35 -p1 %patch36 -p1 %patch37 -p1 %patch38 -p1 %patch39 -p1 %patch41 -p1 %patch42 -p1 %patch43 -p1 %patch50 -p1 %patch51 -p1 %patch52 -p1 %patch53 -p1 %patch54 -p1 %patch55 -p1 %patch60 -p1 %patch61 -p1 %patch62 -p1 %patch63 -p1 %patch64 -p1 %patch65 -p1 %patch66 -p1 %patch67 -p1 %patch68 -p1 %patch69 -p1 %patch70 -p1 %patch71 -p1 %patch72 -p1 %patch73 -p1 %patch74 -p1 %patch75 -p1 %patch76 -p1 %patch77 -p1 %patch78 -p1 %patch79 -p1 %patch80 -p1 %patch81 -p1 %patch82 -p1 %patch83 -p1 %patch84 -p1 %patch85 -p1 %build echo building with build_hmac256 set to %{build_hmac256} %{?suse_update_config} autoreconf -fi export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)" %configure --with-pic \ --enable-noexecstack \ --disable-static \ --enable-m-guard \ %ifarch %{sparc} --disable-asm \ %endif --enable-hmac-binary-check \ --enable-random=linux make %{?_smp_mflags} %if 0%{?build_hmac256} # this is a hack that re-defines the __os_install_post macro # for a simple reason: the macro strips the binaries and thereby # invalidates a HMAC that may have been created earlier. # solution: create the hashes _after_ the macro runs. # # this shows up earlier because otherwise the %expand of # the macro is too late. %{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_bindir}/hmac256 fipshmac %{buildroot}/%{_libdir}/*.so.?? }} %endif %check fipshmac src/.libs/libgcrypt.so.?? # Nice idea. however this uses /dev/random, which hangs # on hardware without random feeds. # so lets not run it inside OBS # make check || true # export LIBGCRYPT_FORCE_FIPS_MODE=1 # make -k check || true # export -n LIBGCRYPT_FORCE_FIPS_MODE %install make DESTDIR=%{buildroot} install %{?_smp_mflags} rm %{buildroot}%{_libdir}/%{name}.la # cavs install -m 0755 -d %{buildroot}%{cavs_dir} install -m 0755 %{SOURCE5} %{buildroot}%{cavs_dir} install -m 0755 %{SOURCE6} %{buildroot}%{cavs_dir} mv %{buildroot}%{_bindir}/fipsdrv %{buildroot}%{cavs_dir} mv %{buildroot}%{_bindir}/gcrypt_rsagtest %{buildroot}%{cavs_dir} mv %{buildroot}%{_bindir}/drbg_test %{buildroot}%{cavs_dir} %post -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig %post devel %install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz %install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info-1.gz %install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info-2.gz %postun devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz %install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info-1.gz %install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info-2.gz %files -n %{libsoname} %defattr(-,root,root) %doc COPYING.LIB %{_libdir}/%{name}.so.* %files -n %{libsoname}-hmac %defattr(-,root,root) %if 0%{?build_hmac256} %{_libdir}/.libgcrypt.so.*.hmac %endif # %if 0%{?build_hmac256} %files devel %defattr(-,root,root) %doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO %{_infodir}/gcrypt.info.gz %{_infodir}/gcrypt.info-1.gz %{_infodir}/gcrypt.info-2.gz %{_bindir}/dumpsexp %{_bindir}/mpicalc %{_bindir}/%{name}-config %{_libdir}/%{name}.so %{_includedir}/gcrypt*.h %{_datadir}/aclocal/%{name}.m4 %if 0%{?separate_hmac256_binary} %files hmac256 %defattr(-,root,root) %endif # %if 0%{?separate_hmac256_binary} %{_bindir}/hmac256 %{_bindir}/.hmac256.hmac %doc %{_mandir}/man1/hmac256.1* %files cavs %defattr(-,root,root) %{_libexecdir}/%{name} %changelog