#46 Add virtual package to pull in nettle/gmp dependencies for FIPS
Merged 7 days ago by ueno. Opened 2 years ago by ueno.

file modified
+31
@@ -41,6 +41,13 @@ 

  %endif

  

  

+ %define fips_requires() %{lua:

+ local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'")))

+ local v = f:read("*all")

+ f:close()

+ print("Requires: "..rpm.expand("%1%{?_isa}").." = "..v.."\\n")

+ }

+ 

  Summary: A TLS protocol implementation

  Name: gnutls

  # The libraries are LGPLv2.1+, utilities are GPLv3+
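Review bot: the macro never validates what rpm returned: if no provider of the queried name is installed in the buildroot, or rpm exits non-zero, `local v = f:read("*all")` yields an empty string and the emitted line is `Requires: nettle(x86-64) = `, which is not a valid dependency and fails the build with an unhelpful message; an `assert(v:match("^%d"), "no provider for "..rpm.expand("%1"))` after `f:close()` would fail at the macro with a clear one. The `assert` around `io.popen` only guards against failing to spawn the process, not against rpm finding nothing. Also, because the queryformat has no newline, two providers would be concatenated into one token, so the `%{?_isa}` qualifier in the `--whatprovides` argument is what keeps the query to a single package and must stay.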
@@ -71,6 +78,7 @@ 

  Requires: crypto-policies

  Requires: p11-kit-trust

  Requires: libtasn1 >= 4.3

+ # always bump when a nettle release is packaged

  Requires: nettle >= 3.9.1

  %if %{with tpm12}

  Recommends: trousers >= 0.3.11.2
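Review bot: the comment `# always bump when a nettle release is packaged` documents a manual step without saying what it achieves now that the fips subpackage pins nettle exactly; state that this floor only covers non-FIPS installs, so a future maintainer does not assume that bumping it is what enforces the HMAC match described in the PR.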
@@ -136,6 +144,14 @@ 

  Requires: %{name}%{?_isa} = %{version}-%{release}

  %endif

  

+ %if %{with fips}

+ %package fips

+ Summary: Virtual package to install packages required to use %{name} under FIPS mode

+ Requires: %{name}%{?_isa} = %{version}-%{release}

+ %{fips_requires nettle}

+ %{fips_requires gmp}

+ %endif

+ 
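Review bot: `%{fips_requires nettle}` and `%{fips_requires gmp}` pin to whatever nettle and gmp happen to be installed in the buildroot when rpm runs, and nothing in this hunk records that the value comes from the buildroot rather than from a declared dependency; add a comment next to these lines saying the pin is derived from the build environment and that gnutls-fips must be rebuilt whenever nettle or gmp is updated, since the integrity HMAC the PR describes is only valid for those exact builds.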

  %description

  GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 

  protocols and technologies around them. It provides a simple C language 
@@ -179,6 +195,17 @@ 

  TLS certificates through DNSSEC.

  %endif

  

+ %if %{with fips}

+ %description fips

+ GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 

+ protocols and technologies around them. It provides a simple C language 

+ application programming interface (API) to access the secure communications 

+ protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 

+ other required structures.

+ This package does not contain any file, but installs required packages

+ to use GnuTLS under FIPS mode.

+ %endif

+ 
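Review bot: `%description fips` repeats the base package description word for word before the two sentences that actually describe the subpackage; keep only those, and fix the grammar while at it: `This package does not contain any files, but installs the packages required to use GnuTLS under FIPS mode.`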

  %if %{with mingw}

  %package -n mingw32-%{name}

  Summary:        MinGW GnuTLS TLS/SSL encryption library
@@ -433,6 +460,10 @@ 

  %{_libdir}/libgnutls-dane.so.*

  %endif

  

+ %if %{with fips}

+ %files fips

+ %endif

+ 
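Review bot: an empty `%files fips` is correct for a metapackage, but keep the subpackage arch-specific (do not add `BuildArch: noarch` later): its generated Requires carry `%{?_isa}` and the exact EVR of the buildroot's nettle and gmp, which a noarch package would propagate to every architecture.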

  %if %{with mingw}

  %files -n mingw32-%{name}

  %license LICENSE doc/COPYING doc/COPYING.LESSER

This adds a new subpackage gnutls-fips with strict version
requirements to nettle and gmp under FIPS, as gnutls now calculates
library integrity (HMAC) over those libraries.

rebased onto b8b18b6cb27fb1c4acf65919d92d9b055583bfee

2 years ago

On current rawhide, it generates:

rpm -qR results_gnutls/3.7.6/6.fc37/gnutls-3.7.6-6.fc36.x86_64.rpm | grep '^\(nettle\|gmp\)'
gmp(x86-64) = 6.2.1-1.fc36
nettle(x86-64) = 3.8-1.fc37

Neat, didn't know it was possible. Less explicit to the reader, but I like the foolproofing. r+

Wait no, I take it back...

If a builder happens to be a multiarch machine, rpm will list the package version twice, resulting in an invalid version.

(a multiarch machine with two versions of the package coinstalled)

rebased onto 1e09d22

2 years ago

Yeah, good point; I've changed the selection option from -qa to -q --whatprovides 'nettle(x86-64)'.
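The multiarch failure mode discussed above, as an added example that is not code from this PR or the gnutls spec: a shell function (hypothetical name `fips_requires_line`) that performs the same pin as `%{fips_requires}` but refuses to emit a Requires line unless rpm returned exactly one well-formed EVR. It assumes the rpm output is captured one EVR per line, i.e. with a newline-terminated queryformat, and the sample outputs are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the gnutls spec or this PR: the pinning step of
# the %{fips_requires} macro redone as a shell function that rejects zero or
# several providers and malformed versions instead of printing whatever rpm
# wrote. With the earlier -qa form, a multiarch host with x86_64 and i686
# nettle coinstalled produced two versions run together into one bogus string.
# Assumption: output captured with rpm -q --qf '%{EVR}\n' --whatprovides ...,
# so there is one EVR per line.

# fips_requires_line NAME ISA EVR_OUTPUT
#   NAME and ISA form the provide being queried, e.g. nettle and '(x86-64)';
#   EVR_OUTPUT is rpm's stdout for that query (passed in as a string here).
# Prints "Requires: NAME ISA = EVR" on success; diagnostic and status 1 otherwise.
fips_requires_line() {
    name=$1 isa=$2 out=$3
    # grep -c exits 1 when it counts zero lines; keep the count, not the status
    count=$(printf '%s\n' "$out" | grep -c . || true)
    case $count in
        0) echo "fips_requires: no provider of ${name}${isa} in buildroot" >&2; return 1 ;;
        1) ;;
        *) echo "fips_requires: ${count} providers of ${name}${isa}, refusing to pin" >&2; return 1 ;;
    esac
    evr=$(printf '%s\n' "$out" | grep .)
    # [epoch:]version-release with no whitespace; anything else is not pinnable
    printf '%s\n' "$evr" | grep -Eq '^([0-9]+:)?[^[:space:]-]+-[^[:space:]-]+$' || {
        echo "fips_requires: malformed EVR '${evr}'" >&2; return 1; }
    printf 'Requires: %s%s = %s\n' "$name" "$isa" "$evr"
}

# Constructed sample outputs (not captured from a real build host):
SINGLE='3.9.1-6.fc40'                 # one provider: the wanted case
MULTIARCH='3.9.1-6.fc40
3.9.1-6.fc40'                         # x86_64 + i686 coinstalled, -qa style
EMPTY=''                              # package missing from the buildroot

fips_requires_line nettle '(x86-64)' "$SINGLE"
fips_requires_line gmp '(x86-64)' "$MULTIARCH" || echo "(rejected as expected)"
fips_requires_line gmp '(x86-64)' "$EMPTY" || echo "(rejected as expected)"
```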

rebased onto d925431

a month ago

Ah, so the idea is that bodhi/installability tests etc. won't import a new package into -updates or CentOS/RHEL as long as gnutls-fips is uninstallable? That could help indeed.

I just have to ask: Why not simply tighten the dependencies on gnutls itself? It already depends on gmp and nettle, so this doesn't reduce the dependencies that way. (If the above works that seems ok to me, I'm just curious why this is better)

Thanks!

(Build failed with error: Package has no %description: gnutls-fips, BTW)

rebased onto 392edaa

a month ago

rebased onto 70ac3cf

a month ago

rebased onto 086be23

a month ago

rebased onto 5afb6dd

a month ago

> I just have to ask: Why not simply tighten the dependencies on gnutls itself? It already depends on gmp and nettle, so this doesn't reduce the dependencies that way. (If the above works that seems ok to me, I'm just curious why this is better)

That was actually the original approach here, though I wanted to start with a limited scope (i.e., non-FIPS consumers are not affected), because I find it quite hackish to generate Requires: with lua/rpm during rpmbuild. If it turns out reliable, we could merge it into the main package.

> (Build failed with error: Package has no %description: gnutls-fips, BTW)

Thank you for spotting this; I've fixed it along with a couple of other issues.

rebased onto a1c8d53

a month ago

rebased onto 42b1096

21 days ago

Minor update: @hkario suggested keeping "Requires: nettle >= 3.9.1" in the base package as it wouldn't hurt to have multiple Requires as long as they are treated as AND. I updated the PR along that line.

r+

Not much differs from 1e09d22, so I've focused on the aspect of not locking the package with HMACs directly to the referenced nettle and gmp, but rather binding the three together with a fourth, newly introduced package. That seems to hold.

Scenarios I've tested:

  1. an attempt to update nettle with gnutls-fips installed is inhibited with

- package gnutls-fips-3.8.5-1.fc40_fingertip.x86_64 from @System requires nettle(x86-64) = 3.9.1-6.fc40, but none of the providers can be installed

  2. an attempt to install a mismatching gnutls alongside an installed gnutls-fips of a different version is inhibited with

- package gnutls-fips-3.8.5-1.fc40_fingertip.x86_64 from @System requires gnutls(x86-64) = 3.8.5-1.fc40_fingertip, but none of the providers can be installed
- package gnutls-fips-3.8.5-1.fc40_fingertip.x86_64 from fingertip-local-gnutls requires gnutls(x86-64) = 3.8.5-1.fc40_fingertip, but none of the providers can be installed

Thanks for checking; merging this now!

Pull-Request has been merged by ueno

7 days ago