Accepting request 1088864 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- FIPS: Merge the libgcrypt20-hmac package into the library and remove the "module is complete" trigger file .fips [bsc#1185116] * Remove libgcrypt-1.10.0-use-fipscheck.patch OBS-URL: https://build.opensuse.org/request/show/1088864 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=168
2023-05-25 10:47:22 +00:00 · 2023-05-25 10:47:22 +00:00 · 20cf449281
commit 20cf449281
parent d2525ea576
5 changed files with 16 additions and 148 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,7 +1,8 @@
 libgcrypt20
-  obsoletes "libgcrypt-<targettype> <= <version>"
  provides "libgcrypt-<targettype> = <version>"
-libgcrypt20-hmac
+  obsoletes "libgcrypt-<targettype> <= <version>"
+  provides "libgcrypt20-hmac-<targettype> = <version>-%release"
+  obsoletes "libgcrypt20-hmac-<targettype> < <version>-%release"
 libgcrypt-devel
- requires -libgcrypt-<targettype>
- requires "libgcrypt20-<targettype> = <version>"
+  requires -libgcrypt-<targettype>
+  requires "libgcrypt20-<targettype> = <version>"
--- a/hwf.deny
+++ b/hwf.deny
@ -1,6 +1,5 @@
 # This file can be used to globally disable the use of hardware
 # based optimizations. Supported options are:
-
 # padlock-rng
 # padlock-aes
 # padlock-sha
--- a/libgcrypt-1.10.0-use-fipscheck.patch
+++ b/libgcrypt-1.10.0-use-fipscheck.patch
@ -1,114 +0,0 @@
-Index: libgcrypt-1.10.1/src/fips.c
-===================================================================
--- libgcrypt-1.10.1.orig/src/fips.c
-+++ libgcrypt-1.10.1/src/fips.c
-@@ -949,6 +949,65 @@ hmac256_check (const char *filename, con
-   return err;
- }
- 
-+static int
-+get_library_path(const char *libname, const char *symbolname,
-+                 char *path, size_t pathlen)
-+{
-+  Dl_info info;
-+  void *dl, *sym;
-+  int rv = -1;
-+
-+  dl = dlopen(libname, RTLD_LAZY);
-+  if (dl == NULL)
-+    return -1;
-+
-+  sym = dlsym(dl, symbolname);
-+  if (sym != NULL && dladdr(sym, &info))
-+    {
-+      strncpy(path, info.dli_fname, pathlen-1);
-+      path[pathlen-1] = '\0';
-+      rv = 0;
-+    }
-+
-+  dlclose(dl);
-+
-+  return rv;
-+}
-+
-+static gpg_error_t
-+get_hmac_path(char **fname, char *suffix)
-+{
-+  char libpath[4096];
-+  gpg_error_t err;
-+
-+  if (get_library_path ("libgcrypt.so.20", "gcry_check_version",
-+                        libpath, sizeof(libpath)))
-+    err = gpg_error_from_syserror ();
-+  else
-+    {
-+      *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
-+      if (!*fname)
-+        err = gpg_error_from_syserror ();
-+      else
-+        {
-+          char *p;
-+
-+          /* Prefix the basename with a dot.  */
-+          strcpy (*fname, libpath);
-+          p = strrchr (*fname, '/');
-+          if (p)
-+            p++;
-+          else
-+            p = *fname;
-+          memmove (p+1, p, strlen (p)+1);
-+          *p = '.';
-+          strcat (*fname, suffix);
-+          err = 0;
-+      }
-+    }
-+  return err;
-+}
-+
- /* Run an integrity check on the binary.  Returns 0 on success.  */
- static int
- check_binary_integrity (void)
-@@ -997,6 +1056,33 @@ run_hmac_sha256_selftests (int extended)
- }
- #endif
- 
-+int
-+can_skip_selftests(void)
-+{
-+  char *fname = NULL;
-+  int ret = 0;
-+
-+  if (fips_mode())
-+    return 0;
-+
-+  if (get_hmac_path(&fname, ".fips"))
-+    return 0;
-+
-+  /* check the hmac presence */
-+  if (access(fname, F_OK))
-+    /* no hmac file is present, don't run the tests */
-+    if (errno == ENOENT)
-+      ret = 1;
-+  /* otherwise one of these events happened:
-+   * access() returned 0
-+   *   -> run the tests
-+   * some error other than ENOENT occurred
-+   *   -> run the tests anyway and let them fail
-+   */
-+
-+  xfree(fname);
-+  return ret;
-+}
- 
- /* Run the self-tests.  If EXTENDED is true, extended versions of the
-    selftest are run, that is more tests than required by FIPS.  */
-@@ -1006,6 +1092,9 @@ _gcry_fips_run_selftests (int extended)
-   enum module_states result = STATE_ERROR;
-   gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
- 
-+  if (can_skip_selftests())
-+    return 0;
-+
-   if (fips_mode ())
-     fips_new_state (STATE_SELFTEST);
- 
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Merge the libgcrypt20-hmac package into the library and
+  remove the "module is complete" trigger file .fips [bsc#1185116]
+  * Remove libgcrypt-1.10.0-use-fipscheck.patch
+
 -------------------------------------------------------------------
 Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -16,7 +16,6 @@
 #


-%define build_hmac256 1
 %define libsover 20
 %define libsoname %{name}%{libsover}
 %define hmac_key orboDeJITITejsirpADONivirpUkvarP
@ -49,8 +48,6 @@ Patch102:       libgcrypt-FIPS-SLI-hash-mac.patch
 Patch103:       libgcrypt-jitterentropy-3.4.0.patch
 #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
 Patch104:       libgcrypt-FIPS-rndjent_poll.patch
-#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
-Patch105:       libgcrypt-1.10.0-use-fipscheck.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  libgpg-error-devel >= 1.27
 BuildRequires:  libtool
@ -68,23 +65,13 @@ understanding of applied cryptography is required to use Libgcrypt.
 Summary:        The GNU Crypto Library
 License:        GPL-2.0-or-later AND LGPL-2.1-or-later
 Group:          System/Libraries
-Suggests:       %{libsoname}-hmac = %{version}-%{release}
+Provides:       %{libsoname}-hmac = %{version}-%{release}
+Obsoletes:      %{libsoname}-hmac < %{version}-%{release}

 %description -n %{libsoname}
 Libgcrypt is a general purpose crypto library based on the code used in
 GnuPG (alpha version).

-%package -n %{libsoname}-hmac
-Summary:        HMAC checksums for the GNU Crypto Library
-License:        GPL-2.0-or-later AND LGPL-2.1-or-later
-Group:          System/Libraries
-Requires:       %{libsoname} = %{version}-%{release}
-
-%description -n %{libsoname}-hmac
-Libgcrypt is a general purpose crypto library based on the code used in
-GnuPG (alpha version). This package contains the HMAC checksum files
-for integrity checking the library, as required by FIPS 140-2.
-
 %package devel
 Summary:        The GNU Crypto Library
 License:        GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
@ -109,8 +96,6 @@ library.
 sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in

 %build
-echo building with build_hmac256 set to %{build_hmac256}
-
 export PUBKEYS="dsa elgamal rsa ecc"
 export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
 export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
@ -139,18 +124,13 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
 %make_build

 %check
-%make_build check
+make -k check
 # run the regression tests also in FIPS mode
-LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true

 # Install the FIPS hmac file
 cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/

-# create the FIPS "module is complete" trigger file
-%if 0%{?build_hmac256}
-touch %{buildroot}%{_libdir}/.%{name}.so.%{libsover}.fips
-%endif
-
 %install
 %make_install
 rm %{buildroot}%{_libdir}/%{name}.la
@ -170,12 +150,7 @@ install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
 %dir %{_sysconfdir}/gcrypt
 %config(noreplace) %{_sysconfdir}/gcrypt/random.conf
 %config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
-
-%files -n %{libsoname}-hmac
 %{_libdir}/.libgcrypt.so.*.hmac
-%if 0%{?build_hmac256}
-%{_libdir}/.libgcrypt.so.*.fips
-%endif

 %files devel
 %license COPYING COPYING.LIB LICENSES