diff --git a/baselibs.conf b/baselibs.conf
index 166beb0..a018a0a 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,7 +1,8 @@
libgcrypt20
- obsoletes "libgcrypt- <= "
provides "libgcrypt- = "
-libgcrypt20-hmac
+ obsoletes "libgcrypt- <= "
+ provides "libgcrypt20-hmac- = -%release"
+ obsoletes "libgcrypt20-hmac- < -%release"
libgcrypt-devel
- requires -libgcrypt-
- requires "libgcrypt20- = "
+ requires -libgcrypt-
+ requires "libgcrypt20- = "
diff --git a/hwf.deny b/hwf.deny
index c030ceb..2236468 100644
--- a/hwf.deny
+++ b/hwf.deny
@@ -1,6 +1,5 @@
# This file can be used to globally disable the use of hardware
# based optimizations. Supported options are:
-
# padlock-rng
# padlock-aes
# padlock-sha
diff --git a/libgcrypt-1.10.0-use-fipscheck.patch b/libgcrypt-1.10.0-use-fipscheck.patch
deleted file mode 100644
index ef1d5f9..0000000
--- a/libgcrypt-1.10.0-use-fipscheck.patch
+++ /dev/null
@@ -1,114 +0,0 @@ -Index: libgcrypt-1.10.1/src/fips.c -=================================================================== ---- libgcrypt-1.10.1.orig/src/fips.c -+++ libgcrypt-1.10.1/src/fips.c -@@ -949,6 +949,65 @@ hmac256_check (const char *filename, con - return err; - } - -+static int -+get_library_path(const char *libname, const char *symbolname, -+ char *path, size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) -+ return -1; -+ -+ sym = dlsym(dl, symbolname); -+ if (sym != NULL && dladdr(sym, &info)) -+ { -+ strncpy(path, info.dli_fname, pathlen-1); -+ path[pathlen-1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+ -+static gpg_error_t -+get_hmac_path(char **fname, char *suffix) -+{ -+ char libpath[4096]; -+ gpg_error_t err; -+ -+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version", -+ libpath, sizeof(libpath))) -+ err = gpg_error_from_syserror (); -+ else -+ { -+ *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 ); -+ if (!*fname) -+ err = gpg_error_from_syserror (); -+ else -+ { -+ char *p; -+ -+ /* Prefix the basename with a dot. */ -+ strcpy (*fname, libpath); -+ p = strrchr (*fname, '/'); -+ if (p) -+ p++; -+ else -+ p = *fname; -+ memmove (p+1, p, strlen (p)+1); -+ *p = '.'; -+ strcat (*fname, suffix); -+ err = 0; -+ } -+ } -+ return err; -+} -+ - /* Run an integrity check on the binary. Returns 0 on success. 
*/ - static int - check_binary_integrity (void) -@@ -997,6 +1056,33 @@ run_hmac_sha256_selftests (int extended) - } - #endif - -+int -+can_skip_selftests(void) -+{ -+ char *fname = NULL; -+ int ret = 0; -+ -+ if (fips_mode()) -+ return 0; -+ -+ if (get_hmac_path(&fname, ".fips")) -+ return 0; -+ -+ /* check the hmac presence */ -+ if (access(fname, F_OK)) -+ /* no hmac file is present, don't run the tests */ -+ if (errno == ENOENT) -+ ret = 1; -+ /* otherwise one of these events happened: -+ * access() returned 0 -+ * -> run the tests -+ * some error other than ENOENT occurred -+ * -> run the tests anyway and let them fail -+ */ -+ -+ xfree(fname); -+ return ret; -+} - - /* Run the self-tests. If EXTENDED is true, extended versions of the - selftest are run, that is more tests than required by FIPS. */ -@@ -1006,6 +1092,9 @@ _gcry_fips_run_selftests (int extended) - enum module_states result = STATE_ERROR; - gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED; - -+ if (can_skip_selftests()) -+ return 0; -+ - if (fips_mode ()) - fips_new_state (STATE_SELFTEST); -
diff --git a/libgcrypt.changes b/libgcrypt.changes
index f36a23a..80dbdd7 100644
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal
+
+- FIPS: Merge the libgcrypt20-hmac package into the library and
+ remove the "module is complete" trigger file .fips [bsc#1185116]
+ * Remove libgcrypt-1.10.0-use-fipscheck.patch
+
-------------------------------------------------------------------
Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 9ffc528..3d7ea32 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -16,7 +16,6 @@
#
-%define build_hmac256 1
%define libsover 20
%define libsoname %{name}%{libsover}
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
@@ -49,8 +48,6 @@ Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
Patch103: libgcrypt-jitterentropy-3.4.0.patch
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
Patch104: libgcrypt-FIPS-rndjent_poll.patch
-#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
-Patch105: libgcrypt-1.10.0-use-fipscheck.patch
BuildRequires: automake >= 1.14
BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libtool
@@ -68,23 +65,13 @@ understanding of applied cryptography is required to use Libgcrypt.
Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: System/Libraries
-Suggests: %{libsoname}-hmac = %{version}-%{release}
+Provides: %{libsoname}-hmac = %{version}-%{release}
+Obsoletes: %{libsoname}-hmac < %{version}-%{release}
%description -n %{libsoname}
Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version).
-%package -n %{libsoname}-hmac
-Summary: HMAC checksums for the GNU Crypto Library
-License: GPL-2.0-or-later AND LGPL-2.1-or-later
-Group: System/Libraries
-Requires: %{libsoname} = %{version}-%{release}
-
-%description -n %{libsoname}-hmac
-Libgcrypt is a general purpose crypto library based on the code used in
-GnuPG (alpha version). This package contains the HMAC checksum files
-for integrity checking the library, as required by FIPS 140-2.
-
%package devel
Summary: The GNU Crypto Library
License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
@@ -109,8 +96,6 @@ library.
sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in
%build
-echo building with build_hmac256 set to %{build_hmac256}
-
export PUBKEYS="dsa elgamal rsa ecc"
export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
@@ -139,18 +124,13 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
%make_build
%check
-%make_build check
+make -k check
# run the regression tests also in FIPS mode
-LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
# Install the FIPS hmac file
cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
-# create the FIPS "module is complete" trigger file
-%if 0%{?build_hmac256}
-touch %{buildroot}%{_libdir}/.%{name}.so.%{libsover}.fips
-%endif
-
%install
%make_install
rm %{buildroot}%{_libdir}/%{name}.la
@@ -170,12 +150,7 @@ install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
-
-%files -n %{libsoname}-hmac
%{_libdir}/.libgcrypt.so.*.hmac
-%if 0%{?build_hmac256}
-%{_libdir}/.libgcrypt.so.*.fips
-%endif
%files devel
%license COPYING COPYING.LIB LICENSES
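Review bot: Dropping `VERBOSE=1` from the FIPS-mode test run in the `%check` hunk leaves that run with no diagnostics at all, because its exit status is already discarded by the surviving `|| true`; a self-test that fails only under `LIBGCRYPT_FORCE_FIPS_MODE=1` would now leave no trace in the build log. Keeping `LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true`, or printing the test-suite log files right after that line, preserves the signal. The non-FIPS `make -k check` still fails the build on any test failure, since `-k` only defers the non-zero exit to the end of the run, but it no longer receives the parallel flags `%make_build check` carried, which is presumably intentional. With the `-hmac` subpackage gone, the `cp` of `src/.libgcrypt.so.%{libsover}.hmac` under `%check` is now the only step producing the integrity-check file shipped by the main library package; a comment such as `# HMAC for the FIPS integrity check; shipped in %{libsoname} since the -hmac subpackage was merged` would make that link visible to the next maintainer.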