diff --git a/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch b/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
new file mode 100644
index 0000000..80710ce
--- /dev/null
+++ b/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
@@ -0,0 +1,65 @@
+Index: libgcrypt-1.6.1/tests/fipsdrv.c
+===================================================================
+--- libgcrypt-1.6.1.orig/tests/fipsdrv.c
++++ libgcrypt-1.6.1/tests/fipsdrv.c
+@@ -2190,11 +2190,12 @@ dsa_hash_from_key(gcry_sexp_t s_key)
+ return GCRY_MD_NONE;
+ }
+
+-
++
+ /* Sign DATA of length DATALEN using the key taken from the S-expression
+ encoded KEYFILE. */
+ static void
+-run_dsa_sign (const void *data, size_t datalen, const char *keyfile)
++run_dsa_sign (const void *data, size_t datalen,
++ int hashalgo, const char *keyfile)
+
+ {
+ gpg_error_t err;
+@@ -2202,13 +2203,20 @@ run_dsa_sign (const void *data, size_t d
+ char hash[128];
+ gcry_mpi_t tmpmpi;
+ int algo;
++ int algo_len;
++ int hashalgo_len;
+
+ s_key = read_sexp_from_file (keyfile);
+ algo = dsa_hash_from_key(s_key);
++ algo_len = gcry_md_get_algo_dlen(algo);
++ hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
+
+- gcry_md_hash_buffer (algo, hash, data, datalen);
++ if (hashalgo_len < algo_len)
++ algo_len = hashalgo_len;
++
++ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
+ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
+- gcry_md_get_algo_dlen(algo), NULL);
++ algo_len, NULL);
+ if (!err)
+ {
+ err = gcry_sexp_build (&s_data, NULL,
+@@ -3000,14 +3008,21 @@ main (int argc, char **argv)
+ }
+ else if (!strcmp (mode_string, "dsa-sign"))
+ {
++ int algo;
++
+ if (!key_string)
+ die ("option --key is required in this mode\n");
+ if (access (key_string, R_OK))
+ die ("option --key needs to specify an existing keyfile\n");
++ if (!algo_string)
++ die ("option --algo is required in this mode\n");
++ algo = gcry_md_map_name (algo_string);
++ if (!algo)
++ die ("digest algorithm `%s' is not supported\n", algo_string);
+ if (!data)
+ die ("no data available (do not use --chunk)\n");
+
+- run_dsa_sign (data, datalen, key_string);
++ run_dsa_sign (data, datalen, algo, key_string);
+ }
+ else if (!strcmp (mode_string, "dsa-verify"))
+ {
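Review bot: In run_dsa_sign, nothing rejects a zero digest length before `gcry_mpi_scan`: the context at the top of the patch shows dsa_hash_from_key() can return GCRY_MD_NONE, for which gcry_md_get_algo_dlen() should yield 0, and the new clamp then leaves `algo_len` at 0 even though the `--algo` digest was computed. The driver would then build and sign an empty value instead of failing, which in a FIPS SigGen run reads like a library result rather than an unusable key file. I would add `if (algo_len <= 0 || hashalgo_len <= 0) die ("cannot determine digest length for key or --algo\n");` right after the two gcry_md_get_algo_dlen() calls. The dsa-verify patch has the same sequence in run_dsa_verify. The body of run_dsa_sign continues outside the hunk.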
diff --git a/libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch b/libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
new file mode 100644
index 0000000..2fb06f3
--- /dev/null
+++ b/libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
@@ -0,0 +1,64 @@
+--- libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:39:56.080098385 +0000
++++ libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:41:15.780098385 +0000
+@@ -2288,7 +2288,7 @@ run_dsa_sign (const void *data, size_t d
+ S-expression in KEYFILE against the S-expression formatted
+ signature in SIGFILE. */
+ static void
+-run_dsa_verify (const void *data, size_t datalen,
++run_dsa_verify (const void *data, size_t datalen, int hashalgo,
+ const char *keyfile, const char *sigfile)
+
+ {
+@@ -2297,15 +2297,23 @@ run_dsa_verify (const void *data, size_t
+ char hash[128];
+ gcry_mpi_t tmpmpi;
+ int algo;
++ int algo_len;
++ int hashalgo_len;
+
+ s_key = read_sexp_from_file (keyfile);
+ algo = dsa_hash_from_key(s_key);
+
+- gcry_md_hash_buffer (algo, hash, data, datalen);
++ algo_len = gcry_md_get_algo_dlen(algo);
++ hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
++
++ if (hashalgo_len < algo_len)
++ algo_len = hashalgo_len;
++
++ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
+ /* Note that we can't simply use %b with HASH to build the
+ S-expression, because that might yield a negative value. */
+ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
+- gcry_md_get_algo_dlen(algo), NULL);
++ algo_len, NULL);
+ if (!err)
+ {
+ err = gcry_sexp_build (&s_data, NULL,
+@@ -3011,10 +3019,17 @@ main (int argc, char **argv)
+ }
+ else if (!strcmp (mode_string, "dsa-verify"))
+ {
++ int algo;
++
+ if (!key_string)
+ die ("option --key is required in this mode\n");
+ if (access (key_string, R_OK))
+ die ("option --key needs to specify an existing keyfile\n");
++ if (!algo_string)
++ die ("option --algo is required in this mode\n");
++ algo = gcry_md_map_name (algo_string);
++ if (!algo)
++ die ("digest algorithm `%s' is not supported\n", algo_string);
+ if (!data)
+ die ("no data available (do not use --chunk)\n");
+ if (!signature_string)
+@@ -3022,7 +3037,7 @@ main (int argc, char **argv)
+ if (access (signature_string, R_OK))
+ die ("option --signature needs to specify an existing file\n");
+
+- run_dsa_verify (data, datalen, key_string, signature_string);
++ run_dsa_verify (data, datalen, algo, key_string, signature_string);
+ }
+ else if (!strcmp (mode_string, "ecdsa-gen-key"))
+ {
diff --git a/libgcrypt.changes b/libgcrypt.changes
index 52f258e..732ca6d 100644
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Mar 29 06:37:44 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Extended the fipsdrv dsa-sign and dsa-verify commands with the
+ --algo parameter for the FIPS testing of DSA SigVer and SigGen
+ (bsc#1064455).
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
+
 -------------------------------------------------------------------
 Thu Feb 22 15:10:36 UTC 2018 - fvogt@suse.com
 
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 066d554..dc27c5f 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
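Review bot: In run_dsa_verify (dsa-verify patch), `gcry_md_hash_buffer (hashalgo, hash, data, datalen)` now writes the full digest of whatever algorithm `--algo` names into the fixed `char hash[128]`, and neither this function nor the dsa-verify branch of main compares the digest length with the buffer size. Before the change the algorithm came only from dsa_hash_from_key(), which presumably limits it to the digests that match the key size, whereas gcry_md_map_name() accepts any digest name the library knows. The digests shipped with this libgcrypt version probably all fit, but a guard makes that assumption explicit: `if (hashalgo_len > (int) sizeof hash) die ("digest of --algo does not fit the hash buffer\n");` before the gcry_md_hash_buffer call. run_dsa_sign in the dsa-sign patch uses the same buffer and call. The function body starts and ends outside the hunk.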
@@ -56,6 +56,10 @@ Patch30: drbg_test.patch
 #PATCH-FIX-SUSE run FIPS self-test from constructor
 Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
 Patch34: libgcrypt-1.6.3-aliasing.patch
+#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
+Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
+Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
 BuildRequires: automake >= 1.14
 BuildRequires: fipscheck
 BuildRequires: libgpg-error-devel >= 1.25
@@ -152,6 +156,8 @@ understanding of applied cryptography is required to use Libgcrypt.
 %endif
 %patch13 -p1
 %patch14 -p1
+%patch35 -p1
+%patch36 -p1
 
 %build
 echo building with build_hmac256 set to %{build_hmac256}