From 7da0c092f1e6d6e68dd353f9dfc45aeecbbe7e5025ac67cf67114d68475497b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= <tchvatal@suse.com>
Date: Thu, 29 Mar 2018 09:57:58 +0000
Subject: [PATCH] Accepting request 592205 from
 home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen
  (bsc#1064455).
  * Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
  * Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch

OBS-URL: https://build.opensuse.org/request/show/592205
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=108
---
 ...ypt-fipsdrv-enable-algo-for-dsa-sign.patch | 65 +++++++++++++++++++
 ...t-fipsdrv-enable-algo-for-dsa-verify.patch | 64 ++++++++++++++++++
 libgcrypt.changes                             |  9 +++
 libgcrypt.spec                                |  6 ++
 4 files changed, 144 insertions(+)
 create mode 100644 libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
 create mode 100644 libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch

diff --git a/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch b/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
new file mode 100644
index 0000000..80710ce
--- /dev/null
+++ b/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
@@ -0,0 +1,65 @@
+Index: libgcrypt-1.6.1/tests/fipsdrv.c
+===================================================================
+--- libgcrypt-1.6.1.orig/tests/fipsdrv.c
++++ libgcrypt-1.6.1/tests/fipsdrv.c
+@@ -2190,11 +2190,12 @@ dsa_hash_from_key(gcry_sexp_t s_key)
+   return GCRY_MD_NONE;
+ }
+ 
+-
++
+ /* Sign DATA of length DATALEN using the key taken from the S-expression
+    encoded KEYFILE. */
+ static void
+-run_dsa_sign (const void *data, size_t datalen, const char *keyfile)
++run_dsa_sign (const void *data, size_t datalen,
++	      int hashalgo, const char *keyfile)
+ 
+ {
+   gpg_error_t err;
+@@ -2202,13 +2203,20 @@ run_dsa_sign (const void *data, size_t d
+   char hash[128];
+   gcry_mpi_t tmpmpi;
+   int algo;
++  int algo_len;
++  int hashalgo_len;
+ 
+   s_key = read_sexp_from_file (keyfile);
+   algo = dsa_hash_from_key(s_key);
++  algo_len = gcry_md_get_algo_dlen(algo);
++  hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
+ 
+-  gcry_md_hash_buffer (algo, hash, data, datalen);
++  if (hashalgo_len < algo_len)
++  algo_len = hashalgo_len;
++
++  gcry_md_hash_buffer (hashalgo, hash, data, datalen);
+   err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
+-                       gcry_md_get_algo_dlen(algo), NULL);
++                       algo_len, NULL);
+   if (!err)
+     {
+       err = gcry_sexp_build (&s_data, NULL,
+@@ -3000,14 +3008,21 @@ main (int argc, char **argv)
+     }
+   else if (!strcmp (mode_string, "dsa-sign"))
+     {
++      int algo;
++
+       if (!key_string)
+         die ("option --key is required in this mode\n");
+       if (access (key_string, R_OK))
+         die ("option --key needs to specify an existing keyfile\n");
++      if (!algo_string)
++        die ("option --algo is required in this mode\n");
++      algo = gcry_md_map_name (algo_string);
++      if (!algo)
++        die ("digest algorithm `%s' is not supported\n", algo_string); 
+       if (!data)
+         die ("no data available (do not use --chunk)\n");
+ 
+-      run_dsa_sign (data, datalen, key_string);
++      run_dsa_sign (data, datalen, algo, key_string);
+     }
+   else if (!strcmp (mode_string, "dsa-verify"))
+     {
diff --git a/libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch b/libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
new file mode 100644
index 0000000..2fb06f3
--- /dev/null
+++ b/libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
@@ -0,0 +1,64 @@
+--- libgcrypt-1.6.1-orig/tests/fipsdrv.c	2017-10-20 10:39:56.080098385 +0000
++++ libgcrypt-1.6.1-orig/tests/fipsdrv.c	2017-10-20 10:41:15.780098385 +0000
+@@ -2288,7 +2288,7 @@ run_dsa_sign (const void *data, size_t d
+    S-expression in KEYFILE against the S-expression formatted
+    signature in SIGFILE.  */
+ static void
+-run_dsa_verify (const void *data, size_t datalen,
++run_dsa_verify (const void *data, size_t datalen, int hashalgo,
+                 const char *keyfile, const char *sigfile)
+ 
+ {
+@@ -2297,15 +2297,23 @@ run_dsa_verify (const void *data, size_t
+   char hash[128];
+   gcry_mpi_t tmpmpi;
+   int algo;
++  int algo_len;
++  int hashalgo_len;
+ 
+   s_key = read_sexp_from_file (keyfile);
+   algo = dsa_hash_from_key(s_key);
+ 
+-  gcry_md_hash_buffer (algo, hash, data, datalen);
++  algo_len = gcry_md_get_algo_dlen(algo);
++  hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
++
++  if (hashalgo_len < algo_len)
++  algo_len = hashalgo_len;
++
++  gcry_md_hash_buffer (hashalgo, hash, data, datalen);
+   /* Note that we can't simply use %b with HASH to build the
+      S-expression, because that might yield a negative value.  */
+   err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
+-                       gcry_md_get_algo_dlen(algo), NULL);
++                       algo_len, NULL);
+   if (!err)
+     {
+       err = gcry_sexp_build (&s_data, NULL,
+@@ -3011,10 +3019,17 @@ main (int argc, char **argv)
+     }
+   else if (!strcmp (mode_string, "dsa-verify"))
+     {
++      int algo;
++
+       if (!key_string)
+         die ("option --key is required in this mode\n");
+       if (access (key_string, R_OK))
+         die ("option --key needs to specify an existing keyfile\n");
++      if (!algo_string)
++        die ("option --algo is required in this mode\n");
++      algo = gcry_md_map_name (algo_string);
++      if (!algo)
++        die ("digest algorithm `%s' is not supported\n", algo_string); 
+       if (!data)
+         die ("no data available (do not use --chunk)\n");
+       if (!signature_string)
+@@ -3022,7 +3037,7 @@ main (int argc, char **argv)
+       if (access (signature_string, R_OK))
+         die ("option --signature needs to specify an existing file\n");
+ 
+-      run_dsa_verify (data, datalen, key_string, signature_string);
++      run_dsa_verify (data, datalen, algo, key_string, signature_string);
+     }
+   else if (!strcmp (mode_string, "ecdsa-gen-key"))
+     {
diff --git a/libgcrypt.changes b/libgcrypt.changes
index 52f258e..732ca6d 100644
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Mar 29 06:37:44 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Extended the fipsdrv dsa-sign and dsa-verify commands with the
+  --algo parameter for the FIPS testing of DSA SigVer and SigGen
+  (bsc#1064455).
+  * Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+  * Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
+
 -------------------------------------------------------------------
 Thu Feb 22 15:10:36 UTC 2018 - fvogt@suse.com
 
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 066d554..dc27c5f 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -56,6 +56,10 @@ Patch30:        drbg_test.patch
 #PATCH-FIX-SUSE run FIPS self-test from constructor
 Patch32:        libgcrypt-fips_run_selftest_at_constructor.patch
 Patch34:        libgcrypt-1.6.3-aliasing.patch
+#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
+Patch35:        libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
+Patch36:        libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.25
@@ -152,6 +156,8 @@ understanding of applied cryptography is required to use Libgcrypt.
 %endif
 %patch13 -p1
 %patch14 -p1
+%patch35 -p1
+%patch36 -p1
 
 %build
 echo building with build_hmac256 set to %{build_hmac256}