pool/libgcrypt
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 698628 from devel:libraries:c_c++

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/698628
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libgcrypt?expand=0&rev=76
This commit is contained in:
Dominique Leuenberger 2019-06-07 16:00:42 +00:00 committed by Git OBS Bridge
commit 8d3c3ab6bd
10 changed files with 601 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

260
libgcrypt-1.8.3-fips-ctor.patch Normal file
View File

@ -0,0 +1,260 @@
Index: libgcrypt-1.8.4/cipher/md.c
===================================================================
--- libgcrypt-1.8.4.orig/cipher/md.c 2019-03-25 16:58:52.844354398 +0100
+++ libgcrypt-1.8.4/cipher/md.c 2019-03-25 16:58:53.512358321 +0100
@@ -411,11 +411,8 @@ md_enable (gcry_md_hd_t hd, int algorith
if (!err && algorithm == GCRY_MD_MD5 && fips_mode ())
{
- _gcry_inactivate_fips_mode ("MD5 used");
if (_gcry_enforced_fips_mode () )
{
- /* We should never get to here because we do not register
- MD5 in enforced fips mode. But better throw an error. */
err = GPG_ERR_DIGEST_ALGO;
}
}
Index: libgcrypt-1.8.4/src/fips.c
===================================================================
--- libgcrypt-1.8.4.orig/src/fips.c 2019-03-25 16:58:52.844354398 +0100
+++ libgcrypt-1.8.4/src/fips.c 2019-03-25 16:58:53.516358344 +0100
@@ -91,6 +91,31 @@ static void fips_new_state (enum module_
+/* Initialize the FSM lock - this function may only
+ be called once and is intended to be run from the library
+ constructor */
+void
+_gcry_initialize_fsm_lock (void)
+{
+ gpg_error_t err;
+ /* Intitialize the lock to protect the FSM. */
+ err = gpgrt_lock_init (&fsm_lock);
+ if (err)
+ {
+ /* If that fails we can't do anything but abort the
+ process. We need to use log_info so that the FSM won't
+ get involved. */
+ log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n",
+ gpg_strerror (err));
+#ifdef HAVE_SYSLOG
+ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
+ "creating FSM lock failed: %s - abort",
+ gpg_strerror (err));
+#endif /*HAVE_SYSLOG*/
+ abort ();
+ }
+}
+
/* Check whether the OS is in FIPS mode and record that in a module
local variable. If FORCE is passed as true, fips mode will be
enabled anyway. Note: This function is not thread-safe and should
@@ -100,7 +125,6 @@ void
_gcry_initialize_fips_mode (int force)
{
static int done;
- gpg_error_t err;
/* Make sure we are not accidentally called twice. */
if (done)
@@ -190,24 +214,6 @@ _gcry_initialize_fips_mode (int force)
/* Yes, we are in FIPS mode. */
FILE *fp;
- /* Intitialize the lock to protect the FSM. */
- err = gpgrt_lock_init (&fsm_lock);
- if (err)
- {
- /* If that fails we can't do anything but abort the
- process. We need to use log_info so that the FSM won't
- get involved. */
- log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n",
- gpg_strerror (err));
-#ifdef HAVE_SYSLOG
- syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
- "creating FSM lock failed: %s - abort",
- gpg_strerror (err));
-#endif /*HAVE_SYSLOG*/
- abort ();
- }
-
-
/* If the FIPS force files exists, is readable and has a number
!= 0 on its first line, we enable the enforced fips mode. */
fp = fopen (FIPS_FORCE_FILE, "r");
@@ -370,16 +376,20 @@ _gcry_fips_is_operational (void)
{
int result;
- if (!fips_mode ())
+ lock_fsm ();
+ if (current_state == STATE_POWERON && !fips_mode ())
+ /* If we are at this point in POWERON state it means the FIPS
+ module installation was not completed. (/etc/system-fips
+ is not present.) */
result = 1;
else
{
- lock_fsm ();
- if (current_state == STATE_INIT)
+ if (current_state == STATE_INIT || current_state == STATE_SELFTEST)
{
- /* If we are still in the INIT state, we need to run the
- selftests so that the FSM can eventually get into
- operational state. Given that we would need a 2-phase
+ /* If we are still in the INIT (or SELFTEST) state,
+ we need to run (or finish) the selftests so
+ that the FSM can eventually get into operational
+ state. Given that we would need a 2-phase
initialization of libgcrypt, but that has traditionally
not been enforced, we use this on demand self-test
checking. Note that Proper applications would do the
@@ -395,9 +405,11 @@ _gcry_fips_is_operational (void)
lock_fsm ();
}
- result = (current_state == STATE_OPERATIONAL);
- unlock_fsm ();
+ result = (current_state == STATE_OPERATIONAL) || !fips_mode ();
+ /* We always run the selftests but ignore the result
+ in non-FIPS mode. */
}
+ unlock_fsm ();
return result;
}
@@ -722,9 +734,25 @@ _gcry_fips_run_selftests (int extended)
{
enum module_states result = STATE_ERROR;
gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
+ int in_poweron;
- if (fips_mode ())
- fips_new_state (STATE_SELFTEST);
+ lock_fsm ();
+ in_poweron = (current_state == STATE_POWERON);
+ unlock_fsm ();
+
+ fips_new_state (STATE_SELFTEST);
+
+ /* We first check the integrity of the binary.
+ If run from the constructor we are in POWERON state,
+ we return and finish the remaining selftests before
+ real use of the library. It will be in the POWERON
+ state meanwhile. */
+ if (in_poweron)
+ if (check_binary_integrity ())
+ goto leave;
+
+ if (in_poweron)
+ return 0;
if (run_cipher_selftests (extended))
goto leave;
@@ -743,18 +771,12 @@ _gcry_fips_run_selftests (int extended)
if (run_pubkey_selftests (extended))
goto leave;
- /* Now check the integrity of the binary. We do this this after
- having checked the HMAC code. */
- if (check_binary_integrity ())
- goto leave;
-
/* All selftests passed. */
result = STATE_OPERATIONAL;
ec = 0;
leave:
- if (fips_mode ())
- fips_new_state (result);
+ fips_new_state (result);
return ec;
}
@@ -810,6 +832,7 @@ fips_new_state (enum module_states new_s
{
case STATE_POWERON:
if (new_state == STATE_INIT
+ || new_state == STATE_SELFTEST
|| new_state == STATE_ERROR
|| new_state == STATE_FATALERROR)
ok = 1;
@@ -824,6 +847,8 @@ fips_new_state (enum module_states new_s
case STATE_SELFTEST:
if (new_state == STATE_OPERATIONAL
+ || new_state == STATE_INIT
+ || new_state == STATE_SELFTEST
|| new_state == STATE_ERROR
|| new_state == STATE_FATALERROR)
ok = 1;
Index: libgcrypt-1.8.4/src/global.c
===================================================================
--- libgcrypt-1.8.4.orig/src/global.c 2019-03-25 16:58:52.844354398 +0100
+++ libgcrypt-1.8.4/src/global.c 2019-03-25 16:58:53.516358344 +0100
@@ -145,6 +145,29 @@ global_init (void)
}
+#ifndef FIPS_MODULE_PATH
+#define FIPS_MODULE_PATH "/etc/system-fips"
+#endif
+
+void __attribute__ ((constructor)) _gcry_global_constructor (void)
+{
+ int rv;
+
+ /* We always need the FSM lock to be functional. */
+ _gcry_initialize_fsm_lock ();
+
+ rv = access (FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ if (!rv)
+ {
+ /* We run the integrity check at this point. The remaining
+ selftests are run before use of the library by application. */
+ _gcry_fips_run_selftests (0);
+ }
+}
+
/* This function is called by the macro fips_is_operational and makes
sure that the minimal initialization has been done. This is far
from a perfect solution and hides problems with an improper
@@ -675,8 +698,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
case GCRYCTL_FIPS_MODE_P:
if (fips_mode ()
- && !_gcry_is_fips_mode_inactive ()
- && !no_secure_memory)
+ && !_gcry_is_fips_mode_inactive ())
rc = GPG_ERR_GENERAL; /* Used as TRUE value */
break;
@@ -753,9 +775,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
break;
case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
- if (!any_init_done)
+ if (fips_mode ())
{
- /* Not yet initialized at all. Set the enforced fips mode flag */
+ /* We are in FIPS mode, we can set the enforced fips mode flag. */
_gcry_set_preferred_rng_type (0);
_gcry_set_enforced_fips_mode ();
}
Index: libgcrypt-1.8.4/src/g10lib.h
===================================================================
--- libgcrypt-1.8.4.orig/src/g10lib.h 2019-03-25 16:58:52.844354398 +0100
+++ libgcrypt-1.8.4/src/g10lib.h 2019-03-25 16:58:53.516358344 +0100
@@ -422,6 +422,8 @@ gpg_err_code_t _gcry_sexp_vextract_param
/*-- fips.c --*/
+void _gcry_initialize_fsm_lock (void);
+
void _gcry_initialize_fips_mode (int force);
int _gcry_fips_mode (void);

15
libgcrypt-1.8.4-allow_FSM_same_state.patch Normal file
View File

@ -0,0 +1,15 @@
Index: libgcrypt-1.8.4/src/fips.c
===================================================================
--- libgcrypt-1.8.4.orig/src/fips.c
+++ libgcrypt-1.8.4/src/fips.c
@@ -930,6 +930,10 @@ fips_new_state (enum module_states new_s
}
+ /* Allow a transition to the current state */
+ if (current_state == new_state)
+ ok = 1;
+
if (ok)
{
current_state = new_state;

103
libgcrypt-1.8.4-getrandom.patch Normal file
View File

@ -0,0 +1,103 @@
Index: libgcrypt-1.8.4/random/random-csprng.c
===================================================================
--- libgcrypt-1.8.4.orig/random/random-csprng.c
+++ libgcrypt-1.8.4/random/random-csprng.c
@@ -55,6 +55,10 @@
#ifdef __MINGW32__
#include <process.h>
#endif
+#if defined(__linux__) && defined(HAVE_SYSCALL)
+# include <sys/syscall.h>
+# include <linux/random.h>
+#endif
#include "g10lib.h"
#include "random.h"
#include "rand-internal.h"
@@ -1116,6 +1120,22 @@ getfnc_gather_random (void))(void (*)(co
enum random_origins, size_t, int);
#if USE_RNDLINUX
+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ long ret;
+ char buffer[1];
+
+ _gcry_pre_syscall ();
+ ret = syscall (__NR_getrandom,
+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
+ _gcry_post_syscall ();
+ if (ret != -1 || errno != ENOSYS)
+ {
+ fnc = _gcry_rndlinux_gather_random;
+ return fnc;
+ }
+ else
+ /* The syscall is not supported - fallback to /dev/urandom. */
+#endif
if ( !access (NAME_OF_DEV_RANDOM, R_OK)
&& !access (NAME_OF_DEV_URANDOM, R_OK))
{
Index: libgcrypt-1.8.4/random/random.c
===================================================================
--- libgcrypt-1.8.4.orig/random/random.c
+++ libgcrypt-1.8.4/random/random.c
@@ -110,8 +110,8 @@ _gcry_random_read_conf (void)
unsigned int result = 0;
fp = fopen (fname, "r");
- if (!fp)
- return result;
+ if (!fp) /* We make only_urandom the default. */
+ return RANDOM_CONF_ONLY_URANDOM;
for (;;)
{
Index: libgcrypt-1.8.4/random/rndlinux.c
===================================================================
--- libgcrypt-1.8.4.orig/random/rndlinux.c
+++ libgcrypt-1.8.4/random/rndlinux.c
@@ -34,6 +34,7 @@
#include <fcntl.h>
#if defined(__linux__) && defined(HAVE_SYSCALL)
# include <sys/syscall.h>
+# include <linux/random.h>
#endif
#include "types.h"
@@ -248,6 +249,18 @@ _gcry_rndlinux_gather_random (void (*add
{
if (fd_urandom == -1)
{
+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ long ret;
+
+ _gcry_pre_syscall ();
+ ret = syscall (__NR_getrandom,
+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
+ _gcry_post_syscall ();
+ if (ret > -1 || errno == EAGAIN || errno == EINTR)
+ fd_urandom = -2;
+ else
+ /* The syscall is not supported - fallback to /dev/urandom. */
+#endif
fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
ever_opened |= 2;
}
@@ -275,6 +288,7 @@ _gcry_rndlinux_gather_random (void (*add
* syscall and not a new device and thus we are not able to use
* select(2) to have a timeout. */
#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ if (fd == -2)
{
long ret;
size_t nbytes;
@@ -290,9 +304,7 @@ _gcry_rndlinux_gather_random (void (*add
_gcry_post_syscall ();
}
while (ret == -1 && errno == EINTR);
- if (ret == -1 && errno == ENOSYS)
- ; /* The syscall is not supported - fallback to pulling from fd. */
- else
+ if (1)
{ /* The syscall is supported. Some sanity checks. */
if (ret == -1)
log_fatal ("unexpected error from getrandom: %s\n",

39
libgcrypt-1.8.4-use_xfree.patch Normal file
View File

@ -0,0 +1,39 @@
Index: libgcrypt-1.8.4/src/hmac256.c
===================================================================
--- libgcrypt-1.8.4.orig/src/hmac256.c
+++ libgcrypt-1.8.4/src/hmac256.c
@@ -69,6 +69,7 @@ typedef uint32_t u32;
#ifdef STANDALONE
#define xtrymalloc(a) malloc((a))
+#define xfree(a) free((a))
#define gpg_err_set_errno(a) (errno = (a))
#else
#include "g10lib.h"
@@ -341,7 +342,7 @@ _gcry_hmac256_new (const void *key, size
tmphd = _gcry_hmac256_new (NULL, 0);
if (!tmphd)
{
- free (hd);
+ xfree (hd);
return NULL;
}
_gcry_hmac256_update (tmphd, key, keylen);
@@ -373,7 +374,7 @@ _gcry_hmac256_release (hmac256_context_t
/* Note: We need to take care not to modify errno. */
if (ctx->use_hmac)
my_wipememory (ctx->opad, 64);
- free (ctx);
+ xfree (ctx);
}
}
@@ -489,7 +490,7 @@ _gcry_hmac256_file (void *result, size_t
while ( (nread = fread (buffer, 1, buffer_size, fp)))
_gcry_hmac256_update (hd, buffer, nread);
- free (buffer);
+ xfree (buffer);
if (ferror (fp))
{

79
libgcrypt-binary_integrity_in_non-FIPS.patch
View File

@ -1,15 +1,82 @@
Index: libgcrypt-1.8.4/src/fips.c
Index: libgcrypt-1.8.2/src/fips.c
===================================================================
--- libgcrypt-1.8.4.orig/src/fips.c 2018-11-26 17:30:28.040692529 +0100
+++ libgcrypt-1.8.4/src/fips.c 2018-11-26 17:59:04.130934181 +0100
@@ -663,7 +663,11 @@ check_binary_integrity (void)
--- libgcrypt-1.8.2.orig/src/fips.c 2019-03-27 13:15:14.190987624 +0100
+++ libgcrypt-1.8.2/src/fips.c 2019-03-27 13:18:07.047986428 +0100
@@ -115,6 +115,50 @@ _gcry_initialize_fsm_lock (void)
abort ();
}
}
+
+/* Checks whether the library will enter the FIPS mode.
+ Uses the same logic as _gcry_initialize_fips_mode */
+static int
+will_enter_fips (void)
+{
+ /* for convenience, so that a process can run fips-enabled, but
+ not necessarily all of them, enable FIPS mode via environment
+ variable LIBGCRYPT_FORCE_FIPS_MODE. */
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
+ return 1;
+
+ /* For testing the system it is useful to override the system
+ provided detection of the FIPS mode and force FIPS mode using a
+ file. The filename is hardwired so that there won't be any
+ confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
+ actually used. The file itself may be empty. */
+ if ( !access (FIPS_FORCE_FILE, F_OK) )
+ return 1;
+
+ /* Checking based on /proc file properties. */
+ {
+ static const char procfname[] = "/proc/sys/crypto/fips_enabled";
+ FILE *fp;
+
+ fp = fopen (procfname, "r");
+ if (fp)
+ {
+ char line[256];
+
+ if (fgets (line, sizeof line, fp) && atoi (line))
+ {
+ /* System is in fips mode. */
+ fclose (fp);
+ return 1;
+ }
+ fclose (fp);
+ }
+ }
+
+ return 0;
+}
+
+
/* Check whether the OS is in FIPS mode and record that in a module
local variable. If FORCE is passed as true, fips mode will be
@@ -631,10 +675,10 @@ get_library_path(const char *libname, co
/* Run an integrity check on the binary. Returns 0 on success. */
static int
-check_binary_integrity (void)
+check_binary_integrity ()
{
#ifdef ENABLE_HMAC_BINARY_CHECK
- gpg_error_t err;
+ gpg_error_t err = 0;
char libpath[4096];
unsigned char digest[32];
int dlen;
@@ -675,7 +719,14 @@ check_binary_integrity (void)
/* Open the file. */
fp = fopen (fname, "r");
if (!fp)
- err = gpg_error_from_syserror ();
+ {
+ /* Missing checksum is a problem only in FIPS mode */
+ if (fips_mode() || errno != ENOENT)
+ /* Missing checksum is a problem only in FIPS mode.
+ As the integrity check was moved to the POWERON state,
+ we no longer can rely on fips_mode(). Because at the point,
+ the library is not yet initialized. */
+ if (will_enter_fips() || errno != ENOENT)
+ err = gpg_error_from_syserror ();
+ }
else

28
libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch Normal file
View File

@ -0,0 +1,28 @@
Index: libgcrypt-1.8.4/src/global.c
===================================================================
--- libgcrypt-1.8.4.orig/src/global.c 2019-03-25 16:58:45.880313488 +0100
+++ libgcrypt-1.8.4/src/global.c 2019-03-25 16:58:45.896313582 +0100
@@ -144,11 +144,6 @@ global_init (void)
BUG ();
}
-
-#ifndef FIPS_MODULE_PATH
-#define FIPS_MODULE_PATH "/etc/system-fips"
-#endif
-
void __attribute__ ((constructor)) _gcry_global_constructor (void)
{
int rv;
@@ -156,11 +151,6 @@ void __attribute__ ((constructor)) _gcry
/* We always need the FSM lock to be functional. */
_gcry_initialize_fsm_lock ();
- rv = access (FIPS_MODULE_PATH, F_OK);
- if (rv < 0 && errno != ENOENT)
- rv = 0;
-
- if (!rv)
{
/* We run the integrity check at this point. The remaining
selftests are run before use of the library by application. */

13
libgcrypt-fips_rsa_no_enforced_mode.patch Normal file
View File

@ -0,0 +1,13 @@
Index: libgcrypt-1.8.2/cipher/rsa.c
===================================================================
--- libgcrypt-1.8.2.orig/cipher/rsa.c 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/cipher/rsa.c 2019-03-26 11:14:33.737388126 +0100
@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig
if (nbits < 1024 || (nbits & 0x1FF))
return GPG_ERR_INV_VALUE;
- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
+ if (fips_mode() && nbits != 2048 && nbits != 3072)
return GPG_ERR_INV_VALUE;
/* The random quality depends on the transient_key flag. */

13
libgcrypt-init-at-elf-load-fips.patch
View File

@ -1,13 +0,0 @@
Index: libgcrypt-1.6.1/src/global.c
===================================================================
--- libgcrypt-1.6.1.orig/src/global.c
+++ libgcrypt-1.6.1/src/global.c
@@ -76,7 +76,7 @@ static gpg_err_code_t external_lock_test
likely to be called at startup. The suggested way for an
application to make sure that this has been called is by using
gcry_check_version. */
-static void
+static void __attribute__((constructor))
global_init (void)
{
gcry_error_t err = 0;

61
libgcrypt.changes
View File

@ -1,3 +1,64 @@
-------------------------------------------------------------------
Fri Apr 26 06:47:45 UTC 2019 - Jason Sikes <jsikes@suse.de>
- do not try to open /dev/urandom if getrandom() works
* Added libgcrypt-1.8.4-getrandom.patch
- Drop libgcrypt-init-at-elf-load-fips.patch obsoleted
by libgcrypt-1.8.3-fips-ctor.patch
-------------------------------------------------------------------
Tue Apr 23 12:38:40 UTC 2019 - Jason Sikes <jsikes@suse.de>
- Restored libgcrypt-binary_integrity_in_non-FIPS.patch sans section that
was partially causing bsc#1131183.
- Fixed race condition in multi-threaded applications by allowing a FSM state
transition to the current state. This means some tests are run twice.
* Added libgcrypt-1.8.4-allow_FSM_same_state.patch
- Fixed an issue in malloc/free wrappers so that memory created by the malloc()
wrappers will be destroyed using the free() wrappers.
* Added libgcrypt-1.8.4-use_xfree.patch
-------------------------------------------------------------------
Fri Apr 5 21:56:00 UTC 2019 - Jason Sikes <jsikes@suse.de>
- removed libgcrypt-binary_integrity_in_non-FIPS.patch since it was breaking
libotr. bsc#1131183
-------------------------------------------------------------------
Tue Mar 26 16:30:23 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- libgcrypt-1.8.3-fips-ctor.patch changed the way the fips selftests
are invoked as well as the state transition, adjust the code so
a missing checksum file is not an issue in non-FIPS mode (bsc#1097073)
* update libgcrypt-binary_integrity_in_non-FIPS.patch
-------------------------------------------------------------------
Tue Mar 26 16:25:18 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Enforce the minimal RSA keygen size in fips mode (bsc#1125740)
* add libgcrypt-fips_rsa_no_enforced_mode.patch
-------------------------------------------------------------------
Fri Mar 22 14:13:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Don't run full self-tests from constructor (bsc#1097073)
* Don't call global_init() from the constructor, _gcry_global_constructor()
from libgcrypt-1.8.3-fips-ctor.patch takes care of the binary
integrity check instead.
* Only the binary checksum will be verified, the remaining
self-tests will be run upon the library initialization
- Add libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
- Drop libgcrypt-init-at-elf-load-fips.patch and
libgcrypt-fips_run_selftest_at_constructor.patch obsoleted
by libgcrypt-1.8.3-fips-ctor.patch
-------------------------------------------------------------------
Thu Mar 7 10:53:40 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Skip all the self-tests except for binary integrity when called
from the constructor (bsc#1097073)
* Added libgcrypt-1.8.3-fips-ctor.patch from Fedora
-------------------------------------------------------------------
Mon Nov 26 17:09:47 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>

26
libgcrypt.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package libgcrypt
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -48,7 +48,6 @@ Patch13: libgcrypt-1.6.1-fips-cavs.patch
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch
Patch28: libgcrypt-fix-rng.patch
Patch29: libgcrypt-init-at-elf-load-fips.patch
#PATCH-FIX-SUSE add FIPS CAVS test app for DRBG
Patch30: drbg_test.patch
#PATCH-FIX-SUSE run FIPS self-test from constructor
@ -57,7 +56,13 @@ Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
Patch37: libgcrypt-binary_integrity_in_non-FIPS.patch
Patch39: libgcrypt-1.8.3-fips-ctor.patch
Patch40: libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch
Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch
Patch43: libgcrypt-1.8.4-use_xfree.patch
Patch44: libgcrypt-1.8.4-allow_FSM_same_state.patch
Patch45: libgcrypt-1.8.4-getrandom.patch
BuildRequires: automake >= 1.14
BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.25
@ -137,20 +142,7 @@ understanding of applied cryptography is required to use Libgcrypt.
%prep
%setup -q
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch7 -p1
%patch12 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch32 -p1
%patch13 -p1
%patch14 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%autopatch -p1
%build
echo building with build_hmac256 set to %{build_hmac256}