Accepting request 689095 from home:vitezslav_cizek:branches:devel:libraries:c_c++

- libgcrypt-1.8.3-fips-ctor.patch changed the way the fips selftests are invoked as well as the state transition, adjust the code so a missing checksum file is not an issue in non-FIPS mode (bsc#1097073) * update libgcrypt-binary_integrity_in_non-FIPS.patch - Enforce the minimal RSA keygen size in fips mode (bsc#1125740) * add libgcrypt-fips_rsa_no_enforced_mode.patch OBS-URL: https://build.opensuse.org/request/show/689095 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=122
2019-03-27 14:36:50 +00:00 · 2019-03-27 14:36:50 +00:00 · 9563eb9685
commit 9563eb9685
parent 655523d262
4 changed files with 114 additions and 7 deletions
--- a/libgcrypt-binary_integrity_in_non-FIPS.patch
+++ b/libgcrypt-binary_integrity_in_non-FIPS.patch
@ -1,17 +1,96 @@
-Index: libgcrypt-1.8.4/src/fips.c
+Index: libgcrypt-1.8.2/src/fips.c
 ===================================================================
--- libgcrypt-1.8.4.orig/src/fips.c	2018-11-26 17:30:28.040692529 +0100
-+++ libgcrypt-1.8.4/src/fips.c	2018-11-26 17:59:04.130934181 +0100
-@@ -663,7 +663,11 @@ check_binary_integrity (void)
+--- libgcrypt-1.8.2.orig/src/fips.c	2019-03-27 13:15:14.190987624 +0100
+++ libgcrypt-1.8.2/src/fips.c	2019-03-27 13:18:07.047986428 +0100
+@@ -115,6 +115,50 @@ _gcry_initialize_fsm_lock (void)
+       abort ();
+     }
+ }
+
+/* Checks whether the library will enter the FIPS mode.
+   Uses the same logic as _gcry_initialize_fips_mode */
+static int
+will_enter_fips (void)
+{
+  /* for convenience, so that a process can run fips-enabled, but
+     not necessarily all of them, enable FIPS mode via environment
+     variable LIBGCRYPT_FORCE_FIPS_MODE.	 */
+  if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
+      return 1;
+
+  /* For testing the system it is useful to override the system
+     provided detection of the FIPS mode and force FIPS mode using a
+     file.  The filename is hardwired so that there won't be any
+     confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
+     actually used.  The file itself may be empty.  */
+  if ( !access (FIPS_FORCE_FILE, F_OK) )
+    return 1;
+
+  /* Checking based on /proc file properties.  */
+  {
+    static const char procfname[] = "/proc/sys/crypto/fips_enabled";
+    FILE *fp;
+
+    fp = fopen (procfname, "r");
+    if (fp)
+      {
+        char line[256];
+
+        if (fgets (line, sizeof line, fp) && atoi (line))
+          {
+            /* System is in fips mode.  */
+            fclose (fp);
+            return 1;
+          }
+        fclose (fp);
+      }
+  }
+
+  return 0;
+}
+
+
+ 
+ /* Check whether the OS is in FIPS mode and record that in a module
+    local variable.  If FORCE is passed as true, fips mode will be
+@@ -631,10 +675,10 @@ get_library_path(const char *libname, co
+ 
+ /* Run an integrity check on the binary.  Returns 0 on success.  */
+ static int
+-check_binary_integrity (void)
+check_binary_integrity ()
+ {
+ #ifdef ENABLE_HMAC_BINARY_CHECK
+-  gpg_error_t err;
+  gpg_error_t err = 0;
+   char libpath[4096];
+   unsigned char digest[32];
+   int dlen;
+@@ -675,7 +719,14 @@ check_binary_integrity (void)
               /* Open the file.  */
               fp = fopen (fname, "r");
               if (!fp)
 -                err = gpg_error_from_syserror ();
 +                {
-+                  /* Missing checksum is a problem only in FIPS mode */
-+                  if (fips_mode() || errno != ENOENT)
+                  /* Missing checksum is a problem only in FIPS mode.
+                     As the integrity check was moved to the POWERON state,
+                     we no longer can rely on fips_mode(). Because at the point,
+                     the library is not yet initialized. */
+                  if (will_enter_fips() || errno != ENOENT)
 +                    err = gpg_error_from_syserror ();
 +                }
               else
                 {
                   /* A buffer of 64 bytes plus one for a LF and one to
+@@ -743,9 +794,8 @@ _gcry_fips_run_selftests (int extended)
+      we return and finish the remaining selftests before
+      real use of the library. It will be in the POWERON
+      state meanwhile.  */
+-  if (in_poweron)
+-    if (check_binary_integrity ())
+-      goto leave;
+  if (check_binary_integrity ())
+    goto leave;
+ 
+   if (in_poweron)
+     return 0;
--- a/libgcrypt-fips_rsa_no_enforced_mode.patch
+++ b/libgcrypt-fips_rsa_no_enforced_mode.patch
@ -0,0 +1,13 @@
+Index: libgcrypt-1.8.2/cipher/rsa.c
+===================================================================
+--- libgcrypt-1.8.2.orig/cipher/rsa.c	2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/cipher/rsa.c	2019-03-26 11:14:33.737388126 +0100
+@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig
+ 
+   if (nbits < 1024 || (nbits & 0x1FF))
+     return GPG_ERR_INV_VALUE;
+-  if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
+  if (fips_mode() && nbits != 2048 && nbits != 3072)
+       return GPG_ERR_INV_VALUE;
+ 
+   /* The random quality depends on the transient_key flag.  */
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Mar 26 16:30:23 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- libgcrypt-1.8.3-fips-ctor.patch changed the way the fips selftests
+  are invoked as well as the state transition, adjust the code so
+  a missing checksum file is not an issue in non-FIPS mode (bsc#1097073)
+  * update libgcrypt-binary_integrity_in_non-FIPS.patch
+
+-------------------------------------------------------------------
+Tue Mar 26 16:25:18 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Enforce the minimal RSA keygen size in fips mode (bsc#1125740)
+  * add libgcrypt-fips_rsa_no_enforced_mode.patch
+
 -------------------------------------------------------------------
 Fri Mar 22 14:13:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>

--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -57,9 +57,10 @@ Patch32:        libgcrypt-fips_run_selftest_at_constructor.patch
 Patch35:        libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
 #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
 Patch36:        libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
-Patch37:        libgcrypt-binary_integrity_in_non-FIPS.patch
 Patch39:        libgcrypt-1.8.3-fips-ctor.patch
 Patch40:        libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
+Patch41:        libgcrypt-binary_integrity_in_non-FIPS.patch
+Patch42:        libgcrypt-fips_rsa_no_enforced_mode.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.25