Pedro Monreal Gonzalez
725ec59b57
- Update to 1.10.1: * Bug fixes: - Fix minor memory leaks in FIPS mode. - Build fixes for MUSL libc. * Other: - More portable integrity check in FIPS mode. - Add X9.62 OIDs to sha256 and sha512 modules. * Add the hardware optimizations config file hwf.deny to the /etc/gcrypt/ directory. This file can be used to globally disable the use of hardware based optimizations. * Remove not needed separate_hmac256_binary hmac256 package - Update to 1.10.0: * New and extended interfaces: - New control codes to check for FIPS 140-3 approved algorithms. - New control code to switch into non-FIPS mode. - New cipher modes SIV and GCM-SIV as specified by RFC-5297. - Extended cipher mode AESWRAP with padding as specified by RFC-5649. - New set of KDF functions. - New KDF modes Argon2 and Balloon. - New functions for combining hashing and signing/verification. * Performance: - Improved support for PowerPC architectures. - Improved ECC performance on zSeries/s390x by using accelerated scalar multiplication. - Many more assembler performance improvements for several architectures. * Bug fixes: - Fix Elgamal encryption for other implementations. OBS-URL: https://build.opensuse.org/request/show/1038172 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=160
115 lines
2.6 KiB
Diff
115 lines
2.6 KiB
Diff
Index: libgcrypt-1.10.1/src/fips.c
|
|
===================================================================
|
|
--- libgcrypt-1.10.1.orig/src/fips.c
|
|
+++ libgcrypt-1.10.1/src/fips.c
|
|
@@ -949,6 +949,65 @@ hmac256_check (const char *filename, con
|
|
return err;
|
|
}
|
|
|
|
+static int
|
|
+get_library_path(const char *libname, const char *symbolname,
|
|
+ char *path, size_t pathlen)
|
|
+{
|
|
+ Dl_info info;
|
|
+ void *dl, *sym;
|
|
+ int rv = -1;
|
|
+
|
|
+ dl = dlopen(libname, RTLD_LAZY);
|
|
+ if (dl == NULL)
|
|
+ return -1;
|
|
+
|
|
+ sym = dlsym(dl, symbolname);
|
|
+ if (sym != NULL && dladdr(sym, &info))
|
|
+ {
|
|
+ strncpy(path, info.dli_fname, pathlen-1);
|
|
+ path[pathlen-1] = '\0';
|
|
+ rv = 0;
|
|
+ }
|
|
+
|
|
+ dlclose(dl);
|
|
+
|
|
+ return rv;
|
|
+}
|
|
+
|
|
+static gpg_error_t
|
|
+get_hmac_path(char **fname, char *suffix)
|
|
+{
|
|
+ char libpath[4096];
|
|
+ gpg_error_t err;
|
|
+
|
|
+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version",
|
|
+ libpath, sizeof(libpath)))
|
|
+ err = gpg_error_from_syserror ();
|
|
+ else
|
|
+ {
|
|
+ *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
|
|
+ if (!*fname)
|
|
+ err = gpg_error_from_syserror ();
|
|
+ else
|
|
+ {
|
|
+ char *p;
|
|
+
|
|
+ /* Prefix the basename with a dot. */
|
|
+ strcpy (*fname, libpath);
|
|
+ p = strrchr (*fname, '/');
|
|
+ if (p)
|
|
+ p++;
|
|
+ else
|
|
+ p = *fname;
|
|
+ memmove (p+1, p, strlen (p)+1);
|
|
+ *p = '.';
|
|
+ strcat (*fname, suffix);
|
|
+ err = 0;
|
|
+ }
|
|
+ }
|
|
+ return err;
|
|
+}
|
|
+
|
|
/* Run an integrity check on the binary. Returns 0 on success. */
|
|
static int
|
|
check_binary_integrity (void)
|
|
@@ -997,6 +1056,33 @@ run_hmac_sha256_selftests (int extended)
|
|
}
|
|
#endif
|
|
|
|
+int
|
|
+can_skip_selftests(void)
|
|
+{
|
|
+ char *fname = NULL;
|
|
+ int ret = 0;
|
|
+
|
|
+ if (fips_mode())
|
|
+ return 0;
|
|
+
|
|
+ if (get_hmac_path(&fname, ".fips"))
|
|
+ return 0;
|
|
+
|
|
+ /* check the hmac presence */
|
|
+ if (access(fname, F_OK))
|
|
+ /* no hmac file is present, don't run the tests */
|
|
+ if (errno == ENOENT)
|
|
+ ret = 1;
|
|
+ /* otherwise one of these events happened:
|
|
+ * access() returned 0
|
|
+ * -> run the tests
|
|
+ * some error other than ENOENT occurred
|
|
+ * -> run the tests anyway and let them fail
|
|
+ */
|
|
+
|
|
+ xfree(fname);
|
|
+ return ret;
|
|
+}
|
|
|
|
/* Run the self-tests. If EXTENDED is true, extended versions of the
|
|
selftest are run, that is more tests than required by FIPS. */
|
|
@@ -1006,6 +1092,9 @@ _gcry_fips_run_selftests (int extended)
|
|
enum module_states result = STATE_ERROR;
|
|
gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
|
|
|
|
+ if (can_skip_selftests())
|
|
+ return 0;
|
|
+
|
|
if (fips_mode ())
|
|
fips_new_state (STATE_SELFTEST);
|
|
|