forked from pool/libgcrypt
Accepting request 592205 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). * Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch * Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch OBS-URL: https://build.opensuse.org/request/show/592205 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=108
This commit is contained in:
parent
4de74bf3f1
commit
7da0c092f1
65
libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
Normal file
65
libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
Normal file
@ -0,0 +1,65 @@
|
||||
Index: libgcrypt-1.6.1/tests/fipsdrv.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.6.1.orig/tests/fipsdrv.c
|
||||
+++ libgcrypt-1.6.1/tests/fipsdrv.c
|
||||
@@ -2190,11 +2190,12 @@ dsa_hash_from_key(gcry_sexp_t s_key)
|
||||
return GCRY_MD_NONE;
|
||||
}
|
||||
|
||||
-
|
||||
+
|
||||
/* Sign DATA of length DATALEN using the key taken from the S-expression
|
||||
encoded KEYFILE. */
|
||||
static void
|
||||
-run_dsa_sign (const void *data, size_t datalen, const char *keyfile)
|
||||
+run_dsa_sign (const void *data, size_t datalen,
|
||||
+ int hashalgo, const char *keyfile)
|
||||
|
||||
{
|
||||
gpg_error_t err;
|
||||
@@ -2202,13 +2203,20 @@ run_dsa_sign (const void *data, size_t d
|
||||
char hash[128];
|
||||
gcry_mpi_t tmpmpi;
|
||||
int algo;
|
||||
+ int algo_len;
|
||||
+ int hashalgo_len;
|
||||
|
||||
s_key = read_sexp_from_file (keyfile);
|
||||
algo = dsa_hash_from_key(s_key);
|
||||
+ algo_len = gcry_md_get_algo_dlen(algo);
|
||||
+ hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
|
||||
|
||||
- gcry_md_hash_buffer (algo, hash, data, datalen);
|
||||
+ if (hashalgo_len < algo_len)
|
||||
+ algo_len = hashalgo_len;
|
||||
+
|
||||
+ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
|
||||
err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
|
||||
- gcry_md_get_algo_dlen(algo), NULL);
|
||||
+ algo_len, NULL);
|
||||
if (!err)
|
||||
{
|
||||
err = gcry_sexp_build (&s_data, NULL,
|
||||
@@ -3000,14 +3008,21 @@ main (int argc, char **argv)
|
||||
}
|
||||
else if (!strcmp (mode_string, "dsa-sign"))
|
||||
{
|
||||
+ int algo;
|
||||
+
|
||||
if (!key_string)
|
||||
die ("option --key is required in this mode\n");
|
||||
if (access (key_string, R_OK))
|
||||
die ("option --key needs to specify an existing keyfile\n");
|
||||
+ if (!algo_string)
|
||||
+ die ("option --algo is required in this mode\n");
|
||||
+ algo = gcry_md_map_name (algo_string);
|
||||
+ if (!algo)
|
||||
+ die ("digest algorithm `%s' is not supported\n", algo_string);
|
||||
if (!data)
|
||||
die ("no data available (do not use --chunk)\n");
|
||||
|
||||
- run_dsa_sign (data, datalen, key_string);
|
||||
+ run_dsa_sign (data, datalen, algo, key_string);
|
||||
}
|
||||
else if (!strcmp (mode_string, "dsa-verify"))
|
||||
{
|
64
libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
Normal file
64
libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
Normal file
@ -0,0 +1,64 @@
|
||||
--- libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:39:56.080098385 +0000
|
||||
+++ libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:41:15.780098385 +0000
|
||||
@@ -2288,7 +2288,7 @@ run_dsa_sign (const void *data, size_t d
|
||||
S-expression in KEYFILE against the S-expression formatted
|
||||
signature in SIGFILE. */
|
||||
static void
|
||||
-run_dsa_verify (const void *data, size_t datalen,
|
||||
+run_dsa_verify (const void *data, size_t datalen, int hashalgo,
|
||||
const char *keyfile, const char *sigfile)
|
||||
|
||||
{
|
||||
@@ -2297,15 +2297,23 @@ run_dsa_verify (const void *data, size_t
|
||||
char hash[128];
|
||||
gcry_mpi_t tmpmpi;
|
||||
int algo;
|
||||
+ int algo_len;
|
||||
+ int hashalgo_len;
|
||||
|
||||
s_key = read_sexp_from_file (keyfile);
|
||||
algo = dsa_hash_from_key(s_key);
|
||||
|
||||
- gcry_md_hash_buffer (algo, hash, data, datalen);
|
||||
+ algo_len = gcry_md_get_algo_dlen(algo);
|
||||
+ hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
|
||||
+
|
||||
+ if (hashalgo_len < algo_len)
|
||||
+ algo_len = hashalgo_len;
|
||||
+
|
||||
+ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
|
||||
/* Note that we can't simply use %b with HASH to build the
|
||||
S-expression, because that might yield a negative value. */
|
||||
err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
|
||||
- gcry_md_get_algo_dlen(algo), NULL);
|
||||
+ algo_len, NULL);
|
||||
if (!err)
|
||||
{
|
||||
err = gcry_sexp_build (&s_data, NULL,
|
||||
@@ -3011,10 +3019,17 @@ main (int argc, char **argv)
|
||||
}
|
||||
else if (!strcmp (mode_string, "dsa-verify"))
|
||||
{
|
||||
+ int algo;
|
||||
+
|
||||
if (!key_string)
|
||||
die ("option --key is required in this mode\n");
|
||||
if (access (key_string, R_OK))
|
||||
die ("option --key needs to specify an existing keyfile\n");
|
||||
+ if (!algo_string)
|
||||
+ die ("option --algo is required in this mode\n");
|
||||
+ algo = gcry_md_map_name (algo_string);
|
||||
+ if (!algo)
|
||||
+ die ("digest algorithm `%s' is not supported\n", algo_string);
|
||||
if (!data)
|
||||
die ("no data available (do not use --chunk)\n");
|
||||
if (!signature_string)
|
||||
@@ -3022,7 +3037,7 @@ main (int argc, char **argv)
|
||||
if (access (signature_string, R_OK))
|
||||
die ("option --signature needs to specify an existing file\n");
|
||||
|
||||
- run_dsa_verify (data, datalen, key_string, signature_string);
|
||||
+ run_dsa_verify (data, datalen, algo, key_string, signature_string);
|
||||
}
|
||||
else if (!strcmp (mode_string, "ecdsa-gen-key"))
|
||||
{
|
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 29 06:37:44 UTC 2018 - pmonrealgonzalez@suse.com
|
||||
|
||||
- Extended the fipsdrv dsa-sign and dsa-verify commands with the
|
||||
--algo parameter for the FIPS testing of DSA SigVer and SigGen
|
||||
(bsc#1064455).
|
||||
* Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
|
||||
* Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 22 15:10:36 UTC 2018 - fvogt@suse.com
|
||||
|
||||
|
@ -56,6 +56,10 @@ Patch30: drbg_test.patch
|
||||
#PATCH-FIX-SUSE run FIPS self-test from constructor
|
||||
Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
|
||||
Patch34: libgcrypt-1.6.3-aliasing.patch
|
||||
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
|
||||
Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
|
||||
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
|
||||
Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
|
||||
BuildRequires: automake >= 1.14
|
||||
BuildRequires: fipscheck
|
||||
BuildRequires: libgpg-error-devel >= 1.25
|
||||
@ -152,6 +156,8 @@ understanding of applied cryptography is required to use Libgcrypt.
|
||||
%endif
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
|
||||
%build
|
||||
echo building with build_hmac256 set to %{build_hmac256}
|
||||
|
Loading…
Reference in New Issue
Block a user