forked from pool/libgcrypt
Accepting request 689095 from home:vitezslav_cizek:branches:devel:libraries:c_c++
- libgcrypt-1.8.3-fips-ctor.patch changed the way the fips selftests are invoked as well as the state transition, adjust the code so a missing checksum file is not an issue in non-FIPS mode (bsc#1097073) * update libgcrypt-binary_integrity_in_non-FIPS.patch - Enforce the minimal RSA keygen size in fips mode (bsc#1125740) * add libgcrypt-fips_rsa_no_enforced_mode.patch OBS-URL: https://build.opensuse.org/request/show/689095 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=122
This commit is contained in:
parent
655523d262
commit
9563eb9685
@ -1,17 +1,96 @@
|
||||
Index: libgcrypt-1.8.4/src/fips.c
|
||||
Index: libgcrypt-1.8.2/src/fips.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.8.4.orig/src/fips.c 2018-11-26 17:30:28.040692529 +0100
|
||||
+++ libgcrypt-1.8.4/src/fips.c 2018-11-26 17:59:04.130934181 +0100
|
||||
@@ -663,7 +663,11 @@ check_binary_integrity (void)
|
||||
--- libgcrypt-1.8.2.orig/src/fips.c 2019-03-27 13:15:14.190987624 +0100
|
||||
+++ libgcrypt-1.8.2/src/fips.c 2019-03-27 13:18:07.047986428 +0100
|
||||
@@ -115,6 +115,50 @@ _gcry_initialize_fsm_lock (void)
|
||||
abort ();
|
||||
}
|
||||
}
|
||||
+
|
||||
+/* Checks whether the library will enter the FIPS mode.
|
||||
+ Uses the same logic as _gcry_initialize_fips_mode */
|
||||
+static int
|
||||
+will_enter_fips (void)
|
||||
+{
|
||||
+ /* for convenience, so that a process can run fips-enabled, but
|
||||
+ not necessarily all of them, enable FIPS mode via environment
|
||||
+ variable LIBGCRYPT_FORCE_FIPS_MODE. */
|
||||
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
|
||||
+ return 1;
|
||||
+
|
||||
+ /* For testing the system it is useful to override the system
|
||||
+ provided detection of the FIPS mode and force FIPS mode using a
|
||||
+ file. The filename is hardwired so that there won't be any
|
||||
+ confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
|
||||
+ actually used. The file itself may be empty. */
|
||||
+ if ( !access (FIPS_FORCE_FILE, F_OK) )
|
||||
+ return 1;
|
||||
+
|
||||
+ /* Checking based on /proc file properties. */
|
||||
+ {
|
||||
+ static const char procfname[] = "/proc/sys/crypto/fips_enabled";
|
||||
+ FILE *fp;
|
||||
+
|
||||
+ fp = fopen (procfname, "r");
|
||||
+ if (fp)
|
||||
+ {
|
||||
+ char line[256];
|
||||
+
|
||||
+ if (fgets (line, sizeof line, fp) && atoi (line))
|
||||
+ {
|
||||
+ /* System is in fips mode. */
|
||||
+ fclose (fp);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ fclose (fp);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
|
||||
/* Check whether the OS is in FIPS mode and record that in a module
|
||||
local variable. If FORCE is passed as true, fips mode will be
|
||||
@@ -631,10 +675,10 @@ get_library_path(const char *libname, co
|
||||
|
||||
/* Run an integrity check on the binary. Returns 0 on success. */
|
||||
static int
|
||||
-check_binary_integrity (void)
|
||||
+check_binary_integrity ()
|
||||
{
|
||||
#ifdef ENABLE_HMAC_BINARY_CHECK
|
||||
- gpg_error_t err;
|
||||
+ gpg_error_t err = 0;
|
||||
char libpath[4096];
|
||||
unsigned char digest[32];
|
||||
int dlen;
|
||||
@@ -675,7 +719,14 @@ check_binary_integrity (void)
|
||||
/* Open the file. */
|
||||
fp = fopen (fname, "r");
|
||||
if (!fp)
|
||||
- err = gpg_error_from_syserror ();
|
||||
+ {
|
||||
+ /* Missing checksum is a problem only in FIPS mode */
|
||||
+ if (fips_mode() || errno != ENOENT)
|
||||
+ /* Missing checksum is a problem only in FIPS mode.
|
||||
+ As the integrity check was moved to the POWERON state,
|
||||
+ we no longer can rely on fips_mode(). Because at the point,
|
||||
+ the library is not yet initialized. */
|
||||
+ if (will_enter_fips() || errno != ENOENT)
|
||||
+ err = gpg_error_from_syserror ();
|
||||
+ }
|
||||
else
|
||||
{
|
||||
/* A buffer of 64 bytes plus one for a LF and one to
|
||||
@@ -743,9 +794,8 @@ _gcry_fips_run_selftests (int extended)
|
||||
we return and finish the remaining selftests before
|
||||
real use of the library. It will be in the POWERON
|
||||
state meanwhile. */
|
||||
- if (in_poweron)
|
||||
- if (check_binary_integrity ())
|
||||
- goto leave;
|
||||
+ if (check_binary_integrity ())
|
||||
+ goto leave;
|
||||
|
||||
if (in_poweron)
|
||||
return 0;
|
||||
|
13
libgcrypt-fips_rsa_no_enforced_mode.patch
Normal file
13
libgcrypt-fips_rsa_no_enforced_mode.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: libgcrypt-1.8.2/cipher/rsa.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.8.2.orig/cipher/rsa.c 2017-11-23 19:16:58.000000000 +0100
|
||||
+++ libgcrypt-1.8.2/cipher/rsa.c 2019-03-26 11:14:33.737388126 +0100
|
||||
@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig
|
||||
|
||||
if (nbits < 1024 || (nbits & 0x1FF))
|
||||
return GPG_ERR_INV_VALUE;
|
||||
- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
|
||||
+ if (fips_mode() && nbits != 2048 && nbits != 3072)
|
||||
return GPG_ERR_INV_VALUE;
|
||||
|
||||
/* The random quality depends on the transient_key flag. */
|
@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 26 16:30:23 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
- libgcrypt-1.8.3-fips-ctor.patch changed the way the fips selftests
|
||||
are invoked as well as the state transition, adjust the code so
|
||||
a missing checksum file is not an issue in non-FIPS mode (bsc#1097073)
|
||||
* update libgcrypt-binary_integrity_in_non-FIPS.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 26 16:25:18 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
- Enforce the minimal RSA keygen size in fips mode (bsc#1125740)
|
||||
* add libgcrypt-fips_rsa_no_enforced_mode.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 22 14:13:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
|
@ -57,9 +57,10 @@ Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
|
||||
Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
|
||||
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
|
||||
Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
|
||||
Patch37: libgcrypt-binary_integrity_in_non-FIPS.patch
|
||||
Patch39: libgcrypt-1.8.3-fips-ctor.patch
|
||||
Patch40: libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
|
||||
Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch
|
||||
Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch
|
||||
BuildRequires: automake >= 1.14
|
||||
BuildRequires: fipscheck
|
||||
BuildRequires: libgpg-error-devel >= 1.25
|
||||
|
Loading…
Reference in New Issue
Block a user