forked from pool/libgcrypt
Accepting request 1089003 from devel:libraries:c_c++
OBS-URL: https://build.opensuse.org/request/show/1089003 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libgcrypt?expand=0&rev=97
This commit is contained in:
commit
d746817767
@ -1,7 +1,8 @@
|
||||
libgcrypt20
|
||||
obsoletes "libgcrypt-<targettype> <= <version>"
|
||||
provides "libgcrypt-<targettype> = <version>"
|
||||
libgcrypt20-hmac
|
||||
obsoletes "libgcrypt-<targettype> <= <version>"
|
||||
provides "libgcrypt20-hmac-<targettype> = <version>-%release"
|
||||
obsoletes "libgcrypt20-hmac-<targettype> < <version>-%release"
|
||||
libgcrypt-devel
|
||||
requires -libgcrypt-<targettype>
|
||||
requires "libgcrypt20-<targettype> = <version>"
|
||||
|
1
hwf.deny
1
hwf.deny
@ -1,6 +1,5 @@
|
||||
# This file can be used to globally disable the use of hardware
|
||||
# based optimizations. Supported options are:
|
||||
|
||||
# padlock-rng
|
||||
# padlock-aes
|
||||
# padlock-sha
|
||||
|
@ -1,114 +0,0 @@
|
||||
Index: libgcrypt-1.10.1/src/fips.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.10.1.orig/src/fips.c
|
||||
+++ libgcrypt-1.10.1/src/fips.c
|
||||
@@ -949,6 +949,65 @@ hmac256_check (const char *filename, con
|
||||
return err;
|
||||
}
|
||||
|
||||
+static int
|
||||
+get_library_path(const char *libname, const char *symbolname,
|
||||
+ char *path, size_t pathlen)
|
||||
+{
|
||||
+ Dl_info info;
|
||||
+ void *dl, *sym;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ dl = dlopen(libname, RTLD_LAZY);
|
||||
+ if (dl == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
+ sym = dlsym(dl, symbolname);
|
||||
+ if (sym != NULL && dladdr(sym, &info))
|
||||
+ {
|
||||
+ strncpy(path, info.dli_fname, pathlen-1);
|
||||
+ path[pathlen-1] = '\0';
|
||||
+ rv = 0;
|
||||
+ }
|
||||
+
|
||||
+ dlclose(dl);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static gpg_error_t
|
||||
+get_hmac_path(char **fname, char *suffix)
|
||||
+{
|
||||
+ char libpath[4096];
|
||||
+ gpg_error_t err;
|
||||
+
|
||||
+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version",
|
||||
+ libpath, sizeof(libpath)))
|
||||
+ err = gpg_error_from_syserror ();
|
||||
+ else
|
||||
+ {
|
||||
+ *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
|
||||
+ if (!*fname)
|
||||
+ err = gpg_error_from_syserror ();
|
||||
+ else
|
||||
+ {
|
||||
+ char *p;
|
||||
+
|
||||
+ /* Prefix the basename with a dot. */
|
||||
+ strcpy (*fname, libpath);
|
||||
+ p = strrchr (*fname, '/');
|
||||
+ if (p)
|
||||
+ p++;
|
||||
+ else
|
||||
+ p = *fname;
|
||||
+ memmove (p+1, p, strlen (p)+1);
|
||||
+ *p = '.';
|
||||
+ strcat (*fname, suffix);
|
||||
+ err = 0;
|
||||
+ }
|
||||
+ }
|
||||
+ return err;
|
||||
+}
|
||||
+
|
||||
/* Run an integrity check on the binary. Returns 0 on success. */
|
||||
static int
|
||||
check_binary_integrity (void)
|
||||
@@ -997,6 +1056,33 @@ run_hmac_sha256_selftests (int extended)
|
||||
}
|
||||
#endif
|
||||
|
||||
+int
|
||||
+can_skip_selftests(void)
|
||||
+{
|
||||
+ char *fname = NULL;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ if (fips_mode())
|
||||
+ return 0;
|
||||
+
|
||||
+ if (get_hmac_path(&fname, ".fips"))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* check the hmac presence */
|
||||
+ if (access(fname, F_OK))
|
||||
+ /* no hmac file is present, don't run the tests */
|
||||
+ if (errno == ENOENT)
|
||||
+ ret = 1;
|
||||
+ /* otherwise one of these events happened:
|
||||
+ * access() returned 0
|
||||
+ * -> run the tests
|
||||
+ * some error other than ENOENT occurred
|
||||
+ * -> run the tests anyway and let them fail
|
||||
+ */
|
||||
+
|
||||
+ xfree(fname);
|
||||
+ return ret;
|
||||
+}
|
||||
|
||||
/* Run the self-tests. If EXTENDED is true, extended versions of the
|
||||
selftest are run, that is more tests than required by FIPS. */
|
||||
@@ -1006,6 +1092,9 @@ _gcry_fips_run_selftests (int extended)
|
||||
enum module_states result = STATE_ERROR;
|
||||
gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
|
||||
|
||||
+ if (can_skip_selftests())
|
||||
+ return 0;
|
||||
+
|
||||
if (fips_mode ())
|
||||
fips_new_state (STATE_SELFTEST);
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- FIPS: Merge the libgcrypt20-hmac package into the library and
|
||||
remove the "module is complete" trigger file .fips [bsc#1185116]
|
||||
* Remove libgcrypt-1.10.0-use-fipscheck.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
|
@ -16,7 +16,6 @@
|
||||
#
|
||||
|
||||
|
||||
%define build_hmac256 1
|
||||
%define libsover 20
|
||||
%define libsoname %{name}%{libsover}
|
||||
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
|
||||
@ -49,8 +48,6 @@ Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
|
||||
Patch103: libgcrypt-jitterentropy-3.4.0.patch
|
||||
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
|
||||
Patch104: libgcrypt-FIPS-rndjent_poll.patch
|
||||
#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
|
||||
Patch105: libgcrypt-1.10.0-use-fipscheck.patch
|
||||
BuildRequires: automake >= 1.14
|
||||
BuildRequires: libgpg-error-devel >= 1.27
|
||||
BuildRequires: libtool
|
||||
@ -68,23 +65,13 @@ understanding of applied cryptography is required to use Libgcrypt.
|
||||
Summary: The GNU Crypto Library
|
||||
License: GPL-2.0-or-later AND LGPL-2.1-or-later
|
||||
Group: System/Libraries
|
||||
Suggests: %{libsoname}-hmac = %{version}-%{release}
|
||||
Provides: %{libsoname}-hmac = %{version}-%{release}
|
||||
Obsoletes: %{libsoname}-hmac < %{version}-%{release}
|
||||
|
||||
%description -n %{libsoname}
|
||||
Libgcrypt is a general purpose crypto library based on the code used in
|
||||
GnuPG (alpha version).
|
||||
|
||||
%package -n %{libsoname}-hmac
|
||||
Summary: HMAC checksums for the GNU Crypto Library
|
||||
License: GPL-2.0-or-later AND LGPL-2.1-or-later
|
||||
Group: System/Libraries
|
||||
Requires: %{libsoname} = %{version}-%{release}
|
||||
|
||||
%description -n %{libsoname}-hmac
|
||||
Libgcrypt is a general purpose crypto library based on the code used in
|
||||
GnuPG (alpha version). This package contains the HMAC checksum files
|
||||
for integrity checking the library, as required by FIPS 140-2.
|
||||
|
||||
%package devel
|
||||
Summary: The GNU Crypto Library
|
||||
License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
|
||||
@ -109,8 +96,6 @@ library.
|
||||
sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in
|
||||
|
||||
%build
|
||||
echo building with build_hmac256 set to %{build_hmac256}
|
||||
|
||||
export PUBKEYS="dsa elgamal rsa ecc"
|
||||
export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
|
||||
export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
|
||||
@ -139,18 +124,13 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
|
||||
%make_build
|
||||
|
||||
%check
|
||||
%make_build check
|
||||
make -k check
|
||||
# run the regression tests also in FIPS mode
|
||||
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true
|
||||
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
|
||||
|
||||
# Install the FIPS hmac file
|
||||
cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
|
||||
|
||||
# create the FIPS "module is complete" trigger file
|
||||
%if 0%{?build_hmac256}
|
||||
touch %{buildroot}%{_libdir}/.%{name}.so.%{libsover}.fips
|
||||
%endif
|
||||
|
||||
%install
|
||||
%make_install
|
||||
rm %{buildroot}%{_libdir}/%{name}.la
|
||||
@ -170,12 +150,7 @@ install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
|
||||
%dir %{_sysconfdir}/gcrypt
|
||||
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
|
||||
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
|
||||
|
||||
%files -n %{libsoname}-hmac
|
||||
%{_libdir}/.libgcrypt.so.*.hmac
|
||||
%if 0%{?build_hmac256}
|
||||
%{_libdir}/.libgcrypt.so.*.fips
|
||||
%endif
|
||||
|
||||
%files devel
|
||||
%license COPYING COPYING.LIB LICENSES
|
||||
|
Loading…
Reference in New Issue
Block a user