From dea04356905531e96fec61628cb91e7054dcbd7625fa2dd37b6951416827c5b6 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Wed, 3 Feb 2021 12:44:42 +0000 Subject: [PATCH] Accepting request 868925 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 1.9.1 * *Fix exploitable bug* in hash functions introduced with 1.9.0. [bsc#1181632, CVE-2021-3345] * Return an error if a negative MPI is used with sexp scan functions. * Check for operational FIPS in the random and KDF functions. * Fix compile error on ARMv7 with NEON disabled. * Fix self-test in KDF module. * Improve assembler checks for better LTO support. * Fix 32-bit cross build on x86. * Fix non-NEON ARM assembly implementation for SHA512. * Fix build problems with the cipher_bulk_ops_t typedef. * Fix Ed25519 private key handling for preceding ZEROs. * Fix overflow in modular inverse implementation. * Fix register access for AVX/AVX2 implementations of Blake2. * Add optimized cipher and hash functions for s390x/zSeries. * Use hardware bit counting functionx when available. * Update DSA functions to match FIPS 186-3. * New self-tests for CMACs and KDFs. * Add bulk cipher functions for OFB and GCM modes. - Update libgpg-error required version - Use the suffix variable correctly in get_hmac_path() - Rebase libgcrypt-fips_selftest_trigger_file.patch - Add the global config file /etc/gcrypt/random.conf * This file can be used to globally change parameters of the random generator with the options: only-urandom and disable-jent. - Update to 1.9.0: OBS-URL: https://build.opensuse.org/request/show/868925 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=142 --- drbg_test.patch | 33 +- ...pt-1.4.1-rijndael_no_strict_aliasing.patch | 17 +- ...t-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff | 2 +- libgcrypt-1.6.1-fips-cfgrandom.patch | 85 ----- libgcrypt-1.6.1-use-fipscheck.patch | 53 ++- libgcrypt-1.8.3-fips-ctor.patch | 82 ++--- libgcrypt-1.8.4-fips-keygen.patch | 41 ++- libgcrypt-1.8.4-getrandom.patch | 89 +++-- libgcrypt-1.8.7.tar.bz2 | 3 - libgcrypt-1.8.7.tar.bz2.sig | Bin 119 -> 0 bytes libgcrypt-1.9.1.tar.bz2 | 3 + libgcrypt-1.9.1.tar.bz2.sig | Bin 0 -> 119 bytes libgcrypt-CMAC-AES-TDES-selftest.patch | 322 ------------------ libgcrypt-CVE-2019-12904-AES.patch | 322 ------------------ libgcrypt-CVE-2019-12904-GCM-Prefetch.patch | 80 ----- libgcrypt-CVE-2019-12904-GCM.patch | 168 --------- ...FIPS-RSA-DSA-ECDSA-hashing-operation.patch | 44 +-- libgcrypt-PCT-ECC.patch | 124 +++---- libgcrypt-PCT-RSA.patch | 16 +- libgcrypt-ecc-ecdsa-no-blinding.patch | 67 ++-- libgcrypt-fips_rsa_no_enforced_mode.patch | 13 - libgcrypt-fips_selftest_trigger_file.patch | 38 +-- ...ypt-fipsdrv-enable-algo-for-dsa-sign.patch | 4 +- libgcrypt-fix-tests-fipsmode.patch | 85 +++-- libgcrypt-global_init-constructor.patch | 112 +++--- libgcrypt-unresolved-dladdr.patch | 23 -- libgcrypt.changes | 89 +++++ libgcrypt.spec | 100 +++--- random.conf | 9 + 29 files changed, 529 insertions(+), 1495 deletions(-) delete mode 100644 libgcrypt-1.6.1-fips-cfgrandom.patch delete mode 100644 libgcrypt-1.8.7.tar.bz2 delete mode 100644 libgcrypt-1.8.7.tar.bz2.sig create mode 100644 libgcrypt-1.9.1.tar.bz2 create mode 100644 libgcrypt-1.9.1.tar.bz2.sig delete mode 100644 libgcrypt-CMAC-AES-TDES-selftest.patch delete mode 100644 libgcrypt-CVE-2019-12904-AES.patch delete mode 100644 libgcrypt-CVE-2019-12904-GCM-Prefetch.patch delete mode 100644 libgcrypt-CVE-2019-12904-GCM.patch delete mode 100644 libgcrypt-fips_rsa_no_enforced_mode.patch delete mode 100644 libgcrypt-unresolved-dladdr.patch create mode 100644 random.conf diff --git a/drbg_test.patch b/drbg_test.patch index 2538293..b644abe 100644 --- a/drbg_test.patch +++ b/drbg_test.patch @@ -1,7 +1,7 @@ -Index: libgcrypt-1.7.2/tests/drbg_test.c +Index: libgcrypt-1.9.0/tests/drbg_test.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ libgcrypt-1.7.2/tests/drbg_test.c 2016-08-16 16:04:52.289060124 +0200 +--- /dev/null ++++ libgcrypt-1.9.0/tests/drbg_test.c @@ -0,0 +1,1332 @@ +/* DRBG test for libgcrypt + Copyright (C) 2014 Stephan Mueller @@ -1335,11 +1335,26 @@ Index: libgcrypt-1.7.2/tests/drbg_test.c + return 0; +} + -Index: libgcrypt-1.7.2/Makefile.am +Index: libgcrypt-1.9.0/Makefile.am =================================================================== ---- libgcrypt-1.7.2.orig/Makefile.am 2016-08-16 15:57:43.397736723 +0200 -+++ libgcrypt-1.7.2/Makefile.am 2016-08-16 15:57:44.341752563 +0200 -@@ -42,6 +42,14 @@ EXTRA_DIST = autogen.sh autogen.rc READM +--- libgcrypt-1.9.0.orig/Makefile.am ++++ libgcrypt-1.9.0/Makefile.am +@@ -39,6 +39,14 @@ else + doc = + endif + ++bin_PROGRAMS = fipsdrv drbg_test ++ ++fipsdrv_SOURCES = tests/fipsdrv.c ++fipsdrv_LDADD = src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS) ++ ++drbg_test_CPPFLAGS = -I../src -I$(top_srcdir)/src ++drbg_test_SOURCES = src/gcrypt.h tests/drbg_test.c ++drbg_test_LDADD = src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS) + + DIST_SUBDIRS = m4 compat mpi cipher random src doc tests + SUBDIRS = compat mpi cipher random src $(doc) tests +@@ -51,6 +59,14 @@ EXTRA_DIST = autogen.sh autogen.rc READM DISTCLEANFILES = @@ -1352,5 +1367,5 @@ Index: libgcrypt-1.7.2/Makefile.am +drbg_test_SOURCES = src/gcrypt.h tests/drbg_test.c +drbg_test_LDADD = src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS) - # Add all the files listed in "distfiles" files to the distribution, - # apply version number s to some files and create a VERSION file which + # Add all the files listed in "distfiles" files to the distribution + dist-hook: gen-ChangeLog diff --git a/libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch b/libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch index 0594a42..9e786ea 100644 --- a/libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch +++ b/libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch @@ -1,16 +1,17 @@ -Index: libgcrypt-1.8.3/cipher/Makefile.am +Index: libgcrypt-1.9.0/cipher/Makefile.am =================================================================== ---- libgcrypt-1.8.3.orig/cipher/Makefile.am -+++ libgcrypt-1.8.3/cipher/Makefile.am -@@ -128,3 +128,11 @@ tiger.o: $(srcdir)/tiger.c +--- libgcrypt-1.9.0.orig/cipher/Makefile.am ++++ libgcrypt-1.9.0/cipher/Makefile.am +@@ -155,6 +155,12 @@ tiger.o: $(srcdir)/tiger.c Makefile + tiger.lo: $(srcdir)/tiger.c Makefile + `echo $(LTCOMPILE) -c $< | $(o_flag_munging) ` - tiger.lo: $(srcdir)/tiger.c - `echo $(LTCOMPILE) -c $(srcdir)/tiger.c | $(o_flag_munging) ` -+ +# rijndael.c needs -fno-strict-aliasing +rijndael.o: $(srcdir)/rijndael.c + `echo $(COMPILE) -fno-strict-aliasing -c $(srcdir)/rijndael.c` + +rijndael.lo: $(srcdir)/rijndael.c + `echo $(LTCOMPILE) -fno-strict-aliasing -c $(srcdir)/rijndael.c` -+ + + # We need to disable instrumentation for these modules as they use cc as + # thin assembly front-end and do not tolerate in-between function calls diff --git a/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff b/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff index d9cb968..babac24 100644 --- a/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff +++ b/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff @@ -17,7 +17,7 @@ Index: libgcrypt-1.5.2/src/fips.c + + if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL) + { -+ gcry_assert (!no_fips_mode_required); ++ gcry_assert (!_gcry_no_fips_mode_required); + goto leave; + } + diff --git a/libgcrypt-1.6.1-fips-cfgrandom.patch b/libgcrypt-1.6.1-fips-cfgrandom.patch deleted file mode 100644 index 1db7b54..0000000 --- a/libgcrypt-1.6.1-fips-cfgrandom.patch +++ /dev/null @@ -1,85 +0,0 @@ -Index: libgcrypt-1.8.4/random/rndlinux.c -=================================================================== ---- libgcrypt-1.8.4.orig/random/rndlinux.c -+++ libgcrypt-1.8.4/random/rndlinux.c -@@ -40,7 +40,9 @@ - #include "g10lib.h" - #include "rand-internal.h" - --static int open_device (const char *name, int retry); -+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed" -+ -+static int open_device (const char *name, int retry, int fatal); - - - static int -@@ -63,7 +65,7 @@ set_cloexec_flag (int fd) - * a fatal error but retries until it is able to reopen the device. - */ - static int --open_device (const char *name, int retry) -+open_device (const char *name, int retry, int fatal) - { - int fd; - -@@ -71,6 +73,8 @@ open_device (const char *name, int retry - _gcry_random_progress ("open_dev_random", 'X', 1, 0); - again: - fd = open (name, O_RDONLY); -+ if (fd == -1 && !fatal) -+ return fd; - if (fd == -1 && retry) - { - struct timeval tv; -@@ -116,6 +120,7 @@ _gcry_rndlinux_gather_random (void (*add - { - static int fd_urandom = -1; - static int fd_random = -1; -+ static int fd_configured = -1; - static int only_urandom = -1; - static unsigned char ever_opened; - static volatile pid_t my_pid; /* The volatile is there to make sure -@@ -156,6 +161,11 @@ _gcry_rndlinux_gather_random (void (*add - close (fd_urandom); - fd_urandom = -1; - } -+ if (fd_configured != -1) -+ { -+ close (fd_configured); -+ fd_configured = -1; -+ } - return 0; - } - -@@ -215,11 +225,21 @@ _gcry_rndlinux_gather_random (void (*add - that we always require the device to be existent but want a more - graceful behaviour if the rarely needed close operation has been - used and the device needs to be re-opened later. */ -+ -+ if (level == -1) -+ { -+ if (fd_configured == -1) -+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0 ); -+ fd = fd_configured; -+ if (fd == -1) -+ return -1; -+ } -+ - if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom) - { - if (fd_random == -1) - { -- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1)); -+ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1); - ever_opened |= 1; - } - fd = fd_random; -@@ -228,7 +248,7 @@ _gcry_rndlinux_gather_random (void (*add - { - if (fd_urandom == -1) - { -- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2)); -+ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1); - ever_opened |= 2; - } - fd = fd_urandom; diff --git a/libgcrypt-1.6.1-use-fipscheck.patch b/libgcrypt-1.6.1-use-fipscheck.patch index 3110887..49cf2d7 100644 --- a/libgcrypt-1.6.1-use-fipscheck.patch +++ b/libgcrypt-1.6.1-use-fipscheck.patch @@ -3,27 +3,15 @@ src/fips.c | 39 ++++++++++++++++++++++++++++++++------- 2 files changed, 33 insertions(+), 8 deletions(-) -Index: libgcrypt-1.6.2/src/Makefile.in +Index: libgcrypt-1.9.0/src/fips.c =================================================================== ---- libgcrypt-1.6.2.orig/src/Makefile.in 2014-11-05 20:33:18.000000000 +0000 -+++ libgcrypt-1.6.2/src/Makefile.in 2014-11-05 20:34:04.000000000 +0000 -@@ -449,7 +449,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ - ../cipher/libcipher.la \ - ../random/librandom.la \ - ../mpi/libmpi.la \ -- ../compat/libcompat.la $(GPG_ERROR_LIBS) -+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl - - dumpsexp_SOURCES = dumpsexp.c - dumpsexp_CFLAGS = $(arch_gpg_error_cflags) -Index: libgcrypt-1.6.2/src/fips.c -=================================================================== ---- libgcrypt-1.6.2.orig/src/fips.c 2014-11-05 20:33:18.000000000 +0000 -+++ libgcrypt-1.6.2/src/fips.c 2014-11-05 20:34:04.000000000 +0000 -@@ -589,23 +589,48 @@ run_random_selftests (void) +--- libgcrypt-1.9.0.orig/src/fips.c ++++ libgcrypt-1.9.0/src/fips.c +@@ -603,23 +603,49 @@ run_random_selftests (void) return !!err; } ++#ifdef ENABLE_HMAC_BINARY_CHECK +static int +get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) +{ @@ -31,23 +19,23 @@ Index: libgcrypt-1.6.2/src/fips.c + void *dl, *sym; + int rv = -1; + -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } ++ dl = dlopen(libname, RTLD_LAZY); ++ if (dl == NULL) ++ return -1; + + sym = dlsym(dl, symbolname); ++ if (sym != NULL && dladdr(sym, &info)) ++ { ++ strncpy(path, info.dli_fname, pathlen-1); ++ path[pathlen-1] = '\0'; ++ rv = 0; ++ } + -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen-1); -+ path[pathlen-1] = '\0'; -+ rv = 0; -+ } ++ dlclose(dl); + -+ dlclose(dl); -+ + return rv; +} ++#endif + /* Run an integrity check on the binary. Returns 0 on success. */ static int @@ -61,10 +49,9 @@ Index: libgcrypt-1.6.2/src/fips.c int dlen; char *fname = NULL; - const char key[] = "What am I, a doctor or a moonshuttle conductor?"; -- -- if (!dladdr ("gcry_check_version", &info)) + const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ + +- if (!dladdr ("gcry_check_version", &info)) + if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath))) err = gpg_error_from_syserror (); else @@ -74,7 +61,7 @@ Index: libgcrypt-1.6.2/src/fips.c key, strlen (key)); if (dlen < 0) err = gpg_error_from_syserror (); -@@ -613,7 +638,7 @@ check_binary_integrity (void) +@@ -627,7 +652,7 @@ check_binary_integrity (void) err = gpg_error (GPG_ERR_INTERNAL); else { @@ -83,7 +70,7 @@ Index: libgcrypt-1.6.2/src/fips.c if (!fname) err = gpg_error_from_syserror (); else -@@ -622,7 +647,7 @@ check_binary_integrity (void) +@@ -636,7 +661,7 @@ check_binary_integrity (void) char *p; /* Prefix the basename with a dot. */ diff --git a/libgcrypt-1.8.3-fips-ctor.patch b/libgcrypt-1.8.3-fips-ctor.patch index 34a5e95..d562fc1 100644 --- a/libgcrypt-1.8.3-fips-ctor.patch +++ b/libgcrypt-1.8.3-fips-ctor.patch @@ -1,8 +1,8 @@ -Index: libgcrypt-1.8.4/cipher/md.c +Index: libgcrypt-1.9.0/cipher/md.c =================================================================== ---- libgcrypt-1.8.4.orig/cipher/md.c 2019-03-25 16:58:52.844354398 +0100 -+++ libgcrypt-1.8.4/cipher/md.c 2019-03-25 16:58:53.512358321 +0100 -@@ -411,11 +411,8 @@ md_enable (gcry_md_hd_t hd, int algorith +--- libgcrypt-1.9.0.orig/cipher/md.c ++++ libgcrypt-1.9.0/cipher/md.c +@@ -564,11 +564,8 @@ md_enable (gcry_md_hd_t hd, int algorith if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) { @@ -14,14 +14,15 @@ Index: libgcrypt-1.8.4/cipher/md.c err = GPG_ERR_DIGEST_ALGO; } } -Index: libgcrypt-1.8.4/src/fips.c +Index: libgcrypt-1.9.0/src/fips.c =================================================================== ---- libgcrypt-1.8.4.orig/src/fips.c 2019-03-25 16:58:52.844354398 +0100 -+++ libgcrypt-1.8.4/src/fips.c 2019-03-25 16:58:53.516358344 +0100 -@@ -91,6 +91,31 @@ static void fips_new_state (enum module_ +--- libgcrypt-1.9.0.orig/src/fips.c ++++ libgcrypt-1.9.0/src/fips.c +@@ -90,7 +90,31 @@ static void fips_new_state (enum module_ + #define loxdigit_p(p) !!strchr ("01234567890abcdef", *(p)) - +- +/* Initialize the FSM lock - this function may only + be called once and is intended to be run from the library + constructor */ @@ -46,11 +47,11 @@ Index: libgcrypt-1.8.4/src/fips.c + abort (); + } +} -+ ++ /* Check whether the OS is in FIPS mode and record that in a module local variable. If FORCE is passed as true, fips mode will be enabled anyway. Note: This function is not thread-safe and should -@@ -100,7 +125,6 @@ void +@@ -100,7 +124,6 @@ void _gcry_initialize_fips_mode (int force) { static int done; @@ -58,7 +59,7 @@ Index: libgcrypt-1.8.4/src/fips.c /* Make sure we are not accidentally called twice. */ if (done) -@@ -190,24 +214,6 @@ _gcry_initialize_fips_mode (int force) +@@ -190,24 +213,6 @@ _gcry_initialize_fips_mode (int force) /* Yes, we are in FIPS mode. */ FILE *fp; @@ -83,7 +84,7 @@ Index: libgcrypt-1.8.4/src/fips.c /* If the FIPS force files exists, is readable and has a number != 0 on its first line, we enable the enforced fips mode. */ fp = fopen (FIPS_FORCE_FILE, "r"); -@@ -370,16 +376,20 @@ _gcry_fips_is_operational (void) +@@ -356,16 +361,20 @@ _gcry_fips_is_operational (void) { int result; @@ -92,7 +93,7 @@ Index: libgcrypt-1.8.4/src/fips.c + if (current_state == STATE_POWERON && !fips_mode ()) + /* If we are at this point in POWERON state it means the FIPS + module installation was not completed. (/etc/system-fips -+ is not present.) */ ++ is not present.) */ result = 1; else { @@ -110,7 +111,7 @@ Index: libgcrypt-1.8.4/src/fips.c initialization of libgcrypt, but that has traditionally not been enforced, we use this on demand self-test checking. Note that Proper applications would do the -@@ -395,9 +405,11 @@ _gcry_fips_is_operational (void) +@@ -381,9 +390,11 @@ _gcry_fips_is_operational (void) lock_fsm (); } @@ -124,7 +125,7 @@ Index: libgcrypt-1.8.4/src/fips.c return result; } -@@ -722,9 +734,25 @@ _gcry_fips_run_selftests (int extended) +@@ -729,9 +740,25 @@ _gcry_fips_run_selftests (int extended) { enum module_states result = STATE_ERROR; gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED; @@ -152,14 +153,17 @@ Index: libgcrypt-1.8.4/src/fips.c if (run_cipher_selftests (extended)) goto leave; -@@ -743,18 +771,12 @@ _gcry_fips_run_selftests (int extended) +@@ -753,21 +780,12 @@ _gcry_fips_run_selftests (int extended) if (run_pubkey_selftests (extended)) goto leave; -- /* Now check the integrity of the binary. We do this this after -- having checked the HMAC code. */ -- if (check_binary_integrity ()) -- goto leave; +- if (fips_mode ()) +- { +- /* Now check the integrity of the binary. We do this this after +- having checked the HMAC code. */ +- if (check_binary_integrity ()) +- goto leave; +- } - /* All selftests passed. */ result = STATE_OPERATIONAL; @@ -172,7 +176,7 @@ Index: libgcrypt-1.8.4/src/fips.c return ec; } -@@ -810,6 +832,7 @@ fips_new_state (enum module_states new_s +@@ -823,6 +841,7 @@ fips_new_state (enum module_states new_s { case STATE_POWERON: if (new_state == STATE_INIT @@ -180,7 +184,7 @@ Index: libgcrypt-1.8.4/src/fips.c || new_state == STATE_ERROR || new_state == STATE_FATALERROR) ok = 1; -@@ -824,6 +847,8 @@ fips_new_state (enum module_states new_s +@@ -837,6 +856,8 @@ fips_new_state (enum module_states new_s case STATE_SELFTEST: if (new_state == STATE_OPERATIONAL @@ -189,11 +193,11 @@ Index: libgcrypt-1.8.4/src/fips.c || new_state == STATE_ERROR || new_state == STATE_FATALERROR) ok = 1; -Index: libgcrypt-1.8.4/src/global.c +Index: libgcrypt-1.9.0/src/global.c =================================================================== ---- libgcrypt-1.8.4.orig/src/global.c 2019-03-25 16:58:52.844354398 +0100 -+++ libgcrypt-1.8.4/src/global.c 2019-03-25 16:58:53.516358344 +0100 -@@ -145,6 +145,29 @@ global_init (void) +--- libgcrypt-1.9.0.orig/src/global.c ++++ libgcrypt-1.9.0/src/global.c +@@ -141,6 +141,29 @@ global_init (void) } @@ -223,38 +227,40 @@ Index: libgcrypt-1.8.4/src/global.c /* This function is called by the macro fips_is_operational and makes sure that the minimal initialization has been done. This is far from a perfect solution and hides problems with an improper -@@ -675,8 +698,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, +@@ -672,9 +695,8 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, case GCRYCTL_FIPS_MODE_P: if (fips_mode () - && !_gcry_is_fips_mode_inactive () - && !no_secure_memory) +- rc = GPG_ERR_GENERAL; /* Used as TRUE value */ + && !_gcry_is_fips_mode_inactive ()) - rc = GPG_ERR_GENERAL; /* Used as TRUE value */ ++ rc = GPG_ERR_GENERAL; /* Used as TRUE value */ break; -@@ -753,9 +775,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, + case GCRYCTL_FORCE_FIPS_MODE: +@@ -750,9 +772,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, break; case GCRYCTL_SET_ENFORCED_FIPS_FLAG: -- if (!any_init_done) -+ if (fips_mode ()) +- if (!_gcry_global_any_init_done) ++ if (fips_mode()) { - /* Not yet initialized at all. Set the enforced fips mode flag */ + /* We are in FIPS mode, we can set the enforced fips mode flag. */ _gcry_set_preferred_rng_type (0); _gcry_set_enforced_fips_mode (); } -Index: libgcrypt-1.8.4/src/g10lib.h +Index: libgcrypt-1.9.0/src/g10lib.h =================================================================== ---- libgcrypt-1.8.4.orig/src/g10lib.h 2019-03-25 16:58:52.844354398 +0100 -+++ libgcrypt-1.8.4/src/g10lib.h 2019-03-25 16:58:53.516358344 +0100 -@@ -422,6 +422,8 @@ gpg_err_code_t _gcry_sexp_vextract_param +--- libgcrypt-1.9.0.orig/src/g10lib.h ++++ libgcrypt-1.9.0/src/g10lib.h +@@ -429,6 +429,8 @@ gpg_err_code_t _gcry_sexp_vextract_param - /*-- fips.c --*/ + extern int _gcry_no_fips_mode_required; +void _gcry_initialize_fsm_lock (void); + void _gcry_initialize_fips_mode (int force); - int _gcry_fips_mode (void); + /* This macro returns true if fips mode is enabled. This is diff --git a/libgcrypt-1.8.4-fips-keygen.patch b/libgcrypt-1.8.4-fips-keygen.patch index 03a8246..e4b40f6 100644 --- a/libgcrypt-1.8.4-fips-keygen.patch +++ b/libgcrypt-1.8.4-fips-keygen.patch @@ -1,33 +1,32 @@ -Index: libgcrypt-1.8.2/cipher/dsa.c +Index: libgcrypt-1.9.1/cipher/dsa.c =================================================================== ---- libgcrypt-1.8.2.orig/cipher/dsa.c -+++ libgcrypt-1.8.2/cipher/dsa.c -@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un +--- libgcrypt-1.9.1.orig/cipher/dsa.c ++++ libgcrypt-1.9.1/cipher/dsa.c +@@ -457,13 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un &prime_q, &prime_p, r_counter, r_seed, r_seedlen); - else -- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, + else if (!domain->p || !domain->q) -+ ec = _gcry_generate_fips186_3_prime (nbits, qbits, -+ initial_seed.seed, -+ initial_seed.seedlen, + ec = _gcry_generate_fips186_3_prime (nbits, qbits, + initial_seed.seed, + initial_seed.seedlen, &prime_q, &prime_p, r_counter, r_seed, r_seedlen, NULL); + else -+ { -+ /* Domain parameters p and q are given; use them. */ -+ prime_p = mpi_copy (domain->p); -+ prime_q = mpi_copy (domain->q); -+ gcry_assert (mpi_get_nbits (prime_p) == nbits); -+ gcry_assert (mpi_get_nbits (prime_q) == qbits); -+ ec = 0; -+ } ++ { ++ /* Domain parameters p and q are given; use them. */ ++ prime_p = mpi_copy (domain->p); ++ prime_q = mpi_copy (domain->q); ++ gcry_assert (mpi_get_nbits (prime_p) == nbits); ++ gcry_assert (mpi_get_nbits (prime_q) == qbits); ++ ec = 0; ++ } sexp_release (initial_seed.sexp); if (ec) goto leave; -@@ -857,13 +868,12 @@ dsa_generate (const gcry_sexp_t genparms +@@ -859,13 +868,12 @@ dsa_generate (const gcry_sexp_t genparms sexp_release (l1); sexp_release (domainsexp); @@ -43,15 +42,15 @@ Index: libgcrypt-1.8.2/cipher/dsa.c return GPG_ERR_MISSING_VALUE; } -Index: libgcrypt-1.8.2/cipher/rsa.c +Index: libgcrypt-1.9.1/cipher/rsa.c =================================================================== ---- libgcrypt-1.8.2.orig/cipher/rsa.c -+++ libgcrypt-1.8.2/cipher/rsa.c +--- libgcrypt-1.9.1.orig/cipher/rsa.c ++++ libgcrypt-1.9.1/cipher/rsa.c @@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig if (nbits < 1024 || (nbits & 0x1FF)) return GPG_ERR_INV_VALUE; -- if (fips_mode() && nbits != 2048 && nbits != 3072) +- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072) + if (fips_mode() && nbits < 2048) return GPG_ERR_INV_VALUE; diff --git a/libgcrypt-1.8.4-getrandom.patch b/libgcrypt-1.8.4-getrandom.patch index 4810974..6158b35 100644 --- a/libgcrypt-1.8.4-getrandom.patch +++ b/libgcrypt-1.8.4-getrandom.patch @@ -1,7 +1,7 @@ -Index: libgcrypt-1.8.4/random/random-csprng.c +Index: libgcrypt-1.9.1/random/random-csprng.c =================================================================== ---- libgcrypt-1.8.4.orig/random/random-csprng.c -+++ libgcrypt-1.8.4/random/random-csprng.c +--- libgcrypt-1.9.1.orig/random/random-csprng.c ++++ libgcrypt-1.9.1/random/random-csprng.c @@ -55,6 +55,10 @@ #ifdef __MINGW32__ #include @@ -13,7 +13,7 @@ Index: libgcrypt-1.8.4/random/random-csprng.c #include "g10lib.h" #include "random.h" #include "rand-internal.h" -@@ -1116,6 +1120,22 @@ getfnc_gather_random (void))(void (*)(co +@@ -1202,6 +1206,22 @@ getfnc_gather_random (void))(void (*)(co enum random_origins, size_t, int); #if USE_RNDLINUX @@ -31,39 +31,69 @@ Index: libgcrypt-1.8.4/random/random-csprng.c + return fnc; + } + else -+ /* The syscall is not supported - fallback to /dev/urandom. */ ++ /* The syscall is not supported - fallback to /dev/urandom. */ +#endif if ( !access (NAME_OF_DEV_RANDOM, R_OK) && !access (NAME_OF_DEV_URANDOM, R_OK)) { -Index: libgcrypt-1.8.4/random/random.c +Index: libgcrypt-1.9.1/random/random.c =================================================================== ---- libgcrypt-1.8.4.orig/random/random.c -+++ libgcrypt-1.8.4/random/random.c +--- libgcrypt-1.9.1.orig/random/random.c ++++ libgcrypt-1.9.1/random/random.c @@ -110,8 +110,8 @@ _gcry_random_read_conf (void) unsigned int result = 0; fp = fopen (fname, "r"); - if (!fp) - return result; -+ if (!fp) /* We make only_urandom the default. */ ++ if (!fp) /* We make only_urandom the default. */ + return RANDOM_CONF_ONLY_URANDOM; for (;;) { -Index: libgcrypt-1.8.4/random/rndlinux.c +Index: libgcrypt-1.9.1/random/rndlinux.c =================================================================== ---- libgcrypt-1.8.4.orig/random/rndlinux.c -+++ libgcrypt-1.8.4/random/rndlinux.c -@@ -34,6 +34,7 @@ - #include - #if defined(__linux__) && defined(HAVE_SYSCALL) +--- libgcrypt-1.9.1.orig/random/rndlinux.c ++++ libgcrypt-1.9.1/random/rndlinux.c +@@ -39,6 +39,7 @@ extern int getentropy (void *buf, size_t + #if defined(__linux__) || !defined(HAVE_GETENTROPY) + #ifdef HAVE_SYSCALL # include +# include - #endif - - #include "types.h" -@@ -248,6 +249,18 @@ _gcry_rndlinux_gather_random (void (*add + # ifdef __NR_getrandom + # define getentropy(buf,buflen) syscall (__NR_getrandom, buf, buflen, 0) + # endif +@@ -155,12 +156,12 @@ _gcry_rndlinux_gather_random (void (*add + if (!add) + { + /* Special mode to close the descriptors. */ +- if (fd_random != -1) ++ if (fd_random >= 0) + { + close (fd_random); + fd_random = -1; + } +- if (fd_urandom != -1) ++ if (fd_urandom >= 0) + { + close (fd_urandom); + fd_urandom = -1; +@@ -176,12 +177,12 @@ _gcry_rndlinux_gather_random (void (*add + apid = getpid (); + if (my_pid != apid) + { +- if (fd_random != -1) ++ if (fd_random >= 0) + { + close (fd_random); + fd_random = -1; + } +- if (fd_urandom != -1) ++ if (fd_urandom >= 0) + { + close (fd_urandom); + fd_urandom = -1; +@@ -230,6 +231,17 @@ _gcry_rndlinux_gather_random (void (*add { if (fd_urandom == -1) { @@ -76,28 +106,19 @@ Index: libgcrypt-1.8.4/random/rndlinux.c + _gcry_post_syscall (); + if (ret > -1 || errno == EAGAIN || errno == EINTR) + fd_urandom = -2; -+ else -+ /* The syscall is not supported - fallback to /dev/urandom. */ ++ else /* The syscall is not supported - fallback to /dev/urandom. */ +#endif - fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1); + fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2)); ever_opened |= 2; } -@@ -275,6 +288,7 @@ _gcry_rndlinux_gather_random (void (*add - * syscall and not a new device and thus we are not able to use - * select(2) to have a timeout. */ - #if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) -+ if (fd == -2) - { - long ret; - size_t nbytes; -@@ -290,9 +304,7 @@ _gcry_rndlinux_gather_random (void (*add +@@ -272,9 +284,7 @@ _gcry_rndlinux_gather_random (void (*add _gcry_post_syscall (); } while (ret == -1 && errno == EINTR); - if (ret == -1 && errno == ENOSYS) -- ; /* The syscall is not supported - fallback to pulling from fd. */ +- ; /* getentropy is not supported - fallback to pulling from fd. */ - else + if (1) - { /* The syscall is supported. Some sanity checks. */ + { /* getentropy is supported. Some sanity checks. */ if (ret == -1) - log_fatal ("unexpected error from getrandom: %s\n", + log_fatal ("unexpected error from getentropy: %s\n", diff --git a/libgcrypt-1.8.7.tar.bz2 b/libgcrypt-1.8.7.tar.bz2 deleted file mode 100644 index a61fc14..0000000 --- a/libgcrypt-1.8.7.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:03b70f028299561b7034b8966d7dd77ef16ed139c43440925fe8782561974748 -size 2985660 diff --git a/libgcrypt-1.8.7.tar.bz2.sig b/libgcrypt-1.8.7.tar.bz2.sig deleted file mode 100644 index ccb605b3bc0d49cefb4888cf598aff5a23111417b9a204739fc41b7a3e891fc1..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 119 zcmeAuWnmEGV2~A4WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0@sovf8MrtFU?O(u41eW6 zUK3CcE1UV0z2jcaaBxVLWv-|MqNYyUiW Vr%-dY%H_t1&HKaxgG=@?0{|_tGE@Kn literal 0 HcmV?d00001 diff --git a/libgcrypt-CMAC-AES-TDES-selftest.patch b/libgcrypt-CMAC-AES-TDES-selftest.patch deleted file mode 100644 index adefc2c..0000000 --- a/libgcrypt-CMAC-AES-TDES-selftest.patch +++ /dev/null @@ -1,322 +0,0 @@ -diff -up libgcrypt-1.8.3/cipher/cipher-cmac.c.cmac-selftest libgcrypt-1.8.3/cipher/cipher-cmac.c ---- libgcrypt-1.8.3/cipher/cipher-cmac.c.cmac-selftest 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/cipher/cipher-cmac.c 2019-05-31 17:33:35.594407152 +0200 -@@ -251,3 +251,246 @@ _gcry_cipher_cmac_set_subkeys (gcry_ciph - - return GPG_ERR_NO_ERROR; - } -+ -+/* CMAC selftests. -+ * Copyright (C) 2008 Free Software Foundation, Inc. -+ * Copyright (C) 2019 Red Hat, Inc. -+ */ -+ -+ -+ -+/* Check one MAC with MAC ALGO using the regular MAC -+ * API. (DATA,DATALEN) is the data to be MACed, (KEY,KEYLEN) the key -+ * and (EXPECT,EXPECTLEN) the expected result. If TRUNC is set, the -+ * EXPECTLEN may be less than the digest length. Returns NULL on -+ * success or a string describing the failure. */ -+static const char * -+check_one (int algo, -+ const void *data, size_t datalen, -+ const void *key, size_t keylen, -+ const void *expect, size_t expectlen) -+{ -+ gcry_mac_hd_t hd; -+ unsigned char mac[512]; /* hardcoded to avoid allocation */ -+ size_t macoutlen = expectlen; -+ -+/* printf ("MAC algo %d\n", algo); */ -+ if (_gcry_mac_get_algo_maclen (algo) != expectlen || -+ expectlen > sizeof (mac)) -+ return "invalid tests data"; -+ if (_gcry_mac_open (&hd, algo, 0, NULL)) -+ return "gcry_mac_open failed"; -+ if (_gcry_mac_setkey (hd, key, keylen)) -+ { -+ _gcry_mac_close (hd); -+ return "gcry_md_setkey failed"; -+ } -+ if (_gcry_mac_write (hd, data, datalen)) -+ { -+ _gcry_mac_close (hd); -+ return "gcry_mac_write failed"; -+ } -+ if (_gcry_mac_read (hd, mac, &macoutlen)) -+ { -+ _gcry_mac_close (hd); -+ return "gcry_mac_read failed"; -+ } -+ _gcry_mac_close (hd); -+ if (macoutlen != expectlen || memcmp (mac, expect, expectlen)) -+ { -+/* int i; */ -+ -+/* fputs (" {", stdout); */ -+/* for (i=0; i < expectlen-1; i++) */ -+/* { */ -+/* if (i && !(i % 8)) */ -+/* fputs ("\n ", stdout); */ -+/* printf (" 0x%02x,", mac[i]); */ -+/* } */ -+/* printf (" 0x%02x } },\n", mac[i]); */ -+ -+ return "does not match"; -+ } -+ return NULL; -+} -+ -+ -+static gpg_err_code_t -+selftests_cmac_tdes (int extended, selftest_report_func_t report) -+{ -+ const char *what; -+ const char *errtxt; -+ -+ what = "Basic TDES"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57", 20, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\x74\x3d\xdb\xe0\xce\x2d\xc2\xed", 8); -+ if (errtxt) -+ goto failed; -+ -+ if (extended) -+ { -+ what = "Extended TDES #1"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "", 0, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\xb7\xa6\x88\xe1\x22\xff\xaf\x95", 8); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended TDES #2"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96", 8, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\x8e\x8f\x29\x31\x36\x28\x37\x97", 8); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended TDES #3"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51", 32, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\x33\xe6\xb1\x09\x24\x00\xea\xe5", 8); -+ if (errtxt) -+ goto failed; -+ } -+ -+ return 0; /* Succeeded. */ -+ -+ failed: -+ if (report) -+ report ("cmac", GCRY_MAC_CMAC_3DES, what, errtxt); -+ return GPG_ERR_SELFTEST_FAILED; -+} -+ -+ -+ -+static gpg_err_code_t -+selftests_cmac_aes (int extended, selftest_report_func_t report) -+{ -+ const char *what; -+ const char *errtxt; -+ -+ what = "Basic AES128"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40, -+ "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 16, -+ "\xdf\xa6\x67\x47\xde\x9a\xe6\x30\x30\xca\x32\x61\x14\x97\xc8\x27", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Basic AES192"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40, -+ "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5" -+ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 24, -+ "\x8a\x1d\xe5\xbe\x2e\xb3\x1a\xad\x08\x9a\x82\xe6\xee\x90\x8b\x0e", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Basic AES256"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40, -+ "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81" -+ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 32, -+ "\xaa\xf3\xd8\xf1\xde\x56\x40\xc2\x32\xf5\xb1\x69\xb9\xc9\x11\xe6", 16); -+ if (errtxt) -+ goto failed; -+ if (extended) -+ { -+ what = "Extended AES #1"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "", 0, -+ "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 16, -+ "\xbb\x1d\x69\x29\xe9\x59\x37\x28\x7f\xa3\x7d\x12\x9b\x75\x67\x46", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended AES #2"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a", 16, -+ "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5" -+ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 24, -+ "\x9e\x99\xa7\xbf\x31\xe7\x10\x90\x06\x62\xf6\x5e\x61\x7c\x51\x84", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended AES #3"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" -+ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 64, -+ "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81" -+ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 32, -+ "\xe1\x99\x21\x90\x54\x9f\x6e\xd5\x69\x6a\x2c\x05\x6c\x31\x54\x10", 16 ); -+ if (errtxt) -+ goto failed; -+ } -+ -+ return 0; /* Succeeded. */ -+ -+ failed: -+ if (report) -+ report ("cmac", GCRY_MAC_CMAC_AES, what, errtxt); -+ return GPG_ERR_SELFTEST_FAILED; -+} -+ -+ -+/* Run a full self-test for ALGO and return 0 on success. */ -+static gpg_err_code_t -+run_cmac_selftests (int algo, int extended, selftest_report_func_t report) -+{ -+ gpg_err_code_t ec; -+ -+ switch (algo) -+ { -+ case GCRY_MAC_CMAC_3DES: -+ ec = selftests_cmac_tdes (extended, report); -+ break; -+ case GCRY_MAC_CMAC_AES: -+ ec = selftests_cmac_aes (extended, report); -+ break; -+ -+ default: -+ ec = GPG_ERR_MAC_ALGO; -+ break; -+ } -+ return ec; -+} -+ -+ -+ -+ -+/* Run the selftests for CMAC with CMAC algorithm ALGO with optional -+ reporting function REPORT. */ -+gpg_error_t -+_gcry_cmac_selftest (int algo, int extended, selftest_report_func_t report) -+{ -+ gcry_err_code_t ec = 0; -+ -+ if (!_gcry_mac_algo_info( algo, GCRYCTL_TEST_ALGO, NULL, NULL )) -+ { -+ ec = run_cmac_selftests (algo, extended, report); -+ } -+ else -+ { -+ ec = GPG_ERR_MAC_ALGO; -+ if (report) -+ report ("mac", algo, "module", "algorithm not available"); -+ } -+ return gpg_error (ec); -+} -diff -up libgcrypt-1.8.3/src/cipher-proto.h.cmac-selftest libgcrypt-1.8.3/src/cipher-proto.h ---- libgcrypt-1.8.3/src/cipher-proto.h.cmac-selftest 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/src/cipher-proto.h 2019-05-31 17:29:34.574588234 +0200 -@@ -256,6 +256,8 @@ gcry_error_t _gcry_pk_selftest (int algo - selftest_report_func_t report); - gcry_error_t _gcry_hmac_selftest (int algo, int extended, - selftest_report_func_t report); -+gcry_error_t _gcry_cmac_selftest (int algo, int extended, -+ selftest_report_func_t report); - - gcry_error_t _gcry_random_selftest (selftest_report_func_t report); - -diff -up libgcrypt-1.8.3/src/fips.c.cmac-selftest libgcrypt-1.8.3/src/fips.c ---- libgcrypt-1.8.3/src/fips.c.cmac-selftest 2018-11-01 15:40:36.051865535 +0100 -+++ libgcrypt-1.8.3/src/fips.c 2019-05-31 17:31:20.157756640 +0200 -@@ -521,29 +521,32 @@ run_digest_selftests (int extended) - - /* Run self-tests for all HMAC algorithms. Return 0 on success. */ - static int --run_hmac_selftests (int extended) -+run_mac_selftests (int extended) - { -- static int algos[] = -+ static int algos[][2] = - { -- GCRY_MD_SHA1, -- GCRY_MD_SHA224, -- GCRY_MD_SHA256, -- GCRY_MD_SHA384, -- GCRY_MD_SHA512, -- GCRY_MD_SHA3_224, -- GCRY_MD_SHA3_256, -- GCRY_MD_SHA3_384, -- GCRY_MD_SHA3_512, -- 0 -+ { GCRY_MD_SHA1, 0 }, -+ { GCRY_MD_SHA224, 0 }, -+ { GCRY_MD_SHA256, 0 }, -+ { GCRY_MD_SHA384, 0 }, -+ { GCRY_MD_SHA512, 0 }, -+ { GCRY_MD_SHA3_224, 0 }, -+ { GCRY_MD_SHA3_256, 0 }, -+ { GCRY_MD_SHA3_384, 0 }, -+ { GCRY_MD_SHA3_512, 0 }, -+ { GCRY_MAC_CMAC_3DES, 1 }, -+ { GCRY_MAC_CMAC_AES, 1 }, -+ { 0, 0 } - }; - int idx; - gpg_error_t err; - int anyerr = 0; - -- for (idx=0; algos[idx]; idx++) -+ for (idx=0; algos[idx][0]; idx++) - { -- err = _gcry_hmac_selftest (algos[idx], extended, reporter); -- reporter ("hmac", algos[idx], NULL, -+ err = algos[idx][1] ? _gcry_cmac_selftest (algos[idx][0], extended, reporter) : -+ _gcry_hmac_selftest (algos[idx][0], extended, reporter); -+ reporter (algos[idx][1] ? "cmac" : "hmac", algos[idx][0], NULL, - err? gpg_strerror (err):NULL); - if (err) - anyerr = 1; -@@ -747,7 +750,7 @@ _gcry_fips_run_selftests (int extended) - if (run_digest_selftests (extended)) - goto leave; - -- if (run_hmac_selftests (extended)) -+ if (run_mac_selftests (extended)) - goto leave; - - /* Run random tests before the pubkey tests because the latter diff --git a/libgcrypt-CVE-2019-12904-AES.patch b/libgcrypt-CVE-2019-12904-AES.patch deleted file mode 100644 index c06068c..0000000 --- a/libgcrypt-CVE-2019-12904-AES.patch +++ /dev/null @@ -1,322 +0,0 @@ -From daedbbb5541cd8ecda1459d3b843ea4d92788762 Mon Sep 17 00:00:00 2001 -From: Jussi Kivilinna -Date: Fri, 31 May 2019 17:18:09 +0300 -Subject: [PATCH] AES: move look-up tables to .data section and unshare between - processes - -* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. -* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure. -(enc_tables): New structure for encryption table with counters before -and after. -(encT): New macro. -(dec_tables): Add counters before and after encryption table; Move -from .rodata to .data section. -(do_encrypt): Change 'encT' to 'enc_tables.T'. -(do_decrypt): Change '&dec_tables' to 'dec_tables.T'. -* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input -with length not multiple of 256. -(prefetch_enc, prefetch_dec): Modify pre- and post-table counters -to unshare look-up table pages between processes. --- - -GnuPG-bug-id: 4541 -Signed-off-by: Jussi Kivilinna ---- - cipher/rijndael-internal.h | 4 +- - cipher/rijndael-tables.h | 155 +++++++++++++++++++++---------------- - cipher/rijndael.c | 35 +++++++-- - 3 files changed, 118 insertions(+), 76 deletions(-) - -Index: libgcrypt-1.8.4/cipher/rijndael-internal.h -=================================================================== ---- libgcrypt-1.8.4.orig/cipher/rijndael-internal.h -+++ libgcrypt-1.8.4/cipher/rijndael-internal.h -@@ -29,11 +29,13 @@ - #define BLOCKSIZE (128/8) - - --/* Helper macro to force alignment to 16 bytes. */ -+/* Helper macro to force alignment to 16 or 64 bytes. */ - #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED - # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) -+# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) - #else - # define ATTR_ALIGNED_16 -+# define ATTR_ALIGNED_64 - #endif - - -Index: libgcrypt-1.8.4/cipher/rijndael-tables.h -=================================================================== ---- libgcrypt-1.8.4.orig/cipher/rijndael-tables.h -+++ libgcrypt-1.8.4/cipher/rijndael-tables.h -@@ -21,80 +21,98 @@ - /* To keep the actual implementation at a readable size we use this - include file to define the tables. */ - --static const u32 encT[256] = -+static struct -+{ -+ volatile u32 counter_head; -+ u32 cacheline_align[64 / 4 - 1]; -+ u32 T[256]; -+ volatile u32 counter_tail; -+} enc_tables ATTR_ALIGNED_64 = - { -- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, -- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, -- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, -- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, -- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, -- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, -- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, -- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, -- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, -- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, -- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, -- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, -- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, -- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, -- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, -- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, -- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, -- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, -- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, -- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, -- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, -- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, -- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, -- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, -- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, -- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, -- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, -- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, -- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, -- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, -- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, -- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, -- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, -- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, -- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, -- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, -- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, -- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, -- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, -- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, -- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, -- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, -- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, -- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, -- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, -- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, -- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, -- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, -- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, -- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, -- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, -- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, -- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, -- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, -- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, -- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, -- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, -- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, -- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, -- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, -- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, -- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, -- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, -- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c -+ 0, -+ { 0, }, -+ { -+ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, -+ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, -+ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, -+ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, -+ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, -+ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, -+ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, -+ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, -+ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, -+ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, -+ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, -+ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, -+ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, -+ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, -+ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, -+ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, -+ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, -+ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, -+ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, -+ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, -+ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, -+ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, -+ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, -+ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, -+ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, -+ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, -+ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, -+ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, -+ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, -+ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, -+ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, -+ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, -+ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, -+ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, -+ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, -+ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, -+ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, -+ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, -+ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, -+ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, -+ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, -+ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, -+ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, -+ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, -+ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, -+ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, -+ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, -+ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, -+ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, -+ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, -+ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, -+ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, -+ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, -+ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, -+ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, -+ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, -+ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, -+ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, -+ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, -+ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, -+ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, -+ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, -+ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, -+ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c -+ }, -+ 0 - }; - --static const struct -+#define encT enc_tables.T -+ -+static struct - { -+ volatile u32 counter_head; -+ u32 cacheline_align[64 / 4 - 1]; - u32 T[256]; - byte inv_sbox[256]; --} dec_tables = -+ volatile u32 counter_tail; -+} dec_tables ATTR_ALIGNED_64 = - { -+ 0, -+ { 0, }, - { - 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, - 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, -@@ -194,7 +212,8 @@ static const struct - 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, - 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, - 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d -- } -+ }, -+ 0 - }; - - #define decT dec_tables.T -Index: libgcrypt-1.8.4/cipher/rijndael.c -=================================================================== ---- libgcrypt-1.8.4.orig/cipher/rijndael.c -+++ libgcrypt-1.8.4/cipher/rijndael.c -@@ -227,11 +227,11 @@ static const char *selftest(void); - - - /* Prefetching for encryption/decryption tables. */ --static void prefetch_table(const volatile byte *tab, size_t len) -+static inline void prefetch_table(const volatile byte *tab, size_t len) - { - size_t i; - -- for (i = 0; i < len; i += 8 * 32) -+ for (i = 0; len - i >= 8 * 32; i += 8 * 32) - { - (void)tab[i + 0 * 32]; - (void)tab[i + 1 * 32]; -@@ -242,17 +242,37 @@ static void prefetch_table(const volatil - (void)tab[i + 6 * 32]; - (void)tab[i + 7 * 32]; - } -+ for (; i < len; i += 32) -+ { -+ (void)tab[i]; -+ } - - (void)tab[len - 1]; - } - - static void prefetch_enc(void) - { -- prefetch_table((const void *)encT, sizeof(encT)); -+ /* Modify counters to trigger copy-on-write and unsharing if physical pages -+ * of look-up table are shared between processes. Modifying counters also -+ * causes checksums for pages to change and hint same-page merging algorithm -+ * that these pages are frequently changing. */ -+ enc_tables.counter_head++; -+ enc_tables.counter_tail++; -+ -+ /* Prefetch look-up tables to cache. */ -+ prefetch_table((const void *)&enc_tables, sizeof(enc_tables)); - } - - static void prefetch_dec(void) - { -+ /* Modify counters to trigger copy-on-write and unsharing if physical pages -+ * of look-up table are shared between processes. Modifying counters also -+ * causes checksums for pages to change and hint same-page merging algorithm -+ * that these pages are frequently changing. */ -+ dec_tables.counter_head++; -+ dec_tables.counter_tail++; -+ -+ /* Prefetch look-up tables to cache. */ - prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); - } - -@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx, - #ifdef USE_AMD64_ASM - # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS - return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, -- encT); -+ enc_tables.T); - # else - /* Call SystemV ABI function without storing non-volatile XMM registers, - * as target function does not use vector instruction sets. */ -@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx, - return ret; - # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ - #elif defined(USE_ARM_ASM) -- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT); -+ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, -+ enc_tables.T); - #else - return do_encrypt_fn (ctx, bx, ax); - #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/ -@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, - #ifdef USE_AMD64_ASM - # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS - return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, -- &dec_tables); -+ dec_tables.T); - # else - /* Call SystemV ABI function without storing non-volatile XMM registers, - * as target function does not use vector instruction sets. */ -@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, - # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ - #elif defined(USE_ARM_ASM) - return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, -- &dec_tables); -+ dec_tables.T); - #else - return do_decrypt_fn (ctx, bx, ax); - #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/ diff --git a/libgcrypt-CVE-2019-12904-GCM-Prefetch.patch b/libgcrypt-CVE-2019-12904-GCM-Prefetch.patch deleted file mode 100644 index 6c7e97e..0000000 --- a/libgcrypt-CVE-2019-12904-GCM-Prefetch.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 -From: Jussi Kivilinna -Date: Sat, 27 Apr 2019 19:33:28 +0300 -Subject: [PATCH] Prefetch GCM look-up tables - -* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) -(prefetch_tables): New. -(ghash_internal): Call prefetch_tables. --- - -Signed-off-by: Jussi Kivilinna ---- - cipher/cipher-gcm.c | 33 +++++++++++++++++++++++++++++++++ - 1 file changed, 33 insertions(+) - -diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c -index c19f09f2..11f119aa 100644 ---- a/cipher/cipher-gcm.c -+++ b/cipher/cipher-gcm.c -@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { - 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, - }; - -+static inline -+void prefetch_table(const void *tab, size_t len) -+{ -+ const volatile byte *vtab = tab; -+ size_t i; -+ -+ for (i = 0; i < len; i += 8 * 32) -+ { -+ (void)vtab[i + 0 * 32]; -+ (void)vtab[i + 1 * 32]; -+ (void)vtab[i + 2 * 32]; -+ (void)vtab[i + 3 * 32]; -+ (void)vtab[i + 4 * 32]; -+ (void)vtab[i + 5 * 32]; -+ (void)vtab[i + 6 * 32]; -+ (void)vtab[i + 7 * 32]; -+ } -+ -+ (void)vtab[len - 1]; -+} -+ -+static inline void -+do_prefetch_tables (const void *gcmM, size_t gcmM_size) -+{ -+ prefetch_table(gcmM, gcmM_size); -+ prefetch_table(gcmR, sizeof(gcmR)); -+} -+ - #ifdef GCM_TABLES_USE_U64 - static void - bshift (u64 * b0, u64 * b1) -@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) - #define fillM(c) \ - do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) - #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) -+#define prefetch_tables(c) \ -+ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) - - #else - -@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) - - #define fillM(c) do { } while (0) - #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) -+#define prefetch_tables(c) do {} while (0) - - #endif /* !GCM_USE_TABLES */ - -@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, - const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; - unsigned int burn = 0; - -+ prefetch_tables (c); -+ - while (nblocks) - { - burn = GHASH (c, result, buf); diff --git a/libgcrypt-CVE-2019-12904-GCM.patch b/libgcrypt-CVE-2019-12904-GCM.patch deleted file mode 100644 index fa06c18..0000000 --- a/libgcrypt-CVE-2019-12904-GCM.patch +++ /dev/null @@ -1,168 +0,0 @@ -From a4c561aab1014c3630bc88faf6f5246fee16b020 Mon Sep 17 00:00:00 2001 -From: Jussi Kivilinna -Date: Fri, 31 May 2019 17:27:25 +0300 -Subject: [PATCH] GCM: move look-up table to .data section and unshare between - processes - -* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New. -(gcmR): Move to 'gcm_table' structure. -(gcm_table): New structure for look-up table with counters before and -after. -(gcmR): New macro. -(prefetch_table): Handle input with length not multiple of 256. -(do_prefetch_tables): Modify pre- and post-table counters to unshare -look-up table pages between processes. --- - -GnuPG-bug-id: 4541 -Signed-off-by: Jussi Kivilinna ---- - cipher/cipher-gcm.c | 106 +++++++++++++++++++++++++++++--------------- - 1 file changed, 70 insertions(+), 36 deletions(-) - -diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c -index 11f119aa..194e2ec9 100644 ---- a/cipher/cipher-gcm.c -+++ b/cipher/cipher-gcm.c -@@ -30,6 +30,14 @@ - #include "./cipher-internal.h" - - -+/* Helper macro to force alignment to 16 or 64 bytes. */ -+#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED -+# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) -+#else -+# define ATTR_ALIGNED_64 -+#endif -+ -+ - #ifdef GCM_USE_INTEL_PCLMUL - extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); - -@@ -83,40 +91,54 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf, - - - #ifdef GCM_USE_TABLES --static const u16 gcmR[256] = { -- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, -- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, -- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, -- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, -- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, -- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, -- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, -- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, -- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, -- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, -- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, -- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, -- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, -- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, -- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, -- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, -- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, -- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, -- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, -- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, -- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, -- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, -- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, -- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, -- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, -- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, -- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, -- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, -- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, -- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, -- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, -- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, --}; -+static struct -+{ -+ volatile u32 counter_head; -+ u32 cacheline_align[64 / 4 - 1]; -+ u16 R[256]; -+ volatile u32 counter_tail; -+} gcm_table ATTR_ALIGNED_64 = -+ { -+ 0, -+ { 0, }, -+ { -+ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, -+ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, -+ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, -+ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, -+ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, -+ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, -+ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, -+ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, -+ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, -+ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, -+ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, -+ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, -+ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, -+ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, -+ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, -+ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, -+ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, -+ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, -+ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, -+ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, -+ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, -+ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, -+ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, -+ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, -+ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, -+ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, -+ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, -+ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, -+ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, -+ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, -+ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, -+ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, -+ }, -+ 0 -+ }; -+ -+#define gcmR gcm_table.R - - static inline - void prefetch_table(const void *tab, size_t len) -@@ -124,7 +146,7 @@ void prefetch_table(const void *tab, size_t len) - const volatile byte *vtab = tab; - size_t i; - -- for (i = 0; i < len; i += 8 * 32) -+ for (i = 0; len - i >= 8 * 32; i += 8 * 32) - { - (void)vtab[i + 0 * 32]; - (void)vtab[i + 1 * 32]; -@@ -135,6 +157,10 @@ void prefetch_table(const void *tab, size_t len) - (void)vtab[i + 6 * 32]; - (void)vtab[i + 7 * 32]; - } -+ for (; i < len; i += 32) -+ { -+ (void)vtab[i]; -+ } - - (void)vtab[len - 1]; - } -@@ -142,8 +168,16 @@ void prefetch_table(const void *tab, size_t len) - static inline void - do_prefetch_tables (const void *gcmM, size_t gcmM_size) - { -+ /* Modify counters to trigger copy-on-write and unsharing if physical pages -+ * of look-up table are shared between processes. Modifying counters also -+ * causes checksums for pages to change and hint same-page merging algorithm -+ * that these pages are frequently changing. */ -+ gcm_table.counter_head++; -+ gcm_table.counter_tail++; -+ -+ /* Prefetch look-up tables to cache. */ - prefetch_table(gcmM, gcmM_size); -- prefetch_table(gcmR, sizeof(gcmR)); -+ prefetch_table(&gcm_table, sizeof(gcm_table)); - } - - #ifdef GCM_TABLES_USE_U64 diff --git a/libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch b/libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch index 700e3cb..0356bf2 100644 --- a/libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch +++ b/libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch @@ -1,7 +1,7 @@ -Index: libgcrypt-1.8.2/cipher/pubkey.c +Index: libgcrypt-1.9.0/cipher/pubkey.c =================================================================== ---- libgcrypt-1.8.2.orig/cipher/pubkey.c -+++ libgcrypt-1.8.2/cipher/pubkey.c +--- libgcrypt-1.9.0.orig/cipher/pubkey.c ++++ libgcrypt-1.9.0/cipher/pubkey.c @@ -384,6 +384,33 @@ _gcry_pk_decrypt (gcry_sexp_t *r_plain, } @@ -106,10 +106,10 @@ Index: libgcrypt-1.8.2/cipher/pubkey.c /* Test a key. -Index: libgcrypt-1.8.2/cipher/pubkey-internal.h +Index: libgcrypt-1.9.0/cipher/pubkey-internal.h =================================================================== ---- libgcrypt-1.8.2.orig/cipher/pubkey-internal.h -+++ libgcrypt-1.8.2/cipher/pubkey-internal.h +--- libgcrypt-1.9.0.orig/cipher/pubkey-internal.h ++++ libgcrypt-1.9.0/cipher/pubkey-internal.h @@ -43,6 +43,8 @@ void _gcry_pk_util_free_encoding_ctx (st gcry_err_code_t _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi, @@ -119,11 +119,11 @@ Index: libgcrypt-1.8.2/cipher/pubkey-internal.h -Index: libgcrypt-1.8.2/cipher/pubkey-util.c +Index: libgcrypt-1.9.0/cipher/pubkey-util.c =================================================================== ---- libgcrypt-1.8.2.orig/cipher/pubkey-util.c -+++ libgcrypt-1.8.2/cipher/pubkey-util.c -@@ -1119,3 +1119,50 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i +--- libgcrypt-1.9.0.orig/cipher/pubkey-util.c ++++ libgcrypt-1.9.0/cipher/pubkey-util.c +@@ -1158,3 +1158,50 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i return rc; } @@ -174,11 +174,11 @@ Index: libgcrypt-1.8.2/cipher/pubkey-util.c + + return rc; +} -Index: libgcrypt-1.8.2/src/g10lib.h +Index: libgcrypt-1.9.0/src/g10lib.h =================================================================== ---- libgcrypt-1.8.2.orig/src/g10lib.h -+++ libgcrypt-1.8.2/src/g10lib.h -@@ -288,6 +288,10 @@ gpg_err_code_t _gcry_generate_fips186_3_ +--- libgcrypt-1.9.0.orig/src/g10lib.h ++++ libgcrypt-1.9.0/src/g10lib.h +@@ -299,6 +299,10 @@ gpg_err_code_t _gcry_generate_fips186_3_ gpg_err_code_t _gcry_fips186_4_prime_check (const gcry_mpi_t x, unsigned int bits); @@ -189,10 +189,10 @@ Index: libgcrypt-1.8.2/src/g10lib.h /* Replacements of missing functions (missing-string.c). */ #ifndef HAVE_STPCPY -Index: libgcrypt-1.8.2/src/visibility.c +Index: libgcrypt-1.9.0/src/visibility.c =================================================================== ---- libgcrypt-1.8.2.orig/src/visibility.c -+++ libgcrypt-1.8.2/src/visibility.c +--- libgcrypt-1.9.0.orig/src/visibility.c ++++ libgcrypt-1.9.0/src/visibility.c @@ -992,6 +992,18 @@ gcry_pk_decrypt (gcry_sexp_t *result, gc } @@ -228,11 +228,11 @@ Index: libgcrypt-1.8.2/src/visibility.c gcry_pk_verify (gcry_sexp_t sigval, gcry_sexp_t data, gcry_sexp_t pkey) { if (!fips_is_operational ()) -Index: libgcrypt-1.8.2/src/visibility.h +Index: libgcrypt-1.9.0/src/visibility.h =================================================================== ---- libgcrypt-1.8.2.orig/src/visibility.h -+++ libgcrypt-1.8.2/src/visibility.h -@@ -357,8 +357,10 @@ MARK_VISIBLEX (_gcry_mpi_get_const) +--- libgcrypt-1.9.0.orig/src/visibility.h ++++ libgcrypt-1.9.0/src/visibility.h +@@ -360,8 +360,10 @@ MARK_VISIBLEX (_gcry_mpi_get_const) #define gcry_pk_get_param _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pk_get_nbits _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pk_map_name _gcry_USE_THE_UNDERSCORED_FUNCTION @@ -242,4 +242,4 @@ Index: libgcrypt-1.8.2/src/visibility.h +#define gcry_pk_verify_md _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pk_verify _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pubkey_get_sexp _gcry_USE_THE_UNDERSCORED_FUNCTION - + #define gcry_ecc_get_algo_keylen _gcry_USE_THE_UNDERSCORED_FUNCTION diff --git a/libgcrypt-PCT-ECC.patch b/libgcrypt-PCT-ECC.patch index 6cd7f17..1d41e75 100644 --- a/libgcrypt-PCT-ECC.patch +++ b/libgcrypt-PCT-ECC.patch @@ -1,80 +1,46 @@ -Index: libgcrypt-1.8.2/cipher/ecc.c +Index: libgcrypt-1.9.0/cipher/ecc.c =================================================================== ---- libgcrypt-1.8.2.orig/cipher/ecc.c -+++ libgcrypt-1.8.2/cipher/ecc.c -@@ -99,7 +99,7 @@ static void *progress_cb_data; +--- libgcrypt-1.9.0.orig/cipher/ecc.c ++++ libgcrypt-1.9.0/cipher/ecc.c +@@ -100,7 +100,7 @@ static void *progress_cb_data; /* Local prototypes. */ --static void test_keys (ECC_secret_key * sk, unsigned int nbits); -+static int test_keys (ECC_secret_key * sk, unsigned int nbits); - static void test_ecdh_only_keys (ECC_secret_key * sk, unsigned int nbits, int flags); +-static void test_keys (mpi_ec_t ec, unsigned int nbits); ++static int test_keys (mpi_ec_t ec, unsigned int nbits); + static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags); static unsigned int ecc_get_nbits (gcry_sexp_t parms); -@@ -152,6 +152,7 @@ nist_generate_key (ECC_secret_key *sk, e - gcry_random_level_t random_level; - gcry_mpi_t x, y; - const unsigned int pbits = mpi_get_nbits (E->p); -+ int free_skEname = 0; - - point_init (&Q); - -@@ -176,7 +177,6 @@ nist_generate_key (ECC_secret_key *sk, e +@@ -256,8 +256,10 @@ nist_generate_key (mpi_ec_t ec, int flag + else if (ec->model == MPI_EC_MONTGOMERY) + test_ecdh_only_keys (ec, ec->nbits - 63, flags); else - sk->d = _gcry_dsa_gen_k (E->n, random_level); - +- test_keys (ec, ec->nbits - 64); - - /* Compute Q. */ - _gcry_mpi_ec_mul_point (&Q, sk->d, &E->G, ctx); - -@@ -190,6 +190,12 @@ nist_generate_key (ECC_secret_key *sk, e - point_set (&sk->E.G, &E->G); - sk->E.n = mpi_copy (E->n); - sk->E.h = mpi_copy (E->h); -+ if (E->name) + { -+ free_skEname = 1; -+ sk->E.name = _gcry_xstrdup(E->name); -+ } -+ - point_init (&sk->Q); - - x = mpi_new (pbits); -@@ -261,10 +267,16 @@ nist_generate_key (ECC_secret_key *sk, e - if ((flags & PUBKEY_FLAG_NO_KEYTEST)) - ; /* User requested to skip the test. */ - else if (sk->E.model != MPI_EC_MONTGOMERY) -- test_keys (sk, nbits - 64); -+ { -+ if (test_keys (sk, nbits - 64)) ++ if (test_keys (ec, ec->nbits - 64)) + return GPG_ERR_BAD_SIGNATURE; + } - else - test_ecdh_only_keys (sk, nbits - 64, flags); - -+ if (free_skEname) -+ xfree ((void*)sk->E.name); -+ return 0; } -@@ -275,9 +287,10 @@ nist_generate_key (ECC_secret_key *sk, e +@@ -268,9 +270,10 @@ nist_generate_key (mpi_ec_t ec, int flag * test if the information is recuperated. * Second, test with the sign and verify functions. */ -static void +static int - test_keys (ECC_secret_key *sk, unsigned int nbits) + test_keys (mpi_ec_t ec, unsigned int nbits) { -+ int result = -1; /* Default to failure. */ - ECC_public_key pk; ++ int result = -1; /* Default to failure. */ gcry_mpi_t test = mpi_new (nbits); mpi_point_struct R_; -@@ -297,17 +310,190 @@ test_keys (ECC_secret_key *sk, unsigned + gcry_mpi_t c = mpi_new (nbits); +@@ -285,23 +288,205 @@ test_keys (mpi_ec_t ec, unsigned int nbi _gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM); -- if (_gcry_ecc_ecdsa_sign (test, sk, r, s, 0, 0) ) +- if (_gcry_ecc_ecdsa_sign (test, ec, r, s, 0, 0) ) - log_fatal ("ECDSA operation: sign failed\n"); + /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2, + * which requires full signature operation for PCT (hashing + @@ -102,7 +68,7 @@ Index: libgcrypt-1.8.2/cipher/ecc.c + xfree (buf); + buf = NULL; -- if (_gcry_ecc_ecdsa_verify (test, &pk, r, s)) +- if (_gcry_ecc_ecdsa_verify (test, ec, r, s)) + sexp_build (&s_hash, NULL, "(data (flags rfc6979)(hash-algo sha256))"); + + /* Assemble the point Q from affine coordinates by simple @@ -111,11 +77,10 @@ Index: libgcrypt-1.8.2/cipher/ecc.c + gcry_mpi_t Qy = NULL; + Qx = mpi_new (0); + Qy = mpi_new (0); -+ ctx = _gcry_mpi_ec_p_internal_new (sk->E.model, sk->E.dialect, flags, -+ sk->E.p, sk->E.a, sk->E.b); -+ if (_gcry_mpi_ec_get_affine (Qx, Qy, &(sk->Q), ctx)) - { -- log_fatal ("ECDSA operation: sign, verify failed\n"); ++ ctx = _gcry_mpi_ec_p_internal_new (ec->model, ec->dialect, flags, ++ ec->p, ec->a, ec->b); ++ if (_gcry_mpi_ec_get_affine (Qx, Qy, ec->Q, ctx)) ++ { + if (DBG_CIPHER) + log_debug ("ecdh: Failed to get affine coordinates for Q\n"); + } @@ -163,11 +128,11 @@ Index: libgcrypt-1.8.2/cipher/ecc.c + xfree (rawqy); + + /* build ECC private key sexp in s_skey */ -+ if (sk->E.name) ++ if (ec->name) + { + if (sexp_build (&s_skey, NULL, + "(private-key (ecc (curve %s)(d %m)(q %b)))", -+ sk->E.name, sk->d, qlen, q)) ++ ec->name, ec->d, qlen, q)) + { + if (DBG_CIPHER) + log_debug ("ecc: Failed to build sexp for private key.\n"); @@ -178,16 +143,16 @@ Index: libgcrypt-1.8.2/cipher/ecc.c + if (sexp_build (&s_skey, NULL, + "(private-key" + " (ecc (curve %s)(d %m)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))", -+ "NIST P-512", sk->d, sk->E.p, sk->E.a, sk->E.b, sk->E.n, sk->E.h, ++ "NIST P-512", ec->d, ec->p, ec->a, ec->b, ec->n, ec->h, + qlen, q)) + { + if (DBG_CIPHER) + log_debug ("ecc: Failed to build sexp for private key.\n"); + } + } -+ + if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey)) -+ { + { +- log_fatal ("ECDSA operation: sign, verify failed\n"); + if (DBG_CIPHER) + log_debug ("ecc: gcry_pk_sign failed\n"); + goto leave; @@ -210,10 +175,10 @@ Index: libgcrypt-1.8.2/cipher/ecc.c + + /* verify */ + /* build public key sexp in s_pkey */ -+ if (pk.E.name) ++ if (ec->name) + { + if (sexp_build (&s_pkey, NULL, -+ "(public-key (ecc (curve %s)(q %b)))", pk.E.name, qlen, q)) ++ "(public-key (ecc (curve %s)(q %b)))", ec->name, qlen, q)) + { + if (DBG_CIPHER) + log_debug ("ecc: Failed to build sexp for public key.\n"); @@ -224,7 +189,7 @@ Index: libgcrypt-1.8.2/cipher/ecc.c + if (sexp_build (&s_pkey, NULL, + "(public-key" + " (ecc (curve %s)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))", -+ "NIST P-512", pk.E.p, pk.E.a, pk.E.b, pk.E.n, pk.E.h, qlen, q)) ++ "NIST P-512", ec->p, ec->a, ec->b, ec->n, ec->h, qlen, q)) + { + if (DBG_CIPHER) + log_debug ("ecc: Failed to build sexp for private key.\n"); @@ -263,10 +228,9 @@ Index: libgcrypt-1.8.2/cipher/ecc.c + result = 0; /* The test succeeded. */ + leave: - point_free (&pk.Q); - _gcry_ecc_curve_free (&pk.E); - -@@ -317,6 +503,16 @@ test_keys (ECC_secret_key *sk, unsigned + point_free (&R_); + mpi_free (s); + mpi_free (r); mpi_free (out); mpi_free (c); mpi_free (test); @@ -283,10 +247,10 @@ Index: libgcrypt-1.8.2/cipher/ecc.c } -Index: libgcrypt-1.8.2/cipher/pubkey.c +Index: libgcrypt-1.9.0/cipher/pubkey.c =================================================================== ---- libgcrypt-1.8.2.orig/cipher/pubkey.c -+++ libgcrypt-1.8.2/cipher/pubkey.c +--- libgcrypt-1.9.0.orig/cipher/pubkey.c ++++ libgcrypt-1.9.0/cipher/pubkey.c @@ -390,6 +390,7 @@ calculate_hash (gcry_md_hd_t hd, gcry_se gcry_err_code_t rc; const unsigned char *digest; @@ -318,10 +282,10 @@ Index: libgcrypt-1.8.2/cipher/pubkey.c return rc; } -Index: libgcrypt-1.8.2/cipher/pubkey-internal.h +Index: libgcrypt-1.9.0/cipher/pubkey-internal.h =================================================================== ---- libgcrypt-1.8.2.orig/cipher/pubkey-internal.h -+++ libgcrypt-1.8.2/cipher/pubkey-internal.h +--- libgcrypt-1.9.0.orig/cipher/pubkey-internal.h ++++ libgcrypt-1.9.0/cipher/pubkey-internal.h @@ -45,6 +45,8 @@ gcry_err_code_t _gcry_pk_util_data_to_mp struct pk_encoding_ctx *ctx); gcry_err_code_t _gcry_pk_util_get_algo (gcry_sexp_t input, @@ -331,11 +295,11 @@ Index: libgcrypt-1.8.2/cipher/pubkey-internal.h -Index: libgcrypt-1.8.2/cipher/pubkey-util.c +Index: libgcrypt-1.9.0/cipher/pubkey-util.c =================================================================== ---- libgcrypt-1.8.2.orig/cipher/pubkey-util.c -+++ libgcrypt-1.8.2/cipher/pubkey-util.c -@@ -1120,6 +1120,40 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i +--- libgcrypt-1.9.0.orig/cipher/pubkey-util.c ++++ libgcrypt-1.9.0/cipher/pubkey-util.c +@@ -1159,6 +1159,40 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i return rc; } diff --git a/libgcrypt-PCT-RSA.patch b/libgcrypt-PCT-RSA.patch index 1ce1849..a2cb410 100644 --- a/libgcrypt-PCT-RSA.patch +++ b/libgcrypt-PCT-RSA.patch @@ -2,7 +2,7 @@ Index: libgcrypt-1.8.2/cipher/rsa.c =================================================================== --- libgcrypt-1.8.2.orig/cipher/rsa.c +++ libgcrypt-1.8.2/cipher/rsa.c -@@ -159,27 +159,103 @@ test_keys (RSA_secret_key *sk, unsigned +@@ -159,22 +159,97 @@ test_keys (RSA_secret_key *sk, unsigned /* Create another random plaintext as data for signature checking. */ _gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM); @@ -112,12 +112,6 @@ Index: libgcrypt-1.8.2/cipher/rsa.c leave: _gcry_mpi_release (signature); _gcry_mpi_release (decr_plaintext); - _gcry_mpi_release (ciphertext); - _gcry_mpi_release (plaintext); -+ - return result; - } - @@ -1903,7 +1979,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc /* This sexp trickery is to prevent the use of blinding. * The flag doesn't get inherited by encr, so we have to @@ -127,11 +121,3 @@ Index: libgcrypt-1.8.2/cipher/rsa.c memset(buf, 0, sizeof(buf)); err = _gcry_mpi_print (GCRYMPI_FMT_STD, buf, sizeof buf, NULL, ciphertext); if (err) -@@ -2012,6 +2088,7 @@ selftests_rsa (selftest_report_func_t re - sexp_release (skey); - if (report) - report ("pubkey", GCRY_PK_RSA, what, errtxt); -+ - return GPG_ERR_SELFTEST_FAILED; - } - diff --git a/libgcrypt-ecc-ecdsa-no-blinding.patch b/libgcrypt-ecc-ecdsa-no-blinding.patch index ea692c4..6536808 100644 --- a/libgcrypt-ecc-ecdsa-no-blinding.patch +++ b/libgcrypt-ecc-ecdsa-no-blinding.patch @@ -1,8 +1,8 @@ -Index: libgcrypt-1.8.5/cipher/ecc.c +Index: libgcrypt-1.9.0/cipher/ecc.c =================================================================== ---- libgcrypt-1.8.5.orig/cipher/ecc.c -+++ libgcrypt-1.8.5/cipher/ecc.c -@@ -2060,11 +2060,11 @@ selftest_sign (gcry_sexp_t pkey, gcry_se +--- libgcrypt-1.9.0.orig/cipher/ecc.c ++++ libgcrypt-1.9.0/cipher/ecc.c +@@ -1581,11 +1581,11 @@ selftest_sign (gcry_sexp_t pkey, gcry_se { /* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */ static const char sample_data[] = @@ -16,19 +16,19 @@ Index: libgcrypt-1.8.5/cipher/ecc.c " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915" /**/ "62113d8a62add1bf#))"; static const char signature_r[] = -Index: libgcrypt-1.8.5/cipher/ecc-ecdsa.c +Index: libgcrypt-1.9.0/cipher/ecc-ecdsa.c =================================================================== ---- libgcrypt-1.8.5.orig/cipher/ecc-ecdsa.c -+++ libgcrypt-1.8.5/cipher/ecc-ecdsa.c -@@ -52,6 +52,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, - mpi_ec_t ctx; +--- libgcrypt-1.9.0.orig/cipher/ecc-ecdsa.c ++++ libgcrypt-1.9.0/cipher/ecc-ecdsa.c +@@ -51,6 +51,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, + unsigned int abits, qbits; gcry_mpi_t b; /* Random number needed for blinding. */ gcry_mpi_t bi; /* multiplicative inverse of B. */ + int with_blinding = !(flags & PUBKEY_FLAG_NO_BLINDING); if (DBG_CIPHER) log_mpidump ("ecdsa sign hash ", input ); -@@ -65,12 +66,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, +@@ -64,12 +65,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, b = mpi_snew (qbits); bi = mpi_snew (qbits); @@ -36,48 +36,47 @@ Index: libgcrypt-1.8.5/cipher/ecc-ecdsa.c + if (with_blinding) { - _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM); -- mpi_mod (b, b, skey->E.n); +- mpi_mod (b, b, ec->n); + do + { + _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM); -+ mpi_mod (b, b, skey->E.n); ++ mpi_mod (b, b, ec->n); + } -+ while (!mpi_invm (bi, b, skey->E.n)); ++ while (!mpi_invm (bi, b, ec->n)); } -- while (!mpi_invm (bi, b, skey->E.n)); +- while (!mpi_invm (bi, b, ec->n)); k = NULL; dr = mpi_alloc (0); -@@ -128,14 +132,25 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, +@@ -126,14 +130,23 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, } while (!mpi_cmp_ui (r, 0)); - /* Computation of dr, sum, and s are blinded with b. */ -- mpi_mulm (dr, b, skey->d, skey->E.n); -- mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n */ -- mpi_mulm (sum, b, hash, skey->E.n); -- mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n */ +- mpi_mulm (dr, b, ec->d, ec->n); +- mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */ +- mpi_mulm (sum, b, hash, ec->n); +- mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */ +- mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */ +- /* Undo blinding by b^-1 */ +- mpi_mulm (s, bi, s, ec->n); + if (!with_blinding) + { -+ mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n */ -+ mpi_addm (sum, hash, dr, skey->E.n); /* sum = hash + (d*r) mod n */ -+ } ++ mpi_mulm (dr, ec->d, r, ec->n); /* dr = d*r mod n */ ++ mpi_addm (sum, hash, dr, ec->n); /* sum = hash + (d*r) mod n */ ++ } + else + { -+ /* Computation of dr, sum, and s are blinded with b. */ -+ mpi_mulm (dr, b, skey->d, skey->E.n); -+ mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n */ -+ mpi_mulm (sum, b, hash, skey->E.n); -+ mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n */ -+ } - mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */ -- /* Undo blinding by b^-1 */ -- mpi_mulm (s, bi, s, skey->E.n); ++ mpi_mulm (dr, b, ec->d, ec->n); ++ mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */ ++ mpi_mulm (sum, b, hash, ec->n); ++ mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */ ++ } ++ mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */ + if (with_blinding) + { -+ /* Undo blinding by b^-1 */ -+ mpi_mulm (s, bi, s, skey->E.n); -+ } ++ mpi_mulm (s, bi, s, ec->n); /* Undo blinding by b^-1 */ ++ } } while (!mpi_cmp_ui (s, 0)); diff --git a/libgcrypt-fips_rsa_no_enforced_mode.patch b/libgcrypt-fips_rsa_no_enforced_mode.patch deleted file mode 100644 index 55f1003..0000000 --- a/libgcrypt-fips_rsa_no_enforced_mode.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: libgcrypt-1.8.2/cipher/rsa.c -=================================================================== ---- libgcrypt-1.8.2.orig/cipher/rsa.c 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.2/cipher/rsa.c 2019-03-26 11:14:33.737388126 +0100 -@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig - - if (nbits < 1024 || (nbits & 0x1FF)) - return GPG_ERR_INV_VALUE; -- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072) -+ if (fips_mode() && nbits != 2048 && nbits != 3072) - return GPG_ERR_INV_VALUE; - - /* The random quality depends on the transient_key flag. */ diff --git a/libgcrypt-fips_selftest_trigger_file.patch b/libgcrypt-fips_selftest_trigger_file.patch index a34adbf..00442b9 100644 --- a/libgcrypt-fips_selftest_trigger_file.patch +++ b/libgcrypt-fips_selftest_trigger_file.patch @@ -1,9 +1,9 @@ -Index: libgcrypt-1.8.2/src/fips.c +Index: libgcrypt-1.9.1/src/fips.c =================================================================== ---- libgcrypt-1.8.2.orig/src/fips.c 2020-04-16 21:15:01.633217969 +0200 -+++ libgcrypt-1.8.2/src/fips.c 2020-04-16 21:21:44.279376166 +0200 -@@ -651,7 +651,7 @@ get_library_path(const char *libname, co - } +--- libgcrypt-1.9.1.orig/src/fips.c ++++ libgcrypt-1.9.1/src/fips.c +@@ -660,7 +660,7 @@ get_library_path(const char *libname, co + #endif static gpg_error_t -get_hmac_path(char **fname) @@ -11,25 +11,25 @@ Index: libgcrypt-1.8.2/src/fips.c { char libpath[4096]; gpg_error_t err; -@@ -676,7 +676,7 @@ get_hmac_path(char **fname) - p = *fname; - memmove (p+1, p, strlen (p)+1); - *p = '.'; -- strcat (*fname, ".hmac"); -+ strcat (*fname, suffix); - err = 0; - } +@@ -685,7 +685,7 @@ get_hmac_path(char **fname) + p = *fname; + memmove (p+1, p, strlen (p)+1); + *p = '.'; +- strcat (*fname, ".hmac"); ++ strcat (*fname, suffix); + err = 0; + } } -@@ -708,7 +708,7 @@ check_binary_integrity (void) +@@ -717,7 +717,7 @@ check_binary_integrity (void) else { FILE *fp; -- err = get_hmac_path(&fname); -+ err = get_hmac_path(&fname, ".hmac"); - if (!err) - { +- err = get_hmac_path(&fname); ++ err = get_hmac_path(&fname, ".hmac"); + if (!err) + { /* Open the file. */ -@@ -769,7 +769,7 @@ can_skip_selftests(void) +@@ -779,7 +779,7 @@ can_skip_selftests(void) if (fips_mode()) return 0; diff --git a/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch b/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch index 80710ce..054a0ff 100644 --- a/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch +++ b/libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch @@ -13,7 +13,7 @@ Index: libgcrypt-1.6.1/tests/fipsdrv.c static void -run_dsa_sign (const void *data, size_t datalen, const char *keyfile) +run_dsa_sign (const void *data, size_t datalen, -+ int hashalgo, const char *keyfile) ++ int hashalgo, const char *keyfile) { gpg_error_t err; @@ -31,7 +31,7 @@ Index: libgcrypt-1.6.1/tests/fipsdrv.c - gcry_md_hash_buffer (algo, hash, data, datalen); + if (hashalgo_len < algo_len) -+ algo_len = hashalgo_len; ++ algo_len = hashalgo_len; + + gcry_md_hash_buffer (hashalgo, hash, data, datalen); err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, diff --git a/libgcrypt-fix-tests-fipsmode.patch b/libgcrypt-fix-tests-fipsmode.patch index 0144c43..c9706ba 100644 --- a/libgcrypt-fix-tests-fipsmode.patch +++ b/libgcrypt-fix-tests-fipsmode.patch @@ -1,8 +1,9 @@ -diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basic.c ---- libgcrypt-1.8.4/tests/basic.c.tests-fipsmode 2018-04-17 17:29:40.000000000 +0200 -+++ libgcrypt-1.8.4/tests/basic.c 2019-02-12 13:30:48.935791024 +0100 -@@ -6964,7 +6964,7 @@ check_ciphers (void) - check_one_cipher (algos[i], GCRY_CIPHER_MODE_CTR, 0); +Index: libgcrypt-1.9.1/tests/basic.c +=================================================================== +--- libgcrypt-1.9.1.orig/tests/basic.c ++++ libgcrypt-1.9.1/tests/basic.c +@@ -9978,7 +9978,7 @@ check_ciphers (void) + check_one_cipher (algos[i], GCRY_CIPHER_MODE_EAX, 0); if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_CCM_BLOCK_LEN) check_one_cipher (algos[i], GCRY_CIPHER_MODE_CCM, 0); - if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN) @@ -10,7 +11,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0); if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_OCB_BLOCK_LEN) check_one_cipher (algos[i], GCRY_CIPHER_MODE_OCB, 0); -@@ -7010,11 +7010,17 @@ check_cipher_modes(void) +@@ -10025,12 +10025,18 @@ check_cipher_modes(void) check_cfb_cipher (); check_ofb_cipher (); check_ccm_cipher (); @@ -24,6 +25,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi + check_ocb_cipher (); + } check_xts_cipher (); + check_eax_cipher (); - check_gost28147_cipher (); + if (!in_fips_mode) + { @@ -32,7 +34,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi check_stream_cipher (); check_stream_cipher_large_block (); -@@ -10001,7 +10007,7 @@ check_mac (void) +@@ -13383,7 +13389,7 @@ check_mac (void) show_mac_not_available (algos[i].algo); continue; } @@ -41,16 +43,16 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi { if (verbose) fprintf (stderr, " algorithm %d not available in fips mode\n", -@@ -11095,8 +11101,6 @@ main (int argc, char **argv) +@@ -14508,8 +14514,6 @@ main (int argc, char **argv) /* If we are in fips mode do some more tests. */ gcry_md_hd_t md; - /* First trigger a self-test. */ -- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); +- xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) fail ("not in operational state after self-test\n"); -@@ -11121,15 +11125,6 @@ main (int argc, char **argv) +@@ -14534,15 +14538,6 @@ main (int argc, char **argv) gcry_md_close (md); if (gcry_control (GCRYCTL_OPERATIONAL_P, 0)) fail ("expected error state but still in operational state\n"); @@ -58,7 +60,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi - { - /* Now run a self-test and to get back into - operational state. */ -- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); +- xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); - if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) - fail ("did not reach operational after error " - "and self-test\n"); @@ -66,26 +68,28 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi } } -diff -up libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode libgcrypt-1.8.4/tests/benchmark.c ---- libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode 2019-02-12 11:31:44.859603883 +0100 -+++ libgcrypt-1.8.4/tests/benchmark.c 2019-02-12 14:10:40.271999352 +0100 -@@ -872,8 +872,10 @@ cipher_bench ( const char *algoname ) - || (blklen == 1 && modes[modeidx].mode != GCRY_CIPHER_MODE_STREAM)) +Index: libgcrypt-1.9.1/tests/benchmark.c +=================================================================== +--- libgcrypt-1.9.1.orig/tests/benchmark.c ++++ libgcrypt-1.9.1/tests/benchmark.c +@@ -943,8 +943,10 @@ cipher_bench ( const char *algoname ) + && algo != GCRY_CIPHER_CHACHA20) continue; - if (modes[modeidx].req_blocksize > 0 - && blklen != modes[modeidx].req_blocksize) + if ((modes[modeidx].req_blocksize > 0 + && blklen != modes[modeidx].req_blocksize) -+ || (in_fips_mode ++ || (in_fips_mode + && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM)) { printf (" %7s %7s", "-", "-" ); continue; -diff -up libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode libgcrypt-1.8.4/tests/bench-slope.c ---- libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/tests/bench-slope.c 2019-02-12 14:14:33.618763325 +0100 -@@ -1338,7 +1338,7 @@ cipher_bench_one (int algo, struct bench +Index: libgcrypt-1.9.1/tests/bench-slope.c +=================================================================== +--- libgcrypt-1.9.1.orig/tests/bench-slope.c ++++ libgcrypt-1.9.1/tests/bench-slope.c +@@ -1573,7 +1573,7 @@ cipher_bench_one (int algo, struct bench return; /* GCM has restrictions for block-size */ @@ -94,9 +98,10 @@ diff -up libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode libgcrypt-1.8.4/test return; /* XTS has restrictions for block-size */ -diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pubkey.c ---- libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/tests/pubkey.c 2019-02-12 13:52:25.658746415 +0100 +Index: libgcrypt-1.9.1/tests/pubkey.c +=================================================================== +--- libgcrypt-1.9.1.orig/tests/pubkey.c ++++ libgcrypt-1.9.1/tests/pubkey.c @@ -504,15 +504,30 @@ get_dsa_key_with_domain_new (gcry_sexp_t rc = gcry_sexp_new (&key_spec, @@ -137,39 +142,27 @@ diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pub ")))", 0, 1); if (rc) die ("error creating S-expression: %s\n", gcry_strerror (rc)); -@@ -595,7 +610,7 @@ get_dsa_key_fips186_with_seed_new (gcry_ +@@ -596,7 +611,7 @@ get_dsa_key_fips186_with_seed_new (gcry_ " (use-fips186)" " (transient-key)" " (derive-parms" -- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))", +- " (seed #f770a4598ff756931fc529764513b103ce57d85f4ad8c5cf297c9b4d48241c5b#))))", + " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))", 0, 1); if (rc) die ("error creating S-expression: %s\n", gcry_strerror (rc)); -diff -up libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode libgcrypt-1.8.4/tests/t-cv25519.c ---- libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/tests/t-cv25519.c 2019-02-12 14:02:35.935705390 +0100 -@@ -560,6 +560,9 @@ main (int argc, char **argv) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); -+ /* Curve25519 isn't supported in fips mode */ -+ if (gcry_fips_mode_active()) -+ return 77; - - start_timer (); - check_cv25519 (); -diff -up libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode libgcrypt-1.8.4/tests/t-secmem.c ---- libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode 2017-11-23 19:19:54.000000000 +0100 -+++ libgcrypt-1.8.4/tests/t-secmem.c 2019-02-12 11:51:02.462190538 +0100 +Index: libgcrypt-1.9.1/tests/t-secmem.c +=================================================================== +--- libgcrypt-1.9.1.orig/tests/t-secmem.c ++++ libgcrypt-1.9.1/tests/t-secmem.c @@ -174,7 +174,8 @@ main (int argc, char **argv) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INIT_SECMEM, pool_size, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INIT_SECMEM, pool_size, 0)); - gcry_set_outofcore_handler (outofcore_handler, NULL); + if (!gcry_fips_mode_active ()) + gcry_set_outofcore_handler (outofcore_handler, NULL); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); /* Libgcrypt prints a warning when the first overflow is allocated; @@ -184,7 +185,8 @@ main (int argc, char **argv) diff --git a/libgcrypt-global_init-constructor.patch b/libgcrypt-global_init-constructor.patch index 92bc596..e72e606 100644 --- a/libgcrypt-global_init-constructor.patch +++ b/libgcrypt-global_init-constructor.patch @@ -1,7 +1,7 @@ -Index: libgcrypt-1.8.2/src/global.c +Index: libgcrypt-1.9.1/src/global.c =================================================================== ---- libgcrypt-1.8.2.orig/src/global.c 2020-04-16 21:13:28.252717330 +0200 -+++ libgcrypt-1.8.2/src/global.c 2020-04-16 21:13:47.960822991 +0200 +--- libgcrypt-1.9.1.orig/src/global.c ++++ libgcrypt-1.9.1/src/global.c @@ -86,7 +86,7 @@ static gpg_err_code_t external_lock_test likely to be called at startup. The suggested way for an application to make sure that this has been called is by using @@ -45,11 +45,11 @@ Index: libgcrypt-1.8.2/src/global.c /* This function is called by the macro fips_is_operational and makes sure that the minimal initialization has been done. This is far from a perfect solution and hides problems with an improper -Index: libgcrypt-1.8.2/src/fips.c +Index: libgcrypt-1.9.1/src/fips.c =================================================================== ---- libgcrypt-1.8.2.orig/src/fips.c 2020-04-16 21:13:28.252717330 +0200 -+++ libgcrypt-1.8.2/src/fips.c 2020-04-16 21:14:44.781127616 +0200 -@@ -125,6 +125,7 @@ void +--- libgcrypt-1.9.1.orig/src/fips.c ++++ libgcrypt-1.9.1/src/fips.c +@@ -124,6 +124,7 @@ void _gcry_initialize_fips_mode (int force) { static int done; @@ -57,48 +57,33 @@ Index: libgcrypt-1.8.2/src/fips.c /* Make sure we are not accidentally called twice. */ if (done) -@@ -214,6 +215,23 @@ _gcry_initialize_fips_mode (int force) +@@ -213,6 +214,23 @@ _gcry_initialize_fips_mode (int force) /* Yes, we are in FIPS mode. */ FILE *fp; + /* Intitialize the lock to protect the FSM. */ + err = gpgrt_lock_init (&fsm_lock); + if (err) -+ { -+ /* If that fails we can't do anything but abort the -+ process. We need to use log_info so that the FSM won't -+ get involved. */ -+ log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n", -+ gpg_strerror (err)); ++ { ++ /* If that fails we can't do anything but abort the ++ * process. We need to use log_info so that the FSM won't ++ * get involved. */ ++ log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n", ++ gpg_strerror (err)); +#ifdef HAVE_SYSLOG -+ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " -+ "creating FSM lock failed: %s - abort", -+ gpg_strerror (err)); ++ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " ++ "creating FSM lock failed: %s - abort", ++ gpg_strerror (err)); +#endif /*HAVE_SYSLOG*/ -+ abort (); -+ } ++ abort (); ++ } + /* If the FIPS force files exists, is readable and has a number != 0 on its first line, we enable the enforced fips mode. */ fp = fopen (FIPS_FORCE_FILE, "r"); -@@ -614,10 +632,10 @@ get_library_path(const char *libname, co - void *dl, *sym; - int rv = -1; - -- dl = dlopen(libname, RTLD_LAZY); -- if (dl == NULL) { -- return -1; -- } -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } - - sym = dlsym(dl, symbolname); - -@@ -632,6 +650,39 @@ get_library_path(const char *libname, co - return rv; +@@ -641,6 +659,39 @@ get_library_path(const char *libname, co } + #endif +static gpg_error_t +get_hmac_path(char **fname) @@ -112,23 +97,23 @@ Index: libgcrypt-1.8.2/src/fips.c + { + *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 ); + if (!*fname) -+ err = gpg_error_from_syserror (); ++ err = gpg_error_from_syserror (); + else -+ { ++ { + char *p; + -+ /* Prefix the basename with a dot. */ -+ strcpy (*fname, libpath); -+ p = strrchr (*fname, '/'); -+ if (p) ++ /* Prefix the basename with a dot. */ ++ strcpy (*fname, libpath); ++ p = strrchr (*fname, '/'); ++ if (p) + p++; -+ else -+ p = *fname; -+ memmove (p+1, p, strlen (p)+1); -+ *p = '.'; -+ strcat (*fname, ".hmac"); -+ err = 0; -+ } ++ else ++ p = *fname; ++ memmove (p+1, p, strlen (p)+1); ++ *p = '.'; ++ strcat (*fname, ".hmac"); ++ err = 0; ++ } + } + return err; +} @@ -136,7 +121,7 @@ Index: libgcrypt-1.8.2/src/fips.c /* Run an integrity check on the binary. Returns 0 on success. */ static int check_binary_integrity (void) -@@ -656,25 +707,10 @@ check_binary_integrity (void) +@@ -665,25 +716,10 @@ check_binary_integrity (void) err = gpg_error (GPG_ERR_INTERNAL); else { @@ -144,7 +129,10 @@ Index: libgcrypt-1.8.2/src/fips.c - if (!fname) - err = gpg_error_from_syserror (); - else -- { ++ FILE *fp; ++ err = get_hmac_path(&fname); ++ if (!err) + { - FILE *fp; - char *p; - @@ -159,14 +147,10 @@ Index: libgcrypt-1.8.2/src/fips.c - *p = '.'; - strcat (fname, ".hmac"); - -+ FILE *fp; -+ err = get_hmac_path(&fname); -+ if (!err) -+ { /* Open the file. */ fp = fopen (fname, "r"); if (!fp) -@@ -725,6 +761,33 @@ check_binary_integrity (void) +@@ -734,6 +770,33 @@ check_binary_integrity (void) #endif } @@ -200,18 +184,18 @@ Index: libgcrypt-1.8.2/src/fips.c /* Run the self-tests. If EXTENDED is true, extended versions of the selftest are run, that is more tests than required by FIPS. */ -@@ -733,26 +795,13 @@ _gcry_fips_run_selftests (int extended) +@@ -742,26 +805,13 @@ _gcry_fips_run_selftests (int extended) { enum module_states result = STATE_ERROR; gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED; - int in_poweron; - +- - lock_fsm (); - in_poweron = (current_state == STATE_POWERON); - unlock_fsm (); - - fips_new_state (STATE_SELFTEST); -- + - /* We first check the integrity of the binary. - If run from the constructor we are in POWERON state, - we return and finish the remaining selftests before @@ -231,8 +215,8 @@ Index: libgcrypt-1.8.2/src/fips.c if (run_cipher_selftests (extended)) goto leave; -@@ -762,6 +811,9 @@ _gcry_fips_run_selftests (int extended) - if (run_mac_selftests (extended)) +@@ -774,6 +824,9 @@ _gcry_fips_run_selftests (int extended) + if (run_kdf_selftests (extended)) goto leave; + if (check_binary_integrity ()) @@ -241,7 +225,7 @@ Index: libgcrypt-1.8.2/src/fips.c /* Run random tests before the pubkey tests because the latter require random. */ if (run_random_selftests ()) -@@ -775,7 +827,8 @@ _gcry_fips_run_selftests (int extended) +@@ -787,7 +840,8 @@ _gcry_fips_run_selftests (int extended) ec = 0; leave: @@ -251,7 +235,7 @@ Index: libgcrypt-1.8.2/src/fips.c return ec; } -@@ -831,7 +884,6 @@ fips_new_state (enum module_states new_s +@@ -843,7 +897,6 @@ fips_new_state (enum module_states new_s { case STATE_POWERON: if (new_state == STATE_INIT @@ -259,7 +243,7 @@ Index: libgcrypt-1.8.2/src/fips.c || new_state == STATE_ERROR || new_state == STATE_FATALERROR) ok = 1; -@@ -846,8 +898,6 @@ fips_new_state (enum module_states new_s +@@ -858,8 +911,6 @@ fips_new_state (enum module_states new_s case STATE_SELFTEST: if (new_state == STATE_OPERATIONAL diff --git a/libgcrypt-unresolved-dladdr.patch b/libgcrypt-unresolved-dladdr.patch deleted file mode 100644 index 7a2f8a3..0000000 --- a/libgcrypt-unresolved-dladdr.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: mvyskocil@suse.cz -Subject: unresolved dladdr symbol - -When linking with --as-needed, some symbols are ommited. Add a DL_LIBS for -dladdr symbol to fix the issue. - -References: bnc#701267 -https://bugzilla.novell.com/show_bug.cgi?id=701267 -Original-name: libgcrypt-1.5.0-as-needed.patch - -Index: libgcrypt-1.5.2/src/Makefile.am -=================================================================== ---- libgcrypt-1.5.2.orig/src/Makefile.am -+++ libgcrypt-1.5.2/src/Makefile.am -@@ -110,7 +110,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ - ../cipher/libcipher.la \ - ../random/librandom.la \ - ../mpi/libmpi.la \ -- ../compat/libcompat.la $(GPG_ERROR_LIBS) -+ ../compat/libcompat.la $(GPG_ERROR_LIBS) $(DL_LIBS) - - - dumpsexp_SOURCES = dumpsexp.c diff --git a/libgcrypt.changes b/libgcrypt.changes index 2eee977..7215d39 100644 --- a/libgcrypt.changes +++ b/libgcrypt.changes @@ -1,3 +1,92 @@ +------------------------------------------------------------------- +Tue Feb 2 01:06:47 UTC 2021 - Pedro Monreal + +- Update to 1.9.1 + * *Fix exploitable bug* in hash functions introduced with + 1.9.0. [bsc#1181632, CVE-2021-3345] + * Return an error if a negative MPI is used with sexp scan + functions. + * Check for operational FIPS in the random and KDF functions. + * Fix compile error on ARMv7 with NEON disabled. + * Fix self-test in KDF module. + * Improve assembler checks for better LTO support. + * Fix 32-bit cross build on x86. + * Fix non-NEON ARM assembly implementation for SHA512. + * Fix build problems with the cipher_bulk_ops_t typedef. + * Fix Ed25519 private key handling for preceding ZEROs. + * Fix overflow in modular inverse implementation. + * Fix register access for AVX/AVX2 implementations of Blake2. + * Add optimized cipher and hash functions for s390x/zSeries. + * Use hardware bit counting functionx when available. + * Update DSA functions to match FIPS 186-3. + * New self-tests for CMACs and KDFs. + * Add bulk cipher functions for OFB and GCM modes. +- Update libgpg-error required version + +------------------------------------------------------------------- +Tue Feb 1 12:03:31 UTC 2021 - Pedro Monreal + +- Use the suffix variable correctly in get_hmac_path() +- Rebase libgcrypt-fips_selftest_trigger_file.patch + +------------------------------------------------------------------- +Mon Jan 25 12:38:35 UTC 2021 - Pedro Monreal + +- Add the global config file /etc/gcrypt/random.conf + * This file can be used to globally change parameters of the random + generator with the options: only-urandom and disable-jent. + +------------------------------------------------------------------- +Thu Jan 21 15:42:15 UTC 2021 - Pedro Monreal + +- Update to 1.9.0: + New stable branch of Libgcrypt with full API and ABI compatibility + to the 1.8 series. Release-info: https://dev.gnupg.org/T4294 + * New and extended interfaces: + - New curves Ed448, X448, and SM2. + - New cipher mode EAX. + - New cipher algo SM4. + - New hash algo SM3. + - New hash algo variants SHA512/224 and SHA512/256. + - New MAC algos for Blake-2 algorithms, the new SHA512 variants, + SM3, SM4 and for a GOST variant. + - New convenience function gcry_mpi_get_ui. + - gcry_sexp_extract_param understands new format specifiers to + directly store to integers and strings. + - New function gcry_ecc_mul_point and curve constants for Curve448 + and Curve25519. + - New function gcry_ecc_get_algo_keylen. + - New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the + secure memory area. + * Performance optimizations and bug fixes: See Release-info. + * Other features: + - Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519. + - Add mitigation against ECC timing attack CVE-2019-13627. + - Internal cleanup of the ECC implementation. + - Support reading EC point in compressed format for some curves. +- Rebase patches: + * libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch + * libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff + * libgcrypt-1.6.1-use-fipscheck.patch + * drbg_test.patch + * libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch + * libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch + * libgcrypt-1.8.4-fips-keygen.patch + * libgcrypt-1.8.4-getrandom.patch + * libgcrypt-fix-tests-fipsmode.patch + * libgcrypt-global_init-constructor.patch + * libgcrypt-ecc-ecdsa-no-blinding.patch + * libgcrypt-PCT-RSA.patch + * libgcrypt-PCT-ECC.patch +- Remove patches: + * libgcrypt-unresolved-dladdr.patch + * libgcrypt-CVE-2019-12904-GCM-Prefetch.patch + * libgcrypt-CVE-2019-12904-GCM.patch + * libgcrypt-CVE-2019-12904-AES.patch + * libgcrypt-CMAC-AES-TDES-selftest.patch + * libgcrypt-1.6.1-fips-cfgrandom.patch + * libgcrypt-fips_rsa_no_enforced_mode.patch + ------------------------------------------------------------------- Sat Oct 24 10:25:13 UTC 2020 - Andreas Stieger diff --git a/libgcrypt.spec b/libgcrypt.spec index 9be8ebc..7166103 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,7 +1,7 @@ # # spec file for package libgcrypt # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,7 +22,7 @@ %define libsoname %{name}%{libsover} %define cavs_dir %{_libexecdir}/%{name}/cavs Name: libgcrypt -Version: 1.8.7 +Version: 1.9.1 Release: 0 Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later @@ -31,67 +31,55 @@ URL: https://directory.fsf.org/wiki/Libgcrypt Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2 Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig Source2: baselibs.conf -Source4: %{name}.keyring # https://www.gnupg.org/signature_key.en.html +Source4: libgcrypt.keyring # cavs test framework Source5: cavs-test.sh Source6: cavs_driver.pl -Source99: %{name}.changes -Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch -Patch4: %{name}-sparcv9.diff -#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS) -#was: libgcrypt-1.5.0-as-needed.patch -Patch5: libgcrypt-unresolved-dladdr.patch +Source7: random.conf +Source99: libgcrypt.changes +Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch +Patch2: libgcrypt-sparcv9.diff #PATCH-FIX-SUSE: N/A -Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff -Patch12: libgcrypt-1.6.1-use-fipscheck.patch -Patch13: libgcrypt-1.6.1-fips-cavs.patch -#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine -Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch -Patch28: libgcrypt-fix-rng.patch +Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff +Patch4: libgcrypt-1.6.1-use-fipscheck.patch +Patch5: libgcrypt-1.6.1-fips-cavs.patch +Patch6: libgcrypt-fix-rng.patch #PATCH-FIX-SUSE add FIPS CAVS test app for DRBG -Patch30: drbg_test.patch +Patch7: drbg_test.patch #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign -Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch +Patch8: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify -Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch -Patch39: libgcrypt-1.8.3-fips-ctor.patch -Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch -Patch43: libgcrypt-1.8.4-use_xfree.patch -Patch44: libgcrypt-1.8.4-allow_FSM_same_state.patch -Patch45: libgcrypt-1.8.4-getrandom.patch -#PATCH-FIX-UPSTREAM bsc#1138939 CVE-2019-12904 C implementation of AES is -#vulnerable to a flush-and-reload side-channel attack -Patch46: libgcrypt-CVE-2019-12904-GCM-Prefetch.patch -Patch47: libgcrypt-CVE-2019-12904-GCM.patch -Patch48: libgcrypt-CVE-2019-12904-AES.patch -Patch49: libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch -#PATCH-FIX-SUSE bsc#1155338 bsc#1155338 FIPS: CMAC AES and TDES self tests missing -Patch50: libgcrypt-CMAC-AES-TDES-selftest.patch +Patch9: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch +Patch10: libgcrypt-1.8.3-fips-ctor.patch +Patch11: libgcrypt-1.8.4-use_xfree.patch +Patch12: libgcrypt-1.8.4-allow_FSM_same_state.patch +Patch13: libgcrypt-1.8.4-getrandom.patch +Patch14: libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch #PATCH-FIX-SUSE Fix test in FIPS mode -Patch51: libgcrypt-dsa-rfc6979-test-fix.patch -Patch52: libgcrypt-fix-tests-fipsmode.patch +Patch15: libgcrypt-dsa-rfc6979-test-fix.patch +Patch16: libgcrypt-fix-tests-fipsmode.patch #PATCH-FIX-SUSE bsc#1155337 FIPS: RSA/DSA/ECDSA are missing hashing operation -Patch53: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch +Patch17: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch #PATCH-FIX-SUSE bsc#1161220 FIPS: libgcrypt RSA siggen/keygen: 4k not supported -Patch54: libgcrypt-1.8.4-fips-keygen.patch +Patch18: libgcrypt-1.8.4-fips-keygen.patch #PATCH-FIX-SUSE bsc#1164950 Run self-tests from the constructor -Patch55: libgcrypt-invoke-global_init-from-constructor.patch +Patch19: libgcrypt-invoke-global_init-from-constructor.patch #PATCH-FIX-SUSE bsc#1164950 Restore the self-tests from the constructor -Patch56: libgcrypt-Restore-self-tests-from-constructor.patch -Patch57: libgcrypt-FIPS-GMAC_AES-benckmark.patch -Patch58: libgcrypt-global_init-constructor.patch -Patch59: libgcrypt-random_selftests-testentropy.patch -Patch60: libgcrypt-rsa-no-blinding.patch -Patch61: libgcrypt-ecc-ecdsa-no-blinding.patch +Patch20: libgcrypt-Restore-self-tests-from-constructor.patch +Patch21: libgcrypt-FIPS-GMAC_AES-benckmark.patch +Patch22: libgcrypt-global_init-constructor.patch +Patch23: libgcrypt-random_selftests-testentropy.patch +Patch24: libgcrypt-rsa-no-blinding.patch +Patch25: libgcrypt-ecc-ecdsa-no-blinding.patch #PATCH-FIX-SUSE bsc#1165539 FIPS: Use the new signature operation in PCT -Patch62: libgcrypt-PCT-RSA.patch -Patch63: libgcrypt-PCT-DSA.patch -Patch64: libgcrypt-PCT-ECC.patch -Patch65: libgcrypt-fips_selftest_trigger_file.patch +Patch26: libgcrypt-PCT-RSA.patch +Patch27: libgcrypt-PCT-DSA.patch +Patch28: libgcrypt-PCT-ECC.patch +Patch29: libgcrypt-fips_selftest_trigger_file.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck -BuildRequires: libgpg-error-devel >= 1.25 +BuildRequires: libgpg-error-devel >= 1.27 BuildRequires: libtool BuildRequires: pkgconfig @@ -128,7 +116,7 @@ License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} Requires: glibc-devel -Requires: libgpg-error-devel >= 1.13 +Requires: libgpg-error-devel >= 1.27 Requires(post): %{install_info_prereq} %description devel @@ -156,7 +144,7 @@ Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} -Requires: libgpg-error-devel +Requires: libgpg-error-devel >= 1.27 Requires(post): %{install_info_prereq} %description hmac256 @@ -165,7 +153,7 @@ blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. -%endif # #if separate_hmac256_binary +%endif %prep %setup -q @@ -223,6 +211,10 @@ mv %{buildroot}%{_bindir}/drbg_test %{buildroot}%{cavs_dir} touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips %endif +# Create /etc/gcrypt directory and install random.conf +mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt +install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf + %post -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig %post devel @@ -234,14 +226,16 @@ touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips %files -n %{libsoname} %license COPYING.LIB %{_libdir}/%{name}.so.* +%dir %{_sysconfdir}/gcrypt +%config(noreplace) %{_sysconfdir}/gcrypt/random.conf %if 0%{?build_hmac256} %{_libdir}/.libgcrypt.so.*.hmac -%endif # %%if 0%%{?build_hmac256} +%endif %files -n %{libsoname}-hmac %if 0%{?build_hmac256} %{_libdir}/.libgcrypt.so.*.fips -%endif # %%if 0%%{?build_hmac256} +%endif %files devel %license COPYING COPYING.LIB @@ -257,7 +251,7 @@ touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips %if 0%{?separate_hmac256_binary} %files hmac256 -%endif # %%if 0%%{?separate_hmac256_binary} +%endif %{_bindir}/hmac256 %{_bindir}/.hmac256.hmac %doc %{_mandir}/man1/hmac256.1* diff --git a/random.conf b/random.conf new file mode 100644 index 0000000..9168e43 --- /dev/null +++ b/random.conf @@ -0,0 +1,9 @@ +# This file can be used to globally change parameters of +# the random generator. Supported options are: + +# Always use the non-blocking /dev/urandom or the respective +# system call instead of the blocking /dev/random. +only-urandom + +# Disable the use of the jitter based entropy generator. +#disable-jent