forked from pool/libgcrypt

Accepting request 868925 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 1.9.1
   * *Fix exploitable bug* in hash functions introduced with
     1.9.0. [bsc#1181632, CVE-2021-3345]
   * Return an error if a negative MPI is used with sexp scan
     functions.
   * Check for operational FIPS in the random and KDF functions.
   * Fix compile error on ARMv7 with NEON disabled.
   * Fix self-test in KDF module.
   * Improve assembler checks for better LTO support.
   * Fix 32-bit cross build on x86.
   * Fix non-NEON ARM assembly implementation for SHA512.
   * Fix build problems with the cipher_bulk_ops_t typedef.
   * Fix Ed25519 private key handling for preceding ZEROs.
   * Fix overflow in modular inverse implementation.
   * Fix register access for AVX/AVX2 implementations of Blake2.
   * Add optimized cipher and hash functions for s390x/zSeries.
   * Use hardware bit counting functions when available.
   * Update DSA functions to match FIPS 186-3.
   * New self-tests for CMACs and KDFs.
   * Add bulk cipher functions for OFB and GCM modes.
- Update libgpg-error required version

- Use the suffix variable correctly in get_hmac_path()
- Rebase libgcrypt-fips_selftest_trigger_file.patch

- Add the global config file /etc/gcrypt/random.conf
  * This file can be used to globally change parameters of the random
    generator with the options: only-urandom and disable-jent.

- Update to 1.9.0:

OBS-URL: https://build.opensuse.org/request/show/868925
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=142
Pedro Monreal Gonzalez 2021-02-03 12:44:42 +00:00 committed by Git OBS Bridge
parent a15018a4a1
commit dea0435690
29 changed files with 529 additions and 1495 deletions


@ -1,7 +1,7 @@
Index: libgcrypt-1.7.2/tests/drbg_test.c Index: libgcrypt-1.9.0/tests/drbg_test.c
=================================================================== ===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 --- /dev/null
+++ libgcrypt-1.7.2/tests/drbg_test.c 2016-08-16 16:04:52.289060124 +0200 +++ libgcrypt-1.9.0/tests/drbg_test.c
@@ -0,0 +1,1332 @@ @@ -0,0 +1,1332 @@
+/* DRBG test for libgcrypt +/* DRBG test for libgcrypt
+ Copyright (C) 2014 Stephan Mueller <smueller@chronox.de> + Copyright (C) 2014 Stephan Mueller <smueller@chronox.de>
@ -1335,11 +1335,26 @@ Index: libgcrypt-1.7.2/tests/drbg_test.c
+ return 0; + return 0;
+} +}
+ +
Index: libgcrypt-1.7.2/Makefile.am Index: libgcrypt-1.9.0/Makefile.am
=================================================================== ===================================================================
--- libgcrypt-1.7.2.orig/Makefile.am 2016-08-16 15:57:43.397736723 +0200 --- libgcrypt-1.9.0.orig/Makefile.am
+++ libgcrypt-1.7.2/Makefile.am 2016-08-16 15:57:44.341752563 +0200 +++ libgcrypt-1.9.0/Makefile.am
@@ -42,6 +42,14 @@ EXTRA_DIST = autogen.sh autogen.rc READM @@ -39,6 +39,14 @@ else
doc =
endif
+bin_PROGRAMS = fipsdrv drbg_test
+
+fipsdrv_SOURCES = tests/fipsdrv.c
+fipsdrv_LDADD = src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS)
+
+drbg_test_CPPFLAGS = -I../src -I$(top_srcdir)/src
+drbg_test_SOURCES = src/gcrypt.h tests/drbg_test.c
+drbg_test_LDADD = src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS)
DIST_SUBDIRS = m4 compat mpi cipher random src doc tests
SUBDIRS = compat mpi cipher random src $(doc) tests
@@ -51,6 +59,14 @@ EXTRA_DIST = autogen.sh autogen.rc READM
DISTCLEANFILES = DISTCLEANFILES =
@ -1352,5 +1367,5 @@ Index: libgcrypt-1.7.2/Makefile.am
+drbg_test_SOURCES = src/gcrypt.h tests/drbg_test.c +drbg_test_SOURCES = src/gcrypt.h tests/drbg_test.c
+drbg_test_LDADD = src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS) +drbg_test_LDADD = src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS)
# Add all the files listed in "distfiles" files to the distribution, # Add all the files listed in "distfiles" files to the distribution
# apply version number s to some files and create a VERSION file which dist-hook: gen-ChangeLog
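Review bot: `drbg_test_CPPFLAGS = -I../src -I$(top_srcdir)/src` on the new side uses a path relative to the build directory; in a top-level Makefile.am, which the `tests/` and `src/` prefixes on the other lines suggest this is, `../src` resolves to a directory outside the tree, so it is either a no-op or silently picks up headers from an unrelated sibling checkout. The automake spelling for the generated header location is `-I$(top_builddir)/src`, i.e. `drbg_test_CPPFLAGS = -I$(top_builddir)/src -I$(top_srcdir)/src`. The `fipsdrv` and `drbg_test` entries in `bin_PROGRAMS` install test drivers into the user's bin directory; if that is intended, a one-line comment above `bin_PROGRAMS = fipsdrv drbg_test` saying why would save the next rebaser the question.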


@ -1,16 +1,17 @@
Index: libgcrypt-1.8.3/cipher/Makefile.am Index: libgcrypt-1.9.0/cipher/Makefile.am
=================================================================== ===================================================================
--- libgcrypt-1.8.3.orig/cipher/Makefile.am --- libgcrypt-1.9.0.orig/cipher/Makefile.am
+++ libgcrypt-1.8.3/cipher/Makefile.am +++ libgcrypt-1.9.0/cipher/Makefile.am
@@ -128,3 +128,11 @@ tiger.o: $(srcdir)/tiger.c @@ -155,6 +155,12 @@ tiger.o: $(srcdir)/tiger.c Makefile
tiger.lo: $(srcdir)/tiger.c Makefile
`echo $(LTCOMPILE) -c $< | $(o_flag_munging) `
tiger.lo: $(srcdir)/tiger.c
`echo $(LTCOMPILE) -c $(srcdir)/tiger.c | $(o_flag_munging) `
+
+# rijndael.c needs -fno-strict-aliasing +# rijndael.c needs -fno-strict-aliasing
+rijndael.o: $(srcdir)/rijndael.c +rijndael.o: $(srcdir)/rijndael.c
+ `echo $(COMPILE) -fno-strict-aliasing -c $(srcdir)/rijndael.c` + `echo $(COMPILE) -fno-strict-aliasing -c $(srcdir)/rijndael.c`
+ +
+rijndael.lo: $(srcdir)/rijndael.c +rijndael.lo: $(srcdir)/rijndael.c
+ `echo $(LTCOMPILE) -fno-strict-aliasing -c $(srcdir)/rijndael.c` + `echo $(LTCOMPILE) -fno-strict-aliasing -c $(srcdir)/rijndael.c`
+
# We need to disable instrumentation for these modules as they use cc as
# thin assembly front-end and do not tolerate in-between function calls
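Review bot: The added `rijndael.o` / `rijndael.lo` rules list only `$(srcdir)/rijndael.c` as a prerequisite, while the rebased upstream rule directly above them (`tiger.lo: $(srcdir)/tiger.c Makefile`) also depends on `Makefile` and refers to the source as `$<`; without that prerequisite a change to the compiler flags in the generated Makefile does not rebuild the two aliasing-sensitive objects. Bringing them in line with the new convention means `rijndael.o: $(srcdir)/rijndael.c Makefile` and `rijndael.lo: $(srcdir)/rijndael.c Makefile`, with `$<` in place of `$(srcdir)/rijndael.c` inside both recipes.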


@ -17,7 +17,7 @@ Index: libgcrypt-1.5.2/src/fips.c
+ +
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL) + if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
+ { + {
+ gcry_assert (!no_fips_mode_required); + gcry_assert (!_gcry_no_fips_mode_required);
+ goto leave; + goto leave;
+ } + }
+ +


@ -1,85 +0,0 @@
Index: libgcrypt-1.8.4/random/rndlinux.c
===================================================================
--- libgcrypt-1.8.4.orig/random/rndlinux.c
+++ libgcrypt-1.8.4/random/rndlinux.c
@@ -40,7 +40,9 @@
#include "g10lib.h"
#include "rand-internal.h"
-static int open_device (const char *name, int retry);
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
+
+static int open_device (const char *name, int retry, int fatal);
static int
@@ -63,7 +65,7 @@ set_cloexec_flag (int fd)
* a fatal error but retries until it is able to reopen the device.
*/
static int
-open_device (const char *name, int retry)
+open_device (const char *name, int retry, int fatal)
{
int fd;
@@ -71,6 +73,8 @@ open_device (const char *name, int retry
_gcry_random_progress ("open_dev_random", 'X', 1, 0);
again:
fd = open (name, O_RDONLY);
+ if (fd == -1 && !fatal)
+ return fd;
if (fd == -1 && retry)
{
struct timeval tv;
@@ -116,6 +120,7 @@ _gcry_rndlinux_gather_random (void (*add
{
static int fd_urandom = -1;
static int fd_random = -1;
+ static int fd_configured = -1;
static int only_urandom = -1;
static unsigned char ever_opened;
static volatile pid_t my_pid; /* The volatile is there to make sure
@@ -156,6 +161,11 @@ _gcry_rndlinux_gather_random (void (*add
close (fd_urandom);
fd_urandom = -1;
}
+ if (fd_configured != -1)
+ {
+ close (fd_configured);
+ fd_configured = -1;
+ }
return 0;
}
@@ -215,11 +225,21 @@ _gcry_rndlinux_gather_random (void (*add
that we always require the device to be existent but want a more
graceful behaviour if the rarely needed close operation has been
used and the device needs to be re-opened later. */
+
+ if (level == -1)
+ {
+ if (fd_configured == -1)
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0 );
+ fd = fd_configured;
+ if (fd == -1)
+ return -1;
+ }
+
if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom)
{
if (fd_random == -1)
{
- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1));
+ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
ever_opened |= 1;
}
fd = fd_random;
@@ -228,7 +248,7 @@ _gcry_rndlinux_gather_random (void (*add
{
if (fd_urandom == -1)
{
- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
+ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
ever_opened |= 2;
}
fd = fd_urandom;


@ -3,27 +3,15 @@
src/fips.c | 39 ++++++++++++++++++++++++++++++++------- src/fips.c | 39 ++++++++++++++++++++++++++++++++-------
2 files changed, 33 insertions(+), 8 deletions(-) 2 files changed, 33 insertions(+), 8 deletions(-)
Index: libgcrypt-1.6.2/src/Makefile.in Index: libgcrypt-1.9.0/src/fips.c
=================================================================== ===================================================================
--- libgcrypt-1.6.2.orig/src/Makefile.in 2014-11-05 20:33:18.000000000 +0000 --- libgcrypt-1.9.0.orig/src/fips.c
+++ libgcrypt-1.6.2/src/Makefile.in 2014-11-05 20:34:04.000000000 +0000 +++ libgcrypt-1.9.0/src/fips.c
@@ -449,7 +449,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ @@ -603,23 +603,49 @@ run_random_selftests (void)
../cipher/libcipher.la \
../random/librandom.la \
../mpi/libmpi.la \
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl
dumpsexp_SOURCES = dumpsexp.c
dumpsexp_CFLAGS = $(arch_gpg_error_cflags)
Index: libgcrypt-1.6.2/src/fips.c
===================================================================
--- libgcrypt-1.6.2.orig/src/fips.c 2014-11-05 20:33:18.000000000 +0000
+++ libgcrypt-1.6.2/src/fips.c 2014-11-05 20:34:04.000000000 +0000
@@ -589,23 +589,48 @@ run_random_selftests (void)
return !!err; return !!err;
} }
+#ifdef ENABLE_HMAC_BINARY_CHECK
+static int +static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) +get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{ +{
@ -31,23 +19,23 @@ Index: libgcrypt-1.6.2/src/fips.c
+ void *dl, *sym; + void *dl, *sym;
+ int rv = -1; + int rv = -1;
+ +
+ dl = dlopen(libname, RTLD_LAZY); + dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) { + if (dl == NULL)
+ return -1; + return -1;
+ }
+ +
+ sym = dlsym(dl, symbolname); + sym = dlsym(dl, symbolname);
+ if (sym != NULL && dladdr(sym, &info))
+ {
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+ +
+ if (sym != NULL && dladdr(sym, &info)) { + dlclose(dl);
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+ +
+ dlclose(dl);
+
+ return rv; + return rv;
+} +}
+#endif
+ +
/* Run an integrity check on the binary. Returns 0 on success. */ /* Run an integrity check on the binary. Returns 0 on success. */
static int static int
@ -61,10 +49,9 @@ Index: libgcrypt-1.6.2/src/fips.c
int dlen; int dlen;
char *fname = NULL; char *fname = NULL;
- const char key[] = "What am I, a doctor or a moonshuttle conductor?"; - const char key[] = "What am I, a doctor or a moonshuttle conductor?";
-
- if (!dladdr ("gcry_check_version", &info))
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; + const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+
- if (!dladdr ("gcry_check_version", &info))
+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath))) + if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
else else
@ -74,7 +61,7 @@ Index: libgcrypt-1.6.2/src/fips.c
key, strlen (key)); key, strlen (key));
if (dlen < 0) if (dlen < 0)
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
@@ -613,7 +638,7 @@ check_binary_integrity (void) @@ -627,7 +652,7 @@ check_binary_integrity (void)
err = gpg_error (GPG_ERR_INTERNAL); err = gpg_error (GPG_ERR_INTERNAL);
else else
{ {
@ -83,7 +70,7 @@ Index: libgcrypt-1.6.2/src/fips.c
if (!fname) if (!fname)
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
else else
@@ -622,7 +647,7 @@ check_binary_integrity (void) @@ -636,7 +661,7 @@ check_binary_integrity (void)
char *p; char *p;
/* Prefix the basename with a dot. */ /* Prefix the basename with a dot. */
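Review bot: In `get_library_path` (new side, hunk `@@ -603,23 +603,49 @@`) a failed `dlopen` or `dlsym` returns -1 without setting `errno`, yet the caller in `check_binary_integrity` maps that to `err = gpg_error_from_syserror ();`, so the self-test reports whatever stale errno happens to be there. A definite code on that path, `err = gpg_error (GPG_ERR_INTERNAL);` as the same function already uses a few lines further down, keeps an integrity-check failure diagnosable; logging `dlerror ()` before returning -1 would help further. The `dlopen ("libgcrypt.so.20", RTLD_LAZY)` call also deserves a comment that the path returned is that of whichever object the loader resolves for this soname, which is the copy currently executing only when it was loaded under that name. `check_binary_integrity` begins and ends outside the hunks shown.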


@ -1,8 +1,8 @@
Index: libgcrypt-1.8.4/cipher/md.c Index: libgcrypt-1.9.0/cipher/md.c
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/cipher/md.c 2019-03-25 16:58:52.844354398 +0100 --- libgcrypt-1.9.0.orig/cipher/md.c
+++ libgcrypt-1.8.4/cipher/md.c 2019-03-25 16:58:53.512358321 +0100 +++ libgcrypt-1.9.0/cipher/md.c
@@ -411,11 +411,8 @@ md_enable (gcry_md_hd_t hd, int algorith @@ -564,11 +564,8 @@ md_enable (gcry_md_hd_t hd, int algorith
if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) if (!err && algorithm == GCRY_MD_MD5 && fips_mode ())
{ {
@ -14,14 +14,15 @@ Index: libgcrypt-1.8.4/cipher/md.c
err = GPG_ERR_DIGEST_ALGO; err = GPG_ERR_DIGEST_ALGO;
} }
} }
Index: libgcrypt-1.8.4/src/fips.c Index: libgcrypt-1.9.0/src/fips.c
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/src/fips.c 2019-03-25 16:58:52.844354398 +0100 --- libgcrypt-1.9.0.orig/src/fips.c
+++ libgcrypt-1.8.4/src/fips.c 2019-03-25 16:58:53.516358344 +0100 +++ libgcrypt-1.9.0/src/fips.c
@@ -91,6 +91,31 @@ static void fips_new_state (enum module_ @@ -90,7 +90,31 @@ static void fips_new_state (enum module_
#define loxdigit_p(p) !!strchr ("01234567890abcdef", *(p))
-
+/* Initialize the FSM lock - this function may only +/* Initialize the FSM lock - this function may only
+ be called once and is intended to be run from the library + be called once and is intended to be run from the library
+ constructor */ + constructor */
@ -46,11 +47,11 @@ Index: libgcrypt-1.8.4/src/fips.c
+ abort (); + abort ();
+ } + }
+} +}
+ +
/* Check whether the OS is in FIPS mode and record that in a module /* Check whether the OS is in FIPS mode and record that in a module
local variable. If FORCE is passed as true, fips mode will be local variable. If FORCE is passed as true, fips mode will be
enabled anyway. Note: This function is not thread-safe and should enabled anyway. Note: This function is not thread-safe and should
@@ -100,7 +125,6 @@ void @@ -100,7 +124,6 @@ void
_gcry_initialize_fips_mode (int force) _gcry_initialize_fips_mode (int force)
{ {
static int done; static int done;
@ -58,7 +59,7 @@ Index: libgcrypt-1.8.4/src/fips.c
/* Make sure we are not accidentally called twice. */ /* Make sure we are not accidentally called twice. */
if (done) if (done)
@@ -190,24 +214,6 @@ _gcry_initialize_fips_mode (int force) @@ -190,24 +213,6 @@ _gcry_initialize_fips_mode (int force)
/* Yes, we are in FIPS mode. */ /* Yes, we are in FIPS mode. */
FILE *fp; FILE *fp;
@ -83,7 +84,7 @@ Index: libgcrypt-1.8.4/src/fips.c
/* If the FIPS force files exists, is readable and has a number /* If the FIPS force files exists, is readable and has a number
!= 0 on its first line, we enable the enforced fips mode. */ != 0 on its first line, we enable the enforced fips mode. */
fp = fopen (FIPS_FORCE_FILE, "r"); fp = fopen (FIPS_FORCE_FILE, "r");
@@ -370,16 +376,20 @@ _gcry_fips_is_operational (void) @@ -356,16 +361,20 @@ _gcry_fips_is_operational (void)
{ {
int result; int result;
@ -92,7 +93,7 @@ Index: libgcrypt-1.8.4/src/fips.c
+ if (current_state == STATE_POWERON && !fips_mode ()) + if (current_state == STATE_POWERON && !fips_mode ())
+ /* If we are at this point in POWERON state it means the FIPS + /* If we are at this point in POWERON state it means the FIPS
+ module installation was not completed. (/etc/system-fips + module installation was not completed. (/etc/system-fips
+ is not present.) */ + is not present.) */
result = 1; result = 1;
else else
{ {
@ -110,7 +111,7 @@ Index: libgcrypt-1.8.4/src/fips.c
initialization of libgcrypt, but that has traditionally initialization of libgcrypt, but that has traditionally
not been enforced, we use this on demand self-test not been enforced, we use this on demand self-test
checking. Note that Proper applications would do the checking. Note that Proper applications would do the
@@ -395,9 +405,11 @@ _gcry_fips_is_operational (void) @@ -381,9 +390,11 @@ _gcry_fips_is_operational (void)
lock_fsm (); lock_fsm ();
} }
@ -124,7 +125,7 @@ Index: libgcrypt-1.8.4/src/fips.c
return result; return result;
} }
@@ -722,9 +734,25 @@ _gcry_fips_run_selftests (int extended) @@ -729,9 +740,25 @@ _gcry_fips_run_selftests (int extended)
{ {
enum module_states result = STATE_ERROR; enum module_states result = STATE_ERROR;
gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED; gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
@ -152,14 +153,17 @@ Index: libgcrypt-1.8.4/src/fips.c
if (run_cipher_selftests (extended)) if (run_cipher_selftests (extended))
goto leave; goto leave;
@@ -743,18 +771,12 @@ _gcry_fips_run_selftests (int extended) @@ -753,21 +780,12 @@ _gcry_fips_run_selftests (int extended)
if (run_pubkey_selftests (extended)) if (run_pubkey_selftests (extended))
goto leave; goto leave;
- /* Now check the integrity of the binary. We do this this after - if (fips_mode ())
- having checked the HMAC code. */ - {
- if (check_binary_integrity ()) - /* Now check the integrity of the binary. We do this this after
- goto leave; - having checked the HMAC code. */
- if (check_binary_integrity ())
- goto leave;
- }
- -
/* All selftests passed. */ /* All selftests passed. */
result = STATE_OPERATIONAL; result = STATE_OPERATIONAL;
@ -172,7 +176,7 @@ Index: libgcrypt-1.8.4/src/fips.c
return ec; return ec;
} }
@@ -810,6 +832,7 @@ fips_new_state (enum module_states new_s @@ -823,6 +841,7 @@ fips_new_state (enum module_states new_s
{ {
case STATE_POWERON: case STATE_POWERON:
if (new_state == STATE_INIT if (new_state == STATE_INIT
@ -180,7 +184,7 @@ Index: libgcrypt-1.8.4/src/fips.c
|| new_state == STATE_ERROR || new_state == STATE_ERROR
|| new_state == STATE_FATALERROR) || new_state == STATE_FATALERROR)
ok = 1; ok = 1;
@@ -824,6 +847,8 @@ fips_new_state (enum module_states new_s @@ -837,6 +856,8 @@ fips_new_state (enum module_states new_s
case STATE_SELFTEST: case STATE_SELFTEST:
if (new_state == STATE_OPERATIONAL if (new_state == STATE_OPERATIONAL
@ -189,11 +193,11 @@ Index: libgcrypt-1.8.4/src/fips.c
|| new_state == STATE_ERROR || new_state == STATE_ERROR
|| new_state == STATE_FATALERROR) || new_state == STATE_FATALERROR)
ok = 1; ok = 1;
Index: libgcrypt-1.8.4/src/global.c Index: libgcrypt-1.9.0/src/global.c
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/src/global.c 2019-03-25 16:58:52.844354398 +0100 --- libgcrypt-1.9.0.orig/src/global.c
+++ libgcrypt-1.8.4/src/global.c 2019-03-25 16:58:53.516358344 +0100 +++ libgcrypt-1.9.0/src/global.c
@@ -145,6 +145,29 @@ global_init (void) @@ -141,6 +141,29 @@ global_init (void)
} }
@ -223,38 +227,40 @@ Index: libgcrypt-1.8.4/src/global.c
/* This function is called by the macro fips_is_operational and makes /* This function is called by the macro fips_is_operational and makes
sure that the minimal initialization has been done. This is far sure that the minimal initialization has been done. This is far
from a perfect solution and hides problems with an improper from a perfect solution and hides problems with an improper
@@ -675,8 +698,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, @@ -672,9 +695,8 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
case GCRYCTL_FIPS_MODE_P: case GCRYCTL_FIPS_MODE_P:
if (fips_mode () if (fips_mode ()
- && !_gcry_is_fips_mode_inactive () - && !_gcry_is_fips_mode_inactive ()
- && !no_secure_memory) - && !no_secure_memory)
- rc = GPG_ERR_GENERAL; /* Used as TRUE value */
+ && !_gcry_is_fips_mode_inactive ()) + && !_gcry_is_fips_mode_inactive ())
rc = GPG_ERR_GENERAL; /* Used as TRUE value */ + rc = GPG_ERR_GENERAL; /* Used as TRUE value */
break; break;
@@ -753,9 +775,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, case GCRYCTL_FORCE_FIPS_MODE:
@@ -750,9 +772,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
break; break;
case GCRYCTL_SET_ENFORCED_FIPS_FLAG: case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
- if (!any_init_done) - if (!_gcry_global_any_init_done)
+ if (fips_mode ()) + if (fips_mode())
{ {
- /* Not yet initialized at all. Set the enforced fips mode flag */ - /* Not yet initialized at all. Set the enforced fips mode flag */
+ /* We are in FIPS mode, we can set the enforced fips mode flag. */ + /* We are in FIPS mode, we can set the enforced fips mode flag. */
_gcry_set_preferred_rng_type (0); _gcry_set_preferred_rng_type (0);
_gcry_set_enforced_fips_mode (); _gcry_set_enforced_fips_mode ();
} }
Index: libgcrypt-1.8.4/src/g10lib.h Index: libgcrypt-1.9.0/src/g10lib.h
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/src/g10lib.h 2019-03-25 16:58:52.844354398 +0100 --- libgcrypt-1.9.0.orig/src/g10lib.h
+++ libgcrypt-1.8.4/src/g10lib.h 2019-03-25 16:58:53.516358344 +0100 +++ libgcrypt-1.9.0/src/g10lib.h
@@ -422,6 +422,8 @@ gpg_err_code_t _gcry_sexp_vextract_param @@ -429,6 +429,8 @@ gpg_err_code_t _gcry_sexp_vextract_param
/*-- fips.c --*/ extern int _gcry_no_fips_mode_required;
+void _gcry_initialize_fsm_lock (void); +void _gcry_initialize_fsm_lock (void);
+ +
void _gcry_initialize_fips_mode (int force); void _gcry_initialize_fips_mode (int force);
int _gcry_fips_mode (void); /* This macro returns true if fips mode is enabled. This is
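Review bot: `if (fips_mode())` in the `GCRYCTL_SET_ENFORCED_FIPS_FLAG` hunk (`@@ -750,9 +772,9 @@`, new side) drops the GNU-style space before the parenthesis that every other call in this patch keeps (`fips_mode ()` in the `GCRYCTL_FIPS_MODE_P` case, `_gcry_set_enforced_fips_mode ();` on the next lines); write it `if (fips_mode ())`. Separately, the hunk `@@ -753,21 +780,12 @@` deletes the only visible call to `check_binary_integrity ()` from `_gcry_fips_run_selftests`; if the patch re-runs the HMAC check from elsewhere (not in this view), a one-line comment at the deletion site naming that place would spare the next rebaser the same question. Both enclosing functions extend beyond the hunks shown.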


@ -1,33 +1,32 @@
Index: libgcrypt-1.8.2/cipher/dsa.c Index: libgcrypt-1.9.1/cipher/dsa.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/dsa.c --- libgcrypt-1.9.1.orig/cipher/dsa.c
+++ libgcrypt-1.8.2/cipher/dsa.c +++ libgcrypt-1.9.1/cipher/dsa.c
@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un @@ -457,13 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
&prime_q, &prime_p, &prime_q, &prime_p,
r_counter, r_counter,
r_seed, r_seedlen); r_seed, r_seedlen);
- else - else
- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
+ else if (!domain->p || !domain->q) + else if (!domain->p || !domain->q)
+ ec = _gcry_generate_fips186_3_prime (nbits, qbits, ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+ initial_seed.seed, initial_seed.seed,
+ initial_seed.seedlen, initial_seed.seedlen,
&prime_q, &prime_p, &prime_q, &prime_p,
r_counter, r_counter,
r_seed, r_seedlen, NULL); r_seed, r_seedlen, NULL);
+ else + else
+ { + {
+ /* Domain parameters p and q are given; use them. */ + /* Domain parameters p and q are given; use them. */
+ prime_p = mpi_copy (domain->p); + prime_p = mpi_copy (domain->p);
+ prime_q = mpi_copy (domain->q); + prime_q = mpi_copy (domain->q);
+ gcry_assert (mpi_get_nbits (prime_p) == nbits); + gcry_assert (mpi_get_nbits (prime_p) == nbits);
+ gcry_assert (mpi_get_nbits (prime_q) == qbits); + gcry_assert (mpi_get_nbits (prime_q) == qbits);
+ ec = 0; + ec = 0;
+ } + }
sexp_release (initial_seed.sexp); sexp_release (initial_seed.sexp);
if (ec) if (ec)
goto leave; goto leave;
@@ -857,13 +868,12 @@ dsa_generate (const gcry_sexp_t genparms @@ -859,13 +868,12 @@ dsa_generate (const gcry_sexp_t genparms
sexp_release (l1); sexp_release (l1);
sexp_release (domainsexp); sexp_release (domainsexp);
@ -43,15 +42,15 @@ Index: libgcrypt-1.8.2/cipher/dsa.c
return GPG_ERR_MISSING_VALUE; return GPG_ERR_MISSING_VALUE;
} }
Index: libgcrypt-1.8.2/cipher/rsa.c Index: libgcrypt-1.9.1/cipher/rsa.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/rsa.c --- libgcrypt-1.9.1.orig/cipher/rsa.c
+++ libgcrypt-1.8.2/cipher/rsa.c +++ libgcrypt-1.9.1/cipher/rsa.c
@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig @@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig
if (nbits < 1024 || (nbits & 0x1FF)) if (nbits < 1024 || (nbits & 0x1FF))
return GPG_ERR_INV_VALUE; return GPG_ERR_INV_VALUE;
- if (fips_mode() && nbits != 2048 && nbits != 3072) - if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
+ if (fips_mode() && nbits < 2048) + if (fips_mode() && nbits < 2048)
return GPG_ERR_INV_VALUE; return GPG_ERR_INV_VALUE;
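Review bot: The new `else` branch in `generate_fips186` (hunk `@@ -457,13 +457,22 @@`) checks caller-supplied domain parameters with `gcry_assert`, so a `p` or `q` whose size does not match `nbits`/`qbits` aborts the process instead of failing key generation; since the domain appears to arrive through `dsa_generate (const gcry_sexp_t genparms`, that is untrusted input in the same sense as the `nbits` check in rsa.c, which returns `GPG_ERR_INV_VALUE`. Replacing the two asserts and `ec = 0;` with `ec = (mpi_get_nbits (prime_p) == nbits && mpi_get_nbits (prime_q) == qbits) ? 0 : GPG_ERR_INV_VALUE;` reuses the existing `if (ec) goto leave;`, assuming `leave` releases `prime_p`/`prime_q` (that label is outside the hunk). `generate_fips186` begins and ends outside the hunk shown.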


@ -1,7 +1,7 @@
Index: libgcrypt-1.8.4/random/random-csprng.c Index: libgcrypt-1.9.1/random/random-csprng.c
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/random/random-csprng.c --- libgcrypt-1.9.1.orig/random/random-csprng.c
+++ libgcrypt-1.8.4/random/random-csprng.c +++ libgcrypt-1.9.1/random/random-csprng.c
@@ -55,6 +55,10 @@ @@ -55,6 +55,10 @@
#ifdef __MINGW32__ #ifdef __MINGW32__
#include <process.h> #include <process.h>
@ -13,7 +13,7 @@ Index: libgcrypt-1.8.4/random/random-csprng.c
#include "g10lib.h" #include "g10lib.h"
#include "random.h" #include "random.h"
#include "rand-internal.h" #include "rand-internal.h"
@@ -1116,6 +1120,22 @@ getfnc_gather_random (void))(void (*)(co @@ -1202,6 +1206,22 @@ getfnc_gather_random (void))(void (*)(co
enum random_origins, size_t, int); enum random_origins, size_t, int);
#if USE_RNDLINUX #if USE_RNDLINUX
@ -31,39 +31,69 @@ Index: libgcrypt-1.8.4/random/random-csprng.c
+ return fnc; + return fnc;
+ } + }
+ else + else
+ /* The syscall is not supported - fallback to /dev/urandom. */ + /* The syscall is not supported - fallback to /dev/urandom. */
+#endif +#endif
if ( !access (NAME_OF_DEV_RANDOM, R_OK) if ( !access (NAME_OF_DEV_RANDOM, R_OK)
&& !access (NAME_OF_DEV_URANDOM, R_OK)) && !access (NAME_OF_DEV_URANDOM, R_OK))
{ {
Index: libgcrypt-1.8.4/random/random.c Index: libgcrypt-1.9.1/random/random.c
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/random/random.c --- libgcrypt-1.9.1.orig/random/random.c
+++ libgcrypt-1.8.4/random/random.c +++ libgcrypt-1.9.1/random/random.c
@@ -110,8 +110,8 @@ _gcry_random_read_conf (void) @@ -110,8 +110,8 @@ _gcry_random_read_conf (void)
unsigned int result = 0; unsigned int result = 0;
fp = fopen (fname, "r"); fp = fopen (fname, "r");
- if (!fp) - if (!fp)
- return result; - return result;
+ if (!fp) /* We make only_urandom the default. */ + if (!fp) /* We make only_urandom the default. */
+ return RANDOM_CONF_ONLY_URANDOM; + return RANDOM_CONF_ONLY_URANDOM;
for (;;) for (;;)
{ {
Index: libgcrypt-1.8.4/random/rndlinux.c Index: libgcrypt-1.9.1/random/rndlinux.c
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/random/rndlinux.c --- libgcrypt-1.9.1.orig/random/rndlinux.c
+++ libgcrypt-1.8.4/random/rndlinux.c +++ libgcrypt-1.9.1/random/rndlinux.c
@@ -34,6 +34,7 @@ @@ -39,6 +39,7 @@ extern int getentropy (void *buf, size_t
#include <fcntl.h> #if defined(__linux__) || !defined(HAVE_GETENTROPY)
#if defined(__linux__) && defined(HAVE_SYSCALL) #ifdef HAVE_SYSCALL
# include <sys/syscall.h> # include <sys/syscall.h>
+# include <linux/random.h> +# include <linux/random.h>
#endif # ifdef __NR_getrandom
# define getentropy(buf,buflen) syscall (__NR_getrandom, buf, buflen, 0)
#include "types.h" # endif
@@ -248,6 +249,18 @@ _gcry_rndlinux_gather_random (void (*add @@ -155,12 +156,12 @@ _gcry_rndlinux_gather_random (void (*add
if (!add)
{
/* Special mode to close the descriptors. */
- if (fd_random != -1)
+ if (fd_random >= 0)
{
close (fd_random);
fd_random = -1;
}
- if (fd_urandom != -1)
+ if (fd_urandom >= 0)
{
close (fd_urandom);
fd_urandom = -1;
@@ -176,12 +177,12 @@ _gcry_rndlinux_gather_random (void (*add
apid = getpid ();
if (my_pid != apid)
{
- if (fd_random != -1)
+ if (fd_random >= 0)
{
close (fd_random);
fd_random = -1;
}
- if (fd_urandom != -1)
+ if (fd_urandom >= 0)
{
close (fd_urandom);
fd_urandom = -1;
@@ -230,6 +231,17 @@ _gcry_rndlinux_gather_random (void (*add
{ {
if (fd_urandom == -1) if (fd_urandom == -1)
{ {
@ -76,28 +106,19 @@ Index: libgcrypt-1.8.4/random/rndlinux.c
+ _gcry_post_syscall (); + _gcry_post_syscall ();
+ if (ret > -1 || errno == EAGAIN || errno == EINTR) + if (ret > -1 || errno == EAGAIN || errno == EINTR)
+ fd_urandom = -2; + fd_urandom = -2;
+ else + else /* The syscall is not supported - fallback to /dev/urandom. */
+ /* The syscall is not supported - fallback to /dev/urandom. */
+#endif +#endif
fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1); fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
ever_opened |= 2; ever_opened |= 2;
} }
@@ -275,6 +288,7 @@ _gcry_rndlinux_gather_random (void (*add @@ -272,9 +284,7 @@ _gcry_rndlinux_gather_random (void (*add
* syscall and not a new device and thus we are not able to use
* select(2) to have a timeout. */
#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ if (fd == -2)
{
long ret;
size_t nbytes;
@@ -290,9 +304,7 @@ _gcry_rndlinux_gather_random (void (*add
_gcry_post_syscall (); _gcry_post_syscall ();
} }
while (ret == -1 && errno == EINTR); while (ret == -1 && errno == EINTR);
- if (ret == -1 && errno == ENOSYS) - if (ret == -1 && errno == ENOSYS)
- ; /* The syscall is not supported - fallback to pulling from fd. */ - ; /* getentropy is not supported - fallback to pulling from fd. */
- else - else
+ if (1) + if (1)
{ /* The syscall is supported. Some sanity checks. */ { /* getentropy is supported. Some sanity checks. */
if (ret == -1) if (ret == -1)
log_fatal ("unexpected error from getrandom: %s\n", log_fatal ("unexpected error from getentropy: %s\n",
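Review bot: `if (1)` in the last hunk (`@@ -272,9 +284,7 @@`, new side) is the stub left behind when the `ENOSYS` branch was deleted; an always-true condition carrying its own brace block reads as unfinished code. Either drop the `if (1)` with its braces and dedent the sanity-check body into the enclosing scope, or keep the structure and say why: `/* getentropy is always used here; the ENOSYS fallback to the descriptor was removed. */`. The enclosing `_gcry_rndlinux_gather_random` runs beyond the hunk on both ends.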


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:03b70f028299561b7034b8966d7dd77ef16ed139c43440925fe8782561974748
size 2985660


libgcrypt-1.9.1.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c5a67a8b9b2bd370fb415ed1ee31c7172e5683076493cf4a3678a0fbdf0265d9
size 3202683

libgcrypt-1.9.1.tar.bz2.sig Normal file



@ -1,322 +0,0 @@
diff -up libgcrypt-1.8.3/cipher/cipher-cmac.c.cmac-selftest libgcrypt-1.8.3/cipher/cipher-cmac.c
--- libgcrypt-1.8.3/cipher/cipher-cmac.c.cmac-selftest 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.3/cipher/cipher-cmac.c 2019-05-31 17:33:35.594407152 +0200
@@ -251,3 +251,246 @@ _gcry_cipher_cmac_set_subkeys (gcry_ciph
return GPG_ERR_NO_ERROR;
}
+
+/* CMAC selftests.
+ * Copyright (C) 2008 Free Software Foundation, Inc.
+ * Copyright (C) 2019 Red Hat, Inc.
+ */
+
+
+
+/* Check one MAC with MAC ALGO using the regular MAC
+ * API. (DATA,DATALEN) is the data to be MACed, (KEY,KEYLEN) the key
+ * and (EXPECT,EXPECTLEN) the expected result. If TRUNC is set, the
+ * EXPECTLEN may be less than the digest length. Returns NULL on
+ * success or a string describing the failure. */
+static const char *
+check_one (int algo,
+ const void *data, size_t datalen,
+ const void *key, size_t keylen,
+ const void *expect, size_t expectlen)
+{
+ gcry_mac_hd_t hd;
+ unsigned char mac[512]; /* hardcoded to avoid allocation */
+ size_t macoutlen = expectlen;
+
+/* printf ("MAC algo %d\n", algo); */
+ if (_gcry_mac_get_algo_maclen (algo) != expectlen ||
+ expectlen > sizeof (mac))
+ return "invalid tests data";
+ if (_gcry_mac_open (&hd, algo, 0, NULL))
+ return "gcry_mac_open failed";
+ if (_gcry_mac_setkey (hd, key, keylen))
+ {
+ _gcry_mac_close (hd);
+ return "gcry_md_setkey failed";
+ }
+ if (_gcry_mac_write (hd, data, datalen))
+ {
+ _gcry_mac_close (hd);
+ return "gcry_mac_write failed";
+ }
+ if (_gcry_mac_read (hd, mac, &macoutlen))
+ {
+ _gcry_mac_close (hd);
+ return "gcry_mac_read failed";
+ }
+ _gcry_mac_close (hd);
+ if (macoutlen != expectlen || memcmp (mac, expect, expectlen))
+ {
+/* int i; */
+
+/* fputs (" {", stdout); */
+/* for (i=0; i < expectlen-1; i++) */
+/* { */
+/* if (i && !(i % 8)) */
+/* fputs ("\n ", stdout); */
+/* printf (" 0x%02x,", mac[i]); */
+/* } */
+/* printf (" 0x%02x } },\n", mac[i]); */
+
+ return "does not match";
+ }
+ return NULL;
+}
+
+
+static gpg_err_code_t
+selftests_cmac_tdes (int extended, selftest_report_func_t report)
+{
+ const char *what;
+ const char *errtxt;
+
+ what = "Basic TDES";
+ errtxt = check_one (GCRY_MAC_CMAC_3DES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+ "\xae\x2d\x8a\x57", 20,
+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58"
+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24,
+ "\x74\x3d\xdb\xe0\xce\x2d\xc2\xed", 8);
+ if (errtxt)
+ goto failed;
+
+ if (extended)
+ {
+ what = "Extended TDES #1";
+ errtxt = check_one (GCRY_MAC_CMAC_3DES,
+ "", 0,
+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58"
+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24,
+ "\xb7\xa6\x88\xe1\x22\xff\xaf\x95", 8);
+ if (errtxt)
+ goto failed;
+
+ what = "Extended TDES #2";
+ errtxt = check_one (GCRY_MAC_CMAC_3DES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96", 8,
+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58"
+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24,
+ "\x8e\x8f\x29\x31\x36\x28\x37\x97", 8);
+ if (errtxt)
+ goto failed;
+
+ what = "Extended TDES #3";
+ errtxt = check_one (GCRY_MAC_CMAC_3DES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51", 32,
+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58"
+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24,
+ "\x33\xe6\xb1\x09\x24\x00\xea\xe5", 8);
+ if (errtxt)
+ goto failed;
+ }
+
+ return 0; /* Succeeded. */
+
+ failed:
+ if (report)
+ report ("cmac", GCRY_MAC_CMAC_3DES, what, errtxt);
+ return GPG_ERR_SELFTEST_FAILED;
+}
+
+
+
+static gpg_err_code_t
+selftests_cmac_aes (int extended, selftest_report_func_t report)
+{
+ const char *what;
+ const char *errtxt;
+
+ what = "Basic AES128";
+ errtxt = check_one (GCRY_MAC_CMAC_AES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40,
+ "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 16,
+ "\xdf\xa6\x67\x47\xde\x9a\xe6\x30\x30\xca\x32\x61\x14\x97\xc8\x27", 16);
+ if (errtxt)
+ goto failed;
+
+ what = "Basic AES192";
+ errtxt = check_one (GCRY_MAC_CMAC_AES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40,
+ "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5"
+ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 24,
+ "\x8a\x1d\xe5\xbe\x2e\xb3\x1a\xad\x08\x9a\x82\xe6\xee\x90\x8b\x0e", 16);
+ if (errtxt)
+ goto failed;
+
+ what = "Basic AES256";
+ errtxt = check_one (GCRY_MAC_CMAC_AES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40,
+ "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81"
+ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 32,
+ "\xaa\xf3\xd8\xf1\xde\x56\x40\xc2\x32\xf5\xb1\x69\xb9\xc9\x11\xe6", 16);
+ if (errtxt)
+ goto failed;
+ if (extended)
+ {
+ what = "Extended AES #1";
+ errtxt = check_one (GCRY_MAC_CMAC_AES,
+ "", 0,
+ "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 16,
+ "\xbb\x1d\x69\x29\xe9\x59\x37\x28\x7f\xa3\x7d\x12\x9b\x75\x67\x46", 16);
+ if (errtxt)
+ goto failed;
+
+ what = "Extended AES #2";
+ errtxt = check_one (GCRY_MAC_CMAC_AES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a", 16,
+ "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5"
+ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 24,
+ "\x9e\x99\xa7\xbf\x31\xe7\x10\x90\x06\x62\xf6\x5e\x61\x7c\x51\x84", 16);
+ if (errtxt)
+ goto failed;
+
+ what = "Extended AES #3";
+ errtxt = check_one (GCRY_MAC_CMAC_AES,
+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 64,
+ "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81"
+ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 32,
+ "\xe1\x99\x21\x90\x54\x9f\x6e\xd5\x69\x6a\x2c\x05\x6c\x31\x54\x10", 16 );
+ if (errtxt)
+ goto failed;
+ }
+
+ return 0; /* Succeeded. */
+
+ failed:
+ if (report)
+ report ("cmac", GCRY_MAC_CMAC_AES, what, errtxt);
+ return GPG_ERR_SELFTEST_FAILED;
+}
+
+
+/* Run a full self-test for ALGO and return 0 on success. */
+static gpg_err_code_t
+run_cmac_selftests (int algo, int extended, selftest_report_func_t report)
+{
+ gpg_err_code_t ec;
+
+ switch (algo)
+ {
+ case GCRY_MAC_CMAC_3DES:
+ ec = selftests_cmac_tdes (extended, report);
+ break;
+ case GCRY_MAC_CMAC_AES:
+ ec = selftests_cmac_aes (extended, report);
+ break;
+
+ default:
+ ec = GPG_ERR_MAC_ALGO;
+ break;
+ }
+ return ec;
+}
+
+
+
+
+/* Run the selftests for CMAC with CMAC algorithm ALGO with optional
+ reporting function REPORT. */
+gpg_error_t
+_gcry_cmac_selftest (int algo, int extended, selftest_report_func_t report)
+{
+ gcry_err_code_t ec = 0;
+
+ if (!_gcry_mac_algo_info( algo, GCRYCTL_TEST_ALGO, NULL, NULL ))
+ {
+ ec = run_cmac_selftests (algo, extended, report);
+ }
+ else
+ {
+ ec = GPG_ERR_MAC_ALGO;
+ if (report)
+ report ("mac", algo, "module", "algorithm not available");
+ }
+ return gpg_error (ec);
+}
diff -up libgcrypt-1.8.3/src/cipher-proto.h.cmac-selftest libgcrypt-1.8.3/src/cipher-proto.h
--- libgcrypt-1.8.3/src/cipher-proto.h.cmac-selftest 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.3/src/cipher-proto.h 2019-05-31 17:29:34.574588234 +0200
@@ -256,6 +256,8 @@ gcry_error_t _gcry_pk_selftest (int algo
selftest_report_func_t report);
gcry_error_t _gcry_hmac_selftest (int algo, int extended,
selftest_report_func_t report);
+gcry_error_t _gcry_cmac_selftest (int algo, int extended,
+ selftest_report_func_t report);
gcry_error_t _gcry_random_selftest (selftest_report_func_t report);
diff -up libgcrypt-1.8.3/src/fips.c.cmac-selftest libgcrypt-1.8.3/src/fips.c
--- libgcrypt-1.8.3/src/fips.c.cmac-selftest 2018-11-01 15:40:36.051865535 +0100
+++ libgcrypt-1.8.3/src/fips.c 2019-05-31 17:31:20.157756640 +0200
@@ -521,29 +521,32 @@ run_digest_selftests (int extended)
/* Run self-tests for all HMAC algorithms. Return 0 on success. */
static int
-run_hmac_selftests (int extended)
+run_mac_selftests (int extended)
{
- static int algos[] =
+ static int algos[][2] =
{
- GCRY_MD_SHA1,
- GCRY_MD_SHA224,
- GCRY_MD_SHA256,
- GCRY_MD_SHA384,
- GCRY_MD_SHA512,
- GCRY_MD_SHA3_224,
- GCRY_MD_SHA3_256,
- GCRY_MD_SHA3_384,
- GCRY_MD_SHA3_512,
- 0
+ { GCRY_MD_SHA1, 0 },
+ { GCRY_MD_SHA224, 0 },
+ { GCRY_MD_SHA256, 0 },
+ { GCRY_MD_SHA384, 0 },
+ { GCRY_MD_SHA512, 0 },
+ { GCRY_MD_SHA3_224, 0 },
+ { GCRY_MD_SHA3_256, 0 },
+ { GCRY_MD_SHA3_384, 0 },
+ { GCRY_MD_SHA3_512, 0 },
+ { GCRY_MAC_CMAC_3DES, 1 },
+ { GCRY_MAC_CMAC_AES, 1 },
+ { 0, 0 }
};
int idx;
gpg_error_t err;
int anyerr = 0;
- for (idx=0; algos[idx]; idx++)
+ for (idx=0; algos[idx][0]; idx++)
{
- err = _gcry_hmac_selftest (algos[idx], extended, reporter);
- reporter ("hmac", algos[idx], NULL,
+ err = algos[idx][1] ? _gcry_cmac_selftest (algos[idx][0], extended, reporter) :
+ _gcry_hmac_selftest (algos[idx][0], extended, reporter);
+ reporter (algos[idx][1] ? "cmac" : "hmac", algos[idx][0], NULL,
err? gpg_strerror (err):NULL);
if (err)
anyerr = 1;
@@ -747,7 +750,7 @@ _gcry_fips_run_selftests (int extended)
if (run_digest_selftests (extended))
goto leave;
- if (run_hmac_selftests (extended))
+ if (run_mac_selftests (extended))
goto leave;
/* Run random tests before the pubkey tests because the latter


@ -1,322 +0,0 @@
From daedbbb5541cd8ecda1459d3b843ea4d92788762 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Fri, 31 May 2019 17:18:09 +0300
Subject: [PATCH] AES: move look-up tables to .data section and unshare between
processes
* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New.
* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure.
(enc_tables): New structure for encryption table with counters before
and after.
(encT): New macro.
(dec_tables): Add counters before and after encryption table; Move
from .rodata to .data section.
(do_encrypt): Change 'encT' to 'enc_tables.T'.
(do_decrypt): Change '&dec_tables' to 'dec_tables.T'.
* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input
with length not multiple of 256.
(prefetch_enc, prefetch_dec): Modify pre- and post-table counters
to unshare look-up table pages between processes.
--
GnuPG-bug-id: 4541
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
cipher/rijndael-internal.h | 4 +-
cipher/rijndael-tables.h | 155 +++++++++++++++++++++----------------
cipher/rijndael.c | 35 +++++++--
3 files changed, 118 insertions(+), 76 deletions(-)
Index: libgcrypt-1.8.4/cipher/rijndael-internal.h
===================================================================
--- libgcrypt-1.8.4.orig/cipher/rijndael-internal.h
+++ libgcrypt-1.8.4/cipher/rijndael-internal.h
@@ -29,11 +29,13 @@
#define BLOCKSIZE (128/8)
-/* Helper macro to force alignment to 16 bytes. */
+/* Helper macro to force alignment to 16 or 64 bytes. */
#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
# define ATTR_ALIGNED_16 __attribute__ ((aligned (16)))
+# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
#else
# define ATTR_ALIGNED_16
+# define ATTR_ALIGNED_64
#endif
Index: libgcrypt-1.8.4/cipher/rijndael-tables.h
===================================================================
--- libgcrypt-1.8.4.orig/cipher/rijndael-tables.h
+++ libgcrypt-1.8.4/cipher/rijndael-tables.h
@@ -21,80 +21,98 @@
/* To keep the actual implementation at a readable size we use this
include file to define the tables. */
-static const u32 encT[256] =
+static struct
+{
+ volatile u32 counter_head;
+ u32 cacheline_align[64 / 4 - 1];
+ u32 T[256];
+ volatile u32 counter_tail;
+} enc_tables ATTR_ALIGNED_64 =
{
- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
+ 0,
+ { 0, },
+ {
+ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
+ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
+ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
+ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
+ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
+ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
+ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
+ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
+ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
+ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
+ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
+ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
+ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
+ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
+ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
+ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
+ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
+ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
+ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
+ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
+ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
+ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
+ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
+ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
+ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
+ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
+ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
+ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
+ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
+ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
+ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
+ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
+ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
+ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
+ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
+ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
+ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
+ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
+ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
+ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
+ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
+ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
+ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
+ },
+ 0
};
-static const struct
+#define encT enc_tables.T
+
+static struct
{
+ volatile u32 counter_head;
+ u32 cacheline_align[64 / 4 - 1];
u32 T[256];
byte inv_sbox[256];
-} dec_tables =
+ volatile u32 counter_tail;
+} dec_tables ATTR_ALIGNED_64 =
{
+ 0,
+ { 0, },
{
0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a,
0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
@@ -194,7 +212,8 @@ static const struct
0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
- }
+ },
+ 0
};
#define decT dec_tables.T
Index: libgcrypt-1.8.4/cipher/rijndael.c
===================================================================
--- libgcrypt-1.8.4.orig/cipher/rijndael.c
+++ libgcrypt-1.8.4/cipher/rijndael.c
@@ -227,11 +227,11 @@ static const char *selftest(void);
/* Prefetching for encryption/decryption tables. */
-static void prefetch_table(const volatile byte *tab, size_t len)
+static inline void prefetch_table(const volatile byte *tab, size_t len)
{
size_t i;
- for (i = 0; i < len; i += 8 * 32)
+ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
{
(void)tab[i + 0 * 32];
(void)tab[i + 1 * 32];
@@ -242,17 +242,37 @@ static void prefetch_table(const volatil
(void)tab[i + 6 * 32];
(void)tab[i + 7 * 32];
}
+ for (; i < len; i += 32)
+ {
+ (void)tab[i];
+ }
(void)tab[len - 1];
}
static void prefetch_enc(void)
{
- prefetch_table((const void *)encT, sizeof(encT));
+ /* Modify counters to trigger copy-on-write and unsharing if physical pages
+ * of look-up table are shared between processes. Modifying counters also
+ * causes checksums for pages to change and hint same-page merging algorithm
+ * that these pages are frequently changing. */
+ enc_tables.counter_head++;
+ enc_tables.counter_tail++;
+
+ /* Prefetch look-up tables to cache. */
+ prefetch_table((const void *)&enc_tables, sizeof(enc_tables));
}
static void prefetch_dec(void)
{
+ /* Modify counters to trigger copy-on-write and unsharing if physical pages
+ * of look-up table are shared between processes. Modifying counters also
+ * causes checksums for pages to change and hint same-page merging algorithm
+ * that these pages are frequently changing. */
+ dec_tables.counter_head++;
+ dec_tables.counter_tail++;
+
+ /* Prefetch look-up tables to cache. */
prefetch_table((const void *)&dec_tables, sizeof(dec_tables));
}
@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx,
#ifdef USE_AMD64_ASM
# ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
- encT);
+ enc_tables.T);
# else
/* Call SystemV ABI function without storing non-volatile XMM registers,
* as target function does not use vector instruction sets. */
@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx,
return ret;
# endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
#elif defined(USE_ARM_ASM)
- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT);
+ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
+ enc_tables.T);
#else
return do_encrypt_fn (ctx, bx, ax);
#endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/
@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx,
#ifdef USE_AMD64_ASM
# ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
- &dec_tables);
+ dec_tables.T);
# else
/* Call SystemV ABI function without storing non-volatile XMM registers,
* as target function does not use vector instruction sets. */
@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx,
# endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
#elif defined(USE_ARM_ASM)
return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
- &dec_tables);
+ dec_tables.T);
#else
return do_decrypt_fn (ctx, bx, ax);
#endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/


@ -1,80 +0,0 @@
From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Sat, 27 Apr 2019 19:33:28 +0300
Subject: [PATCH] Prefetch GCM look-up tables
* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables)
(prefetch_tables): New.
(ghash_internal): Call prefetch_tables.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
cipher/cipher-gcm.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
index c19f09f2..11f119aa 100644
--- a/cipher/cipher-gcm.c
+++ b/cipher/cipher-gcm.c
@@ -118,6 +118,34 @@ static const u16 gcmR[256] = {
0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
};
+static inline
+void prefetch_table(const void *tab, size_t len)
+{
+ const volatile byte *vtab = tab;
+ size_t i;
+
+ for (i = 0; i < len; i += 8 * 32)
+ {
+ (void)vtab[i + 0 * 32];
+ (void)vtab[i + 1 * 32];
+ (void)vtab[i + 2 * 32];
+ (void)vtab[i + 3 * 32];
+ (void)vtab[i + 4 * 32];
+ (void)vtab[i + 5 * 32];
+ (void)vtab[i + 6 * 32];
+ (void)vtab[i + 7 * 32];
+ }
+
+ (void)vtab[len - 1];
+}
+
+static inline void
+do_prefetch_tables (const void *gcmM, size_t gcmM_size)
+{
+ prefetch_table(gcmM, gcmM_size);
+ prefetch_table(gcmR, sizeof(gcmR));
+}
+
#ifdef GCM_TABLES_USE_U64
static void
bshift (u64 * b0, u64 * b1)
@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM)
#define fillM(c) \
do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table)
#define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table)
+#define prefetch_tables(c) \
+ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table))
#else
@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf)
#define fillM(c) do { } while (0)
#define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf)
+#define prefetch_tables(c) do {} while (0)
#endif /* !GCM_USE_TABLES */
@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf,
const unsigned int blocksize = GCRY_GCM_BLOCK_LEN;
unsigned int burn = 0;
+ prefetch_tables (c);
+
while (nblocks)
{
burn = GHASH (c, result, buf);


@ -1,168 +0,0 @@
From a4c561aab1014c3630bc88faf6f5246fee16b020 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Fri, 31 May 2019 17:27:25 +0300
Subject: [PATCH] GCM: move look-up table to .data section and unshare between
processes
* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New.
(gcmR): Move to 'gcm_table' structure.
(gcm_table): New structure for look-up table with counters before and
after.
(gcmR): New macro.
(prefetch_table): Handle input with length not multiple of 256.
(do_prefetch_tables): Modify pre- and post-table counters to unshare
look-up table pages between processes.
--
GnuPG-bug-id: 4541
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
cipher/cipher-gcm.c | 106 +++++++++++++++++++++++++++++---------------
1 file changed, 70 insertions(+), 36 deletions(-)
diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
index 11f119aa..194e2ec9 100644
--- a/cipher/cipher-gcm.c
+++ b/cipher/cipher-gcm.c
@@ -30,6 +30,14 @@
#include "./cipher-internal.h"
+/* Helper macro to force alignment to 16 or 64 bytes. */
+#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
+# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
+#else
+# define ATTR_ALIGNED_64
+#endif
+
+
#ifdef GCM_USE_INTEL_PCLMUL
extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c);
@@ -83,40 +91,54 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf,
#ifdef GCM_USE_TABLES
-static const u16 gcmR[256] = {
- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
-};
+static struct
+{
+ volatile u32 counter_head;
+ u32 cacheline_align[64 / 4 - 1];
+ u16 R[256];
+ volatile u32 counter_tail;
+} gcm_table ATTR_ALIGNED_64 =
+ {
+ 0,
+ { 0, },
+ {
+ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
+ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
+ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
+ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
+ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
+ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
+ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
+ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
+ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
+ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
+ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
+ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
+ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
+ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
+ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
+ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
+ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
+ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
+ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
+ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
+ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
+ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
+ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
+ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
+ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
+ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
+ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
+ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
+ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
+ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
+ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
+ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
+ },
+ 0
+ };
+
+#define gcmR gcm_table.R
static inline
void prefetch_table(const void *tab, size_t len)
@@ -124,7 +146,7 @@ void prefetch_table(const void *tab, size_t len)
const volatile byte *vtab = tab;
size_t i;
- for (i = 0; i < len; i += 8 * 32)
+ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
{
(void)vtab[i + 0 * 32];
(void)vtab[i + 1 * 32];
@@ -135,6 +157,10 @@ void prefetch_table(const void *tab, size_t len)
(void)vtab[i + 6 * 32];
(void)vtab[i + 7 * 32];
}
+ for (; i < len; i += 32)
+ {
+ (void)vtab[i];
+ }
(void)vtab[len - 1];
}
@@ -142,8 +168,16 @@ void prefetch_table(const void *tab, size_t len)
static inline void
do_prefetch_tables (const void *gcmM, size_t gcmM_size)
{
+ /* Modify counters to trigger copy-on-write and unsharing if physical pages
+ * of look-up table are shared between processes. Modifying counters also
+ * causes checksums for pages to change and hint same-page merging algorithm
+ * that these pages are frequently changing. */
+ gcm_table.counter_head++;
+ gcm_table.counter_tail++;
+
+ /* Prefetch look-up tables to cache. */
prefetch_table(gcmM, gcmM_size);
- prefetch_table(gcmR, sizeof(gcmR));
+ prefetch_table(&gcm_table, sizeof(gcm_table));
}
#ifdef GCM_TABLES_USE_U64


@ -1,7 +1,7 @@
Index: libgcrypt-1.8.2/cipher/pubkey.c Index: libgcrypt-1.9.0/cipher/pubkey.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey.c --- libgcrypt-1.9.0.orig/cipher/pubkey.c
+++ libgcrypt-1.8.2/cipher/pubkey.c +++ libgcrypt-1.9.0/cipher/pubkey.c
@@ -384,6 +384,33 @@ _gcry_pk_decrypt (gcry_sexp_t *r_plain, @@ -384,6 +384,33 @@ _gcry_pk_decrypt (gcry_sexp_t *r_plain,
} }
@ -106,10 +106,10 @@ Index: libgcrypt-1.8.2/cipher/pubkey.c
/* /*
Test a key. Test a key.
Index: libgcrypt-1.8.2/cipher/pubkey-internal.h Index: libgcrypt-1.9.0/cipher/pubkey-internal.h
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey-internal.h --- libgcrypt-1.9.0.orig/cipher/pubkey-internal.h
+++ libgcrypt-1.8.2/cipher/pubkey-internal.h +++ libgcrypt-1.9.0/cipher/pubkey-internal.h
@@ -43,6 +43,8 @@ void _gcry_pk_util_free_encoding_ctx (st @@ -43,6 +43,8 @@ void _gcry_pk_util_free_encoding_ctx (st
gcry_err_code_t _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_err_code_t _gcry_pk_util_data_to_mpi (gcry_sexp_t input,
gcry_mpi_t *ret_mpi, gcry_mpi_t *ret_mpi,
@ -119,11 +119,11 @@ Index: libgcrypt-1.8.2/cipher/pubkey-internal.h
Index: libgcrypt-1.8.2/cipher/pubkey-util.c Index: libgcrypt-1.9.0/cipher/pubkey-util.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey-util.c --- libgcrypt-1.9.0.orig/cipher/pubkey-util.c
+++ libgcrypt-1.8.2/cipher/pubkey-util.c +++ libgcrypt-1.9.0/cipher/pubkey-util.c
@@ -1119,3 +1119,50 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i @@ -1158,3 +1158,50 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i
return rc; return rc;
} }
@ -174,11 +174,11 @@ Index: libgcrypt-1.8.2/cipher/pubkey-util.c
+ +
+ return rc; + return rc;
+} +}
Index: libgcrypt-1.8.2/src/g10lib.h Index: libgcrypt-1.9.0/src/g10lib.h
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/src/g10lib.h --- libgcrypt-1.9.0.orig/src/g10lib.h
+++ libgcrypt-1.8.2/src/g10lib.h +++ libgcrypt-1.9.0/src/g10lib.h
@@ -288,6 +288,10 @@ gpg_err_code_t _gcry_generate_fips186_3_ @@ -299,6 +299,10 @@ gpg_err_code_t _gcry_generate_fips186_3_
gpg_err_code_t _gcry_fips186_4_prime_check (const gcry_mpi_t x, gpg_err_code_t _gcry_fips186_4_prime_check (const gcry_mpi_t x,
unsigned int bits); unsigned int bits);
@ -189,10 +189,10 @@ Index: libgcrypt-1.8.2/src/g10lib.h
/* Replacements of missing functions (missing-string.c). */ /* Replacements of missing functions (missing-string.c). */
#ifndef HAVE_STPCPY #ifndef HAVE_STPCPY
Index: libgcrypt-1.8.2/src/visibility.c Index: libgcrypt-1.9.0/src/visibility.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/src/visibility.c --- libgcrypt-1.9.0.orig/src/visibility.c
+++ libgcrypt-1.8.2/src/visibility.c +++ libgcrypt-1.9.0/src/visibility.c
@@ -992,6 +992,18 @@ gcry_pk_decrypt (gcry_sexp_t *result, gc @@ -992,6 +992,18 @@ gcry_pk_decrypt (gcry_sexp_t *result, gc
} }
@ -228,11 +228,11 @@ Index: libgcrypt-1.8.2/src/visibility.c
gcry_pk_verify (gcry_sexp_t sigval, gcry_sexp_t data, gcry_sexp_t pkey) gcry_pk_verify (gcry_sexp_t sigval, gcry_sexp_t data, gcry_sexp_t pkey)
{ {
if (!fips_is_operational ()) if (!fips_is_operational ())
Index: libgcrypt-1.8.2/src/visibility.h Index: libgcrypt-1.9.0/src/visibility.h
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/src/visibility.h --- libgcrypt-1.9.0.orig/src/visibility.h
+++ libgcrypt-1.8.2/src/visibility.h +++ libgcrypt-1.9.0/src/visibility.h
@@ -357,8 +357,10 @@ MARK_VISIBLEX (_gcry_mpi_get_const) @@ -360,8 +360,10 @@ MARK_VISIBLEX (_gcry_mpi_get_const)
#define gcry_pk_get_param _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pk_get_param _gcry_USE_THE_UNDERSCORED_FUNCTION
#define gcry_pk_get_nbits _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pk_get_nbits _gcry_USE_THE_UNDERSCORED_FUNCTION
#define gcry_pk_map_name _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pk_map_name _gcry_USE_THE_UNDERSCORED_FUNCTION
@ -242,4 +242,4 @@ Index: libgcrypt-1.8.2/src/visibility.h
+#define gcry_pk_verify_md _gcry_USE_THE_UNDERSCORED_FUNCTION +#define gcry_pk_verify_md _gcry_USE_THE_UNDERSCORED_FUNCTION
#define gcry_pk_verify _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pk_verify _gcry_USE_THE_UNDERSCORED_FUNCTION
#define gcry_pubkey_get_sexp _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_pubkey_get_sexp _gcry_USE_THE_UNDERSCORED_FUNCTION
#define gcry_ecc_get_algo_keylen _gcry_USE_THE_UNDERSCORED_FUNCTION


@ -1,80 +1,46 @@
Index: libgcrypt-1.8.2/cipher/ecc.c Index: libgcrypt-1.9.0/cipher/ecc.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/ecc.c --- libgcrypt-1.9.0.orig/cipher/ecc.c
+++ libgcrypt-1.8.2/cipher/ecc.c +++ libgcrypt-1.9.0/cipher/ecc.c
@@ -99,7 +99,7 @@ static void *progress_cb_data; @@ -100,7 +100,7 @@ static void *progress_cb_data;
/* Local prototypes. */ /* Local prototypes. */
-static void test_keys (ECC_secret_key * sk, unsigned int nbits); -static void test_keys (mpi_ec_t ec, unsigned int nbits);
+static int test_keys (ECC_secret_key * sk, unsigned int nbits); +static int test_keys (mpi_ec_t ec, unsigned int nbits);
static void test_ecdh_only_keys (ECC_secret_key * sk, unsigned int nbits, int flags); static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
static unsigned int ecc_get_nbits (gcry_sexp_t parms); static unsigned int ecc_get_nbits (gcry_sexp_t parms);
@@ -152,6 +152,7 @@ nist_generate_key (ECC_secret_key *sk, e @@ -256,8 +256,10 @@ nist_generate_key (mpi_ec_t ec, int flag
gcry_random_level_t random_level; else if (ec->model == MPI_EC_MONTGOMERY)
gcry_mpi_t x, y; test_ecdh_only_keys (ec, ec->nbits - 63, flags);
const unsigned int pbits = mpi_get_nbits (E->p);
+ int free_skEname = 0;
point_init (&Q);
@@ -176,7 +177,6 @@ nist_generate_key (ECC_secret_key *sk, e
else else
sk->d = _gcry_dsa_gen_k (E->n, random_level); - test_keys (ec, ec->nbits - 64);
- -
/* Compute Q. */
_gcry_mpi_ec_mul_point (&Q, sk->d, &E->G, ctx);
@@ -190,6 +190,12 @@ nist_generate_key (ECC_secret_key *sk, e
point_set (&sk->E.G, &E->G);
sk->E.n = mpi_copy (E->n);
sk->E.h = mpi_copy (E->h);
+ if (E->name)
+ { + {
+ free_skEname = 1; + if (test_keys (ec, ec->nbits - 64))
+ sk->E.name = _gcry_xstrdup(E->name);
+ }
+
point_init (&sk->Q);
x = mpi_new (pbits);
@@ -261,10 +267,16 @@ nist_generate_key (ECC_secret_key *sk, e
if ((flags & PUBKEY_FLAG_NO_KEYTEST))
; /* User requested to skip the test. */
else if (sk->E.model != MPI_EC_MONTGOMERY)
- test_keys (sk, nbits - 64);
+ {
+ if (test_keys (sk, nbits - 64))
+ return GPG_ERR_BAD_SIGNATURE; + return GPG_ERR_BAD_SIGNATURE;
+ } + }
else
test_ecdh_only_keys (sk, nbits - 64, flags);
+ if (free_skEname)
+ xfree ((void*)sk->E.name);
+
return 0; return 0;
} }
@@ -275,9 +287,10 @@ nist_generate_key (ECC_secret_key *sk, e @@ -268,9 +270,10 @@ nist_generate_key (mpi_ec_t ec, int flag
* test if the information is recuperated. * test if the information is recuperated.
* Second, test with the sign and verify functions. * Second, test with the sign and verify functions.
*/ */
-static void -static void
+static int +static int
test_keys (ECC_secret_key *sk, unsigned int nbits) test_keys (mpi_ec_t ec, unsigned int nbits)
{ {
+ int result = -1; /* Default to failure. */ + int result = -1; /* Default to failure. */
ECC_public_key pk;
gcry_mpi_t test = mpi_new (nbits); gcry_mpi_t test = mpi_new (nbits);
mpi_point_struct R_; mpi_point_struct R_;
@@ -297,17 +310,190 @@ test_keys (ECC_secret_key *sk, unsigned gcry_mpi_t c = mpi_new (nbits);
@@ -285,23 +288,205 @@ test_keys (mpi_ec_t ec, unsigned int nbi
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM); _gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
- if (_gcry_ecc_ecdsa_sign (test, sk, r, s, 0, 0) ) - if (_gcry_ecc_ecdsa_sign (test, ec, r, s, 0, 0) )
- log_fatal ("ECDSA operation: sign failed\n"); - log_fatal ("ECDSA operation: sign failed\n");
+ /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2, + /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2,
+ * which requires full signature operation for PCT (hashing + + * which requires full signature operation for PCT (hashing +
@ -102,7 +68,7 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
+ xfree (buf); + xfree (buf);
+ buf = NULL; + buf = NULL;
- if (_gcry_ecc_ecdsa_verify (test, &pk, r, s)) - if (_gcry_ecc_ecdsa_verify (test, ec, r, s))
+ sexp_build (&s_hash, NULL, "(data (flags rfc6979)(hash-algo sha256))"); + sexp_build (&s_hash, NULL, "(data (flags rfc6979)(hash-algo sha256))");
+ +
+ /* Assemble the point Q from affine coordinates by simple + /* Assemble the point Q from affine coordinates by simple
@ -111,11 +77,10 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
+ gcry_mpi_t Qy = NULL; + gcry_mpi_t Qy = NULL;
+ Qx = mpi_new (0); + Qx = mpi_new (0);
+ Qy = mpi_new (0); + Qy = mpi_new (0);
+ ctx = _gcry_mpi_ec_p_internal_new (sk->E.model, sk->E.dialect, flags, + ctx = _gcry_mpi_ec_p_internal_new (ec->model, ec->dialect, flags,
+ sk->E.p, sk->E.a, sk->E.b); + ec->p, ec->a, ec->b);
+ if (_gcry_mpi_ec_get_affine (Qx, Qy, &(sk->Q), ctx)) + if (_gcry_mpi_ec_get_affine (Qx, Qy, ec->Q, ctx))
{ + {
- log_fatal ("ECDSA operation: sign, verify failed\n");
+ if (DBG_CIPHER) + if (DBG_CIPHER)
+ log_debug ("ecdh: Failed to get affine coordinates for Q\n"); + log_debug ("ecdh: Failed to get affine coordinates for Q\n");
+ } + }
@ -163,11 +128,11 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
+ xfree (rawqy); + xfree (rawqy);
+ +
+ /* build ECC private key sexp in s_skey */ + /* build ECC private key sexp in s_skey */
+ if (sk->E.name) + if (ec->name)
+ { + {
+ if (sexp_build (&s_skey, NULL, + if (sexp_build (&s_skey, NULL,
+ "(private-key (ecc (curve %s)(d %m)(q %b)))", + "(private-key (ecc (curve %s)(d %m)(q %b)))",
+ sk->E.name, sk->d, qlen, q)) + ec->name, ec->d, qlen, q))
+ { + {
+ if (DBG_CIPHER) + if (DBG_CIPHER)
+ log_debug ("ecc: Failed to build sexp for private key.\n"); + log_debug ("ecc: Failed to build sexp for private key.\n");
@ -178,16 +143,16 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
+ if (sexp_build (&s_skey, NULL, + if (sexp_build (&s_skey, NULL,
+ "(private-key" + "(private-key"
+ " (ecc (curve %s)(d %m)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))", + " (ecc (curve %s)(d %m)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))",
+ "NIST P-512", sk->d, sk->E.p, sk->E.a, sk->E.b, sk->E.n, sk->E.h, + "NIST P-512", ec->d, ec->p, ec->a, ec->b, ec->n, ec->h,
+ qlen, q)) + qlen, q))
+ { + {
+ if (DBG_CIPHER) + if (DBG_CIPHER)
+ log_debug ("ecc: Failed to build sexp for private key.\n"); + log_debug ("ecc: Failed to build sexp for private key.\n");
+ } + }
+ } + }
+
+ if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey)) + if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey))
+ { {
- log_fatal ("ECDSA operation: sign, verify failed\n");
+ if (DBG_CIPHER) + if (DBG_CIPHER)
+ log_debug ("ecc: gcry_pk_sign failed\n"); + log_debug ("ecc: gcry_pk_sign failed\n");
+ goto leave; + goto leave;
@ -210,10 +175,10 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
+ +
+ /* verify */ + /* verify */
+ /* build public key sexp in s_pkey */ + /* build public key sexp in s_pkey */
+ if (pk.E.name) + if (ec->name)
+ { + {
+ if (sexp_build (&s_pkey, NULL, + if (sexp_build (&s_pkey, NULL,
+ "(public-key (ecc (curve %s)(q %b)))", pk.E.name, qlen, q)) + "(public-key (ecc (curve %s)(q %b)))", ec->name, qlen, q))
+ { + {
+ if (DBG_CIPHER) + if (DBG_CIPHER)
+ log_debug ("ecc: Failed to build sexp for public key.\n"); + log_debug ("ecc: Failed to build sexp for public key.\n");
@ -224,7 +189,7 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
+ if (sexp_build (&s_pkey, NULL, + if (sexp_build (&s_pkey, NULL,
+ "(public-key" + "(public-key"
+ " (ecc (curve %s)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))", + " (ecc (curve %s)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))",
+ "NIST P-512", pk.E.p, pk.E.a, pk.E.b, pk.E.n, pk.E.h, qlen, q)) + "NIST P-512", ec->p, ec->a, ec->b, ec->n, ec->h, qlen, q))
+ { + {
+ if (DBG_CIPHER) + if (DBG_CIPHER)
+ log_debug ("ecc: Failed to build sexp for private key.\n"); + log_debug ("ecc: Failed to build sexp for private key.\n");
@ -263,10 +228,9 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
+ result = 0; /* The test succeeded. */ + result = 0; /* The test succeeded. */
+ leave: + leave:
point_free (&pk.Q); point_free (&R_);
_gcry_ecc_curve_free (&pk.E); mpi_free (s);
mpi_free (r);
@@ -317,6 +503,16 @@ test_keys (ECC_secret_key *sk, unsigned
mpi_free (out); mpi_free (out);
mpi_free (c); mpi_free (c);
mpi_free (test); mpi_free (test);
@ -283,10 +247,10 @@ Index: libgcrypt-1.8.2/cipher/ecc.c
} }
Index: libgcrypt-1.8.2/cipher/pubkey.c Index: libgcrypt-1.9.0/cipher/pubkey.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey.c --- libgcrypt-1.9.0.orig/cipher/pubkey.c
+++ libgcrypt-1.8.2/cipher/pubkey.c +++ libgcrypt-1.9.0/cipher/pubkey.c
@@ -390,6 +390,7 @@ calculate_hash (gcry_md_hd_t hd, gcry_se @@ -390,6 +390,7 @@ calculate_hash (gcry_md_hd_t hd, gcry_se
gcry_err_code_t rc; gcry_err_code_t rc;
const unsigned char *digest; const unsigned char *digest;
@ -318,10 +282,10 @@ Index: libgcrypt-1.8.2/cipher/pubkey.c
return rc; return rc;
} }
Index: libgcrypt-1.8.2/cipher/pubkey-internal.h Index: libgcrypt-1.9.0/cipher/pubkey-internal.h
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey-internal.h --- libgcrypt-1.9.0.orig/cipher/pubkey-internal.h
+++ libgcrypt-1.8.2/cipher/pubkey-internal.h +++ libgcrypt-1.9.0/cipher/pubkey-internal.h
@@ -45,6 +45,8 @@ gcry_err_code_t _gcry_pk_util_data_to_mp @@ -45,6 +45,8 @@ gcry_err_code_t _gcry_pk_util_data_to_mp
struct pk_encoding_ctx *ctx); struct pk_encoding_ctx *ctx);
gcry_err_code_t _gcry_pk_util_get_algo (gcry_sexp_t input, gcry_err_code_t _gcry_pk_util_get_algo (gcry_sexp_t input,
@ -331,11 +295,11 @@ Index: libgcrypt-1.8.2/cipher/pubkey-internal.h
Index: libgcrypt-1.8.2/cipher/pubkey-util.c Index: libgcrypt-1.9.0/cipher/pubkey-util.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey-util.c --- libgcrypt-1.9.0.orig/cipher/pubkey-util.c
+++ libgcrypt-1.8.2/cipher/pubkey-util.c +++ libgcrypt-1.9.0/cipher/pubkey-util.c
@@ -1120,6 +1120,40 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i @@ -1159,6 +1159,40 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i
return rc; return rc;
} }


@ -2,7 +2,7 @@ Index: libgcrypt-1.8.2/cipher/rsa.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/cipher/rsa.c --- libgcrypt-1.8.2.orig/cipher/rsa.c
+++ libgcrypt-1.8.2/cipher/rsa.c +++ libgcrypt-1.8.2/cipher/rsa.c
@@ -159,27 +159,103 @@ test_keys (RSA_secret_key *sk, unsigned @@ -159,22 +159,97 @@ test_keys (RSA_secret_key *sk, unsigned
/* Create another random plaintext as data for signature checking. */ /* Create another random plaintext as data for signature checking. */
_gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM); _gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
@ -112,12 +112,6 @@ Index: libgcrypt-1.8.2/cipher/rsa.c
leave: leave:
_gcry_mpi_release (signature); _gcry_mpi_release (signature);
_gcry_mpi_release (decr_plaintext); _gcry_mpi_release (decr_plaintext);
_gcry_mpi_release (ciphertext);
_gcry_mpi_release (plaintext);
+
return result;
}
@@ -1903,7 +1979,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc @@ -1903,7 +1979,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc
/* This sexp trickery is to prevent the use of blinding. /* This sexp trickery is to prevent the use of blinding.
* The flag doesn't get inherited by encr, so we have to * The flag doesn't get inherited by encr, so we have to
@ -127,11 +121,3 @@ Index: libgcrypt-1.8.2/cipher/rsa.c
memset(buf, 0, sizeof(buf)); memset(buf, 0, sizeof(buf));
err = _gcry_mpi_print (GCRYMPI_FMT_STD, buf, sizeof buf, NULL, ciphertext); err = _gcry_mpi_print (GCRYMPI_FMT_STD, buf, sizeof buf, NULL, ciphertext);
if (err) if (err)
@@ -2012,6 +2088,7 @@ selftests_rsa (selftest_report_func_t re
sexp_release (skey);
if (report)
report ("pubkey", GCRY_PK_RSA, what, errtxt);
+
return GPG_ERR_SELFTEST_FAILED;
}


@ -1,8 +1,8 @@
Index: libgcrypt-1.8.5/cipher/ecc.c Index: libgcrypt-1.9.0/cipher/ecc.c
=================================================================== ===================================================================
--- libgcrypt-1.8.5.orig/cipher/ecc.c --- libgcrypt-1.9.0.orig/cipher/ecc.c
+++ libgcrypt-1.8.5/cipher/ecc.c +++ libgcrypt-1.9.0/cipher/ecc.c
@@ -2060,11 +2060,11 @@ selftest_sign (gcry_sexp_t pkey, gcry_se @@ -1581,11 +1581,11 @@ selftest_sign (gcry_sexp_t pkey, gcry_se
{ {
/* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */ /* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
static const char sample_data[] = static const char sample_data[] =
@ -16,19 +16,19 @@ Index: libgcrypt-1.8.5/cipher/ecc.c
" (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915" " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
/**/ "62113d8a62add1bf#))"; /**/ "62113d8a62add1bf#))";
static const char signature_r[] = static const char signature_r[] =
Index: libgcrypt-1.8.5/cipher/ecc-ecdsa.c Index: libgcrypt-1.9.0/cipher/ecc-ecdsa.c
=================================================================== ===================================================================
--- libgcrypt-1.8.5.orig/cipher/ecc-ecdsa.c --- libgcrypt-1.9.0.orig/cipher/ecc-ecdsa.c
+++ libgcrypt-1.8.5/cipher/ecc-ecdsa.c +++ libgcrypt-1.9.0/cipher/ecc-ecdsa.c
@@ -52,6 +52,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, @@ -51,6 +51,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
mpi_ec_t ctx; unsigned int abits, qbits;
gcry_mpi_t b; /* Random number needed for blinding. */ gcry_mpi_t b; /* Random number needed for blinding. */
gcry_mpi_t bi; /* multiplicative inverse of B. */ gcry_mpi_t bi; /* multiplicative inverse of B. */
+ int with_blinding = !(flags & PUBKEY_FLAG_NO_BLINDING); + int with_blinding = !(flags & PUBKEY_FLAG_NO_BLINDING);
if (DBG_CIPHER) if (DBG_CIPHER)
log_mpidump ("ecdsa sign hash ", input ); log_mpidump ("ecdsa sign hash ", input );
@@ -65,12 +66,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, @@ -64,12 +65,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
b = mpi_snew (qbits); b = mpi_snew (qbits);
bi = mpi_snew (qbits); bi = mpi_snew (qbits);
@ -36,48 +36,47 @@ Index: libgcrypt-1.8.5/cipher/ecc-ecdsa.c
+ if (with_blinding) + if (with_blinding)
{ {
- _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM); - _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
- mpi_mod (b, b, skey->E.n); - mpi_mod (b, b, ec->n);
+ do + do
+ { + {
+ _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM); + _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
+ mpi_mod (b, b, skey->E.n); + mpi_mod (b, b, ec->n);
+ } + }
+ while (!mpi_invm (bi, b, skey->E.n)); + while (!mpi_invm (bi, b, ec->n));
} }
- while (!mpi_invm (bi, b, skey->E.n)); - while (!mpi_invm (bi, b, ec->n));
k = NULL; k = NULL;
dr = mpi_alloc (0); dr = mpi_alloc (0);
@@ -128,14 +132,25 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, @@ -126,14 +130,23 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
} }
while (!mpi_cmp_ui (r, 0)); while (!mpi_cmp_ui (r, 0));
- /* Computation of dr, sum, and s are blinded with b. */ - /* Computation of dr, sum, and s are blinded with b. */
- mpi_mulm (dr, b, skey->d, skey->E.n); - mpi_mulm (dr, b, ec->d, ec->n);
- mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n */ - mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */
- mpi_mulm (sum, b, hash, skey->E.n); - mpi_mulm (sum, b, hash, ec->n);
- mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n */ - mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */
- mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */
- /* Undo blinding by b^-1 */
- mpi_mulm (s, bi, s, ec->n);
+ if (!with_blinding) + if (!with_blinding)
+ { + {
+ mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n */ + mpi_mulm (dr, ec->d, r, ec->n); /* dr = d*r mod n */
+ mpi_addm (sum, hash, dr, skey->E.n); /* sum = hash + (d*r) mod n */ + mpi_addm (sum, hash, dr, ec->n); /* sum = hash + (d*r) mod n */
+ } + }
+ else + else
+ { + {
+ /* Computation of dr, sum, and s are blinded with b. */ + mpi_mulm (dr, b, ec->d, ec->n);
+ mpi_mulm (dr, b, skey->d, skey->E.n); + mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */
+ mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n */ + mpi_mulm (sum, b, hash, ec->n);
+ mpi_mulm (sum, b, hash, skey->E.n); + mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */
+ mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n */ + }
+ } + mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */
mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */
- /* Undo blinding by b^-1 */
- mpi_mulm (s, bi, s, skey->E.n);
+ if (with_blinding) + if (with_blinding)
+ { + {
+ /* Undo blinding by b^-1 */ + mpi_mulm (s, bi, s, ec->n); /* Undo blinding by b^-1 */
+ mpi_mulm (s, bi, s, skey->E.n); + }
+ }
} }
while (!mpi_cmp_ui (s, 0)); while (!mpi_cmp_ui (s, 0));


@ -1,13 +0,0 @@
Index: libgcrypt-1.8.2/cipher/rsa.c
===================================================================
--- libgcrypt-1.8.2.orig/cipher/rsa.c 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/cipher/rsa.c 2019-03-26 11:14:33.737388126 +0100
@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig
if (nbits < 1024 || (nbits & 0x1FF))
return GPG_ERR_INV_VALUE;
- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
+ if (fips_mode() && nbits != 2048 && nbits != 3072)
return GPG_ERR_INV_VALUE;
/* The random quality depends on the transient_key flag. */


@ -1,9 +1,9 @@
Index: libgcrypt-1.8.2/src/fips.c Index: libgcrypt-1.9.1/src/fips.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/src/fips.c 2020-04-16 21:15:01.633217969 +0200 --- libgcrypt-1.9.1.orig/src/fips.c
+++ libgcrypt-1.8.2/src/fips.c 2020-04-16 21:21:44.279376166 +0200 +++ libgcrypt-1.9.1/src/fips.c
@@ -651,7 +651,7 @@ get_library_path(const char *libname, co @@ -660,7 +660,7 @@ get_library_path(const char *libname, co
} #endif
static gpg_error_t static gpg_error_t
-get_hmac_path(char **fname) -get_hmac_path(char **fname)
@ -11,25 +11,25 @@ Index: libgcrypt-1.8.2/src/fips.c
{ {
char libpath[4096]; char libpath[4096];
gpg_error_t err; gpg_error_t err;
@@ -676,7 +676,7 @@ get_hmac_path(char **fname) @@ -685,7 +685,7 @@ get_hmac_path(char **fname)
p = *fname; p = *fname;
memmove (p+1, p, strlen (p)+1); memmove (p+1, p, strlen (p)+1);
*p = '.'; *p = '.';
- strcat (*fname, ".hmac"); - strcat (*fname, ".hmac");
+ strcat (*fname, suffix); + strcat (*fname, suffix);
err = 0; err = 0;
} }
} }
@@ -708,7 +708,7 @@ check_binary_integrity (void) @@ -717,7 +717,7 @@ check_binary_integrity (void)
else else
{ {
FILE *fp; FILE *fp;
- err = get_hmac_path(&fname); - err = get_hmac_path(&fname);
+ err = get_hmac_path(&fname, ".hmac"); + err = get_hmac_path(&fname, ".hmac");
if (!err) if (!err)
{ {
/* Open the file. */ /* Open the file. */
@@ -769,7 +769,7 @@ can_skip_selftests(void) @@ -779,7 +779,7 @@ can_skip_selftests(void)
if (fips_mode()) if (fips_mode())
return 0; return 0;
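Review bot: `strcat (*fname, suffix);` now appends a caller-supplied suffix into a buffer whose allocation is outside the hunk; when the appended text was the fixed `".hmac"` a fixed reserve sufficed, but with a variable suffix the allocation must reserve `strlen (suffix) + 2` bytes (the leading `'.'` inserted by the preceding memmove plus the terminator), or the copy should be length-checked, otherwise a longer suffix from a future caller overruns the buffer. The only visible caller still passes `".hmac"`, so this is a contract question rather than a live defect, and the new signature line itself is elided in this rendering. A comment on the function, e.g. `/* SUFFIX must fit the space reserved for it when *FNAME is allocated. */`, would make the precondition explicit. get_hmac_path's body continues outside the hunk.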


@ -13,7 +13,7 @@ Index: libgcrypt-1.6.1/tests/fipsdrv.c
static void static void
-run_dsa_sign (const void *data, size_t datalen, const char *keyfile) -run_dsa_sign (const void *data, size_t datalen, const char *keyfile)
+run_dsa_sign (const void *data, size_t datalen, +run_dsa_sign (const void *data, size_t datalen,
+ int hashalgo, const char *keyfile) + int hashalgo, const char *keyfile)
{ {
gpg_error_t err; gpg_error_t err;
@ -31,7 +31,7 @@ Index: libgcrypt-1.6.1/tests/fipsdrv.c
- gcry_md_hash_buffer (algo, hash, data, datalen); - gcry_md_hash_buffer (algo, hash, data, datalen);
+ if (hashalgo_len < algo_len) + if (hashalgo_len < algo_len)
+ algo_len = hashalgo_len; + algo_len = hashalgo_len;
+ +
+ gcry_md_hash_buffer (hashalgo, hash, data, datalen); + gcry_md_hash_buffer (hashalgo, hash, data, datalen);
err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,


@ -1,8 +1,9 @@
diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basic.c Index: libgcrypt-1.9.1/tests/basic.c
--- libgcrypt-1.8.4/tests/basic.c.tests-fipsmode 2018-04-17 17:29:40.000000000 +0200 ===================================================================
+++ libgcrypt-1.8.4/tests/basic.c 2019-02-12 13:30:48.935791024 +0100 --- libgcrypt-1.9.1.orig/tests/basic.c
@@ -6964,7 +6964,7 @@ check_ciphers (void) +++ libgcrypt-1.9.1/tests/basic.c
check_one_cipher (algos[i], GCRY_CIPHER_MODE_CTR, 0); @@ -9978,7 +9978,7 @@ check_ciphers (void)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_EAX, 0);
if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_CCM_BLOCK_LEN) if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_CCM_BLOCK_LEN)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_CCM, 0); check_one_cipher (algos[i], GCRY_CIPHER_MODE_CCM, 0);
- if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN) - if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN)
@ -10,7 +11,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi
check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0); check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0);
if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_OCB_BLOCK_LEN) if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_OCB_BLOCK_LEN)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_OCB, 0); check_one_cipher (algos[i], GCRY_CIPHER_MODE_OCB, 0);
@@ -7010,11 +7010,17 @@ check_cipher_modes(void) @@ -10025,12 +10025,18 @@ check_cipher_modes(void)
check_cfb_cipher (); check_cfb_cipher ();
check_ofb_cipher (); check_ofb_cipher ();
check_ccm_cipher (); check_ccm_cipher ();
@ -24,6 +25,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi
+ check_ocb_cipher (); + check_ocb_cipher ();
+ } + }
check_xts_cipher (); check_xts_cipher ();
check_eax_cipher ();
- check_gost28147_cipher (); - check_gost28147_cipher ();
+ if (!in_fips_mode) + if (!in_fips_mode)
+ { + {
@ -32,7 +34,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi
check_stream_cipher (); check_stream_cipher ();
check_stream_cipher_large_block (); check_stream_cipher_large_block ();
@@ -10001,7 +10007,7 @@ check_mac (void) @@ -13383,7 +13389,7 @@ check_mac (void)
show_mac_not_available (algos[i].algo); show_mac_not_available (algos[i].algo);
continue; continue;
} }
@ -41,16 +43,16 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi
{ {
if (verbose) if (verbose)
fprintf (stderr, " algorithm %d not available in fips mode\n", fprintf (stderr, " algorithm %d not available in fips mode\n",
@@ -11095,8 +11101,6 @@ main (int argc, char **argv) @@ -14508,8 +14514,6 @@ main (int argc, char **argv)
/* If we are in fips mode do some more tests. */ /* If we are in fips mode do some more tests. */
gcry_md_hd_t md; gcry_md_hd_t md;
- /* First trigger a self-test. */ - /* First trigger a self-test. */
- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); - xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0));
if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0))
fail ("not in operational state after self-test\n"); fail ("not in operational state after self-test\n");
@@ -11121,15 +11125,6 @@ main (int argc, char **argv) @@ -14534,15 +14538,6 @@ main (int argc, char **argv)
gcry_md_close (md); gcry_md_close (md);
if (gcry_control (GCRYCTL_OPERATIONAL_P, 0)) if (gcry_control (GCRYCTL_OPERATIONAL_P, 0))
fail ("expected error state but still in operational state\n"); fail ("expected error state but still in operational state\n");
@ -58,7 +60,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi
- { - {
- /* Now run a self-test and to get back into - /* Now run a self-test and to get back into
- operational state. */ - operational state. */
- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); - xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0));
- if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) - if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0))
- fail ("did not reach operational after error " - fail ("did not reach operational after error "
- "and self-test\n"); - "and self-test\n");
@ -66,26 +68,28 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi
} }
} }
diff -up libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode libgcrypt-1.8.4/tests/benchmark.c Index: libgcrypt-1.9.1/tests/benchmark.c
--- libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode 2019-02-12 11:31:44.859603883 +0100 ===================================================================
+++ libgcrypt-1.8.4/tests/benchmark.c 2019-02-12 14:10:40.271999352 +0100 --- libgcrypt-1.9.1.orig/tests/benchmark.c
@@ -872,8 +872,10 @@ cipher_bench ( const char *algoname ) +++ libgcrypt-1.9.1/tests/benchmark.c
|| (blklen == 1 && modes[modeidx].mode != GCRY_CIPHER_MODE_STREAM)) @@ -943,8 +943,10 @@ cipher_bench ( const char *algoname )
&& algo != GCRY_CIPHER_CHACHA20)
continue; continue;
- if (modes[modeidx].req_blocksize > 0 - if (modes[modeidx].req_blocksize > 0
- && blklen != modes[modeidx].req_blocksize) - && blklen != modes[modeidx].req_blocksize)
+ if ((modes[modeidx].req_blocksize > 0 + if ((modes[modeidx].req_blocksize > 0
+ && blklen != modes[modeidx].req_blocksize) + && blklen != modes[modeidx].req_blocksize)
+ || (in_fips_mode + || (in_fips_mode
+ && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM)) + && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM))
{ {
printf (" %7s %7s", "-", "-" ); printf (" %7s %7s", "-", "-" );
continue; continue;
diff -up libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode libgcrypt-1.8.4/tests/bench-slope.c Index: libgcrypt-1.9.1/tests/bench-slope.c
--- libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 ===================================================================
+++ libgcrypt-1.8.4/tests/bench-slope.c 2019-02-12 14:14:33.618763325 +0100 --- libgcrypt-1.9.1.orig/tests/bench-slope.c
@@ -1338,7 +1338,7 @@ cipher_bench_one (int algo, struct bench +++ libgcrypt-1.9.1/tests/bench-slope.c
@@ -1573,7 +1573,7 @@ cipher_bench_one (int algo, struct bench
return; return;
/* GCM has restrictions for block-size */ /* GCM has restrictions for block-size */
@ -94,9 +98,10 @@ diff -up libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode libgcrypt-1.8.4/test
return; return;
/* XTS has restrictions for block-size */ /* XTS has restrictions for block-size */
diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pubkey.c Index: libgcrypt-1.9.1/tests/pubkey.c
--- libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 ===================================================================
+++ libgcrypt-1.8.4/tests/pubkey.c 2019-02-12 13:52:25.658746415 +0100 --- libgcrypt-1.9.1.orig/tests/pubkey.c
+++ libgcrypt-1.9.1/tests/pubkey.c
@@ -504,15 +504,30 @@ get_dsa_key_with_domain_new (gcry_sexp_t @@ -504,15 +504,30 @@ get_dsa_key_with_domain_new (gcry_sexp_t
rc = gcry_sexp_new rc = gcry_sexp_new
(&key_spec, (&key_spec,
@ -137,39 +142,27 @@ diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pub
")))", 0, 1); ")))", 0, 1);
if (rc) if (rc)
die ("error creating S-expression: %s\n", gcry_strerror (rc)); die ("error creating S-expression: %s\n", gcry_strerror (rc));
@@ -595,7 +610,7 @@ get_dsa_key_fips186_with_seed_new (gcry_ @@ -596,7 +611,7 @@ get_dsa_key_fips186_with_seed_new (gcry_
" (use-fips186)" " (use-fips186)"
" (transient-key)" " (transient-key)"
" (derive-parms" " (derive-parms"
- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))", - " (seed #f770a4598ff756931fc529764513b103ce57d85f4ad8c5cf297c9b4d48241c5b#))))",
+ " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))", + " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))",
0, 1); 0, 1);
if (rc) if (rc)
die ("error creating S-expression: %s\n", gcry_strerror (rc)); die ("error creating S-expression: %s\n", gcry_strerror (rc));
diff -up libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode libgcrypt-1.8.4/tests/t-cv25519.c Index: libgcrypt-1.9.1/tests/t-secmem.c
--- libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 ===================================================================
+++ libgcrypt-1.8.4/tests/t-cv25519.c 2019-02-12 14:02:35.935705390 +0100 --- libgcrypt-1.9.1.orig/tests/t-secmem.c
@@ -560,6 +560,9 @@ main (int argc, char **argv) +++ libgcrypt-1.9.1/tests/t-secmem.c
xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ /* Curve25519 isn't supported in fips mode */
+ if (gcry_fips_mode_active())
+ return 77;
start_timer ();
check_cv25519 ();
diff -up libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode libgcrypt-1.8.4/tests/t-secmem.c
--- libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode 2017-11-23 19:19:54.000000000 +0100
+++ libgcrypt-1.8.4/tests/t-secmem.c 2019-02-12 11:51:02.462190538 +0100
@@ -174,7 +174,8 @@ main (int argc, char **argv) @@ -174,7 +174,8 @@ main (int argc, char **argv)
xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0));
xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
xgcry_control (GCRYCTL_INIT_SECMEM, pool_size, 0); xgcry_control ((GCRYCTL_INIT_SECMEM, pool_size, 0));
- gcry_set_outofcore_handler (outofcore_handler, NULL); - gcry_set_outofcore_handler (outofcore_handler, NULL);
+ if (!gcry_fips_mode_active ()) + if (!gcry_fips_mode_active ())
+ gcry_set_outofcore_handler (outofcore_handler, NULL); + gcry_set_outofcore_handler (outofcore_handler, NULL);
xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
/* Libgcrypt prints a warning when the first overflow is allocated; /* Libgcrypt prints a warning when the first overflow is allocated;
@@ -184,7 +185,8 @@ main (int argc, char **argv) @@ -184,7 +185,8 @@ main (int argc, char **argv)


@ -1,7 +1,7 @@
Index: libgcrypt-1.8.2/src/global.c Index: libgcrypt-1.9.1/src/global.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/src/global.c 2020-04-16 21:13:28.252717330 +0200 --- libgcrypt-1.9.1.orig/src/global.c
+++ libgcrypt-1.8.2/src/global.c 2020-04-16 21:13:47.960822991 +0200 +++ libgcrypt-1.9.1/src/global.c
@@ -86,7 +86,7 @@ static gpg_err_code_t external_lock_test @@ -86,7 +86,7 @@ static gpg_err_code_t external_lock_test
likely to be called at startup. The suggested way for an likely to be called at startup. The suggested way for an
application to make sure that this has been called is by using application to make sure that this has been called is by using
@ -45,11 +45,11 @@ Index: libgcrypt-1.8.2/src/global.c
/* This function is called by the macro fips_is_operational and makes /* This function is called by the macro fips_is_operational and makes
sure that the minimal initialization has been done. This is far sure that the minimal initialization has been done. This is far
from a perfect solution and hides problems with an improper from a perfect solution and hides problems with an improper
Index: libgcrypt-1.8.2/src/fips.c Index: libgcrypt-1.9.1/src/fips.c
=================================================================== ===================================================================
--- libgcrypt-1.8.2.orig/src/fips.c 2020-04-16 21:13:28.252717330 +0200 --- libgcrypt-1.9.1.orig/src/fips.c
+++ libgcrypt-1.8.2/src/fips.c 2020-04-16 21:14:44.781127616 +0200 +++ libgcrypt-1.9.1/src/fips.c
@@ -125,6 +125,7 @@ void @@ -124,6 +124,7 @@ void
_gcry_initialize_fips_mode (int force) _gcry_initialize_fips_mode (int force)
{ {
static int done; static int done;
@ -57,48 +57,33 @@ Index: libgcrypt-1.8.2/src/fips.c
/* Make sure we are not accidentally called twice. */ /* Make sure we are not accidentally called twice. */
if (done) if (done)
@@ -214,6 +215,23 @@ _gcry_initialize_fips_mode (int force) @@ -213,6 +214,23 @@ _gcry_initialize_fips_mode (int force)
/* Yes, we are in FIPS mode. */ /* Yes, we are in FIPS mode. */
FILE *fp; FILE *fp;
+ /* Intitialize the lock to protect the FSM. */ + /* Intitialize the lock to protect the FSM. */
+ err = gpgrt_lock_init (&fsm_lock); + err = gpgrt_lock_init (&fsm_lock);
+ if (err) + if (err)
+ { + {
+ /* If that fails we can't do anything but abort the + /* If that fails we can't do anything but abort the
+ process. We need to use log_info so that the FSM won't + * process. We need to use log_info so that the FSM won't
+ get involved. */ + * get involved. */
+ log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n", + log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n",
+ gpg_strerror (err)); + gpg_strerror (err));
+#ifdef HAVE_SYSLOG +#ifdef HAVE_SYSLOG
+ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " + syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
+ "creating FSM lock failed: %s - abort", + "creating FSM lock failed: %s - abort",
+ gpg_strerror (err)); + gpg_strerror (err));
+#endif /*HAVE_SYSLOG*/ +#endif /*HAVE_SYSLOG*/
+ abort (); + abort ();
+ } + }
+ +
/* If the FIPS force files exists, is readable and has a number /* If the FIPS force files exists, is readable and has a number
!= 0 on its first line, we enable the enforced fips mode. */ != 0 on its first line, we enable the enforced fips mode. */
fp = fopen (FIPS_FORCE_FILE, "r"); fp = fopen (FIPS_FORCE_FILE, "r");
@@ -614,10 +632,10 @@ get_library_path(const char *libname, co @@ -641,6 +659,39 @@ get_library_path(const char *libname, co
void *dl, *sym;
int rv = -1;
- dl = dlopen(libname, RTLD_LAZY);
- if (dl == NULL) {
- return -1;
- }
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
sym = dlsym(dl, symbolname);
@@ -632,6 +650,39 @@ get_library_path(const char *libname, co
return rv;
} }
#endif
+static gpg_error_t +static gpg_error_t
+get_hmac_path(char **fname) +get_hmac_path(char **fname)
@ -112,23 +97,23 @@ Index: libgcrypt-1.8.2/src/fips.c
+ { + {
+ *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 ); + *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
+ if (!*fname) + if (!*fname)
+ err = gpg_error_from_syserror (); + err = gpg_error_from_syserror ();
+ else + else
+ { + {
+ char *p; + char *p;
+ +
+ /* Prefix the basename with a dot. */ + /* Prefix the basename with a dot. */
+ strcpy (*fname, libpath); + strcpy (*fname, libpath);
+ p = strrchr (*fname, '/'); + p = strrchr (*fname, '/');
+ if (p) + if (p)
+ p++; + p++;
+ else + else
+ p = *fname; + p = *fname;
+ memmove (p+1, p, strlen (p)+1); + memmove (p+1, p, strlen (p)+1);
+ *p = '.'; + *p = '.';
+ strcat (*fname, ".hmac"); + strcat (*fname, ".hmac");
+ err = 0; + err = 0;
+ } + }
+ } + }
+ return err; + return err;
+} +}
@ -136,7 +121,7 @@ Index: libgcrypt-1.8.2/src/fips.c
/* Run an integrity check on the binary. Returns 0 on success. */ /* Run an integrity check on the binary. Returns 0 on success. */
static int static int
check_binary_integrity (void) check_binary_integrity (void)
@@ -656,25 +707,10 @@ check_binary_integrity (void) @@ -665,25 +716,10 @@ check_binary_integrity (void)
err = gpg_error (GPG_ERR_INTERNAL); err = gpg_error (GPG_ERR_INTERNAL);
else else
{ {
@ -144,7 +129,10 @@ Index: libgcrypt-1.8.2/src/fips.c
- if (!fname) - if (!fname)
- err = gpg_error_from_syserror (); - err = gpg_error_from_syserror ();
- else - else
- { + FILE *fp;
+ err = get_hmac_path(&fname);
+ if (!err)
{
- FILE *fp; - FILE *fp;
- char *p; - char *p;
- -
@ -159,14 +147,10 @@ Index: libgcrypt-1.8.2/src/fips.c
- *p = '.'; - *p = '.';
- strcat (fname, ".hmac"); - strcat (fname, ".hmac");
- -
+ FILE *fp;
+ err = get_hmac_path(&fname);
+ if (!err)
+ {
/* Open the file. */ /* Open the file. */
fp = fopen (fname, "r"); fp = fopen (fname, "r");
if (!fp) if (!fp)
@@ -725,6 +761,33 @@ check_binary_integrity (void) @@ -734,6 +770,33 @@ check_binary_integrity (void)
#endif #endif
} }
@ -200,18 +184,18 @@ Index: libgcrypt-1.8.2/src/fips.c
/* Run the self-tests. If EXTENDED is true, extended versions of the /* Run the self-tests. If EXTENDED is true, extended versions of the
selftest are run, that is more tests than required by FIPS. */ selftest are run, that is more tests than required by FIPS. */
@@ -733,26 +795,13 @@ _gcry_fips_run_selftests (int extended) @@ -742,26 +805,13 @@ _gcry_fips_run_selftests (int extended)
{ {
enum module_states result = STATE_ERROR; enum module_states result = STATE_ERROR;
gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED; gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
- int in_poweron; - int in_poweron;
-
- lock_fsm (); - lock_fsm ();
- in_poweron = (current_state == STATE_POWERON); - in_poweron = (current_state == STATE_POWERON);
- unlock_fsm (); - unlock_fsm ();
- -
- fips_new_state (STATE_SELFTEST); - fips_new_state (STATE_SELFTEST);
-
- /* We first check the integrity of the binary. - /* We first check the integrity of the binary.
- If run from the constructor we are in POWERON state, - If run from the constructor we are in POWERON state,
- we return and finish the remaining selftests before - we return and finish the remaining selftests before
@ -231,8 +215,8 @@ Index: libgcrypt-1.8.2/src/fips.c
if (run_cipher_selftests (extended)) if (run_cipher_selftests (extended))
goto leave; goto leave;
@@ -762,6 +811,9 @@ _gcry_fips_run_selftests (int extended) @@ -774,6 +824,9 @@ _gcry_fips_run_selftests (int extended)
if (run_mac_selftests (extended)) if (run_kdf_selftests (extended))
goto leave; goto leave;
+ if (check_binary_integrity ()) + if (check_binary_integrity ())
@ -241,7 +225,7 @@ Index: libgcrypt-1.8.2/src/fips.c
/* Run random tests before the pubkey tests because the latter /* Run random tests before the pubkey tests because the latter
require random. */ require random. */
if (run_random_selftests ()) if (run_random_selftests ())
@@ -775,7 +827,8 @@ _gcry_fips_run_selftests (int extended) @@ -787,7 +840,8 @@ _gcry_fips_run_selftests (int extended)
ec = 0; ec = 0;
leave: leave:
@ -251,7 +235,7 @@ Index: libgcrypt-1.8.2/src/fips.c
return ec; return ec;
} }
@@ -831,7 +884,6 @@ fips_new_state (enum module_states new_s @@ -843,7 +897,6 @@ fips_new_state (enum module_states new_s
{ {
case STATE_POWERON: case STATE_POWERON:
if (new_state == STATE_INIT if (new_state == STATE_INIT
@ -259,7 +243,7 @@ Index: libgcrypt-1.8.2/src/fips.c
|| new_state == STATE_ERROR || new_state == STATE_ERROR
|| new_state == STATE_FATALERROR) || new_state == STATE_FATALERROR)
ok = 1; ok = 1;
@@ -846,8 +898,6 @@ fips_new_state (enum module_states new_s @@ -858,8 +911,6 @@ fips_new_state (enum module_states new_s
case STATE_SELFTEST: case STATE_SELFTEST:
if (new_state == STATE_OPERATIONAL if (new_state == STATE_OPERATIONAL
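Review bot: In get_hmac_path the buffer size `*fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );` hard-codes the length of the `".hmac"` literal that the `strcat` further down appends, and nothing in the hunk ties the two together; the commit message says a suffix variable is now used correctly, but the lines of this function visible here still carry the literal, and the lines between the signature and the opening brace are cut out by the hunk header, so whichever form lives there is what the size should be derived from. If a suffix constant exists, `strlen (libpath) + 1 + strlen (<suffix constant>) + 1` keeps allocation and append in lockstep; otherwise a comment on the allocation, `/* libpath + leading '.' + ".hmac" + NUL */`, at least documents the arithmetic. A mismatch here would be a heap overflow on the FIPS integrity-check path, which is why the coupling is worth making explicit.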


@ -1,23 +0,0 @@
From: mvyskocil@suse.cz
Subject: unresolved dladdr symbol
When linking with --as-needed, some symbols are ommited. Add a DL_LIBS for
dladdr symbol to fix the issue.
References: bnc#701267
https://bugzilla.novell.com/show_bug.cgi?id=701267
Original-name: libgcrypt-1.5.0-as-needed.patch
Index: libgcrypt-1.5.2/src/Makefile.am
===================================================================
--- libgcrypt-1.5.2.orig/src/Makefile.am
+++ libgcrypt-1.5.2/src/Makefile.am
@@ -110,7 +110,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
../cipher/libcipher.la \
../random/librandom.la \
../mpi/libmpi.la \
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) $(DL_LIBS)
dumpsexp_SOURCES = dumpsexp.c


@ -1,3 +1,92 @@
-------------------------------------------------------------------
Tue Feb 2 01:06:47 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.9.1
* *Fix exploitable bug* in hash functions introduced with
1.9.0. [bsc#1181632, CVE-2021-3345]
* Return an error if a negative MPI is used with sexp scan
functions.
* Check for operational FIPS in the random and KDF functions.
* Fix compile error on ARMv7 with NEON disabled.
* Fix self-test in KDF module.
* Improve assembler checks for better LTO support.
* Fix 32-bit cross build on x86.
* Fix non-NEON ARM assembly implementation for SHA512.
* Fix build problems with the cipher_bulk_ops_t typedef.
* Fix Ed25519 private key handling for preceding ZEROs.
* Fix overflow in modular inverse implementation.
* Fix register access for AVX/AVX2 implementations of Blake2.
* Add optimized cipher and hash functions for s390x/zSeries.
* Use hardware bit counting functionx when available.
* Update DSA functions to match FIPS 186-3.
* New self-tests for CMACs and KDFs.
* Add bulk cipher functions for OFB and GCM modes.
- Update libgpg-error required version
-------------------------------------------------------------------
Tue Feb 1 12:03:31 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Use the suffix variable correctly in get_hmac_path()
- Rebase libgcrypt-fips_selftest_trigger_file.patch
-------------------------------------------------------------------
Mon Jan 25 12:38:35 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Add the global config file /etc/gcrypt/random.conf
* This file can be used to globally change parameters of the random
generator with the options: only-urandom and disable-jent.
-------------------------------------------------------------------
Thu Jan 21 15:42:15 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.9.0:
New stable branch of Libgcrypt with full API and ABI compatibility
to the 1.8 series. Release-info: https://dev.gnupg.org/T4294
* New and extended interfaces:
- New curves Ed448, X448, and SM2.
- New cipher mode EAX.
- New cipher algo SM4.
- New hash algo SM3.
- New hash algo variants SHA512/224 and SHA512/256.
- New MAC algos for Blake-2 algorithms, the new SHA512 variants,
SM3, SM4 and for a GOST variant.
- New convenience function gcry_mpi_get_ui.
- gcry_sexp_extract_param understands new format specifiers to
directly store to integers and strings.
- New function gcry_ecc_mul_point and curve constants for Curve448
and Curve25519.
- New function gcry_ecc_get_algo_keylen.
- New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the
secure memory area.
* Performance optimizations and bug fixes: See Release-info.
* Other features:
- Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519.
- Add mitigation against ECC timing attack CVE-2019-13627.
- Internal cleanup of the ECC implementation.
- Support reading EC point in compressed format for some curves.
- Rebase patches:
* libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
* libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
* libgcrypt-1.6.1-use-fipscheck.patch
* drbg_test.patch
* libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
* libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
* libgcrypt-1.8.4-fips-keygen.patch
* libgcrypt-1.8.4-getrandom.patch
* libgcrypt-fix-tests-fipsmode.patch
* libgcrypt-global_init-constructor.patch
* libgcrypt-ecc-ecdsa-no-blinding.patch
* libgcrypt-PCT-RSA.patch
* libgcrypt-PCT-ECC.patch
- Remove patches:
* libgcrypt-unresolved-dladdr.patch
* libgcrypt-CVE-2019-12904-GCM-Prefetch.patch
* libgcrypt-CVE-2019-12904-GCM.patch
* libgcrypt-CVE-2019-12904-AES.patch
* libgcrypt-CMAC-AES-TDES-selftest.patch
* libgcrypt-1.6.1-fips-cfgrandom.patch
* libgcrypt-fips_rsa_no_enforced_mode.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Oct 24 10:25:13 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de> Sat Oct 24 10:25:13 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>


@ -1,7 +1,7 @@
# #
# spec file for package libgcrypt # spec file for package libgcrypt
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2021 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@
%define libsoname %{name}%{libsover} %define libsoname %{name}%{libsover}
%define cavs_dir %{_libexecdir}/%{name}/cavs %define cavs_dir %{_libexecdir}/%{name}/cavs
Name: libgcrypt Name: libgcrypt
Version: 1.8.7 Version: 1.9.1
Release: 0 Release: 0
Summary: The GNU Crypto Library Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@ -31,67 +31,55 @@ URL: https://directory.fsf.org/wiki/Libgcrypt
Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2 Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
Source2: baselibs.conf Source2: baselibs.conf
Source4: %{name}.keyring
# https://www.gnupg.org/signature_key.en.html # https://www.gnupg.org/signature_key.en.html
Source4: libgcrypt.keyring
# cavs test framework # cavs test framework
Source5: cavs-test.sh Source5: cavs-test.sh
Source6: cavs_driver.pl Source6: cavs_driver.pl
Source99: %{name}.changes Source7: random.conf
Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch Source99: libgcrypt.changes
Patch4: %{name}-sparcv9.diff Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS) Patch2: libgcrypt-sparcv9.diff
#was: libgcrypt-1.5.0-as-needed.patch
Patch5: libgcrypt-unresolved-dladdr.patch
#PATCH-FIX-SUSE: N/A #PATCH-FIX-SUSE: N/A
Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
Patch12: libgcrypt-1.6.1-use-fipscheck.patch Patch4: libgcrypt-1.6.1-use-fipscheck.patch
Patch13: libgcrypt-1.6.1-fips-cavs.patch Patch5: libgcrypt-1.6.1-fips-cavs.patch
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine Patch6: libgcrypt-fix-rng.patch
Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch
Patch28: libgcrypt-fix-rng.patch
#PATCH-FIX-SUSE add FIPS CAVS test app for DRBG #PATCH-FIX-SUSE add FIPS CAVS test app for DRBG
Patch30: drbg_test.patch Patch7: drbg_test.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch Patch8: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch Patch9: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
Patch39: libgcrypt-1.8.3-fips-ctor.patch Patch10: libgcrypt-1.8.3-fips-ctor.patch
Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch Patch11: libgcrypt-1.8.4-use_xfree.patch
Patch43: libgcrypt-1.8.4-use_xfree.patch Patch12: libgcrypt-1.8.4-allow_FSM_same_state.patch
Patch44: libgcrypt-1.8.4-allow_FSM_same_state.patch Patch13: libgcrypt-1.8.4-getrandom.patch
Patch45: libgcrypt-1.8.4-getrandom.patch Patch14: libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
#PATCH-FIX-UPSTREAM bsc#1138939 CVE-2019-12904 C implementation of AES is
#vulnerable to a flush-and-reload side-channel attack
Patch46: libgcrypt-CVE-2019-12904-GCM-Prefetch.patch
Patch47: libgcrypt-CVE-2019-12904-GCM.patch
Patch48: libgcrypt-CVE-2019-12904-AES.patch
Patch49: libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
#PATCH-FIX-SUSE bsc#1155338 bsc#1155338 FIPS: CMAC AES and TDES self tests missing
Patch50: libgcrypt-CMAC-AES-TDES-selftest.patch
#PATCH-FIX-SUSE Fix test in FIPS mode #PATCH-FIX-SUSE Fix test in FIPS mode
Patch51: libgcrypt-dsa-rfc6979-test-fix.patch Patch15: libgcrypt-dsa-rfc6979-test-fix.patch
Patch52: libgcrypt-fix-tests-fipsmode.patch Patch16: libgcrypt-fix-tests-fipsmode.patch
#PATCH-FIX-SUSE bsc#1155337 FIPS: RSA/DSA/ECDSA are missing hashing operation #PATCH-FIX-SUSE bsc#1155337 FIPS: RSA/DSA/ECDSA are missing hashing operation
Patch53: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch Patch17: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
#PATCH-FIX-SUSE bsc#1161220 FIPS: libgcrypt RSA siggen/keygen: 4k not supported #PATCH-FIX-SUSE bsc#1161220 FIPS: libgcrypt RSA siggen/keygen: 4k not supported
Patch54: libgcrypt-1.8.4-fips-keygen.patch Patch18: libgcrypt-1.8.4-fips-keygen.patch
#PATCH-FIX-SUSE bsc#1164950 Run self-tests from the constructor #PATCH-FIX-SUSE bsc#1164950 Run self-tests from the constructor
Patch55: libgcrypt-invoke-global_init-from-constructor.patch Patch19: libgcrypt-invoke-global_init-from-constructor.patch
#PATCH-FIX-SUSE bsc#1164950 Restore the self-tests from the constructor #PATCH-FIX-SUSE bsc#1164950 Restore the self-tests from the constructor
Patch56: libgcrypt-Restore-self-tests-from-constructor.patch Patch20: libgcrypt-Restore-self-tests-from-constructor.patch
Patch57: libgcrypt-FIPS-GMAC_AES-benckmark.patch Patch21: libgcrypt-FIPS-GMAC_AES-benckmark.patch
Patch58: libgcrypt-global_init-constructor.patch Patch22: libgcrypt-global_init-constructor.patch
Patch59: libgcrypt-random_selftests-testentropy.patch Patch23: libgcrypt-random_selftests-testentropy.patch
Patch60: libgcrypt-rsa-no-blinding.patch Patch24: libgcrypt-rsa-no-blinding.patch
Patch61: libgcrypt-ecc-ecdsa-no-blinding.patch Patch25: libgcrypt-ecc-ecdsa-no-blinding.patch
#PATCH-FIX-SUSE bsc#1165539 FIPS: Use the new signature operation in PCT #PATCH-FIX-SUSE bsc#1165539 FIPS: Use the new signature operation in PCT
Patch62: libgcrypt-PCT-RSA.patch Patch26: libgcrypt-PCT-RSA.patch
Patch63: libgcrypt-PCT-DSA.patch Patch27: libgcrypt-PCT-DSA.patch
Patch64: libgcrypt-PCT-ECC.patch Patch28: libgcrypt-PCT-ECC.patch
Patch65: libgcrypt-fips_selftest_trigger_file.patch Patch29: libgcrypt-fips_selftest_trigger_file.patch
BuildRequires: automake >= 1.14 BuildRequires: automake >= 1.14
BuildRequires: fipscheck BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.25 BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -128,7 +116,7 @@ License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: %{libsoname} = %{version} Requires: %{libsoname} = %{version}
Requires: glibc-devel Requires: glibc-devel
Requires: libgpg-error-devel >= 1.13 Requires: libgpg-error-devel >= 1.27
Requires(post): %{install_info_prereq} Requires(post): %{install_info_prereq}
%description devel %description devel
@ -156,7 +144,7 @@ Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: %{libsoname} = %{version} Requires: %{libsoname} = %{version}
Requires: libgpg-error-devel Requires: libgpg-error-devel >= 1.27
Requires(post): %{install_info_prereq} Requires(post): %{install_info_prereq}
%description hmac256 %description hmac256
@ -165,7 +153,7 @@ blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt. understanding of applied cryptography is required to use Libgcrypt.
%endif # #if separate_hmac256_binary %endif
%prep %prep
%setup -q %setup -q
@ -223,6 +211,10 @@ mv %{buildroot}%{_bindir}/drbg_test %{buildroot}%{cavs_dir}
touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips
%endif %endif
# Create /etc/gcrypt directory and install random.conf
mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
%post -n %{libsoname} -p /sbin/ldconfig %post -n %{libsoname} -p /sbin/ldconfig
%postun -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig
%post devel %post devel
@ -234,14 +226,16 @@ touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips
%files -n %{libsoname} %files -n %{libsoname}
%license COPYING.LIB %license COPYING.LIB
%{_libdir}/%{name}.so.* %{_libdir}/%{name}.so.*
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%if 0%{?build_hmac256} %if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.*.hmac %{_libdir}/.libgcrypt.so.*.hmac
%endif # %%if 0%%{?build_hmac256} %endif
%files -n %{libsoname}-hmac %files -n %{libsoname}-hmac
%if 0%{?build_hmac256} %if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.*.fips %{_libdir}/.libgcrypt.so.*.fips
%endif # %%if 0%%{?build_hmac256} %endif
%files devel %files devel
%license COPYING COPYING.LIB %license COPYING COPYING.LIB
@ -257,7 +251,7 @@ touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips
%if 0%{?separate_hmac256_binary} %if 0%{?separate_hmac256_binary}
%files hmac256 %files hmac256
%endif # %%if 0%%{?separate_hmac256_binary} %endif
%{_bindir}/hmac256 %{_bindir}/hmac256
%{_bindir}/.hmac256.hmac %{_bindir}/.hmac256.hmac
%doc %{_mandir}/man1/hmac256.1* %doc %{_mandir}/man1/hmac256.1*
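Review bot: The comment at the install step, `# Create /etc/gcrypt directory and install random.conf`, says what is done but not that the shipped file (Source7) has `only-urandom` uncommented, so the package switches every libgcrypt consumer on the system to the non-blocking source by default, whereas the changelog entry presents the file only as something that "can be used" to change the generator's parameters. `%config(noreplace)` keeps a local edit across upgrades, which is right for such a knob, but an administrator reading the spec cannot see that a default was chosen for them. Suggest extending the comment to `# Install random.conf (Source7); it ships with only-urandom enabled, so libgcrypt uses the non-blocking source system-wide` and wording the changelog entry to match.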

random.conf Normal file

@ -0,0 +1,9 @@
# This file can be used to globally change parameters of
# the random generator. Supported options are:
# Always use the non-blocking /dev/urandom or the respective
# system call instead of the blocking /dev/random.
only-urandom
# Disable the use of the jitter based entropy generator.
#disable-jent