diff --git a/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff b/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff new file mode 100644 index 0000000..d9cb968 --- /dev/null +++ b/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff @@ -0,0 +1,27 @@ +From: draht@suse.com +Subject: LIBGCRYPT_FORCE_FIPS_MODE env + +environ LIBGCRYPT_FORCE_FIPS_MODE forces FIPS mode of libgcrypt + +Index: libgcrypt-1.5.2/src/fips.c +=================================================================== +--- libgcrypt-1.5.2.orig/src/fips.c ++++ libgcrypt-1.5.2/src/fips.c +@@ -123,6 +123,17 @@ _gcry_initialize_fips_mode (int force) + goto leave; + } + ++ /* for convenience, so that a process can run fips-enabled, but ++ not necessarily all of them, enable FIPS mode via environment ++ variable LIBGCRYPT_FORCE_FIPS_MODE. */ ++ ++ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL) ++ { ++ gcry_assert (!no_fips_mode_required); ++ goto leave; ++ } ++ ++ + /* For testing the system it is useful to override the system + provided detection of the FIPS mode and force FIPS mode using a + file. The filename is hardwired so that there won't be any diff --git a/libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff b/libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff new file mode 100644 index 0000000..e430f46 --- /dev/null +++ b/libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff @@ -0,0 +1,161 @@ +From: draht@suse.com +Subject: /etc/gcrypt/rngseed symlink + +logic error in evaluation of routine to open /dev/{u,}random or +/etc/gcrypt/rngseed (open_device()) causes abort() in cases where +do_randomize(nbytes, level) is called with level == 1 +(GCRY_STRONG_RANDOM). + +References: bnc#724841 +https://bugzilla.novell.com/show_bug.cgi?id=724841 + +--- + random/random-csprng.c | 2 +- + random/random-fips.c | 10 +++++----- + random/rndlinux.c | 48 ++++++++++++++++++++++++++++++++++++++++++------ + 3 files changed, 48 insertions(+), 12 deletions(-) + +Index: libgcrypt-1.5.2/random/random-csprng.c +=================================================================== +--- libgcrypt-1.5.2.orig/random/random-csprng.c ++++ libgcrypt-1.5.2/random/random-csprng.c +@@ -827,7 +827,7 @@ read_seed_file (void) + * entropy drivers, however the rndlinux driver will use + * /dev/urandom and return some stuff - Do not read too much as we + * want to be friendly to the scare system entropy resource. */ +- read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM ); ++ read_random_source ( RANDOM_ORIGIN_INIT, 16, -1 ); + + allow_seed_file_update = 1; + return 1; +Index: libgcrypt-1.5.2/random/random-fips.c +=================================================================== +--- libgcrypt-1.5.2.orig/random/random-fips.c ++++ libgcrypt-1.5.2/random/random-fips.c +@@ -27,10 +27,10 @@ + There are 3 random context which map to the different levels of + random quality: + +- Generator Seed and Key Kernel entropy (init/reseed) +- ------------------------------------------------------------ +- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits +- GCRY_STRONG_RANDOM /dev/random 256/128 bits ++ Generator Seed and Key Kernel entropy (init/reseed) ++ --------------------------------------------------------------------------------------- ++ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits ++ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits + gcry_create_nonce GCRY_STRONG_RANDOM n/a + + All random generators return their data in 128 bit blocks. If the +@@ -562,7 +562,7 @@ get_entropy (size_t nbytes) + #if USE_RNDLINUX + rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, + X931_AES_KEYLEN, +- GCRY_VERY_STRONG_RANDOM); ++ -1); + #elif USE_RNDW32 + do + { +Index: libgcrypt-1.5.2/random/rndlinux.c +=================================================================== +--- libgcrypt-1.5.2.orig/random/rndlinux.c ++++ libgcrypt-1.5.2/random/rndlinux.c +@@ -36,7 +36,8 @@ + #include "g10lib.h" + #include "rand-internal.h" + +-static int open_device ( const char *name ); ++static int open_device ( const char *name, int fatal ); ++#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed" + + + static int +@@ -57,13 +58,17 @@ set_cloexec_flag (int fd) + * Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)). + */ + static int +-open_device ( const char *name ) ++open_device ( const char *name, int fatal) + { + int fd; + + fd = open ( name, O_RDONLY ); + if ( fd == -1 ) +- log_fatal ("can't open %s: %s\n", name, strerror(errno) ); ++ { ++ if (fatal) ++ log_fatal ("can't open %s: %s\n", name, strerror(errno) ); ++ return fd; ++ } + + if (set_cloexec_flag (fd)) + log_error ("error setting FD_CLOEXEC on fd %d: %s\n", +@@ -92,10 +97,12 @@ _gcry_rndlinux_gather_random (void (*add + { + static int fd_urandom = -1; + static int fd_random = -1; ++ static int fd_configured = -1; + int fd; + int n; + byte buffer[768]; + size_t n_hw; ++ size_t orig_length = length; + size_t want = length; + size_t last_so_far = 0; + int any_need_entropy = 0; +@@ -110,16 +117,42 @@ _gcry_rndlinux_gather_random (void (*add + length -= n_hw; + + /* Open the requested device. */ ++ ++ /* Clarification: path how "level == -1" comes about: ++ gcry_random_bytes( ... , GCRY_STRONG_RANDOM) (public) -> ++ do_randomize(buffer, nbytes, level) -> ++ _gcry_rngcsprng_randomize(buffer, length, level) -> ++ read_pool (p, n, level) -> ++ read_seed_file(), ++ random_poll() -> ++ read_random_source(..., ..., GCRY_STRONG_RANDOM), ++ read_random_source(... , ..., , -1 ) (note: -1) -> ++ slow_gather_fnc(..., ..., ..., level) ++ function pointer set by getfnc_gather_random() to ++ _gcry_rndlinux_gather_random() , which is here. ++ */ ++ ++ ++ if (level == -1) ++ { ++ if (fd_configured == -1) ++ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 ); ++ fd = fd_configured; ++ if (fd == -1) ++ level = 1; ++ } ++ ++ + if (level >= 2) + { + if( fd_random == -1 ) +- fd_random = open_device ( NAME_OF_DEV_RANDOM ); ++ fd_random = open_device ( NAME_OF_DEV_RANDOM, 1 ); + fd = fd_random; + } +- else ++ else if (level != -1) + { + if( fd_urandom == -1 ) +- fd_urandom = open_device ( NAME_OF_DEV_URANDOM ); ++ fd_urandom = open_device ( NAME_OF_DEV_URANDOM, 1 ); + fd = fd_urandom; + } + +@@ -187,6 +220,9 @@ _gcry_rndlinux_gather_random (void (*add + } + memset(buffer, 0, sizeof(buffer) ); + ++ if (level == -1) ++ _gcry_rndlinux_gather_random(add, origin, orig_length, 1); ++ + if (any_need_entropy) + _gcry_random_progress ("need_entropy", 'X', (int)want, (int)want); + diff --git a/libgcrypt-unresolved-dladdr.patch b/libgcrypt-unresolved-dladdr.patch new file mode 100644 index 0000000..7a2f8a3 --- /dev/null +++ b/libgcrypt-unresolved-dladdr.patch @@ -0,0 +1,23 @@ +From: mvyskocil@suse.cz +Subject: unresolved dladdr symbol + +When linking with --as-needed, some symbols are ommited. Add a DL_LIBS for +dladdr symbol to fix the issue. + +References: bnc#701267 +https://bugzilla.novell.com/show_bug.cgi?id=701267 +Original-name: libgcrypt-1.5.0-as-needed.patch + +Index: libgcrypt-1.5.2/src/Makefile.am +=================================================================== +--- libgcrypt-1.5.2.orig/src/Makefile.am ++++ libgcrypt-1.5.2/src/Makefile.am +@@ -110,7 +110,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ + ../cipher/libcipher.la \ + ../random/librandom.la \ + ../mpi/libmpi.la \ +- ../compat/libcompat.la $(GPG_ERROR_LIBS) ++ ../compat/libcompat.la $(GPG_ERROR_LIBS) $(DL_LIBS) + + + dumpsexp_SOURCES = dumpsexp.c diff --git a/libgcrypt.changes b/libgcrypt.changes index f3dc780..e2496f0 100644 --- a/libgcrypt.changes +++ b/libgcrypt.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Jul 25 09:15:43 UTC 2013 - mvyskocil@suse.com + +- port SLE enhancenments to Factory (bnc#831028) + * add libgcrypt-unresolved-dladdr.patch (bnc#701267) + * add libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff (bnc#724841) + * add libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff +- install .hmac256.hmac (bnc#704068) +- enable varuous new options in configure (m-guard, hmac binary check and + random device linux) +- build with all ciphers, pubkeys and digest by default as whitelist + simply allowed them all + ------------------------------------------------------------------- Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com @@ -6,7 +19,7 @@ Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com ------------------------------------------------------------------- Sun Jun 16 22:56:56 UTC 2013 - crrodriguez@opensuse.org -- Library must by built with large file support in +- Library must be built with large file support in 32 bit archs. ------------------------------------------------------------------- diff --git a/libgcrypt.spec b/libgcrypt.spec index 6155185..2074062 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -16,8 +16,13 @@ # -Name: libgcrypt +%define build_hmac256 1 +%define separate_hmac256_binary 0 + %define libsoname %{name}11 +%define sosuffix 11.8.1 + +Name: libgcrypt Url: http://directory.fsf.org/wiki/Libgcrypt Version: 1.5.2 Release: 0 @@ -33,10 +38,18 @@ Patch0: %{name}-ppc64.patch Patch1: %{name}-strict-aliasing.patch Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch Patch4: %{name}-sparcv9.diff +#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS) +#was: libgcrypt-1.5.0-as-needed.patch +Patch5: libgcrypt-unresolved-dladdr.patch +#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine +Patch6: libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff +#PATCH-FIX-SUSE: N/A +Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: automake >= 1.11 BuildRequires: libgpg-error-devel >= 1.8 BuildRequires: libtool +# not for base packages to avoid huge cycles #BuildRequires: gpg-offline %description @@ -49,14 +62,6 @@ understanding of applied cryptography is required to use Libgcrypt. Summary: The GNU Crypto Library License: GPL-2.0+ and LGPL-2.1+ Group: Development/Libraries/C and C++ -# bug437293 -%ifarch ppc64 -Obsoletes: %{name}-64bit -%endif -# -# libgcrypt last used in 10.3 -Obsoletes: %{name} < %{version} -Provides: %{name} = %{version} %description -n %{libsoname} Libgcrypt is a general purpose crypto library based on the code used in @@ -69,11 +74,6 @@ Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} Requires: glibc-devel Requires: libgpg-error-devel >= 1.8 -# bug437293 -%ifarch ppc64 -Obsoletes: %{name}-devel-64bit -%endif -# PreReq: %install_info_prereq %description devel @@ -85,41 +85,76 @@ understanding of applied cryptography is required to use Libgcrypt. This package contains needed files to compile and link against the library. +%if 0%{?separate_hmac256_binary} + +%package hmac256 +Summary: The GNU Crypto Library +License: GPL-2.0+ and LGPL-2.1+ +Group: Development/Libraries/C and C++ +Requires: libgcrypt11 = %version +Requires: libgpg-error-devel +PreReq: %install_info_prereq + +%description hmac256 +Libgcrypt is a general purpose library of cryptographic building +blocks. It is originally based on code used by GnuPG. It does not +provide any implementation of OpenPGP or other protocols. Thorough +understanding of applied cryptography is required to use Libgcrypt. + +%endif # #if separate_hmac256_binary + %prep %setup -q -n %{name}-%{version} %patch0 -p1 %patch1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build -# define ciphers to build -ENABLE_CIPHER="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea" -ENABLE_PUBKEY="dsa elgamal rsa ecc" -ENABLE_DIGEST="crc md4 md5 rmd160 sha1 sha256 sha512 tiger whirlpool" -# +echo building with build_hmac256 set to %{build_hmac256} %{?suse_update_config} autoreconf -fi export CFLAGS="%optflags $(getconf LFS_CFLAGS)" %configure --with-pic \ --enable-noexecstack \ --disable-static \ + --enable-m-guard \ %ifarch %sparc --disable-asm \ %endif - --enable-ciphers="$ENABLE_CIPHER" \ - --enable-pubkey-ciphers="$ENABLE_PUBKEY" \ - --enable-digests="$ENABLE_DIGEST" + --enable-hmac-binary-check \ + --enable-random=linux %{__make} %{?_smp_mflags} +%if 0%{?build_hmac256} +# this is a hack that re-defines the __os_install_post macro +# for a simple reason: the macro strips the binaries and thereby +# invalidates a HMAC that may have been created earlier. +# solution: create the hashes _after_ the macro runs. +# +# this shows up earlier because otherwise the %expand of +# the macro is too late. +%{expand:%%global __os_install_post {%__os_install_post + +%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \ + < %{buildroot}/%{_bindir}/hmac256 > %{buildroot}/%{_bindir}/.hmac256.hmac +%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \ + < %{buildroot}/%{_libdir}/libgcrypt.so.%{sosuffix} > %{buildroot}/%{_libdir}/.libgcrypt.so.11.hmac +}} +%endif + %check # Nice idea. however this uses /dev/random, which hangs # on hardware without random feeds. -#make check +# so lets not run it inside OBS +# make check %install make DESTDIR=$RPM_BUILD_ROOT install -# + rm %{buildroot}%{_libdir}/%{name}.la %post -n %{libsoname} -p /sbin/ldconfig @@ -140,6 +175,9 @@ rm %{buildroot}%{_libdir}/%{name}.la %defattr(-,root,root) %doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO %{_libdir}/%{name}.so.11* +%if 0%{?build_hmac256} +%{_libdir}/.libgcrypt.so.11.hmac +%endif # %if 0%{?build_hmac256} %files devel %defattr(-,root,root) @@ -147,10 +185,16 @@ rm %{buildroot}%{_libdir}/%{name}.la %_infodir/gcrypt.info-1.gz %_infodir/gcrypt.info-2.gz %_bindir/dumpsexp -%_bindir/hmac256 %_bindir/%{name}-config %_libdir/%{name}.so %_includedir/gcrypt*.h %_datadir/aclocal/%{name}.m4 +%if 0%{?separate_hmac256_binary} + +%files hmac256 +%defattr(-,root,root) +%endif # %if 0%{?separate_hmac256_binary} +%{_bindir}/hmac256 +%{_bindir}/.hmac256.hmac %changelog