Accepting request 247239 from home:vitezslav_cizek:branches:devel:libraries:c_c++

- fix an issue in DRBG patchset
  * size_t type is 32-bit on 32-bit systems
- fix a potential NULL pointer deference in DRBG patchset
  * patches from https://bugs.g10code.com/gnupg/issue1701
- added v9-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
- added v9-0007-User-interface-to-DRBG.patch
- removed v7-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
- removed v7-0007-User-interface-to-DRBG.patch
- add a subpackage for CAVS testing
  * add cavs_driver.pl and cavs-test.sh from the kernel cavs package
  * added drbg_test.patch

OBS-URL: https://build.opensuse.org/request/show/247239
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=61

0001-SP800-90A-Deterministic-Random-Bit-Generator.patch.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bfa2d8bbd979682e3e33455481daeec820fd02b556bdfa8a69a890f20ab9cea1
-size 16119

cavs-test.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# This is the driver script around the actual FIPS testing
+# Written by: Stephan Müller <sm@atsec.com>
+# (c) atsec information security corporation
+
+# The easiest way to perform the cipher compliance testing
+# is the following:
+#
+# 1. patch/compile/copy the openssl binary with the patch if necessary
+#    (old versions hang when running the MC test if unpatched)
+#
+# 2. unpack the test vector ZIP file to a local dir
+#
+# 3. set PATH in a way that cavs_driver.pl is found
+#
+# 4. go to the local dir where you unzipped the test vector archive and execute
+#    $0 
+#
+# 5. send atsec the prepared CAVS_results-*.zip archive found in the same dir
+
+DATE=$(date +%Y%m%d)
+ARCH=$(uname -m)
+PATH=$PATH:$(pwd)
+
+# test interface to be used
+# can be overridden by passing an argument to this script
+# possible values are:
+#	openssl     OpenSSL (default)
+#	libgcrypt   Libgcrypt
+#	cryptoapi   Kernel
+INTERFACE="libgcrypt"
+
+if [ "$1" == "-I" -a -n "$2" ]; then
+	INTERFACE="$2"
+fi
+
+for i in $(find ./ -name "*.req");
+do
+(
+	cd $(dirname $i) || exit 1
+
+	# We have to see whether we check on DSA based on path name
+	echo $(dirname $i) | if [ ! $(grep -v DSA) ]; then
+		/usr/lib/libgcrypt/cavs_driver.pl -I $INTERFACE -D $(basename $i)
+	else
+		/usr/lib/libgcrypt/cavs_driver.pl -I $INTERFACE $(basename $i)
+	fi
+
+
+	# for CAVS, we have path/req/<testvectors>
+	# and want to have the responses in path/resp/*.rsp
+	if [ $(basename $(dirname $i)) = "req" ]; then
+		mkdir ../resp > /dev/null 2>&1
+		outfile="$(basename $i .req).rsp"
+		mv "$outfile" ../resp/
+	fi
+) &
+done
+wait
+zip -r CAVS_results-$ARCH-$DATE.zip $(find ./ -name "*.rsp")

libgcrypt.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Mon Sep  1 10:57:06 UTC 2014 - vcizek@suse.com
+
+- fix an issue in DRBG patchset
+  * size_t type is 32-bit on 32-bit systems
+- fix a potential NULL pointer deference in DRBG patchset
+  * patches from https://bugs.g10code.com/gnupg/issue1701
+- added v9-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
+- added v9-0007-User-interface-to-DRBG.patch
+- removed v7-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
+- removed v7-0007-User-interface-to-DRBG.patch
+- add a subpackage for CAVS testing
+  * add cavs_driver.pl and cavs-test.sh from the kernel cavs package
+  * added drbg_test.patch
+
 -------------------------------------------------------------------
 Tue Aug 12 07:43:19 UTC 2014 - meissner@suse.com
 

libgcrypt.spec

@@ -32,6 +32,9 @@ Source1:        ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.
 Source2:        baselibs.conf
 # http://www.gnupg.org/signature_key.en.html
 Source4:        %{name}.keyring
+# cavs test framework
+Source5:        cavs-test.sh
+Source6:        cavs_driver.pl
 Patch0:         %{name}-ppc64.patch
 Patch1:         %{name}-strict-aliasing.patch
 Patch3:         %{name}-1.4.1-rijndael_no_strict_aliasing.patch
@@ -49,15 +52,16 @@ Patch13:        libgcrypt-1.6.1-fips-cavs.patch
 #PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
 Patch14:        libgcrypt-1.6.1-fips-cfgrandom.patch
 # add support for SP800-90A DRBG (fate#316929, bnc#856312)
-Patch21:        0001-SP800-90A-Deterministic-Random-Bit-Generator.patch.bz2
+Patch21:        v9-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
 Patch22:        0002-Compile-DRBG.patch
 Patch23:        0003-Function-definitions-of-interfaces-for-random.c.patch
 Patch24:        0004-Invoke-DRBG-from-common-libgcrypt-RNG-code.patch
 Patch25:        0005-Function-definitions-for-gcry_control-callbacks.patch
 Patch26:        0006-DRBG-specific-gcry_control-requests.patch
-Patch27:        0007-User-interface-to-DRBG.patch
+Patch27:        v9-0007-User-interface-to-DRBG.patch
 Patch28:        libgcrypt-fix-rng.patch
 Patch29:        libgcrypt-init-at-elf-load-fips.patch
+Patch30:        drbg_test.patch
 BuildRequires:  automake >= 1.11
 BuildRequires:  libgpg-error-devel >= 1.11
 BuildRequires:  libtool
@@ -65,8 +69,6 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version} > 1310
 BuildRequires:  fipscheck
 %endif
-# not for base packages to avoid huge cycles
-#BuildRequires:  gpg-offline
 
 %description
 Libgcrypt is a general purpose library of cryptographic building
@@ -111,6 +113,16 @@ understanding of applied cryptography is required to use Libgcrypt.
 This package contains needed files to compile and link against the
 library.
 
+%package cavs
+Summary:        The GNU Crypto Library
+License:        GFDL-1.1 and GPL-2.0+ and LGPL-2.1+ and MIT
+Group:          Development/Libraries/C and C++
+Requires:       %{libsoname} = %{version}
+Requires:       %{libsoname}-hmac
+
+%description cavs
+CAVS testing framework for libgcrypt
+
 %if 0%{?separate_hmac256_binary}
 
 %package hmac256
@@ -150,6 +162,7 @@ understanding of applied cryptography is required to use Libgcrypt.
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
 %endif
 %patch13 -p1
 %patch14 -p1
@@ -207,6 +220,12 @@ fipshmac src/.libs/libgcrypt.so.??
 make DESTDIR=%{buildroot} install %{?_smp_mflags}
 
 rm %{buildroot}%{_libdir}/%{name}.la
+# cavs
+install -m 0755 -d %{buildroot}/%{_libexecdir}/%{name}
+install -m 0755 %{SOURCE5} %{buildroot}/%{_libexecdir}/%{name}
+install -m 0755 %{SOURCE6} %{buildroot}/%{_libexecdir}/%{name}
+mv %{buildroot}%{_bindir}/fipsdrv %{buildroot}/%{_libexecdir}/%{name}
+mv %{buildroot}%{_bindir}/drbg_test %{buildroot}/%{_libexecdir}/%{name}
 
 %post -n %{libsoname} -p /sbin/ldconfig
 
@@ -255,4 +274,8 @@ rm %{buildroot}%{_libdir}/%{name}.la
 %{_bindir}/.hmac256.hmac
 %doc %{_mandir}/man1/hmac256.1*
 
+%files cavs
+%defattr(-,root,root)
+%{_libexecdir}/%{name}
+
 %changelog

v9-0007-User-interface-to-DRBG.patch

@@ -1,15 +1,58 @@
-Changes v4:
+From 581c850aa7ac63086a489480efa4cc0bf8cfd510 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Thu, 21 Aug 2014 21:26:27 +0200
+Subject: [PATCH v9 7/7] User interface to DRBG
 
- * add explicit type casting from void to unsigned char as reported
-   in https://bugzilla.novell.com/show_bug.cgi?id=877233
+DRBG Usage
+==========
+The SP 800-90A DRBG allows the user to specify a personalization string
+for initialization as well as an additional information string for each
+random number request. The following code fragments show how a caller
+uses the kernel crypto API to use the full functionality of the DRBG.
 
-Signed-off-by: Stephan Mueller <smueller at chronox.de>
+Usage without any additional data
+---------------------------------
+gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
+
+Usage with personalization string during initialization
+-------------------------------------------------------
+struct drbg_string pers;
+
+drbg_string_fill(&pers, "string", strlen("string"));
+// The reset completely re-initializes the DRBG with the provided
+// personalization string without changing the DRBG type
+ret = gcry_control(GCRYCTL_DRBG_REINIT, 0, &pers, NULL);
+gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
+
+Usage with additional information string during random number request
+---------------------------------------------------------------------
+struct drbg_string addtl;
+
+drbg_string_fill(&addtl, "string", strlen("string"));
+// The following call is a wrapper to gcry_randomize() and returns
+// the same error codes.
+gcry_randomize_drbg(outbuf, OUTLEN, GCRY_STRONG_RANDOM, &addtl);
+
+Usage with personalization and additional information strings
+-------------------------------------------------------------
+Just mix both scenarios above.
+
+Switch the DRBG type to some other type
+---------------------------------------
+// Switch to CTR DRBG AES-128 without prediction resistance
+ret = gcry_control(GCRYCTL_DRBG_REINIT, DRBG_NOPR_CTRAES128, NULL, NULL);
+gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
+
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
 ---
-diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
-index c84a3f7..569d7a0 100644
---- a/src/gcrypt.h.in
-+++ b/src/gcrypt.h.in
-@@ -193,7 +193,7 @@ gcry_error_t gcry_err_make_from_errno (gcry_err_source_t source, int err);
+ src/gcrypt.h.in | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 144 insertions(+), 13 deletions(-)
+
+Index: libgcrypt-1.6.1/src/gcrypt.h.in
+===================================================================
+--- libgcrypt-1.6.1.orig/src/gcrypt.h.in	2014-01-29 10:49:05.000000000 +0100
++++ libgcrypt-1.6.1/src/gcrypt.h.in	2014-09-02 13:45:42.439648231 +0200
+@@ -193,7 +193,7 @@ gcry_error_t gcry_err_make_from_errno (g
  /* Return an error value with the system error ERR.  */
  gcry_err_code_t gcry_error_from_errno (int err);
  
@@ -36,24 +79,17 @@ index c84a3f7..569d7a0 100644
  
  /* Check that the library fulfills the version requirement.  */
  const char *gcry_check_version (const char *req_version);
-@@ -329,13 +329,14 @@ enum gcry_ctl_cmds
+@@ -329,7 +329,8 @@ enum gcry_ctl_cmds
      GCRYCTL_SET_CCM_LENGTHS = 69,
      GCRYCTL_CLOSE_RANDOM_DEVICE = 70,
      GCRYCTL_INACTIVATE_FIPS_FLAG = 71,
 -    GCRYCTL_REACTIVATE_FIPS_FLAG = 72
 +    GCRYCTL_REACTIVATE_FIPS_FLAG = 72,
-+    GCRYCTL_DRBG_REINIT = 73,
++    GCRYCTL_DRBG_REINIT = 74,
    };
  
  /* Perform various operations defined by CMD. */
- gcry_error_t gcry_control (enum gcry_ctl_cmds CMD, ...);
- 
--
-+
- /* S-expression management. */
- 
- /* The object to represent an S-expression as used with the public key
-@@ -477,7 +478,7 @@ gpg_error_t gcry_sexp_extract_param (gcry_sexp_t sexp,
+@@ -477,7 +478,7 @@ gpg_error_t gcry_sexp_extract_param (gcr
                                       const char *list,
                                       ...) _GCRY_GCC_ATTR_SENTINEL(0);
  
@@ -71,7 +107,7 @@ index c84a3f7..569d7a0 100644
  /************************************
   *                                  *
   *   Symmetric Cipher Functions     *
-@@ -1015,7 +1016,7 @@ size_t gcry_cipher_get_algo_blklen (int algo);
+@@ -1015,7 +1016,7 @@ size_t gcry_cipher_get_algo_blklen (int
  #define gcry_cipher_test_algo(a) \
              gcry_cipher_algo_info( (a), GCRYCTL_TEST_ALGO, NULL, NULL )
  
@@ -80,7 +116,7 @@ index c84a3f7..569d7a0 100644
  /************************************
   *                                  *
   *    Asymmetric Cipher Functions   *
-@@ -1114,7 +1115,7 @@ gcry_sexp_t gcry_pk_get_param (int algo, const char *name);
+@@ -1114,7 +1115,7 @@ gcry_sexp_t gcry_pk_get_param (int algo,
  gcry_error_t gcry_pubkey_get_sexp (gcry_sexp_t *r_sexp,
                                     int mode, gcry_ctx_t ctx);
  
@@ -89,7 +125,7 @@ index c84a3f7..569d7a0 100644
  
  /************************************
   *                                  *
-@@ -1291,7 +1292,7 @@ void gcry_md_debug (gcry_md_hd_t hd, const char *suffix);
+@@ -1291,7 +1292,7 @@ void gcry_md_debug (gcry_md_hd_t hd, con
  #define gcry_md_get_asnoid(a,b,n) \
              gcry_md_algo_info((a), GCRYCTL_GET_ASNOID, (b), (n))
  
@@ -98,7 +134,7 @@ index c84a3f7..569d7a0 100644
  
  /**********************************************
   *                                            *
-@@ -1411,7 +1412,7 @@ int gcry_mac_map_name (const char *name) _GCRY_GCC_ATTR_PURE;
+@@ -1407,7 +1408,7 @@ int gcry_mac_map_name (const char *name)
  #define gcry_mac_test_algo(a) \
              gcry_mac_algo_info( (a), GCRYCTL_TEST_ALGO, NULL, NULL )
  
@@ -107,7 +143,7 @@ index c84a3f7..569d7a0 100644
  /******************************
   *                            *
   *  Key Derivation Functions  *
-@@ -1439,7 +1440,7 @@ gpg_error_t gcry_kdf_derive (const void *passphrase, size_t passphraselen,
+@@ -1435,7 +1436,7 @@ gpg_error_t gcry_kdf_derive (const void
  
  
  
@@ -116,7 +152,7 @@ index c84a3f7..569d7a0 100644
  /************************************
   *                                  *
   *   Random Generating Functions    *
-@@ -1508,7 +1509,7 @@ void gcry_create_nonce (void *buffer, size_t length);
+@@ -1504,7 +1505,7 @@ void gcry_create_nonce (void *buffer, si
  
  
  
@@ -125,7 +161,7 @@ index c84a3f7..569d7a0 100644
  /*******************************/
  /*                             */
  /*    Prime Number Functions   */
-@@ -1567,7 +1568,7 @@ void gcry_prime_release_factors (gcry_mpi_t *factors);
+@@ -1563,7 +1564,7 @@ void gcry_prime_release_factors (gcry_mp
  gcry_error_t gcry_prime_check (gcry_mpi_t x, unsigned int flags);
  
  
@@ -134,7 +170,7 @@ index c84a3f7..569d7a0 100644
  /************************************
   *                                  *
   *     Miscellaneous Stuff          *
-@@ -1672,6 +1673,136 @@ int gcry_is_secure (const void *a) _GCRY_GCC_ATTR_PURE;
+@@ -1668,6 +1669,136 @@ int gcry_is_secure (const void *a) _GCRY
  /* Return true if Libgcrypt is in FIPS mode.  */
  #define gcry_fips_mode_active()  !!gcry_control (GCRYCTL_FIPS_MODE_P, 0)