3
0
forked from pool/libgcrypt

Accepting request 1088864 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- FIPS: Merge the libgcrypt20-hmac package into the library and
  remove the "module is complete" trigger file .fips [bsc#1185116]
  * Remove libgcrypt-1.10.0-use-fipscheck.patch

OBS-URL: https://build.opensuse.org/request/show/1088864
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=168
This commit is contained in:
Dirk Mueller 2023-05-25 10:47:22 +00:00 committed by Git OBS Bridge
parent d2525ea576
commit 20cf449281
5 changed files with 16 additions and 148 deletions

View File

@ -1,7 +1,8 @@
libgcrypt20 libgcrypt20
obsoletes "libgcrypt-<targettype> <= <version>"
provides "libgcrypt-<targettype> = <version>" provides "libgcrypt-<targettype> = <version>"
libgcrypt20-hmac obsoletes "libgcrypt-<targettype> <= <version>"
provides "libgcrypt20-hmac-<targettype> = <version>-%release"
obsoletes "libgcrypt20-hmac-<targettype> < <version>-%release"
libgcrypt-devel libgcrypt-devel
requires -libgcrypt-<targettype> requires -libgcrypt-<targettype>
requires "libgcrypt20-<targettype> = <version>" requires "libgcrypt20-<targettype> = <version>"

View File

@ -1,6 +1,5 @@
# This file can be used to globally disable the use of hardware # This file can be used to globally disable the use of hardware
# based optimizations. Supported options are: # based optimizations. Supported options are:
# padlock-rng # padlock-rng
# padlock-aes # padlock-aes
# padlock-sha # padlock-sha

View File

@ -1,114 +0,0 @@
Index: libgcrypt-1.10.1/src/fips.c
===================================================================
--- libgcrypt-1.10.1.orig/src/fips.c
+++ libgcrypt-1.10.1/src/fips.c
@@ -949,6 +949,65 @@ hmac256_check (const char *filename, con
return err;
}
+static int
+get_library_path(const char *libname, const char *symbolname,
+ char *path, size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL)
+ return -1;
+
+ sym = dlsym(dl, symbolname);
+ if (sym != NULL && dladdr(sym, &info))
+ {
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
+static gpg_error_t
+get_hmac_path(char **fname, char *suffix)
+{
+ char libpath[4096];
+ gpg_error_t err;
+
+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version",
+ libpath, sizeof(libpath)))
+ err = gpg_error_from_syserror ();
+ else
+ {
+ *fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
+ if (!*fname)
+ err = gpg_error_from_syserror ();
+ else
+ {
+ char *p;
+
+ /* Prefix the basename with a dot. */
+ strcpy (*fname, libpath);
+ p = strrchr (*fname, '/');
+ if (p)
+ p++;
+ else
+ p = *fname;
+ memmove (p+1, p, strlen (p)+1);
+ *p = '.';
+ strcat (*fname, suffix);
+ err = 0;
+ }
+ }
+ return err;
+}
+
/* Run an integrity check on the binary. Returns 0 on success. */
static int
check_binary_integrity (void)
@@ -997,6 +1056,33 @@ run_hmac_sha256_selftests (int extended)
}
#endif
+int
+can_skip_selftests(void)
+{
+ char *fname = NULL;
+ int ret = 0;
+
+ if (fips_mode())
+ return 0;
+
+ if (get_hmac_path(&fname, ".fips"))
+ return 0;
+
+ /* check the hmac presence */
+ if (access(fname, F_OK))
+ /* no hmac file is present, don't run the tests */
+ if (errno == ENOENT)
+ ret = 1;
+ /* otherwise one of these events happened:
+ * access() returned 0
+ * -> run the tests
+ * some error other than ENOENT occurred
+ * -> run the tests anyway and let them fail
+ */
+
+ xfree(fname);
+ return ret;
+}
/* Run the self-tests. If EXTENDED is true, extended versions of the
selftest are run, that is more tests than required by FIPS. */
@@ -1006,6 +1092,9 @@ _gcry_fips_run_selftests (int extended)
enum module_states result = STATE_ERROR;
gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
+ if (can_skip_selftests())
+ return 0;
+
if (fips_mode ())
fips_new_state (STATE_SELFTEST);

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- FIPS: Merge the libgcrypt20-hmac package into the library and
remove the "module is complete" trigger file .fips [bsc#1185116]
* Remove libgcrypt-1.10.0-use-fipscheck.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com> Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

View File

@ -16,7 +16,6 @@
# #
%define build_hmac256 1
%define libsover 20 %define libsover 20
%define libsoname %{name}%{libsover} %define libsoname %{name}%{libsover}
%define hmac_key orboDeJITITejsirpADONivirpUkvarP %define hmac_key orboDeJITITejsirpADONivirpUkvarP
@ -49,8 +48,6 @@ Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
Patch103: libgcrypt-jitterentropy-3.4.0.patch Patch103: libgcrypt-jitterentropy-3.4.0.patch
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
Patch104: libgcrypt-FIPS-rndjent_poll.patch Patch104: libgcrypt-FIPS-rndjent_poll.patch
#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
Patch105: libgcrypt-1.10.0-use-fipscheck.patch
BuildRequires: automake >= 1.14 BuildRequires: automake >= 1.14
BuildRequires: libgpg-error-devel >= 1.27 BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libtool BuildRequires: libtool
@ -68,23 +65,13 @@ understanding of applied cryptography is required to use Libgcrypt.
Summary: The GNU Crypto Library Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: System/Libraries Group: System/Libraries
Suggests: %{libsoname}-hmac = %{version}-%{release} Provides: %{libsoname}-hmac = %{version}-%{release}
Obsoletes: %{libsoname}-hmac < %{version}-%{release}
%description -n %{libsoname} %description -n %{libsoname}
Libgcrypt is a general purpose crypto library based on the code used in Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version). GnuPG (alpha version).
%package -n %{libsoname}-hmac
Summary: HMAC checksums for the GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: System/Libraries
Requires: %{libsoname} = %{version}-%{release}
%description -n %{libsoname}-hmac
Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version). This package contains the HMAC checksum files
for integrity checking the library, as required by FIPS 140-2.
%package devel %package devel
Summary: The GNU Crypto Library Summary: The GNU Crypto Library
License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
@ -109,8 +96,6 @@ library.
sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in
%build %build
echo building with build_hmac256 set to %{build_hmac256}
export PUBKEYS="dsa elgamal rsa ecc" export PUBKEYS="dsa elgamal rsa ecc"
export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4" export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3" export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
@ -139,18 +124,13 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
%make_build %make_build
%check %check
%make_build check make -k check
# run the regression tests also in FIPS mode # run the regression tests also in FIPS mode
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
# Install the FIPS hmac file # Install the FIPS hmac file
cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/ cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
# create the FIPS "module is complete" trigger file
%if 0%{?build_hmac256}
touch %{buildroot}%{_libdir}/.%{name}.so.%{libsover}.fips
%endif
%install %install
%make_install %make_install
rm %{buildroot}%{_libdir}/%{name}.la rm %{buildroot}%{_libdir}/%{name}.la
@ -170,12 +150,7 @@ install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
%dir %{_sysconfdir}/gcrypt %dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf %config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny %config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
%files -n %{libsoname}-hmac
%{_libdir}/.libgcrypt.so.*.hmac %{_libdir}/.libgcrypt.so.*.hmac
%if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.*.fips
%endif
%files devel %files devel
%license COPYING COPYING.LIB LICENSES %license COPYING COPYING.LIB LICENSES