forked from pool/libgcrypt
Accepting request 697283 from home:jsikes:branches:devel:libraries:c_c++
Fixed a few bugs. Enjoy! OBS-URL: https://build.opensuse.org/request/show/697283 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=124
This commit is contained in:
parent
9521655df0
commit
44e7a5642f
15
libgcrypt-1.8.4-allow_FSM_same_state.patch
Normal file
15
libgcrypt-1.8.4-allow_FSM_same_state.patch
Normal file
@ -0,0 +1,15 @@
|
||||
Index: libgcrypt-1.8.4/src/fips.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.8.4.orig/src/fips.c
|
||||
+++ libgcrypt-1.8.4/src/fips.c
|
||||
@@ -930,6 +930,10 @@ fips_new_state (enum module_states new_s
|
||||
|
||||
}
|
||||
|
||||
+ /* Allow a transition to the current state */
|
||||
+ if (current_state == new_state)
|
||||
+ ok = 1;
|
||||
+
|
||||
if (ok)
|
||||
{
|
||||
current_state = new_state;
|
39
libgcrypt-1.8.4-use_xfree.patch
Normal file
39
libgcrypt-1.8.4-use_xfree.patch
Normal file
@ -0,0 +1,39 @@
|
||||
Index: libgcrypt-1.8.4/src/hmac256.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.8.4.orig/src/hmac256.c
|
||||
+++ libgcrypt-1.8.4/src/hmac256.c
|
||||
@@ -69,6 +69,7 @@ typedef uint32_t u32;
|
||||
|
||||
#ifdef STANDALONE
|
||||
#define xtrymalloc(a) malloc((a))
|
||||
+#define xfree(a) free((a))
|
||||
#define gpg_err_set_errno(a) (errno = (a))
|
||||
#else
|
||||
#include "g10lib.h"
|
||||
@@ -341,7 +342,7 @@ _gcry_hmac256_new (const void *key, size
|
||||
tmphd = _gcry_hmac256_new (NULL, 0);
|
||||
if (!tmphd)
|
||||
{
|
||||
- free (hd);
|
||||
+ xfree (hd);
|
||||
return NULL;
|
||||
}
|
||||
_gcry_hmac256_update (tmphd, key, keylen);
|
||||
@@ -373,7 +374,7 @@ _gcry_hmac256_release (hmac256_context_t
|
||||
/* Note: We need to take care not to modify errno. */
|
||||
if (ctx->use_hmac)
|
||||
my_wipememory (ctx->opad, 64);
|
||||
- free (ctx);
|
||||
+ xfree (ctx);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -489,7 +490,7 @@ _gcry_hmac256_file (void *result, size_t
|
||||
while ( (nread = fread (buffer, 1, buffer_size, fp)))
|
||||
_gcry_hmac256_update (hd, buffer, nread);
|
||||
|
||||
- free (buffer);
|
||||
+ xfree (buffer);
|
||||
|
||||
if (ferror (fp))
|
||||
{
|
84
libgcrypt-binary_integrity_in_non-FIPS.patch
Normal file
84
libgcrypt-binary_integrity_in_non-FIPS.patch
Normal file
@ -0,0 +1,84 @@
|
||||
Index: libgcrypt-1.8.2/src/fips.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.8.2.orig/src/fips.c 2019-03-27 13:15:14.190987624 +0100
|
||||
+++ libgcrypt-1.8.2/src/fips.c 2019-03-27 13:18:07.047986428 +0100
|
||||
@@ -115,6 +115,50 @@ _gcry_initialize_fsm_lock (void)
|
||||
abort ();
|
||||
}
|
||||
}
|
||||
+
|
||||
+/* Checks whether the library will enter the FIPS mode.
|
||||
+ Uses the same logic as _gcry_initialize_fips_mode */
|
||||
+static int
|
||||
+will_enter_fips (void)
|
||||
+{
|
||||
+ /* for convenience, so that a process can run fips-enabled, but
|
||||
+ not necessarily all of them, enable FIPS mode via environment
|
||||
+ variable LIBGCRYPT_FORCE_FIPS_MODE. */
|
||||
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
|
||||
+ return 1;
|
||||
+
|
||||
+ /* For testing the system it is useful to override the system
|
||||
+ provided detection of the FIPS mode and force FIPS mode using a
|
||||
+ file. The filename is hardwired so that there won't be any
|
||||
+ confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
|
||||
+ actually used. The file itself may be empty. */
|
||||
+ if ( !access (FIPS_FORCE_FILE, F_OK) )
|
||||
+ return 1;
|
||||
+
|
||||
+ /* Checking based on /proc file properties. */
|
||||
+ {
|
||||
+ static const char procfname[] = "/proc/sys/crypto/fips_enabled";
|
||||
+ FILE *fp;
|
||||
+
|
||||
+ fp = fopen (procfname, "r");
|
||||
+ if (fp)
|
||||
+ {
|
||||
+ char line[256];
|
||||
+
|
||||
+ if (fgets (line, sizeof line, fp) && atoi (line))
|
||||
+ {
|
||||
+ /* System is in fips mode. */
|
||||
+ fclose (fp);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ fclose (fp);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
|
||||
/* Check whether the OS is in FIPS mode and record that in a module
|
||||
local variable. If FORCE is passed as true, fips mode will be
|
||||
@@ -631,10 +675,10 @@ get_library_path(const char *libname, co
|
||||
|
||||
/* Run an integrity check on the binary. Returns 0 on success. */
|
||||
static int
|
||||
-check_binary_integrity (void)
|
||||
+check_binary_integrity ()
|
||||
{
|
||||
#ifdef ENABLE_HMAC_BINARY_CHECK
|
||||
- gpg_error_t err;
|
||||
+ gpg_error_t err = 0;
|
||||
char libpath[4096];
|
||||
unsigned char digest[32];
|
||||
int dlen;
|
||||
@@ -675,7 +719,14 @@ check_binary_integrity (void)
|
||||
/* Open the file. */
|
||||
fp = fopen (fname, "r");
|
||||
if (!fp)
|
||||
- err = gpg_error_from_syserror ();
|
||||
+ {
|
||||
+ /* Missing checksum is a problem only in FIPS mode.
|
||||
+ As the integrity check was moved to the POWERON state,
|
||||
+ we no longer can rely on fips_mode(). Because at the point,
|
||||
+ the library is not yet initialized. */
|
||||
+ if (will_enter_fips() || errno != ENOENT)
|
||||
+ err = gpg_error_from_syserror ();
|
||||
+ }
|
||||
else
|
||||
{
|
||||
/* A buffer of 64 bytes plus one for a LF and one to
|
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 23 12:38:40 UTC 2019 - Jason Sikes <jsikes@suse.de>
|
||||
|
||||
- Restored libgcrypt-binary_integrity_in_non-FIPS.patch sans section that
|
||||
was partially causing bsc#1131183.
|
||||
- Fixed race condition in multi-threaded applications by allowing a FSM state
|
||||
transition to the current state. This means some tests are run twice.
|
||||
* Added libgcrypt-1.8.4-allow_FSM_same_state.patch
|
||||
- Fixed an issue in malloc/free wrappers so that memory created by the malloc()
|
||||
wrappers will be destroyed using the free() wrappers.
|
||||
* Added libgcrypt-1.8.4-use_xfree.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 5 21:56:00 UTC 2019 - Jason Sikes <jsikes@suse.de>
|
||||
|
||||
|
@ -59,7 +59,10 @@ Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
|
||||
Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
|
||||
Patch39: libgcrypt-1.8.3-fips-ctor.patch
|
||||
Patch40: libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
|
||||
Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch
|
||||
Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch
|
||||
Patch43: libgcrypt-1.8.4-use_xfree.patch
|
||||
Patch44: libgcrypt-1.8.4-allow_FSM_same_state.patch
|
||||
BuildRequires: automake >= 1.14
|
||||
BuildRequires: fipscheck
|
||||
BuildRequires: libgpg-error-devel >= 1.25
|
||||
|
Loading…
Reference in New Issue
Block a user