Accepting request 697283 from home:jsikes:branches:devel:libraries:c_c++

Fixed a few bugs. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/697283
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=124

libgcrypt-1.8.4-allow_FSM_same_state.patch

@@ -0,0 +1,15 @@
+Index: libgcrypt-1.8.4/src/fips.c
+===================================================================
+--- libgcrypt-1.8.4.orig/src/fips.c
++++ libgcrypt-1.8.4/src/fips.c
+@@ -930,6 +930,10 @@ fips_new_state (enum module_states new_s
+ 
+     }
+ 
++  /* Allow a transition to the current state */
++  if (current_state == new_state)
++    ok = 1;
++
+   if (ok)
+     {
+       current_state = new_state;

libgcrypt-1.8.4-use_xfree.patch

@@ -0,0 +1,39 @@
+Index: libgcrypt-1.8.4/src/hmac256.c
+===================================================================
+--- libgcrypt-1.8.4.orig/src/hmac256.c
++++ libgcrypt-1.8.4/src/hmac256.c
+@@ -69,6 +69,7 @@ typedef uint32_t u32;
+ 
+ #ifdef STANDALONE
+ #define xtrymalloc(a) malloc((a))
++#define xfree(a) free((a))
+ #define gpg_err_set_errno(a) (errno = (a))
+ #else
+ #include "g10lib.h"
+@@ -341,7 +342,7 @@ _gcry_hmac256_new (const void *key, size
+           tmphd = _gcry_hmac256_new (NULL, 0);
+           if (!tmphd)
+             {
+-              free (hd);
++              xfree (hd);
+               return NULL;
+             }
+           _gcry_hmac256_update (tmphd, key, keylen);
+@@ -373,7 +374,7 @@ _gcry_hmac256_release (hmac256_context_t
+       /* Note: We need to take care not to modify errno.  */
+       if (ctx->use_hmac)
+         my_wipememory (ctx->opad, 64);
+-      free (ctx);
++      xfree (ctx);
+     }
+ }
+ 
+@@ -489,7 +490,7 @@ _gcry_hmac256_file (void *result, size_t
+   while ( (nread = fread (buffer, 1, buffer_size, fp)))
+     _gcry_hmac256_update (hd, buffer, nread);
+ 
+-  free (buffer);
++  xfree (buffer);
+ 
+   if (ferror (fp))
+     {

libgcrypt-binary_integrity_in_non-FIPS.patch

@@ -0,0 +1,84 @@
+Index: libgcrypt-1.8.2/src/fips.c
+===================================================================
+--- libgcrypt-1.8.2.orig/src/fips.c	2019-03-27 13:15:14.190987624 +0100
++++ libgcrypt-1.8.2/src/fips.c	2019-03-27 13:18:07.047986428 +0100
+@@ -115,6 +115,50 @@ _gcry_initialize_fsm_lock (void)
+       abort ();
+     }
+ }
++
++/* Checks whether the library will enter the FIPS mode.
++   Uses the same logic as _gcry_initialize_fips_mode */
++static int
++will_enter_fips (void)
++{
++  /* for convenience, so that a process can run fips-enabled, but
++     not necessarily all of them, enable FIPS mode via environment
++     variable LIBGCRYPT_FORCE_FIPS_MODE.	 */
++  if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
++      return 1;
++
++  /* For testing the system it is useful to override the system
++     provided detection of the FIPS mode and force FIPS mode using a
++     file.  The filename is hardwired so that there won't be any
++     confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
++     actually used.  The file itself may be empty.  */
++  if ( !access (FIPS_FORCE_FILE, F_OK) )
++    return 1;
++
++  /* Checking based on /proc file properties.  */
++  {
++    static const char procfname[] = "/proc/sys/crypto/fips_enabled";
++    FILE *fp;
++
++    fp = fopen (procfname, "r");
++    if (fp)
++      {
++        char line[256];
++
++        if (fgets (line, sizeof line, fp) && atoi (line))
++          {
++            /* System is in fips mode.  */
++            fclose (fp);
++            return 1;
++          }
++        fclose (fp);
++      }
++  }
++
++  return 0;
++}
++
++
+ 
+ /* Check whether the OS is in FIPS mode and record that in a module
+    local variable.  If FORCE is passed as true, fips mode will be
+@@ -631,10 +675,10 @@ get_library_path(const char *libname, co
+ 
+ /* Run an integrity check on the binary.  Returns 0 on success.  */
+ static int
+-check_binary_integrity (void)
++check_binary_integrity ()
+ {
+ #ifdef ENABLE_HMAC_BINARY_CHECK
+-  gpg_error_t err;
++  gpg_error_t err = 0;
+   char libpath[4096];
+   unsigned char digest[32];
+   int dlen;
+@@ -675,7 +719,14 @@ check_binary_integrity (void)
+               /* Open the file.  */
+               fp = fopen (fname, "r");
+               if (!fp)
+-                err = gpg_error_from_syserror ();
++                {
++                  /* Missing checksum is a problem only in FIPS mode.
++                     As the integrity check was moved to the POWERON state,
++                     we no longer can rely on fips_mode(). Because at the point,
++                     the library is not yet initialized. */
++                  if (will_enter_fips() || errno != ENOENT)
++                    err = gpg_error_from_syserror ();
++                }
+               else
+                 {
+                   /* A buffer of 64 bytes plus one for a LF and one to

libgcrypt.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Apr 23 12:38:40 UTC 2019 - Jason Sikes <jsikes@suse.de>
+
+- Restored libgcrypt-binary_integrity_in_non-FIPS.patch sans section that
+  was partially causing bsc#1131183.
+- Fixed race condition in multi-threaded applications by allowing a FSM state
+  transition to the current state. This means some tests are run twice.
+  * Added libgcrypt-1.8.4-allow_FSM_same_state.patch
+- Fixed an issue in malloc/free wrappers so that memory created by the malloc()
+  wrappers will be destroyed using the free() wrappers.
+  * Added libgcrypt-1.8.4-use_xfree.patch
+
 -------------------------------------------------------------------
 Fri Apr  5 21:56:00 UTC 2019 - Jason Sikes <jsikes@suse.de>
 

libgcrypt.spec

@@ -59,7 +59,10 @@ Patch35:        libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
 Patch36:        libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
 Patch39:        libgcrypt-1.8.3-fips-ctor.patch
 Patch40:        libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
+Patch41:        libgcrypt-binary_integrity_in_non-FIPS.patch
 Patch42:        libgcrypt-fips_rsa_no_enforced_mode.patch
+Patch43:        libgcrypt-1.8.4-use_xfree.patch
+Patch44:        libgcrypt-1.8.4-allow_FSM_same_state.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.25