forked from pool/libgcrypt
- port SLE enhancenments to Factory (bnc#831028)
* add libgcrypt-unresolved-dladdr.patch (bnc#701267) * add libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff (bnc#724841) * add libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff - install .hmac256.hmac (bnc#704068) - enable varuous new options in configure (m-guard, hmac binary check and random device linux) - build with all ciphers, pubkeys and digest by default as whitelist simply allowed them all - Library must be built with large file support in OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=27
This commit is contained in:
parent
6a35aedefa
commit
84f3f9aea5
27
libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
Normal file
27
libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
Normal file
@ -0,0 +1,27 @@
|
||||
From: draht@suse.com
|
||||
Subject: LIBGCRYPT_FORCE_FIPS_MODE env
|
||||
|
||||
environ LIBGCRYPT_FORCE_FIPS_MODE forces FIPS mode of libgcrypt
|
||||
|
||||
Index: libgcrypt-1.5.2/src/fips.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.5.2.orig/src/fips.c
|
||||
+++ libgcrypt-1.5.2/src/fips.c
|
||||
@@ -123,6 +123,17 @@ _gcry_initialize_fips_mode (int force)
|
||||
goto leave;
|
||||
}
|
||||
|
||||
+ /* for convenience, so that a process can run fips-enabled, but
|
||||
+ not necessarily all of them, enable FIPS mode via environment
|
||||
+ variable LIBGCRYPT_FORCE_FIPS_MODE. */
|
||||
+
|
||||
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
|
||||
+ {
|
||||
+ gcry_assert (!no_fips_mode_required);
|
||||
+ goto leave;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
/* For testing the system it is useful to override the system
|
||||
provided detection of the FIPS mode and force FIPS mode using a
|
||||
file. The filename is hardwired so that there won't be any
|
161
libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
Normal file
161
libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
Normal file
@ -0,0 +1,161 @@
|
||||
From: draht@suse.com
|
||||
Subject: /etc/gcrypt/rngseed symlink
|
||||
|
||||
logic error in evaluation of routine to open /dev/{u,}random or
|
||||
/etc/gcrypt/rngseed (open_device()) causes abort() in cases where
|
||||
do_randomize(nbytes, level) is called with level == 1
|
||||
(GCRY_STRONG_RANDOM).
|
||||
|
||||
References: bnc#724841
|
||||
https://bugzilla.novell.com/show_bug.cgi?id=724841
|
||||
|
||||
---
|
||||
random/random-csprng.c | 2 +-
|
||||
random/random-fips.c | 10 +++++-----
|
||||
random/rndlinux.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
|
||||
3 files changed, 48 insertions(+), 12 deletions(-)
|
||||
|
||||
Index: libgcrypt-1.5.2/random/random-csprng.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.5.2.orig/random/random-csprng.c
|
||||
+++ libgcrypt-1.5.2/random/random-csprng.c
|
||||
@@ -827,7 +827,7 @@ read_seed_file (void)
|
||||
* entropy drivers, however the rndlinux driver will use
|
||||
* /dev/urandom and return some stuff - Do not read too much as we
|
||||
* want to be friendly to the scare system entropy resource. */
|
||||
- read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM );
|
||||
+ read_random_source ( RANDOM_ORIGIN_INIT, 16, -1 );
|
||||
|
||||
allow_seed_file_update = 1;
|
||||
return 1;
|
||||
Index: libgcrypt-1.5.2/random/random-fips.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.5.2.orig/random/random-fips.c
|
||||
+++ libgcrypt-1.5.2/random/random-fips.c
|
||||
@@ -27,10 +27,10 @@
|
||||
There are 3 random context which map to the different levels of
|
||||
random quality:
|
||||
|
||||
- Generator Seed and Key Kernel entropy (init/reseed)
|
||||
- ------------------------------------------------------------
|
||||
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
|
||||
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
|
||||
+ Generator Seed and Key Kernel entropy (init/reseed)
|
||||
+ ---------------------------------------------------------------------------------------
|
||||
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
|
||||
+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
|
||||
gcry_create_nonce GCRY_STRONG_RANDOM n/a
|
||||
|
||||
All random generators return their data in 128 bit blocks. If the
|
||||
@@ -562,7 +562,7 @@ get_entropy (size_t nbytes)
|
||||
#if USE_RNDLINUX
|
||||
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
|
||||
X931_AES_KEYLEN,
|
||||
- GCRY_VERY_STRONG_RANDOM);
|
||||
+ -1);
|
||||
#elif USE_RNDW32
|
||||
do
|
||||
{
|
||||
Index: libgcrypt-1.5.2/random/rndlinux.c
|
||||
===================================================================
|
||||
--- libgcrypt-1.5.2.orig/random/rndlinux.c
|
||||
+++ libgcrypt-1.5.2/random/rndlinux.c
|
||||
@@ -36,7 +36,8 @@
|
||||
#include "g10lib.h"
|
||||
#include "rand-internal.h"
|
||||
|
||||
-static int open_device ( const char *name );
|
||||
+static int open_device ( const char *name, int fatal );
|
||||
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
|
||||
|
||||
|
||||
static int
|
||||
@@ -57,13 +58,17 @@ set_cloexec_flag (int fd)
|
||||
* Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)).
|
||||
*/
|
||||
static int
|
||||
-open_device ( const char *name )
|
||||
+open_device ( const char *name, int fatal)
|
||||
{
|
||||
int fd;
|
||||
|
||||
fd = open ( name, O_RDONLY );
|
||||
if ( fd == -1 )
|
||||
- log_fatal ("can't open %s: %s\n", name, strerror(errno) );
|
||||
+ {
|
||||
+ if (fatal)
|
||||
+ log_fatal ("can't open %s: %s\n", name, strerror(errno) );
|
||||
+ return fd;
|
||||
+ }
|
||||
|
||||
if (set_cloexec_flag (fd))
|
||||
log_error ("error setting FD_CLOEXEC on fd %d: %s\n",
|
||||
@@ -92,10 +97,12 @@ _gcry_rndlinux_gather_random (void (*add
|
||||
{
|
||||
static int fd_urandom = -1;
|
||||
static int fd_random = -1;
|
||||
+ static int fd_configured = -1;
|
||||
int fd;
|
||||
int n;
|
||||
byte buffer[768];
|
||||
size_t n_hw;
|
||||
+ size_t orig_length = length;
|
||||
size_t want = length;
|
||||
size_t last_so_far = 0;
|
||||
int any_need_entropy = 0;
|
||||
@@ -110,16 +117,42 @@ _gcry_rndlinux_gather_random (void (*add
|
||||
length -= n_hw;
|
||||
|
||||
/* Open the requested device. */
|
||||
+
|
||||
+ /* Clarification: path how "level == -1" comes about:
|
||||
+ gcry_random_bytes( ... , GCRY_STRONG_RANDOM) (public) ->
|
||||
+ do_randomize(buffer, nbytes, level) ->
|
||||
+ _gcry_rngcsprng_randomize(buffer, length, level) ->
|
||||
+ read_pool (p, n, level) ->
|
||||
+ read_seed_file(),
|
||||
+ random_poll() ->
|
||||
+ read_random_source(..., ..., GCRY_STRONG_RANDOM),
|
||||
+ read_random_source(... , ..., , -1 ) (note: -1) ->
|
||||
+ slow_gather_fnc(..., ..., ..., level)
|
||||
+ function pointer set by getfnc_gather_random() to
|
||||
+ _gcry_rndlinux_gather_random() , which is here.
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+ if (level == -1)
|
||||
+ {
|
||||
+ if (fd_configured == -1)
|
||||
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 );
|
||||
+ fd = fd_configured;
|
||||
+ if (fd == -1)
|
||||
+ level = 1;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
if (level >= 2)
|
||||
{
|
||||
if( fd_random == -1 )
|
||||
- fd_random = open_device ( NAME_OF_DEV_RANDOM );
|
||||
+ fd_random = open_device ( NAME_OF_DEV_RANDOM, 1 );
|
||||
fd = fd_random;
|
||||
}
|
||||
- else
|
||||
+ else if (level != -1)
|
||||
{
|
||||
if( fd_urandom == -1 )
|
||||
- fd_urandom = open_device ( NAME_OF_DEV_URANDOM );
|
||||
+ fd_urandom = open_device ( NAME_OF_DEV_URANDOM, 1 );
|
||||
fd = fd_urandom;
|
||||
}
|
||||
|
||||
@@ -187,6 +220,9 @@ _gcry_rndlinux_gather_random (void (*add
|
||||
}
|
||||
memset(buffer, 0, sizeof(buffer) );
|
||||
|
||||
+ if (level == -1)
|
||||
+ _gcry_rndlinux_gather_random(add, origin, orig_length, 1);
|
||||
+
|
||||
if (any_need_entropy)
|
||||
_gcry_random_progress ("need_entropy", 'X', (int)want, (int)want);
|
||||
|
23
libgcrypt-unresolved-dladdr.patch
Normal file
23
libgcrypt-unresolved-dladdr.patch
Normal file
@ -0,0 +1,23 @@
|
||||
From: mvyskocil@suse.cz
|
||||
Subject: unresolved dladdr symbol
|
||||
|
||||
When linking with --as-needed, some symbols are ommited. Add a DL_LIBS for
|
||||
dladdr symbol to fix the issue.
|
||||
|
||||
References: bnc#701267
|
||||
https://bugzilla.novell.com/show_bug.cgi?id=701267
|
||||
Original-name: libgcrypt-1.5.0-as-needed.patch
|
||||
|
||||
Index: libgcrypt-1.5.2/src/Makefile.am
|
||||
===================================================================
|
||||
--- libgcrypt-1.5.2.orig/src/Makefile.am
|
||||
+++ libgcrypt-1.5.2/src/Makefile.am
|
||||
@@ -110,7 +110,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
|
||||
../cipher/libcipher.la \
|
||||
../random/librandom.la \
|
||||
../mpi/libmpi.la \
|
||||
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
|
||||
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) $(DL_LIBS)
|
||||
|
||||
|
||||
dumpsexp_SOURCES = dumpsexp.c
|
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 25 09:15:43 UTC 2013 - mvyskocil@suse.com
|
||||
|
||||
- port SLE enhancenments to Factory (bnc#831028)
|
||||
* add libgcrypt-unresolved-dladdr.patch (bnc#701267)
|
||||
* add libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff (bnc#724841)
|
||||
* add libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
|
||||
- install .hmac256.hmac (bnc#704068)
|
||||
- enable varuous new options in configure (m-guard, hmac binary check and
|
||||
random device linux)
|
||||
- build with all ciphers, pubkeys and digest by default as whitelist
|
||||
simply allowed them all
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com
|
||||
|
||||
@ -6,7 +19,7 @@ Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com
|
||||
-------------------------------------------------------------------
|
||||
Sun Jun 16 22:56:56 UTC 2013 - crrodriguez@opensuse.org
|
||||
|
||||
- Library must by built with large file support in
|
||||
- Library must be built with large file support in
|
||||
32 bit archs.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
|
@ -16,8 +16,13 @@
|
||||
#
|
||||
|
||||
|
||||
Name: libgcrypt
|
||||
%define build_hmac256 1
|
||||
%define separate_hmac256_binary 0
|
||||
|
||||
%define libsoname %{name}11
|
||||
%define sosuffix 11.8.1
|
||||
|
||||
Name: libgcrypt
|
||||
Url: http://directory.fsf.org/wiki/Libgcrypt
|
||||
Version: 1.5.2
|
||||
Release: 0
|
||||
@ -33,10 +38,18 @@ Patch0: %{name}-ppc64.patch
|
||||
Patch1: %{name}-strict-aliasing.patch
|
||||
Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch
|
||||
Patch4: %{name}-sparcv9.diff
|
||||
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
|
||||
#was: libgcrypt-1.5.0-as-needed.patch
|
||||
Patch5: libgcrypt-unresolved-dladdr.patch
|
||||
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
|
||||
Patch6: libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
|
||||
#PATCH-FIX-SUSE: N/A
|
||||
Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: automake >= 1.11
|
||||
BuildRequires: libgpg-error-devel >= 1.8
|
||||
BuildRequires: libtool
|
||||
# not for base packages to avoid huge cycles
|
||||
#BuildRequires: gpg-offline
|
||||
|
||||
%description
|
||||
@ -49,14 +62,6 @@ understanding of applied cryptography is required to use Libgcrypt.
|
||||
Summary: The GNU Crypto Library
|
||||
License: GPL-2.0+ and LGPL-2.1+
|
||||
Group: Development/Libraries/C and C++
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
Obsoletes: %{name}-64bit
|
||||
%endif
|
||||
#
|
||||
# libgcrypt last used in 10.3
|
||||
Obsoletes: %{name} < %{version}
|
||||
Provides: %{name} = %{version}
|
||||
|
||||
%description -n %{libsoname}
|
||||
Libgcrypt is a general purpose crypto library based on the code used in
|
||||
@ -69,11 +74,6 @@ Group: Development/Libraries/C and C++
|
||||
Requires: %{libsoname} = %{version}
|
||||
Requires: glibc-devel
|
||||
Requires: libgpg-error-devel >= 1.8
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
Obsoletes: %{name}-devel-64bit
|
||||
%endif
|
||||
#
|
||||
PreReq: %install_info_prereq
|
||||
|
||||
%description devel
|
||||
@ -85,41 +85,76 @@ understanding of applied cryptography is required to use Libgcrypt.
|
||||
This package contains needed files to compile and link against the
|
||||
library.
|
||||
|
||||
%if 0%{?separate_hmac256_binary}
|
||||
|
||||
%package hmac256
|
||||
Summary: The GNU Crypto Library
|
||||
License: GPL-2.0+ and LGPL-2.1+
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: libgcrypt11 = %version
|
||||
Requires: libgpg-error-devel
|
||||
PreReq: %install_info_prereq
|
||||
|
||||
%description hmac256
|
||||
Libgcrypt is a general purpose library of cryptographic building
|
||||
blocks. It is originally based on code used by GnuPG. It does not
|
||||
provide any implementation of OpenPGP or other protocols. Thorough
|
||||
understanding of applied cryptography is required to use Libgcrypt.
|
||||
|
||||
%endif # #if separate_hmac256_binary
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%patch0 -p1
|
||||
%patch1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
|
||||
%build
|
||||
# define ciphers to build
|
||||
ENABLE_CIPHER="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea"
|
||||
ENABLE_PUBKEY="dsa elgamal rsa ecc"
|
||||
ENABLE_DIGEST="crc md4 md5 rmd160 sha1 sha256 sha512 tiger whirlpool"
|
||||
#
|
||||
echo building with build_hmac256 set to %{build_hmac256}
|
||||
%{?suse_update_config}
|
||||
autoreconf -fi
|
||||
export CFLAGS="%optflags $(getconf LFS_CFLAGS)"
|
||||
%configure --with-pic \
|
||||
--enable-noexecstack \
|
||||
--disable-static \
|
||||
--enable-m-guard \
|
||||
%ifarch %sparc
|
||||
--disable-asm \
|
||||
%endif
|
||||
--enable-ciphers="$ENABLE_CIPHER" \
|
||||
--enable-pubkey-ciphers="$ENABLE_PUBKEY" \
|
||||
--enable-digests="$ENABLE_DIGEST"
|
||||
--enable-hmac-binary-check \
|
||||
--enable-random=linux
|
||||
%{__make} %{?_smp_mflags}
|
||||
|
||||
%if 0%{?build_hmac256}
|
||||
# this is a hack that re-defines the __os_install_post macro
|
||||
# for a simple reason: the macro strips the binaries and thereby
|
||||
# invalidates a HMAC that may have been created earlier.
|
||||
# solution: create the hashes _after_ the macro runs.
|
||||
#
|
||||
# this shows up earlier because otherwise the %expand of
|
||||
# the macro is too late.
|
||||
%{expand:%%global __os_install_post {%__os_install_post
|
||||
|
||||
%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
|
||||
< %{buildroot}/%{_bindir}/hmac256 > %{buildroot}/%{_bindir}/.hmac256.hmac
|
||||
%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
|
||||
< %{buildroot}/%{_libdir}/libgcrypt.so.%{sosuffix} > %{buildroot}/%{_libdir}/.libgcrypt.so.11.hmac
|
||||
}}
|
||||
%endif
|
||||
|
||||
%check
|
||||
# Nice idea. however this uses /dev/random, which hangs
|
||||
# on hardware without random feeds.
|
||||
#make check
|
||||
# so lets not run it inside OBS
|
||||
# make check
|
||||
|
||||
%install
|
||||
make DESTDIR=$RPM_BUILD_ROOT install
|
||||
#
|
||||
|
||||
rm %{buildroot}%{_libdir}/%{name}.la
|
||||
|
||||
%post -n %{libsoname} -p /sbin/ldconfig
|
||||
@ -140,6 +175,9 @@ rm %{buildroot}%{_libdir}/%{name}.la
|
||||
%defattr(-,root,root)
|
||||
%doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO
|
||||
%{_libdir}/%{name}.so.11*
|
||||
%if 0%{?build_hmac256}
|
||||
%{_libdir}/.libgcrypt.so.11.hmac
|
||||
%endif # %if 0%{?build_hmac256}
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root)
|
||||
@ -147,10 +185,16 @@ rm %{buildroot}%{_libdir}/%{name}.la
|
||||
%_infodir/gcrypt.info-1.gz
|
||||
%_infodir/gcrypt.info-2.gz
|
||||
%_bindir/dumpsexp
|
||||
%_bindir/hmac256
|
||||
%_bindir/%{name}-config
|
||||
%_libdir/%{name}.so
|
||||
%_includedir/gcrypt*.h
|
||||
%_datadir/aclocal/%{name}.m4
|
||||
%if 0%{?separate_hmac256_binary}
|
||||
|
||||
%files hmac256
|
||||
%defattr(-,root,root)
|
||||
%endif # %if 0%{?separate_hmac256_binary}
|
||||
%{_bindir}/hmac256
|
||||
%{_bindir}/.hmac256.hmac
|
||||
|
||||
%changelog
|
||||
|
Loading…
Reference in New Issue
Block a user