3
0
forked from pool/libgcrypt

- port SLE enhancenments to Factory (bnc#831028)

* add libgcrypt-unresolved-dladdr.patch (bnc#701267)
  * add libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff (bnc#724841)
  * add libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
- install .hmac256.hmac (bnc#704068)
- enable varuous new options in configure (m-guard, hmac binary check and
  random device linux)
- build with all ciphers, pubkeys and digest by default as whitelist
  simply allowed them all
- Library must be built with large file support in

OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=27
This commit is contained in:
Michal Vyskocil 2013-07-25 09:26:56 +00:00 committed by Git OBS Bridge
parent 6a35aedefa
commit 84f3f9aea5
5 changed files with 294 additions and 26 deletions

View File

@ -0,0 +1,27 @@
From: draht@suse.com
Subject: LIBGCRYPT_FORCE_FIPS_MODE env
environ LIBGCRYPT_FORCE_FIPS_MODE forces FIPS mode of libgcrypt
Index: libgcrypt-1.5.2/src/fips.c
===================================================================
--- libgcrypt-1.5.2.orig/src/fips.c
+++ libgcrypt-1.5.2/src/fips.c
@@ -123,6 +123,17 @@ _gcry_initialize_fips_mode (int force)
goto leave;
}
+ /* for convenience, so that a process can run fips-enabled, but
+ not necessarily all of them, enable FIPS mode via environment
+ variable LIBGCRYPT_FORCE_FIPS_MODE. */
+
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
+ {
+ gcry_assert (!no_fips_mode_required);
+ goto leave;
+ }
+
+
/* For testing the system it is useful to override the system
provided detection of the FIPS mode and force FIPS mode using a
file. The filename is hardwired so that there won't be any

View File

@ -0,0 +1,161 @@
From: draht@suse.com
Subject: /etc/gcrypt/rngseed symlink
logic error in evaluation of routine to open /dev/{u,}random or
/etc/gcrypt/rngseed (open_device()) causes abort() in cases where
do_randomize(nbytes, level) is called with level == 1
(GCRY_STRONG_RANDOM).
References: bnc#724841
https://bugzilla.novell.com/show_bug.cgi?id=724841
---
random/random-csprng.c | 2 +-
random/random-fips.c | 10 +++++-----
random/rndlinux.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
3 files changed, 48 insertions(+), 12 deletions(-)
Index: libgcrypt-1.5.2/random/random-csprng.c
===================================================================
--- libgcrypt-1.5.2.orig/random/random-csprng.c
+++ libgcrypt-1.5.2/random/random-csprng.c
@@ -827,7 +827,7 @@ read_seed_file (void)
* entropy drivers, however the rndlinux driver will use
* /dev/urandom and return some stuff - Do not read too much as we
* want to be friendly to the scare system entropy resource. */
- read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM );
+ read_random_source ( RANDOM_ORIGIN_INIT, 16, -1 );
allow_seed_file_update = 1;
return 1;
Index: libgcrypt-1.5.2/random/random-fips.c
===================================================================
--- libgcrypt-1.5.2.orig/random/random-fips.c
+++ libgcrypt-1.5.2/random/random-fips.c
@@ -27,10 +27,10 @@
There are 3 random context which map to the different levels of
random quality:
- Generator Seed and Key Kernel entropy (init/reseed)
- ------------------------------------------------------------
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
+ Generator Seed and Key Kernel entropy (init/reseed)
+ ---------------------------------------------------------------------------------------
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
gcry_create_nonce GCRY_STRONG_RANDOM n/a
All random generators return their data in 128 bit blocks. If the
@@ -562,7 +562,7 @@ get_entropy (size_t nbytes)
#if USE_RNDLINUX
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
X931_AES_KEYLEN,
- GCRY_VERY_STRONG_RANDOM);
+ -1);
#elif USE_RNDW32
do
{
Index: libgcrypt-1.5.2/random/rndlinux.c
===================================================================
--- libgcrypt-1.5.2.orig/random/rndlinux.c
+++ libgcrypt-1.5.2/random/rndlinux.c
@@ -36,7 +36,8 @@
#include "g10lib.h"
#include "rand-internal.h"
-static int open_device ( const char *name );
+static int open_device ( const char *name, int fatal );
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
static int
@@ -57,13 +58,17 @@ set_cloexec_flag (int fd)
* Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)).
*/
static int
-open_device ( const char *name )
+open_device ( const char *name, int fatal)
{
int fd;
fd = open ( name, O_RDONLY );
if ( fd == -1 )
- log_fatal ("can't open %s: %s\n", name, strerror(errno) );
+ {
+ if (fatal)
+ log_fatal ("can't open %s: %s\n", name, strerror(errno) );
+ return fd;
+ }
if (set_cloexec_flag (fd))
log_error ("error setting FD_CLOEXEC on fd %d: %s\n",
@@ -92,10 +97,12 @@ _gcry_rndlinux_gather_random (void (*add
{
static int fd_urandom = -1;
static int fd_random = -1;
+ static int fd_configured = -1;
int fd;
int n;
byte buffer[768];
size_t n_hw;
+ size_t orig_length = length;
size_t want = length;
size_t last_so_far = 0;
int any_need_entropy = 0;
@@ -110,16 +117,42 @@ _gcry_rndlinux_gather_random (void (*add
length -= n_hw;
/* Open the requested device. */
+
+ /* Clarification: path how "level == -1" comes about:
+ gcry_random_bytes( ... , GCRY_STRONG_RANDOM) (public) ->
+ do_randomize(buffer, nbytes, level) ->
+ _gcry_rngcsprng_randomize(buffer, length, level) ->
+ read_pool (p, n, level) ->
+ read_seed_file(),
+ random_poll() ->
+ read_random_source(..., ..., GCRY_STRONG_RANDOM),
+ read_random_source(... , ..., , -1 ) (note: -1) ->
+ slow_gather_fnc(..., ..., ..., level)
+ function pointer set by getfnc_gather_random() to
+ _gcry_rndlinux_gather_random() , which is here.
+ */
+
+
+ if (level == -1)
+ {
+ if (fd_configured == -1)
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 );
+ fd = fd_configured;
+ if (fd == -1)
+ level = 1;
+ }
+
+
if (level >= 2)
{
if( fd_random == -1 )
- fd_random = open_device ( NAME_OF_DEV_RANDOM );
+ fd_random = open_device ( NAME_OF_DEV_RANDOM, 1 );
fd = fd_random;
}
- else
+ else if (level != -1)
{
if( fd_urandom == -1 )
- fd_urandom = open_device ( NAME_OF_DEV_URANDOM );
+ fd_urandom = open_device ( NAME_OF_DEV_URANDOM, 1 );
fd = fd_urandom;
}
@@ -187,6 +220,9 @@ _gcry_rndlinux_gather_random (void (*add
}
memset(buffer, 0, sizeof(buffer) );
+ if (level == -1)
+ _gcry_rndlinux_gather_random(add, origin, orig_length, 1);
+
if (any_need_entropy)
_gcry_random_progress ("need_entropy", 'X', (int)want, (int)want);

View File

@ -0,0 +1,23 @@
From: mvyskocil@suse.cz
Subject: unresolved dladdr symbol
When linking with --as-needed, some symbols are ommited. Add a DL_LIBS for
dladdr symbol to fix the issue.
References: bnc#701267
https://bugzilla.novell.com/show_bug.cgi?id=701267
Original-name: libgcrypt-1.5.0-as-needed.patch
Index: libgcrypt-1.5.2/src/Makefile.am
===================================================================
--- libgcrypt-1.5.2.orig/src/Makefile.am
+++ libgcrypt-1.5.2/src/Makefile.am
@@ -110,7 +110,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
../cipher/libcipher.la \
../random/librandom.la \
../mpi/libmpi.la \
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) $(DL_LIBS)
dumpsexp_SOURCES = dumpsexp.c

View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Jul 25 09:15:43 UTC 2013 - mvyskocil@suse.com
- port SLE enhancenments to Factory (bnc#831028)
* add libgcrypt-unresolved-dladdr.patch (bnc#701267)
* add libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff (bnc#724841)
* add libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
- install .hmac256.hmac (bnc#704068)
- enable varuous new options in configure (m-guard, hmac binary check and
random device linux)
- build with all ciphers, pubkeys and digest by default as whitelist
simply allowed them all
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com
@ -6,7 +19,7 @@ Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Jun 16 22:56:56 UTC 2013 - crrodriguez@opensuse.org Sun Jun 16 22:56:56 UTC 2013 - crrodriguez@opensuse.org
- Library must by built with large file support in - Library must be built with large file support in
32 bit archs. 32 bit archs.
------------------------------------------------------------------- -------------------------------------------------------------------

View File

@ -16,8 +16,13 @@
# #
Name: libgcrypt %define build_hmac256 1
%define separate_hmac256_binary 0
%define libsoname %{name}11 %define libsoname %{name}11
%define sosuffix 11.8.1
Name: libgcrypt
Url: http://directory.fsf.org/wiki/Libgcrypt Url: http://directory.fsf.org/wiki/Libgcrypt
Version: 1.5.2 Version: 1.5.2
Release: 0 Release: 0
@ -33,10 +38,18 @@ Patch0: %{name}-ppc64.patch
Patch1: %{name}-strict-aliasing.patch Patch1: %{name}-strict-aliasing.patch
Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch
Patch4: %{name}-sparcv9.diff Patch4: %{name}-sparcv9.diff
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
#was: libgcrypt-1.5.0-as-needed.patch
Patch5: libgcrypt-unresolved-dladdr.patch
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
Patch6: libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
#PATCH-FIX-SUSE: N/A
Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: automake >= 1.11 BuildRequires: automake >= 1.11
BuildRequires: libgpg-error-devel >= 1.8 BuildRequires: libgpg-error-devel >= 1.8
BuildRequires: libtool BuildRequires: libtool
# not for base packages to avoid huge cycles
#BuildRequires: gpg-offline #BuildRequires: gpg-offline
%description %description
@ -49,14 +62,6 @@ understanding of applied cryptography is required to use Libgcrypt.
Summary: The GNU Crypto Library Summary: The GNU Crypto Library
License: GPL-2.0+ and LGPL-2.1+ License: GPL-2.0+ and LGPL-2.1+
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
# bug437293
%ifarch ppc64
Obsoletes: %{name}-64bit
%endif
#
# libgcrypt last used in 10.3
Obsoletes: %{name} < %{version}
Provides: %{name} = %{version}
%description -n %{libsoname} %description -n %{libsoname}
Libgcrypt is a general purpose crypto library based on the code used in Libgcrypt is a general purpose crypto library based on the code used in
@ -69,11 +74,6 @@ Group: Development/Libraries/C and C++
Requires: %{libsoname} = %{version} Requires: %{libsoname} = %{version}
Requires: glibc-devel Requires: glibc-devel
Requires: libgpg-error-devel >= 1.8 Requires: libgpg-error-devel >= 1.8
# bug437293
%ifarch ppc64
Obsoletes: %{name}-devel-64bit
%endif
#
PreReq: %install_info_prereq PreReq: %install_info_prereq
%description devel %description devel
@ -85,41 +85,76 @@ understanding of applied cryptography is required to use Libgcrypt.
This package contains needed files to compile and link against the This package contains needed files to compile and link against the
library. library.
%if 0%{?separate_hmac256_binary}
%package hmac256
Summary: The GNU Crypto Library
License: GPL-2.0+ and LGPL-2.1+
Group: Development/Libraries/C and C++
Requires: libgcrypt11 = %version
Requires: libgpg-error-devel
PreReq: %install_info_prereq
%description hmac256
Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt.
%endif # #if separate_hmac256_binary
%prep %prep
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
%patch0 -p1 %patch0 -p1
%patch1 %patch1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build %build
# define ciphers to build echo building with build_hmac256 set to %{build_hmac256}
ENABLE_CIPHER="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea"
ENABLE_PUBKEY="dsa elgamal rsa ecc"
ENABLE_DIGEST="crc md4 md5 rmd160 sha1 sha256 sha512 tiger whirlpool"
#
%{?suse_update_config} %{?suse_update_config}
autoreconf -fi autoreconf -fi
export CFLAGS="%optflags $(getconf LFS_CFLAGS)" export CFLAGS="%optflags $(getconf LFS_CFLAGS)"
%configure --with-pic \ %configure --with-pic \
--enable-noexecstack \ --enable-noexecstack \
--disable-static \ --disable-static \
--enable-m-guard \
%ifarch %sparc %ifarch %sparc
--disable-asm \ --disable-asm \
%endif %endif
--enable-ciphers="$ENABLE_CIPHER" \ --enable-hmac-binary-check \
--enable-pubkey-ciphers="$ENABLE_PUBKEY" \ --enable-random=linux
--enable-digests="$ENABLE_DIGEST"
%{__make} %{?_smp_mflags} %{__make} %{?_smp_mflags}
%if 0%{?build_hmac256}
# this is a hack that re-defines the __os_install_post macro
# for a simple reason: the macro strips the binaries and thereby
# invalidates a HMAC that may have been created earlier.
# solution: create the hashes _after_ the macro runs.
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
< %{buildroot}/%{_bindir}/hmac256 > %{buildroot}/%{_bindir}/.hmac256.hmac
%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
< %{buildroot}/%{_libdir}/libgcrypt.so.%{sosuffix} > %{buildroot}/%{_libdir}/.libgcrypt.so.11.hmac
}}
%endif
%check %check
# Nice idea. however this uses /dev/random, which hangs # Nice idea. however this uses /dev/random, which hangs
# on hardware without random feeds. # on hardware without random feeds.
#make check # so lets not run it inside OBS
# make check
%install %install
make DESTDIR=$RPM_BUILD_ROOT install make DESTDIR=$RPM_BUILD_ROOT install
#
rm %{buildroot}%{_libdir}/%{name}.la rm %{buildroot}%{_libdir}/%{name}.la
%post -n %{libsoname} -p /sbin/ldconfig %post -n %{libsoname} -p /sbin/ldconfig
@ -140,6 +175,9 @@ rm %{buildroot}%{_libdir}/%{name}.la
%defattr(-,root,root) %defattr(-,root,root)
%doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO %doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO
%{_libdir}/%{name}.so.11* %{_libdir}/%{name}.so.11*
%if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.11.hmac
%endif # %if 0%{?build_hmac256}
%files devel %files devel
%defattr(-,root,root) %defattr(-,root,root)
@ -147,10 +185,16 @@ rm %{buildroot}%{_libdir}/%{name}.la
%_infodir/gcrypt.info-1.gz %_infodir/gcrypt.info-1.gz
%_infodir/gcrypt.info-2.gz %_infodir/gcrypt.info-2.gz
%_bindir/dumpsexp %_bindir/dumpsexp
%_bindir/hmac256
%_bindir/%{name}-config %_bindir/%{name}-config
%_libdir/%{name}.so %_libdir/%{name}.so
%_includedir/gcrypt*.h %_includedir/gcrypt*.h
%_datadir/aclocal/%{name}.m4 %_datadir/aclocal/%{name}.m4
%if 0%{?separate_hmac256_binary}
%files hmac256
%defattr(-,root,root)
%endif # %if 0%{?separate_hmac256_binary}
%{_bindir}/hmac256
%{_bindir}/.hmac256.hmac
%changelog %changelog