testing/libgcrypt
SHA256
3
0
Fork 0
forked from pool/libgcrypt
Code Pull Requests Activity

Accepting request 228871 from devel:libraries:c_c++

Browse Source 
- Cleanup with spec-cleaner to sort out.
- Really apply ppc64 patch as it was ommited probably by mistake.

- FIPS changes (from Fedora):
  - replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by
    libgcrypt-1.6.1-fips-cfgrandom.patch
  - libgcrypt-fixed-sizet.patch: fixed an int type for -flto
  - libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary
  - libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests
- use fipscheck only after 13.1
- libgcrypt-fips-allow-legacy.patch: attempt to allow some
  legacy algorithms for gpg2 usage even in FIPS mode.
  (currently not applied)

OBS-URL: https://build.opensuse.org/request/show/228871
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libgcrypt?expand=0&rev=44
This commit is contained in:
Stephan Kulow 2014-04-05 14:50:10 +00:00 committed by Git OBS Bridge
commit 8631b8d6e2
8 changed files with 1637 additions and 206 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
View File

@ -1,185 +0,0 @@
From: draht@suse.com
Subject: /etc/gcrypt/rngseed symlink
logic error in evaluation of routine to open /dev/{u,}random or
/etc/gcrypt/rngseed (open_device()) causes abort() in cases where
do_randomize(nbytes, level) is called with level == 1
(GCRY_STRONG_RANDOM).
References: bnc#724841
https://bugzilla.novell.com/show_bug.cgi?id=724841
---
random/random-csprng.c | 2 -
random/random-fips.c | 10 ++++----
random/rndlinux.c | 58 ++++++++++++++++++++++++++++++++++++++++---------
3 files changed, 54 insertions(+), 16 deletions(-)
Index: libgcrypt-1.6.0/random/random-csprng.c
===================================================================
--- libgcrypt-1.6.0.orig/random/random-csprng.c
+++ libgcrypt-1.6.0/random/random-csprng.c
@@ -832,7 +832,7 @@ read_seed_file (void)
* entropy drivers, however the rndlinux driver will use
* /dev/urandom and return some stuff - Do not read too much as we
* want to be friendly to the scare system entropy resource. */
- read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM );
+ read_random_source ( RANDOM_ORIGIN_INIT, 16, -1 );
allow_seed_file_update = 1;
return 1;
Index: libgcrypt-1.6.0/random/random-fips.c
===================================================================
--- libgcrypt-1.6.0.orig/random/random-fips.c
+++ libgcrypt-1.6.0/random/random-fips.c
@@ -27,10 +27,10 @@
There are 3 random context which map to the different levels of
random quality:
- Generator Seed and Key Kernel entropy (init/reseed)
- ------------------------------------------------------------
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
+ Generator Seed and Key Kernel entropy (init/reseed)
+ ---------------------------------------------------------------------------------------
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
gcry_create_nonce GCRY_STRONG_RANDOM n/a
All random generators return their data in 128 bit blocks. If the
@@ -562,7 +562,7 @@ get_entropy (size_t nbytes)
#if USE_RNDLINUX
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
X931_AES_KEYLEN,
- GCRY_VERY_STRONG_RANDOM);
+ -1);
#elif USE_RNDW32
do
{
Index: libgcrypt-1.6.0/random/rndlinux.c
===================================================================
--- libgcrypt-1.6.0.orig/random/rndlinux.c
+++ libgcrypt-1.6.0/random/rndlinux.c
@@ -36,7 +36,8 @@
#include "g10lib.h"
#include "rand-internal.h"
-static int open_device (const char *name, int retry);
+static int open_device (const char *name, int retry, int fatal);
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
static int
@@ -59,7 +60,7 @@ set_cloexec_flag (int fd)
* a fatal error but retries until it is able to reopen the device.
*/
static int
-open_device (const char *name, int retry)
+open_device (const char *name, int retry, int fatal)
{
int fd;
@@ -67,8 +68,9 @@ open_device (const char *name, int retry
_gcry_random_progress ("open_dev_random", 'X', 1, 0);
again:
fd = open (name, O_RDONLY);
- if (fd == -1 && retry)
- {
+ if (fd == -1) {
+ if (retry)
+ {
struct timeval tv;
tv.tv_sec = 5;
@@ -76,9 +78,14 @@ open_device (const char *name, int retry
_gcry_random_progress ("wait_dev_random", 'X', 0, (int)tv.tv_sec);
select (0, NULL, NULL, NULL, &tv);
goto again;
- }
- if (fd == -1)
- log_fatal ("can't open %s: %s\n", name, strerror(errno) );
+ }
+ else
+ {
+ if (fatal)
+ log_fatal ("can't open %s: %s\n", name, strerror(errno) );
+ return fd;
+ }
+ }
if (set_cloexec_flag (fd))
log_error ("error setting FD_CLOEXEC on fd %d: %s\n",
@@ -111,11 +118,13 @@ _gcry_rndlinux_gather_random (void (*add
{
static int fd_urandom = -1;
static int fd_random = -1;
+ static int fd_configured = -1;
static unsigned char ever_opened;
int fd;
int n;
byte buffer[768];
size_t n_hw;
+ size_t orig_length = length;
size_t want = length;
size_t last_so_far = 0;
int any_need_entropy = 0;
@@ -153,20 +162,46 @@ _gcry_rndlinux_gather_random (void (*add
that we always require the device to be existent but want a more
graceful behaviour if the rarely needed close operation has been
used and the device needs to be re-opened later. */
+
+ /* Clarification: path how "level == -1" comes about:
+ gcry_random_bytes( ... , GCRY_STRONG_RANDOM) (public) ->
+ do_randomize(buffer, nbytes, level) ->
+ _gcry_rngcsprng_randomize(buffer, length, level) ->
+ read_pool (p, n, level) ->
+ read_seed_file(),
+ random_poll() ->
+ read_random_source(..., ..., GCRY_STRONG_RANDOM),
+ read_random_source(... , ..., , -1 ) (note: -1) ->
+ slow_gather_fnc(..., ..., ..., level)
+ function pointer set by getfnc_gather_random() to
+ _gcry_rndlinux_gather_random() , which is here.
+ */
+
+
+ if (level == -1)
+ {
+ if (fd_configured == -1)
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0);
+ fd = fd_configured;
+ if (fd == -1)
+ level = 1;
+ }
+
+
if (level >= 2)
{
if (fd_random == -1)
{
- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1));
+ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
ever_opened |= 1;
}
fd = fd_random;
}
- else
+ else if (level != -1)
{
if (fd_urandom == -1)
{
- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
+ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
ever_opened |= 2;
}
fd = fd_urandom;
@@ -242,6 +277,9 @@ _gcry_rndlinux_gather_random (void (*add
}
memset(buffer, 0, sizeof(buffer) );
+ if (level == -1)
+ _gcry_rndlinux_gather_random(add, origin, orig_length, 1);
+
if (any_need_entropy)
_gcry_random_progress ("need_entropy", 'X', (int)want, (int)want);

1123
libgcrypt-1.6.1-fips-cavs.patch Normal file
View File

File diff suppressed because it is too large Load Diff

134
libgcrypt-1.6.1-fips-cfgrandom.patch Normal file
View File

@ -0,0 +1,134 @@
Index: libgcrypt-1.6.1/random/random-fips.c
===================================================================
--- libgcrypt-1.6.1.orig/random/random-fips.c
+++ libgcrypt-1.6.1/random/random-fips.c
@@ -27,10 +27,10 @@
There are 3 random context which map to the different levels of
random quality:
- Generator Seed and Key Kernel entropy (init/reseed)
- ------------------------------------------------------------
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
+ Generator Seed and Key Kernel entropy (init/reseed)
+ ---------------------------------------------------------------------------------------
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
gcry_create_nonce GCRY_STRONG_RANDOM n/a
All random generators return their data in 128 bit blocks. If the
@@ -40,8 +40,10 @@
(SEED_TTL) output blocks; the re-seeding is disabled in test mode.
The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
- keyed and seeded from the /dev/random device. Thus these
- generators may block until the kernel has collected enough entropy.
+ keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed
+ if the device or symlink to device exists xored with the data
+ from the /dev/urandom device. This allows the system administrator
+ to always seed the RNGs from /dev/random if it is required.
The gcry_create_nonce generator is keyed and seeded from the
GCRY_STRONG_RANDOM generator. It may also block if the
@@ -560,9 +562,13 @@ get_entropy (size_t nbytes)
entropy_collect_buffer_len = 0;
#if USE_RNDLINUX
+ _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
+ X931_AES_KEYLEN,
+ -1);
+ entropy_collect_buffer_len = 0;
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
X931_AES_KEYLEN,
- GCRY_VERY_STRONG_RANDOM);
+ GCRY_STRONG_RANDOM);
#elif USE_RNDW32
do
{
Index: libgcrypt-1.6.1/random/rndlinux.c
===================================================================
--- libgcrypt-1.6.1.orig/random/rndlinux.c
+++ libgcrypt-1.6.1/random/rndlinux.c
@@ -36,7 +36,9 @@
#include "g10lib.h"
#include "rand-internal.h"
-static int open_device (const char *name, int retry);
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
+
+static int open_device (const char *name, int retry, int fatal);
static int
@@ -59,7 +61,7 @@ set_cloexec_flag (int fd)
* a fatal error but retries until it is able to reopen the device.
*/
static int
-open_device (const char *name, int retry)
+open_device (const char *name, int retry, int fatal)
{
int fd;
@@ -67,6 +69,8 @@ open_device (const char *name, int retry
_gcry_random_progress ("open_dev_random", 'X', 1, 0);
again:
fd = open (name, O_RDONLY);
+ if (fd == -1 && !fatal)
+ return fd;
if (fd == -1 && retry)
{
struct timeval tv;
@@ -111,6 +115,7 @@ _gcry_rndlinux_gather_random (void (*add
{
static int fd_urandom = -1;
static int fd_random = -1;
+ static int fd_configured = -1;
static unsigned char ever_opened;
int fd;
int n;
@@ -134,6 +139,11 @@ _gcry_rndlinux_gather_random (void (*add
close (fd_urandom);
fd_urandom = -1;
}
+ if (fd_configured != -1)
+ {
+ close (fd_configured);
+ fd_configured = -1;
+ }
return 0;
}
@@ -153,20 +163,30 @@ _gcry_rndlinux_gather_random (void (*add
that we always require the device to be existent but want a more
graceful behaviour if the rarely needed close operation has been
used and the device needs to be re-opened later. */
+
+ if (level == -1)
+ {
+ if (fd_configured == -1)
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0 );
+ fd = fd_configured;
+ if (fd == -1)
+ return -1;
+ }
+
if (level >= 2)
{
if (fd_random == -1)
{
- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1));
+ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
ever_opened |= 1;
}
fd = fd_random;
}
- else
+ else if (level != -1)
{
if (fd_urandom == -1)
{
- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
+ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
ever_opened |= 2;
}
fd = fd_urandom;

89
libgcrypt-1.6.1-use-fipscheck.patch Normal file
View File

@ -0,0 +1,89 @@
Index: libgcrypt-1.6.1/src/fips.c
===================================================================
--- libgcrypt-1.6.1.orig/src/fips.c
+++ libgcrypt-1.6.1/src/fips.c
@@ -589,23 +589,48 @@ run_random_selftests (void)
return !!err;
}
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
+
+ sym = dlsym(dl, symbolname);
+
+ if (sym != NULL && dladdr(sym, &info)) {
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
/* Run an integrity check on the binary. Returns 0 on success. */
static int
check_binary_integrity (void)
{
#ifdef ENABLE_HMAC_BINARY_CHECK
gpg_error_t err;
- Dl_info info;
+ char libpath[4096];
unsigned char digest[32];
int dlen;
char *fname = NULL;
- const char key[] = "What am I, a doctor or a moonshuttle conductor?";
-
- if (!dladdr ("gcry_check_version", &info))
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
err = gpg_error_from_syserror ();
else
{
- dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname,
+ dlen = _gcry_hmac256_file (digest, sizeof digest, libpath,
key, strlen (key));
if (dlen < 0)
err = gpg_error_from_syserror ();
@@ -613,7 +638,7 @@ check_binary_integrity (void)
err = gpg_error (GPG_ERR_INTERNAL);
else
{
- fname = _gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 );
+ fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
if (!fname)
err = gpg_error_from_syserror ();
else
@@ -622,7 +647,7 @@ check_binary_integrity (void)
char *p;
/* Prefix the basename with a dot. */
- strcpy (fname, info.dli_fname);
+ strcpy (fname, libpath);
p = strrchr (fname, '/');
if (p)
p++;
Index: libgcrypt-1.6.1/src/Makefile.in
===================================================================
--- libgcrypt-1.6.1.orig/src/Makefile.in
+++ libgcrypt-1.6.1/src/Makefile.in
@@ -449,7 +449,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
../cipher/libcipher.la \
../random/librandom.la \
../mpi/libmpi.la \
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl
dumpsexp_SOURCES = dumpsexp.c
dumpsexp_CFLAGS = $(arch_gpg_error_cflags)

216
libgcrypt-fips-allow-legacy.patch Normal file
View File

@ -0,0 +1,216 @@
diff -urNp libgcrypt-1.5.3.orig/cipher/cipher.c libgcrypt-1.5.3/cipher/cipher.c
--- libgcrypt-1.5.3.orig/cipher/cipher.c 2013-08-14 02:41:07.967316255 +0200
+++ libgcrypt-1.5.3/cipher/cipher.c 2013-08-14 03:11:19.403611811 +0200
@@ -293,6 +293,15 @@ dummy_decrypt_stream (void *c,
BUG();
}
+/* Re-Register default cipher listing */
+void
+cipher_reregister_default(void)
+{
+ ath_mutex_lock (&ciphers_registered_lock);
+ default_ciphers_registered = 0;
+ ath_mutex_unlock (&ciphers_registered_lock);
+}
+
/* Internal function. Register all the ciphers included in
CIPHER_TABLE. Note, that this function gets only used by the macro
@@ -316,7 +325,8 @@ cipher_register_default (void)
if (! cipher_table[i].cipher->stdecrypt)
cipher_table[i].cipher->stdecrypt = dummy_decrypt_stream;
- if ( fips_mode () && !cipher_table[i].fips_allowed )
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode () && !cipher_table[i].fips_allowed )
continue;
err = _gcry_module_add (&ciphers_registered,
diff -urNp libgcrypt-1.5.3.orig/cipher/md.c libgcrypt-1.5.3/cipher/md.c
--- libgcrypt-1.5.3.orig/cipher/md.c 2013-08-14 02:41:07.968316245 +0200
+++ libgcrypt-1.5.3/cipher/md.c 2013-08-14 03:20:04.269937326 +0200
@@ -168,7 +168,14 @@ static void md_start_debug ( gcry_md_hd_
static void md_stop_debug ( gcry_md_hd_t a );
-
+/* Re-Register default digest listing */
+void
+digest_reregister_default(void)
+{
+ ath_mutex_lock (&digests_registered_lock);
+ default_digests_registered = 0;
+ ath_mutex_unlock (&digests_registered_lock);
+}
/* Internal function. Register all the ciphers included in
CIPHER_TABLE. Returns zero on success or an error code. */
@@ -180,7 +187,8 @@ md_register_default (void)
for (i = 0; !err && digest_table[i].digest; i++)
{
- if ( fips_mode ())
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode ())
{
if (!digest_table[i].fips_allowed)
continue;
diff -urNp libgcrypt-1.5.3.orig/cipher/pubkey.c libgcrypt-1.5.3/cipher/pubkey.c
--- libgcrypt-1.5.3.orig/cipher/pubkey.c 2013-08-14 02:41:07.969316234 +0200
+++ libgcrypt-1.5.3/cipher/pubkey.c 2013-08-14 03:22:07.227878253 +0200
@@ -192,6 +192,15 @@ dummy_get_nbits (int algorithm, gcry_mpi
return 0;
}
+/* Re-Register default digest listing */
+void
+pk_reregister_default(void)
+{
+ ath_mutex_lock (&pubkeys_registered_lock);
+ default_pubkeys_registered = 0;
+ ath_mutex_unlock (&pubkeys_registered_lock);
+}
+
/* Internal function. Register all the pubkeys included in
PUBKEY_TABLE. Returns zero on success or an error code. */
static void
@@ -202,6 +211,10 @@ pk_register_default (void)
for (i = 0; (! err) && pubkey_table[i].pubkey; i++)
{
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode () && !pubkey_table[i].fips_allowed )
+ continue;
+
#define pubkey_use_dummy(func) \
if (! pubkey_table[i].pubkey->func) \
pubkey_table[i].pubkey->func = dummy_##func;
diff -urNp libgcrypt-1.5.3.orig/doc/gcrypt.texi libgcrypt-1.5.3/doc/gcrypt.texi
--- libgcrypt-1.5.3.orig/doc/gcrypt.texi 2013-08-14 02:41:07.908316872 +0200
+++ libgcrypt-1.5.3/doc/gcrypt.texi 2013-08-14 03:43:51.808257657 +0200
@@ -844,6 +844,25 @@ This option may be used to disabale a ce
behaves as if this feature has not been detected. Note that the
detection code might be run if the feature has been disabled. This
command must be used at initialization time; i.e. before calling
+
+@item GCRYCTL_INACTIVATE_FIPS_FLAG; Arguments: const char *log
+Suspend FIPS mode which implies that all ciphers are again allowed to be used.
+Still, all operations around the FIPS 140-2 mode, such as the finite
+state model enforcement are still enforced. The idea of this mode
+is to allow the caller to implement legacy operations, such as
+decryption or signature verification of data that is already present
+using non-approved ciphers. After the legacy operation is completed,
+GCRYCTL_REACTIVATE_FIPS_FLAG should be invoked to limit the ciphers
+again. The argument allows the caller to provide a string that is logged.
+
+@item GCRYCTL_REACTIVATE_FIPS_FLAG; Arguments: const char *log
+Re-activate FIPS mode by limiting the allowed cipher listing to the
+approved ciphers. This call should be called immediately after the
+legacy operations that are made possible with
+@code{GCRYCTL_INACTIVATE_FIPS_FLAG} are completed. FIPS 140-2 self
+tests are invoked. The argument allows the caller to provide a
+string that is logged.
+
@code{gcry_check_version}.
@end table
Binärdateien libgcrypt-1.5.3.orig/doc/.gcrypt.texi.swp und libgcrypt-1.5.3/doc/.gcrypt.texi.swp sind verschieden.
diff -urNp libgcrypt-1.5.3.orig/src/fips.c libgcrypt-1.5.3/src/fips.c
--- libgcrypt-1.5.3.orig/src/fips.c 2013-08-14 02:41:07.943316506 +0200
+++ libgcrypt-1.5.3/src/fips.c 2013-08-14 03:33:47.600705208 +0200
@@ -307,6 +307,10 @@ _gcry_inactivate_fips_mode (const char *
{
inactive_fips_mode = 1;
unlock_fsm ();
+ /* enforce reloading of cipher list to allow use of all ciphers */
+ cipher_reregister_default();
+ digest_reregister_default();
+ pk_reregister_default();
#ifdef HAVE_SYSLOG
syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
"%s - FIPS mode inactivated", text);
@@ -316,6 +320,33 @@ _gcry_inactivate_fips_mode (const char *
unlock_fsm ();
}
+void
+_gcry_reactivate_fips_mode (const char *text)
+{
+ gcry_assert (_gcry_fips_mode ());
+
+ lock_fsm ();
+ if (inactive_fips_mode)
+ {
+ inactive_fips_mode = 0;
+ unlock_fsm ();
+ /* execute self test as there have been non-approved ciphers allowed
+ * to execute */
+ _gcry_fips_run_selftests(0);
+ /* enforce reloading of cipher list to only use FIPS ciphers */
+ cipher_reregister_default();
+ digest_reregister_default();
+ pk_reregister_default();
+#ifdef HAVE_SYSLOG
+ syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
+ "%s - FIPS mode activated", text);
+#endif /*HAVE_SYSLOG*/
+ }
+ else
+ unlock_fsm ();
+
+}
+
/* Return the FIPS mode inactive flag. If it is true the FIPS mode is
not anymore active. */
diff -urNp libgcrypt-1.5.3.orig/src/g10lib.h libgcrypt-1.5.3/src/g10lib.h
--- libgcrypt-1.5.3.orig/src/g10lib.h 2013-08-14 02:41:07.941316527 +0200
+++ libgcrypt-1.5.3/src/g10lib.h 2013-08-14 03:25:29.836347533 +0200
@@ -329,8 +329,11 @@ int _gcry_enforced_fips_mode (void);
void _gcry_set_enforced_fips_mode (void);
void _gcry_inactivate_fips_mode (const char *text);
+void _gcry_reactivate_fips_mode (const char *text);
int _gcry_is_fips_mode_inactive (void);
-
+void cipher_reregister_default(void);
+void digest_reregister_default(void);
+void pk_reregister_default(void);
void _gcry_fips_signal_error (const char *srcfile,
int srcline,
diff -urNp libgcrypt-1.5.3.orig/src/gcrypt.h libgcrypt-1.5.3/src/gcrypt.h
--- libgcrypt-1.5.3.orig/src/gcrypt.h.in 2013-08-14 02:41:07.942316516 +0200
+++ libgcrypt-1.5.3/src/gcrypt.h.in 2013-08-14 02:58:13.304374921 +0200
@@ -423,7 +423,9 @@ enum gcry_ctl_cmds
GCRYCTL_SELFTEST = 57,
/* Note: 58 .. 62 are used internally. */
GCRYCTL_DISABLE_HWF = 63,
- GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64
+ GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64,
+ GCRYCTL_INACTIVATE_FIPS_FLAG = 65,
+ GCRYCTL_REACTIVATE_FIPS_FLAG = 66
};
/* Perform various operations defined by CMD. */
diff -urNp libgcrypt-1.5.3.orig/src/global.c libgcrypt-1.5.3/src/global.c
--- libgcrypt-1.5.3.orig/src/global.c 2013-08-14 02:41:07.943316506 +0200
+++ libgcrypt-1.5.3/src/global.c 2013-08-15 23:40:34.233497710 +0200
@@ -609,6 +609,16 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
err = GPG_ERR_GENERAL;
break;
+ case GCRYCTL_INACTIVATE_FIPS_FLAG:
+ log_info ("FIPS mode enabled but allow all approved and non-approved ciphers\n");
+ _gcry_inactivate_fips_mode (va_arg (arg_ptr, const char *));
+ break;
+
+ case GCRYCTL_REACTIVATE_FIPS_FLAG:
+ log_info ("FIPS mode enabled and limit ciphers to approved ciphers\n");
+ _gcry_reactivate_fips_mode (va_arg (arg_ptr, const char *));
+ break;
+
default:
err = GPG_ERR_INV_OP;
}

13
libgcrypt-fixed-sizet.patch Normal file
View File

@ -0,0 +1,13 @@
Index: libgcrypt-1.6.1/random/rndlinux.c
===================================================================
--- libgcrypt-1.6.1.orig/random/rndlinux.c
+++ libgcrypt-1.6.1/random/rndlinux.c
@@ -261,7 +261,7 @@ _gcry_rndlinux_gather_random (void (*add
do
{
- int nbytes = length < sizeof(buffer)? length : sizeof(buffer);
+ size_t nbytes = length < sizeof(buffer)? length : sizeof(buffer);
n = read(fd, buffer, nbytes );
if( n >= 0 && n > nbytes )
{

20
libgcrypt.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Thu Apr 3 12:04:46 UTC 2014 - tchvatal@suse.com
- Cleanup with spec-cleaner to sort out.
- Really apply ppc64 patch as it was ommited probably by mistake.
-------------------------------------------------------------------
Thu Mar 27 14:57:22 UTC 2014 - meissner@suse.com
- FIPS changes (from Fedora):
- replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by
libgcrypt-1.6.1-fips-cfgrandom.patch
- libgcrypt-fixed-sizet.patch: fixed an int type for -flto
- libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary
- libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests
- use fipscheck only after 13.1
- libgcrypt-fips-allow-legacy.patch: attempt to allow some
legacy algorithms for gpg2 usage even in FIPS mode.
(currently not applied)
-------------------------------------------------------------------
Thu Jan 30 13:29:49 UTC 2014 - idonmez@suse.com

63
libgcrypt.spec
View File

@ -18,17 +18,15 @@
%define build_hmac256 1
%define separate_hmac256_binary 0
%define libsoname %{name}20
%define sosuffix 20.0.1
Name: libgcrypt
Url: http://directory.fsf.org/wiki/Libgcrypt
Version: 1.6.1
Release: 0
Summary: The GNU Crypto Library
License: GPL-2.0+ and LGPL-2.1+ and GPL-3.0+
Group: Development/Libraries/C and C++
Url: http://directory.fsf.org/wiki/Libgcrypt
Source: ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
Source2: baselibs.conf
@ -41,16 +39,23 @@ Patch4: %{name}-sparcv9.diff
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
#was: libgcrypt-1.5.0-as-needed.patch
Patch5: libgcrypt-unresolved-dladdr.patch
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
Patch6: libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
#PATCH-FIX-SUSE: N/A
Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
#PATCH-FIX-UPSTREAM: internal functions are supposed to be used inside libgcrypt, mvyskocil@suse.com
Patch8: libgcrypt-1.6.0-use-intenal-functions.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Patch10: libgcrypt-fips-allow-legacy.patch
Patch11: libgcrypt-fixed-sizet.patch
Patch12: libgcrypt-1.6.1-use-fipscheck.patch
Patch13: libgcrypt-1.6.1-fips-cavs.patch
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch
BuildRequires: automake >= 1.11
BuildRequires: libgpg-error-devel >= 1.11
BuildRequires: libtool
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} > 1310
BuildRequires: fipscheck
%endif
# not for base packages to avoid huge cycles
#BuildRequires: gpg-offline
@ -76,7 +81,7 @@ Group: Development/Libraries/C and C++
Requires: %{libsoname} = %{version}
Requires: glibc-devel
Requires: libgpg-error-devel >= 1.8
PreReq: %install_info_prereq
Requires(post): %{install_info_prereq}
%description devel
Libgcrypt is a general purpose library of cryptographic building
@ -93,9 +98,9 @@ library.
Summary: The GNU Crypto Library
License: GPL-2.0+ and LGPL-2.1+
Group: Development/Libraries/C and C++
Requires: %{libsoname} = %version
Requires: %{libsoname} = %{version}
Requires: libgpg-error-devel
PreReq: %install_info_prereq
Requires(post): %{install_info_prereq}
%description hmac256
Libgcrypt is a general purpose library of cryptographic building
@ -106,27 +111,33 @@ understanding of applied cryptography is required to use Libgcrypt.
%endif # #if separate_hmac256_binary
%prep
%setup -q -n %{name}-%{version}
%setup -q
%patch0 -p1
%patch1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
#%patch10 -p1
%patch11 -p1
%if 0%{?suse_version} > 1310
%patch12 -p1
%endif
%patch13 -p1
%patch14 -p1
%build
echo building with build_hmac256 set to %{build_hmac256}
%{?suse_update_config}
autoreconf -fi
export CFLAGS="%optflags $(getconf LFS_CFLAGS)"
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
%configure --with-pic \
--enable-noexecstack \
--disable-static \
--enable-noexecstack \
--disable-static \
--enable-m-guard \
%ifarch %sparc
--disable-asm \
%ifarch %{sparc}
--disable-asm \
%endif
--enable-hmac-binary-check \
--enable-random=linux
@ -140,6 +151,12 @@ make %{?_smp_mflags}
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
%if 0%{?suse_version} > 1310
%{expand:%%global __os_install_post {%__os_install_post
fipshmac %{buildroot}/%{_bindir}/hmac256
fipshmac %{buildroot}/%{_libdir}/*.so.??
}}
%else
%{expand:%%global __os_install_post {%__os_install_post
%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
@ -148,15 +165,19 @@ make %{?_smp_mflags}
< %{buildroot}/%{_libdir}/libgcrypt.so.%{sosuffix} > %{buildroot}/%{_libdir}/.libgcrypt.so.20.hmac
}}
%endif
%endif
%check
%if 0%{?suse_version} > 1310
fipshmac src/.libs/libgcrypt.so.??
%endif
# Nice idea. however this uses /dev/random, which hangs
# on hardware without random feeds.
# so lets not run it inside OBS
# make check
%install
make DESTDIR=$RPM_BUILD_ROOT install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
rm %{buildroot}%{_libdir}/%{name}.la
@ -176,15 +197,15 @@ rm %{buildroot}%{_libdir}/%{name}.la
%files -n %{libsoname}
%defattr(-,root,root)
%doc COPYING.LIB
%doc COPYING.LIB
%{_libdir}/%{name}.so.*
%if 0%{?build_hmac256}
%{_libdir}/.libgcrypt.so.*.hmac
%endif # %if 0%{?build_hmac256}
%endif # %if 0%{?build_hmac256}
%files devel
%defattr(-,root,root)
%doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO
%doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO
%{_infodir}/gcrypt.info.gz
%{_infodir}/gcrypt.info-1.gz
%{_infodir}/gcrypt.info-2.gz
@ -198,7 +219,7 @@ rm %{buildroot}%{_libdir}/%{name}.la
%if 0%{?separate_hmac256_binary}
%files hmac256
%defattr(-,root,root)
%endif # %if 0%{?separate_hmac256_binary}
%endif # %if 0%{?separate_hmac256_binary}
%{_bindir}/hmac256
%{_bindir}/.hmac256.hmac
%doc %{_mandir}/man1/hmac256.1*