forked from pool/libgcrypt
Accepting request 227791 from home:msmeissn:branches:devel:libraries:c_c++
- FIPS changes (from Fedora): - replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by libgcrypt-1.6.1-fips-cfgrandom.patch - libgcrypt-fixed-sizet.patch: fixed an int type for -flto - libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary - libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests OBS-URL: https://build.opensuse.org/request/show/227791 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=46
This commit is contained in:
parent
660cd0c24e
commit
c25b02784b
@ -1,185 +0,0 @@
|
|||||||
From: draht@suse.com
|
|
||||||
Subject: /etc/gcrypt/rngseed symlink
|
|
||||||
|
|
||||||
logic error in evaluation of routine to open /dev/{u,}random or
|
|
||||||
/etc/gcrypt/rngseed (open_device()) causes abort() in cases where
|
|
||||||
do_randomize(nbytes, level) is called with level == 1
|
|
||||||
(GCRY_STRONG_RANDOM).
|
|
||||||
|
|
||||||
References: bnc#724841
|
|
||||||
https://bugzilla.novell.com/show_bug.cgi?id=724841
|
|
||||||
|
|
||||||
---
|
|
||||||
random/random-csprng.c | 2 -
|
|
||||||
random/random-fips.c | 10 ++++----
|
|
||||||
random/rndlinux.c | 58 ++++++++++++++++++++++++++++++++++++++++---------
|
|
||||||
3 files changed, 54 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
Index: libgcrypt-1.6.0/random/random-csprng.c
|
|
||||||
===================================================================
|
|
||||||
--- libgcrypt-1.6.0.orig/random/random-csprng.c
|
|
||||||
+++ libgcrypt-1.6.0/random/random-csprng.c
|
|
||||||
@@ -832,7 +832,7 @@ read_seed_file (void)
|
|
||||||
* entropy drivers, however the rndlinux driver will use
|
|
||||||
* /dev/urandom and return some stuff - Do not read too much as we
|
|
||||||
* want to be friendly to the scare system entropy resource. */
|
|
||||||
- read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM );
|
|
||||||
+ read_random_source ( RANDOM_ORIGIN_INIT, 16, -1 );
|
|
||||||
|
|
||||||
allow_seed_file_update = 1;
|
|
||||||
return 1;
|
|
||||||
Index: libgcrypt-1.6.0/random/random-fips.c
|
|
||||||
===================================================================
|
|
||||||
--- libgcrypt-1.6.0.orig/random/random-fips.c
|
|
||||||
+++ libgcrypt-1.6.0/random/random-fips.c
|
|
||||||
@@ -27,10 +27,10 @@
|
|
||||||
There are 3 random context which map to the different levels of
|
|
||||||
random quality:
|
|
||||||
|
|
||||||
- Generator Seed and Key Kernel entropy (init/reseed)
|
|
||||||
- ------------------------------------------------------------
|
|
||||||
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
|
|
||||||
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
|
|
||||||
+ Generator Seed and Key Kernel entropy (init/reseed)
|
|
||||||
+ ---------------------------------------------------------------------------------------
|
|
||||||
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
|
|
||||||
+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
|
|
||||||
gcry_create_nonce GCRY_STRONG_RANDOM n/a
|
|
||||||
|
|
||||||
All random generators return their data in 128 bit blocks. If the
|
|
||||||
@@ -562,7 +562,7 @@ get_entropy (size_t nbytes)
|
|
||||||
#if USE_RNDLINUX
|
|
||||||
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
|
|
||||||
X931_AES_KEYLEN,
|
|
||||||
- GCRY_VERY_STRONG_RANDOM);
|
|
||||||
+ -1);
|
|
||||||
#elif USE_RNDW32
|
|
||||||
do
|
|
||||||
{
|
|
||||||
Index: libgcrypt-1.6.0/random/rndlinux.c
|
|
||||||
===================================================================
|
|
||||||
--- libgcrypt-1.6.0.orig/random/rndlinux.c
|
|
||||||
+++ libgcrypt-1.6.0/random/rndlinux.c
|
|
||||||
@@ -36,7 +36,8 @@
|
|
||||||
#include "g10lib.h"
|
|
||||||
#include "rand-internal.h"
|
|
||||||
|
|
||||||
-static int open_device (const char *name, int retry);
|
|
||||||
+static int open_device (const char *name, int retry, int fatal);
|
|
||||||
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
|
|
||||||
|
|
||||||
|
|
||||||
static int
|
|
||||||
@@ -59,7 +60,7 @@ set_cloexec_flag (int fd)
|
|
||||||
* a fatal error but retries until it is able to reopen the device.
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
-open_device (const char *name, int retry)
|
|
||||||
+open_device (const char *name, int retry, int fatal)
|
|
||||||
{
|
|
||||||
int fd;
|
|
||||||
|
|
||||||
@@ -67,8 +68,9 @@ open_device (const char *name, int retry
|
|
||||||
_gcry_random_progress ("open_dev_random", 'X', 1, 0);
|
|
||||||
again:
|
|
||||||
fd = open (name, O_RDONLY);
|
|
||||||
- if (fd == -1 && retry)
|
|
||||||
- {
|
|
||||||
+ if (fd == -1) {
|
|
||||||
+ if (retry)
|
|
||||||
+ {
|
|
||||||
struct timeval tv;
|
|
||||||
|
|
||||||
tv.tv_sec = 5;
|
|
||||||
@@ -76,9 +78,14 @@ open_device (const char *name, int retry
|
|
||||||
_gcry_random_progress ("wait_dev_random", 'X', 0, (int)tv.tv_sec);
|
|
||||||
select (0, NULL, NULL, NULL, &tv);
|
|
||||||
goto again;
|
|
||||||
- }
|
|
||||||
- if (fd == -1)
|
|
||||||
- log_fatal ("can't open %s: %s\n", name, strerror(errno) );
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ if (fatal)
|
|
||||||
+ log_fatal ("can't open %s: %s\n", name, strerror(errno) );
|
|
||||||
+ return fd;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (set_cloexec_flag (fd))
|
|
||||||
log_error ("error setting FD_CLOEXEC on fd %d: %s\n",
|
|
||||||
@@ -111,11 +118,13 @@ _gcry_rndlinux_gather_random (void (*add
|
|
||||||
{
|
|
||||||
static int fd_urandom = -1;
|
|
||||||
static int fd_random = -1;
|
|
||||||
+ static int fd_configured = -1;
|
|
||||||
static unsigned char ever_opened;
|
|
||||||
int fd;
|
|
||||||
int n;
|
|
||||||
byte buffer[768];
|
|
||||||
size_t n_hw;
|
|
||||||
+ size_t orig_length = length;
|
|
||||||
size_t want = length;
|
|
||||||
size_t last_so_far = 0;
|
|
||||||
int any_need_entropy = 0;
|
|
||||||
@@ -153,20 +162,46 @@ _gcry_rndlinux_gather_random (void (*add
|
|
||||||
that we always require the device to be existent but want a more
|
|
||||||
graceful behaviour if the rarely needed close operation has been
|
|
||||||
used and the device needs to be re-opened later. */
|
|
||||||
+
|
|
||||||
+ /* Clarification: path how "level == -1" comes about:
|
|
||||||
+ gcry_random_bytes( ... , GCRY_STRONG_RANDOM) (public) ->
|
|
||||||
+ do_randomize(buffer, nbytes, level) ->
|
|
||||||
+ _gcry_rngcsprng_randomize(buffer, length, level) ->
|
|
||||||
+ read_pool (p, n, level) ->
|
|
||||||
+ read_seed_file(),
|
|
||||||
+ random_poll() ->
|
|
||||||
+ read_random_source(..., ..., GCRY_STRONG_RANDOM),
|
|
||||||
+ read_random_source(... , ..., , -1 ) (note: -1) ->
|
|
||||||
+ slow_gather_fnc(..., ..., ..., level)
|
|
||||||
+ function pointer set by getfnc_gather_random() to
|
|
||||||
+ _gcry_rndlinux_gather_random() , which is here.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ if (level == -1)
|
|
||||||
+ {
|
|
||||||
+ if (fd_configured == -1)
|
|
||||||
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0);
|
|
||||||
+ fd = fd_configured;
|
|
||||||
+ if (fd == -1)
|
|
||||||
+ level = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+
|
|
||||||
if (level >= 2)
|
|
||||||
{
|
|
||||||
if (fd_random == -1)
|
|
||||||
{
|
|
||||||
- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1));
|
|
||||||
+ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
|
|
||||||
ever_opened |= 1;
|
|
||||||
}
|
|
||||||
fd = fd_random;
|
|
||||||
}
|
|
||||||
- else
|
|
||||||
+ else if (level != -1)
|
|
||||||
{
|
|
||||||
if (fd_urandom == -1)
|
|
||||||
{
|
|
||||||
- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
|
|
||||||
+ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
|
|
||||||
ever_opened |= 2;
|
|
||||||
}
|
|
||||||
fd = fd_urandom;
|
|
||||||
@@ -242,6 +277,9 @@ _gcry_rndlinux_gather_random (void (*add
|
|
||||||
}
|
|
||||||
memset(buffer, 0, sizeof(buffer) );
|
|
||||||
|
|
||||||
+ if (level == -1)
|
|
||||||
+ _gcry_rndlinux_gather_random(add, origin, orig_length, 1);
|
|
||||||
+
|
|
||||||
if (any_need_entropy)
|
|
||||||
_gcry_random_progress ("need_entropy", 'X', (int)want, (int)want);
|
|
||||||
|
|
1123
libgcrypt-1.6.1-fips-cavs.patch
Normal file
1123
libgcrypt-1.6.1-fips-cavs.patch
Normal file
File diff suppressed because it is too large
Load Diff
134
libgcrypt-1.6.1-fips-cfgrandom.patch
Normal file
134
libgcrypt-1.6.1-fips-cfgrandom.patch
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
Index: libgcrypt-1.6.1/random/random-fips.c
|
||||||
|
===================================================================
|
||||||
|
--- libgcrypt-1.6.1.orig/random/random-fips.c
|
||||||
|
+++ libgcrypt-1.6.1/random/random-fips.c
|
||||||
|
@@ -27,10 +27,10 @@
|
||||||
|
There are 3 random context which map to the different levels of
|
||||||
|
random quality:
|
||||||
|
|
||||||
|
- Generator Seed and Key Kernel entropy (init/reseed)
|
||||||
|
- ------------------------------------------------------------
|
||||||
|
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
|
||||||
|
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
|
||||||
|
+ Generator Seed and Key Kernel entropy (init/reseed)
|
||||||
|
+ ---------------------------------------------------------------------------------------
|
||||||
|
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
|
||||||
|
+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
|
||||||
|
gcry_create_nonce GCRY_STRONG_RANDOM n/a
|
||||||
|
|
||||||
|
All random generators return their data in 128 bit blocks. If the
|
||||||
|
@@ -40,8 +40,10 @@
|
||||||
|
(SEED_TTL) output blocks; the re-seeding is disabled in test mode.
|
||||||
|
|
||||||
|
The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
|
||||||
|
- keyed and seeded from the /dev/random device. Thus these
|
||||||
|
- generators may block until the kernel has collected enough entropy.
|
||||||
|
+ keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed
|
||||||
|
+ if the device or symlink to device exists xored with the data
|
||||||
|
+ from the /dev/urandom device. This allows the system administrator
|
||||||
|
+ to always seed the RNGs from /dev/random if it is required.
|
||||||
|
|
||||||
|
The gcry_create_nonce generator is keyed and seeded from the
|
||||||
|
GCRY_STRONG_RANDOM generator. It may also block if the
|
||||||
|
@@ -560,9 +562,13 @@ get_entropy (size_t nbytes)
|
||||||
|
entropy_collect_buffer_len = 0;
|
||||||
|
|
||||||
|
#if USE_RNDLINUX
|
||||||
|
+ _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
|
||||||
|
+ X931_AES_KEYLEN,
|
||||||
|
+ -1);
|
||||||
|
+ entropy_collect_buffer_len = 0;
|
||||||
|
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
|
||||||
|
X931_AES_KEYLEN,
|
||||||
|
- GCRY_VERY_STRONG_RANDOM);
|
||||||
|
+ GCRY_STRONG_RANDOM);
|
||||||
|
#elif USE_RNDW32
|
||||||
|
do
|
||||||
|
{
|
||||||
|
Index: libgcrypt-1.6.1/random/rndlinux.c
|
||||||
|
===================================================================
|
||||||
|
--- libgcrypt-1.6.1.orig/random/rndlinux.c
|
||||||
|
+++ libgcrypt-1.6.1/random/rndlinux.c
|
||||||
|
@@ -36,7 +36,9 @@
|
||||||
|
#include "g10lib.h"
|
||||||
|
#include "rand-internal.h"
|
||||||
|
|
||||||
|
-static int open_device (const char *name, int retry);
|
||||||
|
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
|
||||||
|
+
|
||||||
|
+static int open_device (const char *name, int retry, int fatal);
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
@@ -59,7 +61,7 @@ set_cloexec_flag (int fd)
|
||||||
|
* a fatal error but retries until it is able to reopen the device.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
-open_device (const char *name, int retry)
|
||||||
|
+open_device (const char *name, int retry, int fatal)
|
||||||
|
{
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
@@ -67,6 +69,8 @@ open_device (const char *name, int retry
|
||||||
|
_gcry_random_progress ("open_dev_random", 'X', 1, 0);
|
||||||
|
again:
|
||||||
|
fd = open (name, O_RDONLY);
|
||||||
|
+ if (fd == -1 && !fatal)
|
||||||
|
+ return fd;
|
||||||
|
if (fd == -1 && retry)
|
||||||
|
{
|
||||||
|
struct timeval tv;
|
||||||
|
@@ -111,6 +115,7 @@ _gcry_rndlinux_gather_random (void (*add
|
||||||
|
{
|
||||||
|
static int fd_urandom = -1;
|
||||||
|
static int fd_random = -1;
|
||||||
|
+ static int fd_configured = -1;
|
||||||
|
static unsigned char ever_opened;
|
||||||
|
int fd;
|
||||||
|
int n;
|
||||||
|
@@ -134,6 +139,11 @@ _gcry_rndlinux_gather_random (void (*add
|
||||||
|
close (fd_urandom);
|
||||||
|
fd_urandom = -1;
|
||||||
|
}
|
||||||
|
+ if (fd_configured != -1)
|
||||||
|
+ {
|
||||||
|
+ close (fd_configured);
|
||||||
|
+ fd_configured = -1;
|
||||||
|
+ }
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -153,20 +163,30 @@ _gcry_rndlinux_gather_random (void (*add
|
||||||
|
that we always require the device to be existent but want a more
|
||||||
|
graceful behaviour if the rarely needed close operation has been
|
||||||
|
used and the device needs to be re-opened later. */
|
||||||
|
+
|
||||||
|
+ if (level == -1)
|
||||||
|
+ {
|
||||||
|
+ if (fd_configured == -1)
|
||||||
|
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0 );
|
||||||
|
+ fd = fd_configured;
|
||||||
|
+ if (fd == -1)
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (level >= 2)
|
||||||
|
{
|
||||||
|
if (fd_random == -1)
|
||||||
|
{
|
||||||
|
- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1));
|
||||||
|
+ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
|
||||||
|
ever_opened |= 1;
|
||||||
|
}
|
||||||
|
fd = fd_random;
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
+ else if (level != -1)
|
||||||
|
{
|
||||||
|
if (fd_urandom == -1)
|
||||||
|
{
|
||||||
|
- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
|
||||||
|
+ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
|
||||||
|
ever_opened |= 2;
|
||||||
|
}
|
||||||
|
fd = fd_urandom;
|
89
libgcrypt-1.6.1-use-fipscheck.patch
Normal file
89
libgcrypt-1.6.1-use-fipscheck.patch
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
Index: libgcrypt-1.6.1/src/fips.c
|
||||||
|
===================================================================
|
||||||
|
--- libgcrypt-1.6.1.orig/src/fips.c
|
||||||
|
+++ libgcrypt-1.6.1/src/fips.c
|
||||||
|
@@ -589,23 +589,48 @@ run_random_selftests (void)
|
||||||
|
return !!err;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
|
||||||
|
+{
|
||||||
|
+ Dl_info info;
|
||||||
|
+ void *dl, *sym;
|
||||||
|
+ int rv = -1;
|
||||||
|
+
|
||||||
|
+ dl = dlopen(libname, RTLD_LAZY);
|
||||||
|
+ if (dl == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ sym = dlsym(dl, symbolname);
|
||||||
|
+
|
||||||
|
+ if (sym != NULL && dladdr(sym, &info)) {
|
||||||
|
+ strncpy(path, info.dli_fname, pathlen-1);
|
||||||
|
+ path[pathlen-1] = '\0';
|
||||||
|
+ rv = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ dlclose(dl);
|
||||||
|
+
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Run an integrity check on the binary. Returns 0 on success. */
|
||||||
|
static int
|
||||||
|
check_binary_integrity (void)
|
||||||
|
{
|
||||||
|
#ifdef ENABLE_HMAC_BINARY_CHECK
|
||||||
|
gpg_error_t err;
|
||||||
|
- Dl_info info;
|
||||||
|
+ char libpath[4096];
|
||||||
|
unsigned char digest[32];
|
||||||
|
int dlen;
|
||||||
|
char *fname = NULL;
|
||||||
|
- const char key[] = "What am I, a doctor or a moonshuttle conductor?";
|
||||||
|
-
|
||||||
|
- if (!dladdr ("gcry_check_version", &info))
|
||||||
|
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
|
||||||
|
+
|
||||||
|
+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
|
||||||
|
err = gpg_error_from_syserror ();
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname,
|
||||||
|
+ dlen = _gcry_hmac256_file (digest, sizeof digest, libpath,
|
||||||
|
key, strlen (key));
|
||||||
|
if (dlen < 0)
|
||||||
|
err = gpg_error_from_syserror ();
|
||||||
|
@@ -613,7 +638,7 @@ check_binary_integrity (void)
|
||||||
|
err = gpg_error (GPG_ERR_INTERNAL);
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- fname = _gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 );
|
||||||
|
+ fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
|
||||||
|
if (!fname)
|
||||||
|
err = gpg_error_from_syserror ();
|
||||||
|
else
|
||||||
|
@@ -622,7 +647,7 @@ check_binary_integrity (void)
|
||||||
|
char *p;
|
||||||
|
|
||||||
|
/* Prefix the basename with a dot. */
|
||||||
|
- strcpy (fname, info.dli_fname);
|
||||||
|
+ strcpy (fname, libpath);
|
||||||
|
p = strrchr (fname, '/');
|
||||||
|
if (p)
|
||||||
|
p++;
|
||||||
|
Index: libgcrypt-1.6.1/src/Makefile.in
|
||||||
|
===================================================================
|
||||||
|
--- libgcrypt-1.6.1.orig/src/Makefile.in
|
||||||
|
+++ libgcrypt-1.6.1/src/Makefile.in
|
||||||
|
@@ -449,7 +449,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
|
||||||
|
../cipher/libcipher.la \
|
||||||
|
../random/librandom.la \
|
||||||
|
../mpi/libmpi.la \
|
||||||
|
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
|
||||||
|
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl
|
||||||
|
|
||||||
|
dumpsexp_SOURCES = dumpsexp.c
|
||||||
|
dumpsexp_CFLAGS = $(arch_gpg_error_cflags)
|
216
libgcrypt-fips-allow-legacy.patch
Normal file
216
libgcrypt-fips-allow-legacy.patch
Normal file
@ -0,0 +1,216 @@
|
|||||||
|
diff -urNp libgcrypt-1.5.3.orig/cipher/cipher.c libgcrypt-1.5.3/cipher/cipher.c
|
||||||
|
--- libgcrypt-1.5.3.orig/cipher/cipher.c 2013-08-14 02:41:07.967316255 +0200
|
||||||
|
+++ libgcrypt-1.5.3/cipher/cipher.c 2013-08-14 03:11:19.403611811 +0200
|
||||||
|
@@ -293,6 +293,15 @@ dummy_decrypt_stream (void *c,
|
||||||
|
BUG();
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Re-Register default cipher listing */
|
||||||
|
+void
|
||||||
|
+cipher_reregister_default(void)
|
||||||
|
+{
|
||||||
|
+ ath_mutex_lock (&ciphers_registered_lock);
|
||||||
|
+ default_ciphers_registered = 0;
|
||||||
|
+ ath_mutex_unlock (&ciphers_registered_lock);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
|
||||||
|
/* Internal function. Register all the ciphers included in
|
||||||
|
CIPHER_TABLE. Note, that this function gets only used by the macro
|
||||||
|
@@ -316,7 +325,8 @@ cipher_register_default (void)
|
||||||
|
if (! cipher_table[i].cipher->stdecrypt)
|
||||||
|
cipher_table[i].cipher->stdecrypt = dummy_decrypt_stream;
|
||||||
|
|
||||||
|
- if ( fips_mode () && !cipher_table[i].fips_allowed )
|
||||||
|
+ if ( !_gcry_is_fips_mode_inactive() &&
|
||||||
|
+ fips_mode () && !cipher_table[i].fips_allowed )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
err = _gcry_module_add (&ciphers_registered,
|
||||||
|
diff -urNp libgcrypt-1.5.3.orig/cipher/md.c libgcrypt-1.5.3/cipher/md.c
|
||||||
|
--- libgcrypt-1.5.3.orig/cipher/md.c 2013-08-14 02:41:07.968316245 +0200
|
||||||
|
+++ libgcrypt-1.5.3/cipher/md.c 2013-08-14 03:20:04.269937326 +0200
|
||||||
|
@@ -168,7 +168,14 @@ static void md_start_debug ( gcry_md_hd_
|
||||||
|
static void md_stop_debug ( gcry_md_hd_t a );
|
||||||
|
|
||||||
|
|
||||||
|
-
|
||||||
|
+/* Re-Register default digest listing */
|
||||||
|
+void
|
||||||
|
+digest_reregister_default(void)
|
||||||
|
+{
|
||||||
|
+ ath_mutex_lock (&digests_registered_lock);
|
||||||
|
+ default_digests_registered = 0;
|
||||||
|
+ ath_mutex_unlock (&digests_registered_lock);
|
||||||
|
+}
|
||||||
|
|
||||||
|
/* Internal function. Register all the ciphers included in
|
||||||
|
CIPHER_TABLE. Returns zero on success or an error code. */
|
||||||
|
@@ -180,7 +187,8 @@ md_register_default (void)
|
||||||
|
|
||||||
|
for (i = 0; !err && digest_table[i].digest; i++)
|
||||||
|
{
|
||||||
|
- if ( fips_mode ())
|
||||||
|
+ if ( !_gcry_is_fips_mode_inactive() &&
|
||||||
|
+ fips_mode ())
|
||||||
|
{
|
||||||
|
if (!digest_table[i].fips_allowed)
|
||||||
|
continue;
|
||||||
|
diff -urNp libgcrypt-1.5.3.orig/cipher/pubkey.c libgcrypt-1.5.3/cipher/pubkey.c
|
||||||
|
--- libgcrypt-1.5.3.orig/cipher/pubkey.c 2013-08-14 02:41:07.969316234 +0200
|
||||||
|
+++ libgcrypt-1.5.3/cipher/pubkey.c 2013-08-14 03:22:07.227878253 +0200
|
||||||
|
@@ -192,6 +192,15 @@ dummy_get_nbits (int algorithm, gcry_mpi
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Re-Register default digest listing */
|
||||||
|
+void
|
||||||
|
+pk_reregister_default(void)
|
||||||
|
+{
|
||||||
|
+ ath_mutex_lock (&pubkeys_registered_lock);
|
||||||
|
+ default_pubkeys_registered = 0;
|
||||||
|
+ ath_mutex_unlock (&pubkeys_registered_lock);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Internal function. Register all the pubkeys included in
|
||||||
|
PUBKEY_TABLE. Returns zero on success or an error code. */
|
||||||
|
static void
|
||||||
|
@@ -202,6 +211,10 @@ pk_register_default (void)
|
||||||
|
|
||||||
|
for (i = 0; (! err) && pubkey_table[i].pubkey; i++)
|
||||||
|
{
|
||||||
|
+ if ( !_gcry_is_fips_mode_inactive() &&
|
||||||
|
+ fips_mode () && !pubkey_table[i].fips_allowed )
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
#define pubkey_use_dummy(func) \
|
||||||
|
if (! pubkey_table[i].pubkey->func) \
|
||||||
|
pubkey_table[i].pubkey->func = dummy_##func;
|
||||||
|
diff -urNp libgcrypt-1.5.3.orig/doc/gcrypt.texi libgcrypt-1.5.3/doc/gcrypt.texi
|
||||||
|
--- libgcrypt-1.5.3.orig/doc/gcrypt.texi 2013-08-14 02:41:07.908316872 +0200
|
||||||
|
+++ libgcrypt-1.5.3/doc/gcrypt.texi 2013-08-14 03:43:51.808257657 +0200
|
||||||
|
@@ -844,6 +844,25 @@ This option may be used to disabale a ce
|
||||||
|
behaves as if this feature has not been detected. Note that the
|
||||||
|
detection code might be run if the feature has been disabled. This
|
||||||
|
command must be used at initialization time; i.e. before calling
|
||||||
|
+
|
||||||
|
+@item GCRYCTL_INACTIVATE_FIPS_FLAG; Arguments: const char *log
|
||||||
|
+Suspend FIPS mode which implies that all ciphers are again allowed to be used.
|
||||||
|
+Still, all operations around the FIPS 140-2 mode, such as the finite
|
||||||
|
+state model enforcement are still enforced. The idea of this mode
|
||||||
|
+is to allow the caller to implement legacy operations, such as
|
||||||
|
+decryption or signature verification of data that is already present
|
||||||
|
+using non-approved ciphers. After the legacy operation is completed,
|
||||||
|
+GCRYCTL_REACTIVATE_FIPS_FLAG should be invoked to limit the ciphers
|
||||||
|
+again. The argument allows the caller to provide a string that is logged.
|
||||||
|
+
|
||||||
|
+@item GCRYCTL_REACTIVATE_FIPS_FLAG; Arguments: const char *log
|
||||||
|
+Re-activate FIPS mode by limiting the allowed cipher listing to the
|
||||||
|
+approved ciphers. This call should be called immediately after the
|
||||||
|
+legacy operations that are made possible with
|
||||||
|
+@code{GCRYCTL_INACTIVATE_FIPS_FLAG} are completed. FIPS 140-2 self
|
||||||
|
+tests are invoked. The argument allows the caller to provide a
|
||||||
|
+string that is logged.
|
||||||
|
+
|
||||||
|
@code{gcry_check_version}.
|
||||||
|
|
||||||
|
@end table
|
||||||
|
Binärdateien libgcrypt-1.5.3.orig/doc/.gcrypt.texi.swp und libgcrypt-1.5.3/doc/.gcrypt.texi.swp sind verschieden.
|
||||||
|
diff -urNp libgcrypt-1.5.3.orig/src/fips.c libgcrypt-1.5.3/src/fips.c
|
||||||
|
--- libgcrypt-1.5.3.orig/src/fips.c 2013-08-14 02:41:07.943316506 +0200
|
||||||
|
+++ libgcrypt-1.5.3/src/fips.c 2013-08-14 03:33:47.600705208 +0200
|
||||||
|
@@ -307,6 +307,10 @@ _gcry_inactivate_fips_mode (const char *
|
||||||
|
{
|
||||||
|
inactive_fips_mode = 1;
|
||||||
|
unlock_fsm ();
|
||||||
|
+ /* enforce reloading of cipher list to allow use of all ciphers */
|
||||||
|
+ cipher_reregister_default();
|
||||||
|
+ digest_reregister_default();
|
||||||
|
+ pk_reregister_default();
|
||||||
|
#ifdef HAVE_SYSLOG
|
||||||
|
syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
|
||||||
|
"%s - FIPS mode inactivated", text);
|
||||||
|
@@ -316,6 +320,33 @@ _gcry_inactivate_fips_mode (const char *
|
||||||
|
unlock_fsm ();
|
||||||
|
}
|
||||||
|
|
||||||
|
+void
|
||||||
|
+_gcry_reactivate_fips_mode (const char *text)
|
||||||
|
+{
|
||||||
|
+ gcry_assert (_gcry_fips_mode ());
|
||||||
|
+
|
||||||
|
+ lock_fsm ();
|
||||||
|
+ if (inactive_fips_mode)
|
||||||
|
+ {
|
||||||
|
+ inactive_fips_mode = 0;
|
||||||
|
+ unlock_fsm ();
|
||||||
|
+ /* execute self test as there have been non-approved ciphers allowed
|
||||||
|
+ * to execute */
|
||||||
|
+ _gcry_fips_run_selftests(0);
|
||||||
|
+ /* enforce reloading of cipher list to only use FIPS ciphers */
|
||||||
|
+ cipher_reregister_default();
|
||||||
|
+ digest_reregister_default();
|
||||||
|
+ pk_reregister_default();
|
||||||
|
+#ifdef HAVE_SYSLOG
|
||||||
|
+ syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
|
||||||
|
+ "%s - FIPS mode activated", text);
|
||||||
|
+#endif /*HAVE_SYSLOG*/
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ unlock_fsm ();
|
||||||
|
+
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
|
||||||
|
/* Return the FIPS mode inactive flag. If it is true the FIPS mode is
|
||||||
|
not anymore active. */
|
||||||
|
diff -urNp libgcrypt-1.5.3.orig/src/g10lib.h libgcrypt-1.5.3/src/g10lib.h
|
||||||
|
--- libgcrypt-1.5.3.orig/src/g10lib.h 2013-08-14 02:41:07.941316527 +0200
|
||||||
|
+++ libgcrypt-1.5.3/src/g10lib.h 2013-08-14 03:25:29.836347533 +0200
|
||||||
|
@@ -329,8 +329,11 @@ int _gcry_enforced_fips_mode (void);
|
||||||
|
void _gcry_set_enforced_fips_mode (void);
|
||||||
|
|
||||||
|
void _gcry_inactivate_fips_mode (const char *text);
|
||||||
|
+void _gcry_reactivate_fips_mode (const char *text);
|
||||||
|
int _gcry_is_fips_mode_inactive (void);
|
||||||
|
-
|
||||||
|
+void cipher_reregister_default(void);
|
||||||
|
+void digest_reregister_default(void);
|
||||||
|
+void pk_reregister_default(void);
|
||||||
|
|
||||||
|
void _gcry_fips_signal_error (const char *srcfile,
|
||||||
|
int srcline,
|
||||||
|
diff -urNp libgcrypt-1.5.3.orig/src/gcrypt.h libgcrypt-1.5.3/src/gcrypt.h
|
||||||
|
--- libgcrypt-1.5.3.orig/src/gcrypt.h.in 2013-08-14 02:41:07.942316516 +0200
|
||||||
|
+++ libgcrypt-1.5.3/src/gcrypt.h.in 2013-08-14 02:58:13.304374921 +0200
|
||||||
|
@@ -423,7 +423,9 @@ enum gcry_ctl_cmds
|
||||||
|
GCRYCTL_SELFTEST = 57,
|
||||||
|
/* Note: 58 .. 62 are used internally. */
|
||||||
|
GCRYCTL_DISABLE_HWF = 63,
|
||||||
|
- GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64
|
||||||
|
+ GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64,
|
||||||
|
+ GCRYCTL_INACTIVATE_FIPS_FLAG = 65,
|
||||||
|
+ GCRYCTL_REACTIVATE_FIPS_FLAG = 66
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Perform various operations defined by CMD. */
|
||||||
|
diff -urNp libgcrypt-1.5.3.orig/src/global.c libgcrypt-1.5.3/src/global.c
|
||||||
|
--- libgcrypt-1.5.3.orig/src/global.c 2013-08-14 02:41:07.943316506 +0200
|
||||||
|
+++ libgcrypt-1.5.3/src/global.c 2013-08-15 23:40:34.233497710 +0200
|
||||||
|
@@ -609,6 +609,16 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
||||||
|
err = GPG_ERR_GENERAL;
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case GCRYCTL_INACTIVATE_FIPS_FLAG:
|
||||||
|
+ log_info ("FIPS mode enabled but allow all approved and non-approved ciphers\n");
|
||||||
|
+ _gcry_inactivate_fips_mode (va_arg (arg_ptr, const char *));
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ case GCRYCTL_REACTIVATE_FIPS_FLAG:
|
||||||
|
+ log_info ("FIPS mode enabled and limit ciphers to approved ciphers\n");
|
||||||
|
+ _gcry_reactivate_fips_mode (va_arg (arg_ptr, const char *));
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
default:
|
||||||
|
err = GPG_ERR_INV_OP;
|
||||||
|
}
|
13
libgcrypt-fixed-sizet.patch
Normal file
13
libgcrypt-fixed-sizet.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
Index: libgcrypt-1.6.1/random/rndlinux.c
|
||||||
|
===================================================================
|
||||||
|
--- libgcrypt-1.6.1.orig/random/rndlinux.c
|
||||||
|
+++ libgcrypt-1.6.1/random/rndlinux.c
|
||||||
|
@@ -261,7 +261,7 @@ _gcry_rndlinux_gather_random (void (*add
|
||||||
|
|
||||||
|
do
|
||||||
|
{
|
||||||
|
- int nbytes = length < sizeof(buffer)? length : sizeof(buffer);
|
||||||
|
+ size_t nbytes = length < sizeof(buffer)? length : sizeof(buffer);
|
||||||
|
n = read(fd, buffer, nbytes );
|
||||||
|
if( n >= 0 && n > nbytes )
|
||||||
|
{
|
@ -1,3 +1,13 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 27 14:57:22 UTC 2014 - meissner@suse.com
|
||||||
|
|
||||||
|
- FIPS changes (from Fedora):
|
||||||
|
- replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by
|
||||||
|
libgcrypt-1.6.1-fips-cfgrandom.patch
|
||||||
|
- libgcrypt-fixed-sizet.patch: fixed an int type for -flto
|
||||||
|
- libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary
|
||||||
|
- libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jan 30 13:29:49 UTC 2014 - idonmez@suse.com
|
Thu Jan 30 13:29:49 UTC 2014 - idonmez@suse.com
|
||||||
|
|
||||||
|
@ -41,14 +41,22 @@ Patch4: %{name}-sparcv9.diff
|
|||||||
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
|
#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
|
||||||
#was: libgcrypt-1.5.0-as-needed.patch
|
#was: libgcrypt-1.5.0-as-needed.patch
|
||||||
Patch5: libgcrypt-unresolved-dladdr.patch
|
Patch5: libgcrypt-unresolved-dladdr.patch
|
||||||
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
|
|
||||||
Patch6: libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
|
|
||||||
#PATCH-FIX-SUSE: N/A
|
#PATCH-FIX-SUSE: N/A
|
||||||
|
|
||||||
Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
|
Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
|
||||||
|
|
||||||
#PATCH-FIX-UPSTREAM: internal functions are supposed to be used inside libgcrypt, mvyskocil@suse.com
|
#PATCH-FIX-UPSTREAM: internal functions are supposed to be used inside libgcrypt, mvyskocil@suse.com
|
||||||
Patch8: libgcrypt-1.6.0-use-intenal-functions.patch
|
Patch8: libgcrypt-1.6.0-use-intenal-functions.patch
|
||||||
|
Patch10: libgcrypt-fips-allow-legacy.patch
|
||||||
|
Patch11: libgcrypt-fixed-sizet.patch
|
||||||
|
|
||||||
|
Patch12: libgcrypt-1.6.1-use-fipscheck.patch
|
||||||
|
Patch13: libgcrypt-1.6.1-fips-cavs.patch
|
||||||
|
#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
|
||||||
|
Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: automake >= 1.11
|
BuildRequires: automake >= 1.11
|
||||||
|
BuildRequires: fipscheck
|
||||||
BuildRequires: libgpg-error-devel >= 1.11
|
BuildRequires: libgpg-error-devel >= 1.11
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
# not for base packages to avoid huge cycles
|
# not for base packages to avoid huge cycles
|
||||||
@ -107,14 +115,17 @@ understanding of applied cryptography is required to use Libgcrypt.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{version}
|
||||||
%patch0 -p1
|
|
||||||
%patch1
|
%patch1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
|
#%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
%patch13 -p1
|
||||||
|
%patch14 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
echo building with build_hmac256 set to %{build_hmac256}
|
echo building with build_hmac256 set to %{build_hmac256}
|
||||||
@ -141,15 +152,13 @@ make %{?_smp_mflags}
|
|||||||
# this shows up earlier because otherwise the %expand of
|
# this shows up earlier because otherwise the %expand of
|
||||||
# the macro is too late.
|
# the macro is too late.
|
||||||
%{expand:%%global __os_install_post {%__os_install_post
|
%{expand:%%global __os_install_post {%__os_install_post
|
||||||
|
fipshmac %{buildroot}/%{_bindir}/hmac256
|
||||||
%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
|
fipshmac %{buildroot}/%{_libdir}/*.so.??
|
||||||
< %{buildroot}/%{_bindir}/hmac256 > %{buildroot}/%{_bindir}/.hmac256.hmac
|
|
||||||
%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
|
|
||||||
< %{buildroot}/%{_libdir}/libgcrypt.so.%{sosuffix} > %{buildroot}/%{_libdir}/.libgcrypt.so.20.hmac
|
|
||||||
}}
|
}}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%check
|
%check
|
||||||
|
fipshmac src/.libs/libgcrypt.so.??
|
||||||
# Nice idea. however this uses /dev/random, which hangs
|
# Nice idea. however this uses /dev/random, which hangs
|
||||||
# on hardware without random feeds.
|
# on hardware without random feeds.
|
||||||
# so lets not run it inside OBS
|
# so lets not run it inside OBS
|
||||||
|
Loading…
Reference in New Issue
Block a user