- use /dev/urandom for seeding in the FIPS mode

- make the tests to pass in the FIPS mode also fixing the FIPS-186-3 DSA keygen
2011-02-01 18:54:42 +01:00 · 2011-02-01 18:54:42 +01:00 · 16991a5be4
commit 16991a5be4
parent 76ce03ce82
3 changed files with 251 additions and 1 deletions
--- a/libgcrypt-1.4.5-tests.patch
+++ b/libgcrypt-1.4.5-tests.patch
@ -0,0 +1,206 @@
+diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c
+--- libgcrypt-1.4.5/cipher/dsa.c.tests	2009-08-21 10:18:30.000000000 +0200
+++ libgcrypt-1.4.5/cipher/dsa.c	2011-02-01 18:04:56.000000000 +0100
+@@ -468,21 +468,20 @@ generate_fips186 (DSA_secret_key *sk, un
+                                                     &initial_seed.seedlen);
+         }
+       
+-      /* Fixme: Enable 186-3 after it has been approved and after fixing
+-         the generation function.  */
+-      /*   if (use_fips186_2) */
+-      (void)use_fips186_2;
+-      ec = _gcry_generate_fips186_2_prime (nbits, qbits, 
+      if (use_fips186_2)
+        ec = _gcry_generate_fips186_2_prime (nbits, qbits, 
+                                            initial_seed.seed, 
+                                            initial_seed.seedlen,
+                                            &prime_q, &prime_p, 
+                                            r_counter,
+                                            r_seed, r_seedlen);
+-      /*   else */
+-      /*     ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, */
+-      /*                                          &prime_q, &prime_p, */
+-      /*                                          r_counter, */
+-      /*                                          r_seed, r_seedlen, NULL); */
+      else
+        ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+                                          initial_seed.seed,
+                                          initial_seed.seedlen,
+                                          &prime_q, &prime_p,
+                                          r_counter,
+                                          r_seed, r_seedlen, NULL);
+       gcry_sexp_release (initial_seed.sexp);
+       if (ec)
+         goto leave;
+diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen.c
+--- libgcrypt-1.4.5/cipher/primegen.c.tests	2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/cipher/primegen.c	2011-02-01 18:00:53.000000000 +0100
+@@ -1647,7 +1647,7 @@ _gcry_generate_fips186_3_prime (unsigned
+   gpg_err_code_t ec;
+   unsigned char seed_help_buffer[256/8];  /* Used to hold a generated SEED. */
+   unsigned char *seed_plus;     /* Malloced buffer to hold SEED+x.  */
+-  unsigned char digest[256/8];  /* Helper buffer for SHA-1 digest.  */
+  unsigned char digest[256/8];  /* Helper buffer for SHA-x digest.  */
+   gcry_mpi_t val_2 = NULL;      /* Helper for the prime test.  */
+   gcry_mpi_t tmpval = NULL;     /* Helper variable.  */
+   int hashalgo;                 /* The id of the Approved Hash Function.  */
+@@ -1737,7 +1737,7 @@ _gcry_generate_fips186_3_prime (unsigned
+         }
+       gcry_mpi_release (prime_q); prime_q = NULL;
+       ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG, 
+-                                        value_u, sizeof value_u, NULL));
+                                        value_u, qbits/8, NULL));
+       if (ec)
+         goto leave;
+       mpi_set_highbit (prime_q, qbits-1 );
+@@ -1782,7 +1782,7 @@ _gcry_generate_fips186_3_prime (unsigned
+               if (seed_plus[i])
+                 break;
+             }
+-          gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen);
+          gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen);
+           
+           gcry_mpi_release (tmpval); tmpval = NULL;
+           ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG,
+@@ -1822,11 +1822,11 @@ _gcry_generate_fips186_3_prime (unsigned
+     }
+ 
+   /* Step 12:  Save p, q, counter and seed.  */
+-  log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n",
+/*  log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n",
+              mpi_get_nbits (prime_p), mpi_get_nbits (prime_q), counter);
+   log_printhex("fips186-3 seed:", seed, seedlen);
+   log_mpidump ("fips186-3 prime p", prime_p);
+-  log_mpidump ("fips186-3 prime q", prime_q);
+  log_mpidump ("fips186-3 prime q", prime_q); */
+   if (r_q)
+     {
+       *r_q = prime_q;
+diff -up libgcrypt-1.4.5/cipher/rsa.c.tests libgcrypt-1.4.5/cipher/rsa.c
+--- libgcrypt-1.4.5/cipher/rsa.c.tests	2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/cipher/rsa.c	2011-02-01 18:40:26.000000000 +0100
+@@ -388,7 +388,7 @@ generate_x931 (RSA_secret_key *sk, unsig
+ 
+   *swapped = 0;
+ 
+-  if (e_value == 1)   /* Alias for a secure value. */
+  if (e_value == 1 || e_value == 0)   /* Alias for a secure value. */
+     e_value = 65537; 
+ 
+   /* Point 1 of section 4.1:  k = 1024 + 256s with S >= 0  */
+diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/random-fips.c
+--- libgcrypt-1.4.5/random/random-fips.c.tests	2011-02-01 12:31:00.000000000 +0100
+++ libgcrypt-1.4.5/random/random-fips.c	2011-02-01 12:31:00.000000000 +0100
+@@ -691,6 +691,7 @@ get_random (void *buffer, size_t length,
+ 
+   check_guards (rng_ctx);
+ 
+ reinitialize:
+   /* Initialize the cipher handle and thus setup the key if needed.  */
+   if (!rng_ctx->cipher_hd)
+     {
+@@ -710,13 +711,11 @@ get_random (void *buffer, size_t length,
+   if (rng_ctx->key_init_pid != getpid ()
+       || rng_ctx->seed_init_pid != getpid ())
+     {
+-      /* We are in a child of us.  Because we have no way yet to do
+-         proper re-initialization (including self-checks etc), the
+-         only chance we have is to bail out.  Obviusly a fork/exec
+-         won't harm because the exec overwrites the old image. */
+-      fips_signal_error ("fork without proper re-initialization "
+-                         "detected in RNG");
+-      goto bailout;
+      /* Just reinitialize the key & seed. */
+      gcry_cipher_close(rng_ctx->cipher_hd);
+      rng_ctx->cipher_hd = NULL;
+      rng_ctx->is_seeded = 0;
+      goto reinitialize;
+     }
+ 
+   if (x931_aes_driver (buffer, length, rng_ctx))
+diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c
+--- libgcrypt-1.4.5/tests/ac.c.tests	2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/ac.c	2011-02-01 12:49:14.000000000 +0100
+@@ -150,6 +150,9 @@ main (int argc, char **argv)
+   if (!gcry_check_version (GCRYPT_VERSION))
+     die ("version mismatch\n");
+   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+  if (gcry_fips_mode_active())
+    /* ac not functional in the fips mode, skip it */
+    return 77;
+   if (debug)
+     gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
+   /* No valuable keys are create, so we can speed up our RNG. */
+diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c
+--- libgcrypt-1.4.5/tests/ac-data.c.tests	2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/ac-data.c	2011-02-01 12:49:54.000000000 +0100
+@@ -198,6 +198,9 @@ main (int argc, char **argv)
+   if (!gcry_check_version (GCRYPT_VERSION))
+     die ("version mismatch\n");
+   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+  if (gcry_fips_mode_active())
+    /* ac not functional in the fips mode, skip it */
+    return 77;
+   if (debug)
+     gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
+ 
+diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schemes.c
+--- libgcrypt-1.4.5/tests/ac-schemes.c.tests	2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/ac-schemes.c	2011-02-01 12:49:41.000000000 +0100
+@@ -338,6 +338,9 @@ main (int argc, char **argv)
+   if (! gcry_check_version (GCRYPT_VERSION))
+     die ("version mismatch\n");
+   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+  if (gcry_fips_mode_active())
+    /* ac not functional in the fips mode, skip it */
+    return 77;
+   if (debug)
+     gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
+ 
+diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
+--- libgcrypt-1.4.5/tests/keygen.c.tests	2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/keygen.c	2011-02-01 18:19:56.000000000 +0100
+@@ -148,12 +148,12 @@ check_rsa_keys (void)
+     }
+ 
+   if (verbose)
+-    fprintf (stderr, "creating 1536 bit DSA key\n");
+    fprintf (stderr, "creating 2048 bit DSA key\n");
+   rc = gcry_sexp_new (&keyparm, 
+                       "(genkey\n"
+                       " (dsa\n"
+-                      "  (nbits 4:1536)\n"
+-                      "  (qbits 3:224)\n"
+                      "  (nbits 4:2048)\n"
+                      "  (qbits 3:256)\n"
+                       " ))", 0, 1);
+   if (rc)
+     die ("error creating S-expression: %s\n", gpg_strerror (rc));
+@@ -190,11 +190,11 @@ check_rsa_keys (void)
+ 
+ 
+   if (verbose)
+-    fprintf (stderr, "creating 512 bit RSA key with e=257\n");
+    fprintf (stderr, "creating 1024 bit RSA key with e=257\n");
+   rc = gcry_sexp_new (&keyparm, 
+                       "(genkey\n"
+                       " (rsa\n"
+-                      "  (nbits 3:512)\n"
+                      "  (nbits 4:1024)\n"
+                       "  (rsa-use-e 3:257)\n"
+                       " ))", 0, 1);
+   if (rc)
+@@ -208,11 +208,11 @@ check_rsa_keys (void)
+   gcry_sexp_release (key);
+ 
+   if (verbose)
+-    fprintf (stderr, "creating 512 bit RSA key with default e\n");
+    fprintf (stderr, "creating 1024 bit RSA key with default secure e\n");
+   rc = gcry_sexp_new (&keyparm, 
+                       "(genkey\n"
+                       " (rsa\n"
+-                      "  (nbits 3:512)\n"
+                      "  (nbits 4:1024)\n"
+                       "  (rsa-use-e 1:0)\n"
+                       " ))", 0, 1);
+   if (rc)
--- a/libgcrypt-1.4.5-urandom.patch
+++ b/libgcrypt-1.4.5-urandom.patch
@ -0,0 +1,33 @@
+diff -up libgcrypt-1.4.5/random/random-fips.c.urandom libgcrypt-1.4.5/random/random-fips.c
+--- libgcrypt-1.4.5/random/random-fips.c.urandom	2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/random/random-fips.c	2011-02-01 11:33:59.000000000 +0100
+@@ -29,8 +29,8 @@
+ 
+    Generator                Seed and Key        Kernel entropy (init/reseed)
+    ------------------------------------------------------------
+-   GCRY_VERY_STRONG_RANDOM  /dev/random         256/128 bits
+-   GCRY_STRONG_RANDOM       /dev/random         256/128 bits
+   GCRY_VERY_STRONG_RANDOM  /dev/urandom        256/128 bits
+   GCRY_STRONG_RANDOM       /dev/urandom        256/128 bits
+    gcry_create_nonce        GCRY_STRONG_RANDOM  n/a
+ 
+    All random generators return their data in 128 bit blocks.  If the
+@@ -40,8 +40,7 @@
+    (SEED_TTL) output blocks; the re-seeding is disabled in test mode.
+ 
+    The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
+-   keyed and seeded from the /dev/random device.  Thus these
+-   generators may block until the kernel has collected enough entropy.
+   keyed and seeded from the /dev/urandom device.
+ 
+    The gcry_create_nonce generator is keyed and seeded from the
+    GCRY_STRONG_RANDOM generator.  It may also block if the
+@@ -562,7 +561,7 @@ get_entropy (size_t nbytes)
+ #if USE_RNDLINUX
+   rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
+                                      X931_AES_KEYLEN,
+-                                     GCRY_VERY_STRONG_RANDOM);
+                                     GCRY_STRONG_RANDOM);
+ #elif USE_RNDW32
+   do 
+     {
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.4.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: http://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.bz2
 # The original libgcrypt sources now contain potentially patented ECC
@ -14,6 +14,10 @@ Source3: hobble-libgcrypt
 Patch2: libgcrypt-1.4.4-use-fipscheck.patch
 # fix ImplicitDSOLinking (missing -lgpg-error linkage in tests/), upstreamable
 Patch3: libgcrypt-1.4.5-ImplicitDSOLinking.patch
+# use /dev/urandom in the FIPS mode
+Patch4: libgcrypt-1.4.5-urandom.patch
+# fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen
+Patch5: libgcrypt-1.4.5-tests.patch

 # Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
 # Documentation and some utilities are GPLv2+ licensed. These files
@ -48,6 +52,8 @@ applications using libgcrypt.
 %{SOURCE3}
 %patch2 -p1 -b .use-fipscheck
 %patch3 -p1 -b .ImplicitDSOLinking
+%patch4 -p1 -b .urandom
+%patch5 -p1 -b .tests

 mv AUTHORS AUTHORS.iso88591
 iconv -f ISO-8859-1 -t UTF-8 AUTHORS.iso88591 >AUTHORS
@ -159,6 +165,11 @@ exit 0
 %doc COPYING

 %changelog
+* Tue Feb  1 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-5
+- use /dev/urandom for seeding in the FIPS mode
+- make the tests to pass in the FIPS mode also fixing
+  the FIPS-186-3 DSA keygen
+
 * Sun Feb 14 2010 Rex Dieter <rdieter@fedoraproject.org> 1.4.5-4
 - FTBFS libgcrypt-1.4.5-3.fc13: ImplicitDSOLinking (#564973)