From 16991a5be46cb1617acec215a4e83d0268501b11 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 1 Feb 2011 18:54:42 +0100 Subject: [PATCH] - use /dev/urandom for seeding in the FIPS mode - make the tests to pass in the FIPS mode also fixing the FIPS-186-3 DSA keygen --- libgcrypt-1.4.5-tests.patch | 206 ++++++++++++++++++++++++++++++++++ libgcrypt-1.4.5-urandom.patch | 33 ++++++ libgcrypt.spec | 13 ++- 3 files changed, 251 insertions(+), 1 deletion(-) create mode 100644 libgcrypt-1.4.5-tests.patch create mode 100644 libgcrypt-1.4.5-urandom.patch diff --git a/libgcrypt-1.4.5-tests.patch b/libgcrypt-1.4.5-tests.patch new file mode 100644 index 0000000..c71f3a8 --- /dev/null +++ b/libgcrypt-1.4.5-tests.patch 
@@ -0,0 +1,206 @@ +diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c +--- libgcrypt-1.4.5/cipher/dsa.c.tests 2009-08-21 10:18:30.000000000 +0200 ++++ libgcrypt-1.4.5/cipher/dsa.c 2011-02-01 18:04:56.000000000 +0100 +@@ -468,21 +468,20 @@ generate_fips186 (DSA_secret_key *sk, un + &initial_seed.seedlen); + } + +- /* Fixme: Enable 186-3 after it has been approved and after fixing +- the generation function. */ +- /* if (use_fips186_2) */ +- (void)use_fips186_2; +- ec = _gcry_generate_fips186_2_prime (nbits, qbits, ++ if (use_fips186_2) ++ ec = _gcry_generate_fips186_2_prime (nbits, qbits, + initial_seed.seed, + initial_seed.seedlen, + &prime_q, &prime_p, + r_counter, + r_seed, r_seedlen); +- /* else */ +- /* ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, */ +- /* &prime_q, &prime_p, */ +- /* r_counter, */ +- /* r_seed, r_seedlen, NULL); */ ++ else ++ ec = _gcry_generate_fips186_3_prime (nbits, qbits, ++ initial_seed.seed, ++ initial_seed.seedlen, ++ &prime_q, &prime_p, ++ r_counter, ++ r_seed, r_seedlen, NULL); + gcry_sexp_release (initial_seed.sexp); + if (ec) + goto leave; +diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen.c +--- libgcrypt-1.4.5/cipher/primegen.c.tests 2009-04-02 11:25:34.000000000 +0200 ++++ libgcrypt-1.4.5/cipher/primegen.c 2011-02-01 18:00:53.000000000 +0100 +@@ -1647,7 +1647,7 @@ _gcry_generate_fips186_3_prime (unsigned + gpg_err_code_t ec; + unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */ + unsigned char *seed_plus; /* Malloced buffer to hold SEED+x. */ +- unsigned char digest[256/8]; /* Helper buffer for SHA-1 digest. */ ++ unsigned char digest[256/8]; /* Helper buffer for SHA-x digest. */ + gcry_mpi_t val_2 = NULL; /* Helper for the prime test. */ + gcry_mpi_t tmpval = NULL; /* Helper variable. */ + int hashalgo; /* The id of the Approved Hash Function. 
*/ +@@ -1737,7 +1737,7 @@ _gcry_generate_fips186_3_prime (unsigned + } + gcry_mpi_release (prime_q); prime_q = NULL; + ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG, +- value_u, sizeof value_u, NULL)); ++ value_u, qbits/8, NULL)); + if (ec) + goto leave; + mpi_set_highbit (prime_q, qbits-1 ); +@@ -1782,7 +1782,7 @@ _gcry_generate_fips186_3_prime (unsigned + if (seed_plus[i]) + break; + } +- gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen); ++ gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen); + + gcry_mpi_release (tmpval); tmpval = NULL; + ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG, +@@ -1822,11 +1822,11 @@ _gcry_generate_fips186_3_prime (unsigned + } + + /* Step 12: Save p, q, counter and seed. */ +- log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n", ++/* log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n", + mpi_get_nbits (prime_p), mpi_get_nbits (prime_q), counter); + log_printhex("fips186-3 seed:", seed, seedlen); + log_mpidump ("fips186-3 prime p", prime_p); +- log_mpidump ("fips186-3 prime q", prime_q); ++ log_mpidump ("fips186-3 prime q", prime_q); */ + if (r_q) + { + *r_q = prime_q; +diff -up libgcrypt-1.4.5/cipher/rsa.c.tests libgcrypt-1.4.5/cipher/rsa.c +--- libgcrypt-1.4.5/cipher/rsa.c.tests 2009-04-02 11:25:34.000000000 +0200 ++++ libgcrypt-1.4.5/cipher/rsa.c 2011-02-01 18:40:26.000000000 +0100 +@@ -388,7 +388,7 @@ generate_x931 (RSA_secret_key *sk, unsig + + *swapped = 0; + +- if (e_value == 1) /* Alias for a secure value. */ ++ if (e_value == 1 || e_value == 0) /* Alias for a secure value. 
*/ + e_value = 65537; + + /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */ +diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/random-fips.c +--- libgcrypt-1.4.5/random/random-fips.c.tests 2011-02-01 12:31:00.000000000 +0100 ++++ libgcrypt-1.4.5/random/random-fips.c 2011-02-01 12:31:00.000000000 +0100 +@@ -691,6 +691,7 @@ get_random (void *buffer, size_t length, + + check_guards (rng_ctx); + ++ reinitialize: + /* Initialize the cipher handle and thus setup the key if needed. */ + if (!rng_ctx->cipher_hd) + { +@@ -710,13 +711,11 @@ get_random (void *buffer, size_t length, + if (rng_ctx->key_init_pid != getpid () + || rng_ctx->seed_init_pid != getpid ()) + { +- /* We are in a child of us. Because we have no way yet to do +- proper re-initialization (including self-checks etc), the +- only chance we have is to bail out. Obviusly a fork/exec +- won't harm because the exec overwrites the old image. */ +- fips_signal_error ("fork without proper re-initialization " +- "detected in RNG"); +- goto bailout; ++ /* Just reinitialize the key & seed. */ ++ gcry_cipher_close(rng_ctx->cipher_hd); ++ rng_ctx->cipher_hd = NULL; ++ rng_ctx->is_seeded = 0; ++ goto reinitialize; + } + + if (x931_aes_driver (buffer, length, rng_ctx)) +diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c +--- libgcrypt-1.4.5/tests/ac.c.tests 2009-04-02 11:25:34.000000000 +0200 ++++ libgcrypt-1.4.5/tests/ac.c 2011-02-01 12:49:14.000000000 +0100 +@@ -150,6 +150,9 @@ main (int argc, char **argv) + if (!gcry_check_version (GCRYPT_VERSION)) + die ("version mismatch\n"); + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); ++ if (gcry_fips_mode_active()) ++ /* ac not functional in the fips mode, skip it */ ++ return 77; + if (debug) + gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + /* No valuable keys are create, so we can speed up our RNG. 
*/ +diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c +--- libgcrypt-1.4.5/tests/ac-data.c.tests 2009-04-02 11:25:34.000000000 +0200 ++++ libgcrypt-1.4.5/tests/ac-data.c 2011-02-01 12:49:54.000000000 +0100 +@@ -198,6 +198,9 @@ main (int argc, char **argv) + if (!gcry_check_version (GCRYPT_VERSION)) + die ("version mismatch\n"); + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); ++ if (gcry_fips_mode_active()) ++ /* ac not functional in the fips mode, skip it */ ++ return 77; + if (debug) + gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + +diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schemes.c +--- libgcrypt-1.4.5/tests/ac-schemes.c.tests 2009-04-02 11:25:34.000000000 +0200 ++++ libgcrypt-1.4.5/tests/ac-schemes.c 2011-02-01 12:49:41.000000000 +0100 +@@ -338,6 +338,9 @@ main (int argc, char **argv) + if (! gcry_check_version (GCRYPT_VERSION)) + die ("version mismatch\n"); + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); ++ if (gcry_fips_mode_active()) ++ /* ac not functional in the fips mode, skip it */ ++ return 77; + if (debug) + gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + +diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c +--- libgcrypt-1.4.5/tests/keygen.c.tests 2009-04-02 11:25:34.000000000 +0200 ++++ libgcrypt-1.4.5/tests/keygen.c 2011-02-01 18:19:56.000000000 +0100 +@@ -148,12 +148,12 @@ check_rsa_keys (void) + } + + if (verbose) +- fprintf (stderr, "creating 1536 bit DSA key\n"); ++ fprintf (stderr, "creating 2048 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" +- " (nbits 4:1536)\n" +- " (qbits 3:224)\n" ++ " (nbits 4:2048)\n" ++ " (qbits 3:256)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); +@@ -190,11 +190,11 @@ check_rsa_keys (void) + + + if (verbose) +- fprintf (stderr, "creating 512 bit RSA key with e=257\n"); ++ fprintf (stderr, "creating 1024 bit RSA key with e=257\n"); + rc = 
gcry_sexp_new (&keyparm, + "(genkey\n" + " (rsa\n" +- " (nbits 3:512)\n" ++ " (nbits 4:1024)\n" + " (rsa-use-e 3:257)\n" + " ))", 0, 1); + if (rc) +@@ -208,11 +208,11 @@ check_rsa_keys (void) + gcry_sexp_release (key); + + if (verbose) +- fprintf (stderr, "creating 512 bit RSA key with default e\n"); ++ fprintf (stderr, "creating 1024 bit RSA key with default secure e\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (rsa\n" +- " (nbits 3:512)\n" ++ " (nbits 4:1024)\n" + " (rsa-use-e 1:0)\n" + " ))", 0, 1); + if (rc) diff --git a/libgcrypt-1.4.5-urandom.patch b/libgcrypt-1.4.5-urandom.patch new file mode 100644 index 0000000..0bccbfc --- /dev/null +++ b/libgcrypt-1.4.5-urandom.patch 
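Review bot: The fork-recovery rewrite in random/random-fips.c (the `@@ -710,13 +711,11 @@` hunk) replaces the fips_signal_error bail-out with `goto reinitialize` after clearing only cipher_hd and is_seeded, so the loop terminates only if the key and seed setup that sits between the `reinitialize:` label and the pid comparison stamps both key_init_pid and seed_init_pid with the current getpid(); that setup lies outside the hunk, so please confirm it does, otherwise a forked child spins forever. The comment being removed also stated that a proper re-initialization must include the self-checks, and as far as the hunk shows the new branch re-keys and re-seeds without re-running any self-test, which should be stated at the new code, e.g. `/* Child after fork: discard the inherited key and seed and redo the setup above; this relies on that setup updating key_init_pid/seed_init_pid. Self-tests are not re-run here. */`. get_random begins and ends outside the hunk. Separately, in primegen.c the Step-12 log_debug/log_mpidump calls are disabled by wrapping them in a block comment rather than deleting or conditionally compiling them; commented-out code rots, so prefer removing those lines.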
@@ -0,0 +1,33 @@ +diff -up libgcrypt-1.4.5/random/random-fips.c.urandom libgcrypt-1.4.5/random/random-fips.c +--- libgcrypt-1.4.5/random/random-fips.c.urandom 2009-04-02 11:25:34.000000000 +0200 ++++ libgcrypt-1.4.5/random/random-fips.c 2011-02-01 11:33:59.000000000 +0100 +@@ -29,8 +29,8 @@ + + Generator Seed and Key Kernel entropy (init/reseed) + ------------------------------------------------------------ +- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits +- GCRY_STRONG_RANDOM /dev/random 256/128 bits ++ GCRY_VERY_STRONG_RANDOM /dev/urandom 256/128 bits ++ GCRY_STRONG_RANDOM /dev/urandom 256/128 bits + gcry_create_nonce GCRY_STRONG_RANDOM n/a + + All random generators return their data in 128 bit blocks. If the +@@ -40,8 +40,7 @@ + (SEED_TTL) output blocks; the re-seeding is disabled in test mode. + + The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are +- keyed and seeded from the /dev/random device. Thus these +- generators may block until the kernel has collected enough entropy. ++ keyed and seeded from the /dev/urandom device. + + The gcry_create_nonce generator is keyed and seeded from the + GCRY_STRONG_RANDOM generator. It may also block if the +@@ -562,7 +561,7 @@ get_entropy (size_t nbytes) + #if USE_RNDLINUX + rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, + X931_AES_KEYLEN, +- GCRY_VERY_STRONG_RANDOM); ++ GCRY_STRONG_RANDOM); + #elif USE_RNDW32 + do + { diff --git a/libgcrypt.spec b/libgcrypt.spec index e81f80e..a6ca1f6 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.4.5 -Release: 4%{?dist} +Release: 5%{?dist} URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.bz2 # The original libgcrypt sources now contain potentially patented ECC 
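Review bot: The header comment's nonce paragraph is now stale: the context line `GCRY_STRONG_RANDOM generator. It may also block if the` still talks about blocking right after the `@@ -40,8 +40,7 @@` hunk removed the statement that the strong generators may block, so the sentence continuing outside the hunk should be reworded or dropped. In get_entropy the only code change is passing GCRY_STRONG_RANDOM instead of GCRY_VERY_STRONG_RANDOM to _gcry_rndlinux_gather_random, presumably because that level is what makes the Linux gatherer read /dev/urandom; the argument no longer says what it is for, so a comment at the call such as `/* GCRY_STRONG_RANDOM selects the non-blocking /dev/urandom source; both FIPS generator levels are seeded from it. */` would keep the intent with the code. As the updated table shows, GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM now draw their seed from the same source, which callers choosing the stronger level should be made aware of. get_entropy's body continues outside the hunk.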
@@ -14,6 +14,10 @@ Source3: hobble-libgcrypt Patch2: libgcrypt-1.4.4-use-fipscheck.patch # fix ImplicitDSOLinking (missing -lgpg-error linkage in tests/), upstreamable Patch3: libgcrypt-1.4.5-ImplicitDSOLinking.patch +# use /dev/urandom in the FIPS mode +Patch4: libgcrypt-1.4.5-urandom.patch +# fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen +Patch5: libgcrypt-1.4.5-tests.patch # Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction. # Documentation and some utilities are GPLv2+ licensed. These files @@ -48,6 +52,8 @@ applications using libgcrypt. %{SOURCE3} %patch2 -p1 -b .use-fipscheck %patch3 -p1 -b .ImplicitDSOLinking +%patch4 -p1 -b .urandom +%patch5 -p1 -b .tests mv AUTHORS AUTHORS.iso88591 iconv -f ISO-8859-1 -t UTF-8 AUTHORS.iso88591 >AUTHORS @@ -159,6 +165,11 @@ exit 0 %doc COPYING %changelog +* Tue Feb 1 2011 Tomas Mraz 1.4.5-5 +- use /dev/urandom for seeding in the FIPS mode +- make the tests to pass in the FIPS mode also fixing + the FIPS-186-3 DSA keygen + * Sun Feb 14 2010 Rex Dieter 1.4.5-4 - FTBFS libgcrypt-1.4.5-3.fc13: ImplicitDSOLinking (#564973)