Two selftest bug fixes.
- touch only urandom in the selftest and when /dev/random is unavailable for example by SELinux confinement - fix the RSA selftest key (p q swap) (#1204517)
This commit is contained in:
parent
f56a95f03b
commit
376991d05a
@ -182,30 +182,30 @@ diff -up libgcrypt-1.6.2/cipher/rsa.c.fips-reqs libgcrypt-1.6.2/cipher/rsa.c
|
||||
-" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e"
|
||||
-" ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)))";
|
||||
-/* A sample 1024 bit RSA key used for the selftests (public only). */
|
||||
+" (d #36273db1f91bdba7a0417f1223ac232999d53a7b606741076353b4d2e758"
|
||||
+" 950ac705f34eb2b412d470dc4f8506d3ddd863273e673121243904bc06a4"
|
||||
+" ccce2b7afe7badde116ea3a5e604530ea34e2db48f31bfca7525520285de"
|
||||
+" 3db27243b2898a9a3441263f9a67bea4967b0e75baa693d5b8d8b857f24b"
|
||||
+" 0f1481d1574ef6454ca63bd070cad39d55de2205e78e284dee11cfb66776"
|
||||
+" 09d3e33c13f99934107bec8138f0b6349c9b506f0b91814d8994047bf03c"
|
||||
+" f4b1b200488d5a8f889ec5ab3a9e443f54e7d96e47aaa1bd404631f9f034"
|
||||
+" b604e12b5b7386dd3a921b71c73f32e5c3c2aba17ebfa452a0b06890d120"
|
||||
+" 1279e9d7c940baf219c7a50092860d01#)"
|
||||
+" (p #00fc5c6e16ce1f037bcdf7b372b28f1672b856aef7cd67d84e7d07afd543"
|
||||
+" 26c335be438f4e2f1c434e6bd2b2ec526d97522bcc5c3a6bf414c674da66"
|
||||
+" 381c7a3f842fe3f95ab865694606a33779b2a15b58ed5ea75f8c6566bbd1"
|
||||
+" 2436e637a73d49778a8c34d86929f34d5822b05124b640a886590ab7ba5c"
|
||||
+" 97da57e836da7a9cad#)"
|
||||
+" (q #00ccbe7b096906ee45bf884738a8f817e5b6ba6755e3e8058bb8e253d68e"
|
||||
+" (d #03b1e24a94e50ab21f8619701ec97679be2cf8f733c9331d9e2974dba721"
|
||||
+" 27e5def480290e78a769f96b19d28397a284868fb614ca9b1fb3a0d7efed"
|
||||
+" df41451204ce71aceba659f6ed15964ebb317712364e1cfaf2fded77d658"
|
||||
+" 8561acc49c97c2d7efe75f1534b35bd4f6561e1f468b45590db34553d4d0"
|
||||
+" c2cb4d806b74e1b2c52740462538865d9792b0aefbbf7b9827f4b3badcb3"
|
||||
+" 5adab638266a2d2fb8422a7a19142e08848e56af77a66c39b2afafa2e15b"
|
||||
+" 1a7e4ed1f2c7ed350678c0465d86472af97371b13ef5058662f835ef9087"
|
||||
+" f6cca8281bbf1b6b155c737b33d9e443350df85e7cc3b507231fb839f41f"
|
||||
+" 02c654b29017f35d69007c70e13ba0e5#)"
|
||||
+" (p #00ccbe7b096906ee45bf884738a8f817e5b6ba6755e3e8058bb8e253d68e"
|
||||
+" ef2ce74f4af74e268d850b3fecc31cd4ebec6ac8722a257dfda67796f01e"
|
||||
+" cd2857f83730756bbdd47b0c87c56c8740a5bb272c78c9745a545b0b306f"
|
||||
+" 444afa71e4216166f9ee65de7c04d7fda9155b7fe27aba698672a6068d9b"
|
||||
+" 9055609e4c5da9b655#)"
|
||||
+" (u #00afdecbdc5268ea7b1bff7284db7f6757dae3165fd80691ed2bbe8e54a1"
|
||||
+" 6f7ff950aad059e9695903d93e59ff206ee1470bd2b099ca4e83426a7684"
|
||||
+" 75a1ecafd3092fec0f008d78fe773174ec6fbff85384f3a91c2e4b1f59f1"
|
||||
+" 1f2000fee86569f6cab5de338087bc615b90570de4aeb1a9125abbe3834d"
|
||||
+" 5a69716c0a5fa20603#)))";
|
||||
+" (q #00fc5c6e16ce1f037bcdf7b372b28f1672b856aef7cd67d84e7d07afd543"
|
||||
+" 26c335be438f4e2f1c434e6bd2b2ec526d97522bcc5c3a6bf414c674da66"
|
||||
+" 381c7a3f842fe3f95ab865694606a33779b2a15b58ed5ea75f8c6566bbd1"
|
||||
+" 2436e637a73d49778a8c34d86929f34d5822b05124b640a886590ab7ba5c"
|
||||
+" 97da57e836da7a9cad#)"
|
||||
+" (u #2396c191175e0a83d2dc7b69b2591d3358523f18c709501cb9a1bb4ca238"
|
||||
+" 404c9a8efe9c9092d0719f899950911f348b745311114a70e2f730d88c80"
|
||||
+" e1cc9ff163171a7d67294ccb4e747be03e9e2ff4678fecb95c001e7ea27b"
|
||||
+" 92c96f4ce40ef94863cd50225dbfb69d01336af450be86984fca3f3afacf"
|
||||
+" 0740c4aaadaebebf#)))";
|
||||
+/* A sample 2048 bit RSA key used for the selftests (public only). */
|
||||
static const char sample_public_key[] =
|
||||
"(public-key"
|
||||
|
@ -189,15 +189,15 @@ diff -up libgcrypt-1.6.3/cipher/rsa.c.fips-keygen libgcrypt-1.6.3/cipher/rsa.c
|
||||
+ if (testparms) goto err;
|
||||
+ goto qloop;
|
||||
+ }
|
||||
+ if (mpi_cmp (p, q) < 0)
|
||||
+ if (mpi_cmp (p, q) > 0)
|
||||
+ {
|
||||
+ pqswitch = 1;
|
||||
+ mpi_sub (diff, q, p);
|
||||
+ mpi_sub (diff, p, q);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ pqswitch = 0;
|
||||
+ mpi_sub (diff, p, q);
|
||||
+ mpi_sub (diff, q, p);
|
||||
+ }
|
||||
+ if (mpi_cmp (diff, mindiff) < 0)
|
||||
+ {
|
||||
|
29
libgcrypt-1.6.3-urandom-only.patch
Normal file
29
libgcrypt-1.6.3-urandom-only.patch
Normal file
@ -0,0 +1,29 @@
|
||||
diff -up libgcrypt-1.6.3/random/random-csprng.c.urandom-only libgcrypt-1.6.3/random/random-csprng.c
|
||||
--- libgcrypt-1.6.3/random/random-csprng.c.urandom-only 2015-02-27 10:54:03.000000000 +0100
|
||||
+++ libgcrypt-1.6.3/random/random-csprng.c 2015-03-20 08:29:27.513113519 +0100
|
||||
@@ -1125,8 +1125,7 @@ getfnc_gather_random (void))(void (*)(co
|
||||
enum random_origins, size_t, int);
|
||||
|
||||
#if USE_RNDLINUX
|
||||
- if ( !access (NAME_OF_DEV_RANDOM, R_OK)
|
||||
- && !access (NAME_OF_DEV_URANDOM, R_OK))
|
||||
+ if (!access (NAME_OF_DEV_URANDOM, R_OK))
|
||||
{
|
||||
fnc = _gcry_rndlinux_gather_random;
|
||||
return fnc;
|
||||
diff -up libgcrypt-1.6.3/random/rndlinux.c.urandom-only libgcrypt-1.6.3/random/rndlinux.c
|
||||
--- libgcrypt-1.6.3/random/rndlinux.c.urandom-only 2015-03-20 08:36:13.472098269 +0100
|
||||
+++ libgcrypt-1.6.3/random/rndlinux.c 2015-03-20 08:36:43.765097131 +0100
|
||||
@@ -178,7 +178,11 @@ _gcry_rndlinux_gather_random (void (*add
|
||||
{
|
||||
if (fd_random == -1)
|
||||
{
|
||||
- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
|
||||
+ /* We try to open /dev/random first but in case the open fails
|
||||
+ we gracefully retry with /dev/urandom. */
|
||||
+ fd_random = open_device (NAME_OF_DEV_RANDOM, 0, 0);
|
||||
+ if (fd_random == -1)
|
||||
+ fd_random = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 1), 1);
|
||||
ever_opened |= 1;
|
||||
}
|
||||
fd = fd_random;
|
@ -1,6 +1,6 @@
|
||||
Name: libgcrypt
|
||||
Version: 1.6.3
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
URL: http://www.gnupg.org/
|
||||
Source0: libgcrypt-%{version}-hobbled.tar.xz
|
||||
# The original libgcrypt sources now contain potentially patented ECC
|
||||
@ -45,6 +45,8 @@ Patch20: libgcrypt-1.6.3-rsa-fips-keygen.patch
|
||||
Patch22: libgcrypt-1.6.2-fips-reqs.patch
|
||||
# do not use strict aliasing for bufhelp functions
|
||||
Patch23: libgcrypt-1.6.3-aliasing.patch
|
||||
# use only urandom if /dev/random cannot be opened
|
||||
Patch24: libgcrypt-1.6.3-urandom-only.patch
|
||||
|
||||
%define gcrylibdir %{_libdir}
|
||||
|
||||
@ -94,6 +96,8 @@ applications using libgcrypt.
|
||||
%patch20 -p1 -b .fips-keygen
|
||||
%patch22 -p1 -b .fips-reqs
|
||||
%patch23 -p1 -b .aliasing
|
||||
%patch24 -p1 -b .urandom-only
|
||||
|
||||
cp %{SOURCE4} cipher/
|
||||
cp %{SOURCE5} %{SOURCE6} tests/
|
||||
|
||||
@ -204,6 +208,11 @@ exit 0
|
||||
%license COPYING
|
||||
|
||||
%changelog
|
||||
* Tue Mar 24 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-3
|
||||
- touch only urandom in the selftest and when /dev/random is
|
||||
unavailable for example by SELinux confinement
|
||||
- fix the RSA selftest key (p q swap) (#1204517)
|
||||
|
||||
* Fri Mar 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-2
|
||||
- do not use strict aliasing for bufhelp functions (#1201219)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user