Always xor seed from /dev/urandom over /etc/gcrypt/rngseed

Tomas Mraz 2011-06-20 21:40:03 +02:00
parent b0d0a7fac3
commit 9371d8c5fa
3 changed files with 58 additions and 45 deletions


@ -51,7 +51,7 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_driver.pl diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_driver.pl
--- libgcrypt-1.4.6/tests/cavs_driver.pl.cavs 2009-04-02 11:25:34.000000000 +0200 --- libgcrypt-1.4.6/tests/cavs_driver.pl.cavs 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.6/tests/cavs_driver.pl 2011-05-27 21:32:14.000000000 +0200 +++ libgcrypt-1.4.6/tests/cavs_driver.pl 2011-06-20 20:00:13.000000000 +0200
@@ -1,9 +1,11 @@ @@ -1,9 +1,11 @@
#!/usr/bin/env perl #!/usr/bin/env perl
# #
@ -178,22 +178,22 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
-sub libgcrypt_dsa_pqggen($) { -sub libgcrypt_dsa_pqggen($) {
+sub libgcrypt_dsa_pqggen($$$) { +sub libgcrypt_dsa_pqggen($$$) {
my $mod = shift; + my $mod = shift;
+ my $qsize = shift; + my $qsize = shift;
+ my $seed = shift; + my $seed = shift;
+ +
+ my $program = "fipsdrv --keysize $mod --qsize $qsize dsa-pqg-gen"; + my $program = "fipsdrv --keysize $mod --qsize $qsize dsa-pqg-gen";
+ return pipe_through_program($seed, $program); + return pipe_through_program($seed, $program);
+} +}
+
- my $program = "fipsdrv --keysize $mod dsa-pqg-gen";
+sub libgcrypt_dsa_ggen($$$$) { +sub libgcrypt_dsa_ggen($$$$) {
+ my $mod = shift; my $mod = shift;
+ my $qsize = shift; + my $qsize = shift;
+ my $p = shift; + my $p = shift;
+ my $q = shift; + my $q = shift;
+ my $domain = "(domain (p #$p#)(q #$q#))"; + my $domain = "(domain (p #$p#)(q #$q#))";
+
- my $program = "fipsdrv --keysize $mod dsa-pqg-gen";
+ my $program = "fipsdrv --keysize $mod --qsize $qsize --key \'$domain\' dsa-g-gen"; + my $program = "fipsdrv --keysize $mod --qsize $qsize --key \'$domain\' dsa-g-gen";
return pipe_through_program("", $program); return pipe_through_program("", $program);
} }
@ -303,7 +303,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
# now change the counter to decimal as CAVS wants decimal # now change the counter to decimal as CAVS wants decimal
# counter value although all other is HEX # counter value although all other is HEX
@@ -1525,15 +1617,149 @@ sub dsa_pqggen_driver($$) { @@ -1525,15 +1617,166 @@ sub dsa_pqggen_driver($$) {
$out .= "P = $P\n"; $out .= "P = $P\n";
$out .= "Q = $Q\n"; $out .= "Q = $Q\n";
@ -341,6 +341,23 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
+ return $out; + return $out;
+} +}
+ +
+sub hexcomp($$) {
+ my $a = lc shift;
+ my $b = lc shift;
+
+ if (length $a < length $b) {
+ my $c = $a;
+ $a = $b;
+ $b = $a;
+ }
+
+ while (length $b < length $a) {
+ $b = "00$b";
+ }
+
+ return $a eq $b;
+}
+
+# DSA PQVer test +# DSA PQVer test
+# $1 modulus size +# $1 modulus size
+# $2 q size +# $2 q size
@ -369,7 +386,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
+ $out .= "Seed = $seed\n"; + $out .= "Seed = $seed\n";
+ $out .= "c = $c\n"; + $out .= "c = $c\n";
+ +
+ if ($P eq $p && $Q eq $q && $seed eq lc $seed2 && $c eq $c2) { + if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($seed, $seed2) && $c == $c2) {
+ $out .= "Result = P\n\n"; + $out .= "Result = P\n\n";
+ } + }
+ else { + else {
@ -413,8 +430,8 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
+ +
+ $c2 = hex($c2); + $c2 = hex($c2);
+ +
+ if ($P eq $p && $Q eq $q && $G eq $g && $seed eq lc $seed2 && + if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($G, $g) && hexcomp($seed, $seed2) &&
+ $c eq $c2 && hex($h) == hex($h2)) { + $c == $c2 && hex($h) == hex($h2)) {
+ $out .= "Result = P\n\n"; + $out .= "Result = P\n\n";
+ } + }
+ else { + else {
@ -457,7 +474,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
# DSA SigGen test # DSA SigGen test
# $1: Message to be signed in hex form # $1: Message to be signed in hex form
@@ -1658,12 +1884,16 @@ sub parse($$) { @@ -1658,12 +1901,16 @@ sub parse($$) {
my $klen = ""; my $klen = "";
my $tlen = ""; my $tlen = "";
my $modulus = ""; my $modulus = "";
@ -474,7 +491,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
my $xp1 = ""; my $xp1 = "";
my $xp2 = ""; my $xp2 = "";
my $Xp = ""; my $Xp = "";
@@ -1700,7 +1930,7 @@ sub parse($$) { @@ -1700,7 +1947,7 @@ sub parse($$) {
##### Extract cipher ##### Extract cipher
# XXX there may be more - to be added # XXX there may be more - to be added
@ -483,7 +500,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
if ($tmpline =~ /CBC/) { $mode="cbc"; } if ($tmpline =~ /CBC/) { $mode="cbc"; }
elsif ($tmpline =~ /ECB/) { $mode="ecb"; } elsif ($tmpline =~ /ECB/) { $mode="ecb"; }
elsif ($tmpline =~ /OFB/) { $mode="ofb"; } elsif ($tmpline =~ /OFB/) { $mode="ofb"; }
@@ -1749,7 +1979,15 @@ sub parse($$) { @@ -1749,7 +1996,15 @@ sub parse($$) {
if ($tt == 0) { if ($tt == 0) {
##### Identify the test type ##### Identify the test type
@ -500,7 +517,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
$tt = 13; $tt = 13;
die "Interface function rsa_derive for RSA key generation not defined for tested library" die "Interface function rsa_derive for RSA key generation not defined for tested library"
if (!defined($rsa_derive)); if (!defined($rsa_derive));
@@ -1760,11 +1998,11 @@ sub parse($$) { @@ -1760,11 +2015,11 @@ sub parse($$) {
} elsif ($tmpline =~ /SigGen/ && $opt{'D'}) { } elsif ($tmpline =~ /SigGen/ && $opt{'D'}) {
$tt = 11; $tt = 11;
die "Interface function dsa_sign or gen_dsakey for DSA sign not defined for tested library" die "Interface function dsa_sign or gen_dsakey for DSA sign not defined for tested library"
@ -514,7 +531,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
} elsif ($tmpline =~ /Hash sizes tested/) { } elsif ($tmpline =~ /Hash sizes tested/) {
$tt = 9; $tt = 9;
die "Interface function hmac for HMAC testing not defined for tested library" die "Interface function hmac for HMAC testing not defined for tested library"
@@ -1792,7 +2030,7 @@ sub parse($$) { @@ -1792,7 +2047,7 @@ sub parse($$) {
} elsif ($tmpline =~ /Monte|MCT|Carlo/) { } elsif ($tmpline =~ /Monte|MCT|Carlo/) {
$tt = 2; $tt = 2;
die "Interface function state_cipher for Stateful Cipher operation defined for tested library" die "Interface function state_cipher for Stateful Cipher operation defined for tested library"
@ -523,7 +540,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
} elsif ($cipher =~ /^sha/) { } elsif ($cipher =~ /^sha/) {
$tt = 3; $tt = 3;
die "Interface function hash for Hashing not defined for tested library" die "Interface function hash for Hashing not defined for tested library"
@@ -1875,18 +2113,44 @@ sub parse($$) { @@ -1875,18 +2130,44 @@ sub parse($$) {
die "Msg/Seed seen twice - input file crap" if ($pt ne ""); die "Msg/Seed seen twice - input file crap" if ($pt ne "");
$pt=$2; $pt=$2;
} }
@ -572,7 +589,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
# XXX maybe a secure temp file name is better here # XXX maybe a secure temp file name is better here
# but since it is not run on a security sensitive # but since it is not run on a security sensitive
# system, I hope that this is fine # system, I hope that this is fine
@@ -1932,11 +2196,16 @@ sub parse($$) { @@ -1932,11 +2213,16 @@ sub parse($$) {
if ($tlen ne ""); if ($tlen ne "");
$tlen=$1; $tlen=$1;
} }
@ -590,7 +607,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
elsif ($line =~ /^P\s*=\s*(.*)/) { #DSA SigVer elsif ($line =~ /^P\s*=\s*(.*)/) { #DSA SigVer
die "P seen twice - check input file" die "P seen twice - check input file"
if ($capital_p); if ($capital_p);
@@ -1965,6 +2234,16 @@ sub parse($$) { @@ -1965,6 +2251,16 @@ sub parse($$) {
if ($capital_r); if ($capital_r);
$capital_r = $1; $capital_r = $1;
} }
@ -607,7 +624,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
elsif ($line =~ /^xp1\s*=\s*(.*)/) { #RSA key gen elsif ($line =~ /^xp1\s*=\s*(.*)/) { #RSA key gen
die "xp1 seen twice - check input file" die "xp1 seen twice - check input file"
if ($xp1); if ($xp1);
@@ -2074,11 +2353,10 @@ sub parse($$) { @@ -2074,11 +2370,10 @@ sub parse($$) {
} }
} }
elsif ($tt == 10) { elsif ($tt == 10) {
@ -623,7 +640,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
} }
elsif ($tt == 11) { elsif ($tt == 11) {
if ($pt ne "" && $dsa_keyfile ne "") { if ($pt ne "" && $dsa_keyfile ne "") {
@@ -2141,6 +2419,74 @@ sub parse($$) { @@ -2141,6 +2436,74 @@ sub parse($$) {
$Xq = ""; $Xq = "";
} }
} }
@ -698,7 +715,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
elsif ($tt > 0) { elsif ($tt > 0) {
die "Test case $tt not defined"; die "Test case $tt not defined";
} }
@@ -2199,7 +2545,9 @@ sub main() { @@ -2199,7 +2562,9 @@ sub main() {
$state_rng = \&libgcrypt_state_rng; $state_rng = \&libgcrypt_state_rng;
$hmac = \&libgcrypt_hmac; $hmac = \&libgcrypt_hmac;
$dsa_pqggen = \&libgcrypt_dsa_pqggen; $dsa_pqggen = \&libgcrypt_dsa_pqggen;
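Review bot: The added `sub hexcomp($$)` swaps its operands incorrectly: after `$a = $b;` the following `$b = $a;` copies the already-overwritten value, so whenever the first argument is the shorter one both strings end up identical and the function returns true regardless of content — a PQVer/PQGVer vector with a shorter expected P, Q or G would be reported as `Result = P`. The temporary must be used: `my $c = $a; $a = $b; $b = $c;`. The padding loop also prepends `00` per iteration, so a length difference of an odd number of hex digits never converges and the compare fails even for equal values; padding one digit at a time (`$b = "0$b";`) covers both cases. Since `$a` and `$b` are Perl's sort globals, lexical names such as `$lhs`/`$rhs` would read more safely, though the `my` declarations here shadow them harmlessly. This section is a patch file embedded in the commit, so its hunk headers refer to the .patch, not to cavs_driver.pl itself.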


@ -1,6 +1,6 @@
diff -up libgcrypt-1.4.5/random/random-fips.c.cfgrandom libgcrypt-1.4.5/random/random-fips.c diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/random-fips.c
--- libgcrypt-1.4.5/random/random-fips.c.cfgrandom 2011-05-06 10:58:55.000000000 +0200 --- libgcrypt-1.4.6/random/random-fips.c.cfgrandom 2011-06-20 21:13:38.000000000 +0200
+++ libgcrypt-1.4.5/random/random-fips.c 2011-05-06 10:58:55.000000000 +0200 +++ libgcrypt-1.4.6/random/random-fips.c 2011-06-20 21:32:47.000000000 +0200
@@ -27,10 +27,10 @@ @@ -27,10 +27,10 @@
There are 3 random context which map to the different levels of There are 3 random context which map to the different levels of
random quality: random quality:
@ -28,18 +28,20 @@ diff -up libgcrypt-1.4.5/random/random-fips.c.cfgrandom libgcrypt-1.4.5/random/r
The gcry_create_nonce generator is keyed and seeded from the The gcry_create_nonce generator is keyed and seeded from the
GCRY_STRONG_RANDOM generator. It may also block if the GCRY_STRONG_RANDOM generator. It may also block if the
@@ -561,7 +564,7 @@ get_entropy (size_t nbytes) @@ -559,6 +562,10 @@ get_entropy (size_t nbytes)
entropy_collect_buffer_len = 0;
#if USE_RNDLINUX #if USE_RNDLINUX
+ _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
+ X931_AES_KEYLEN,
+ -1);
+ entropy_collect_buffer_len = 0;
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
X931_AES_KEYLEN, X931_AES_KEYLEN,
- GCRY_STRONG_RANDOM); GCRY_STRONG_RANDOM);
+ -1); diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndlinux.c
#elif USE_RNDW32 --- libgcrypt-1.4.6/random/rndlinux.c.cfgrandom 2009-04-02 11:25:34.000000000 +0200
do +++ libgcrypt-1.4.6/random/rndlinux.c 2011-06-20 21:34:09.000000000 +0200
{
diff -up libgcrypt-1.4.5/random/rndlinux.c.cfgrandom libgcrypt-1.4.5/random/rndlinux.c
--- libgcrypt-1.4.5/random/rndlinux.c.cfgrandom 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/random/rndlinux.c 2011-05-06 11:35:39.000000000 +0200
@@ -35,7 +35,9 @@ @@ -35,7 +35,9 @@
#include "g10lib.h" #include "g10lib.h"
#include "rand-internal.h" #include "rand-internal.h"
@ -96,7 +98,7 @@ diff -up libgcrypt-1.4.5/random/rndlinux.c.cfgrandom libgcrypt-1.4.5/random/rndl
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 ); + fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 );
+ fd = fd_configured; + fd = fd_configured;
+ if (fd == -1) + if (fd == -1)
+ level = 1; + return -1;
+ } + }
+ +
if (level >= 2) if (level >= 2)
@ -115,12 +117,3 @@ diff -up libgcrypt-1.4.5/random/rndlinux.c.cfgrandom libgcrypt-1.4.5/random/rndl
fd = fd_urandom; fd = fd_urandom;
} }
@@ -163,5 +181,8 @@ _gcry_rndlinux_gather_random (void (*add
}
memset(buffer, 0, sizeof(buffer) );
+ if (level == -1)
+ _gcry_rndlinux_gather_random(add, origin, orig_length, 1);
+
return 0; /* success */
}
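Review bot: In the new `if (level == -1)` branch at the end of `_gcry_rndlinux_gather_random` the recursive call that mixes in the level-1 source discards its return value, so the function still reaches `return 0; /* success */` even if that second gather fails; `return _gcry_rndlinux_gather_random (add, origin, orig_length, 1);` would propagate the result instead. The same pattern appears in the `get_entropy` hunk of random-fips.c, where the first `_gcry_rndlinux_gather_random (..., -1)` call's status is dropped — plausibly intentional now that a missing `NAME_OF_CFG_RNGSEED` makes the -1 path `return -1` rather than fall back to level 1, but a comment such as `/* The configured seed file is optional: ignore failure here, the STRONG gather below is mandatory. */` would make that explicit. Whether the level-1 path can actually fail rather than abort is not visible here, since most of `_gcry_rndlinux_gather_random`'s body, including the `fd_urandom` handling, lies outside these hunks.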


@ -1,6 +1,6 @@
Name: libgcrypt Name: libgcrypt
Version: 1.4.6 Version: 1.4.6
Release: 3%{?dist} Release: 4%{?dist}
URL: http://www.gnupg.org/ URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.bz2 Source0: libgcrypt-%{version}-hobbled.tar.bz2
# The original libgcrypt sources now contain potentially patented ECC # The original libgcrypt sources now contain potentially patented ECC
@ -19,7 +19,7 @@ Patch4: libgcrypt-1.4.5-urandom.patch
# fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen # fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen
Patch5: libgcrypt-1.4.5-tests.patch Patch5: libgcrypt-1.4.5-tests.patch
# add configurable source of RNG seed in the FIPS mode # add configurable source of RNG seed in the FIPS mode
Patch6: libgcrypt-1.4.5-fips-cfgrandom.patch Patch6: libgcrypt-1.4.6-fips-cfgrandom.patch
# make the FIPS-186-3 DSA CAVS testable # make the FIPS-186-3 DSA CAVS testable
Patch7: libgcrypt-1.4.6-cavs.patch Patch7: libgcrypt-1.4.6-cavs.patch
@ -171,6 +171,9 @@ exit 0
%doc COPYING %doc COPYING
%changelog %changelog
* Mon Jun 20 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-4
- Always xor seed from /dev/urandom over /etc/gcrypt/rngseed
* Mon May 30 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-3 * Mon May 30 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-3
- Make the FIPS-186-3 DSA implementation CAVS testable - Make the FIPS-186-3 DSA implementation CAVS testable
- add configurable source of RNG seed /etc/gcrypt/rngseed - add configurable source of RNG seed /etc/gcrypt/rngseed