libgcrypt-1.9.1-1

Jakub Jelen 2021-01-29 14:11:06 +01:00
parent e12a034946
commit 93ba00ab6f
9 changed files with 37 additions and 88 deletions

1
.gitignore vendored

@ -24,3 +24,4 @@ libgcrypt-1.4.5-hobbled.tar.bz2
/libgcrypt-1.8.6-hobbled.tar.xz
/libgcrypt-1.8.7-hobbled.tar.xz
/libgcrypt-1.9.0-hobbled.tar.xz
/libgcrypt-1.9.1-hobbled.tar.xz


@ -1064,13 +1064,18 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags,
if ((n+7)/8 != len)
{
if ((n+7)/8 < len && ec->dialect == ECC_DIALECT_ED25519)
if (ec->dialect == ECC_DIALECT_ED25519)
{
/*
* GnuPG (<= 2.2) or OpenPGP implementations with no
* SOS support may remove zeros at the beginning.
* Recover those zeros.
*/
/*
* Also, GnuPG (<= 2.2) may add additional zero at
* the beginning, when private key is moved from
* OpenPGP to gpg-agent. Remove such a zero-prefix.
*/
const unsigned char *buf;
unsigned char *value;
@ -1078,13 +1083,26 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags,
if (!buf)
return GPG_ERR_INV_OBJ;
value = xtrycalloc_secure (1, len);
value = xtrymalloc_secure (len);
if (!value)
return gpg_err_code_from_syserror ();
memset (value, 0, len - (n+7)/8);
memcpy (value + len - (n+7)/8, buf, (n+7)/8);
mpi_set_opaque (ec->d, value, len);
if ((n+7)/8 < len)
/* Recover zeros. */
{
memset (value, 0, len - (n+7)/8);
memcpy (value + len - (n+7)/8, buf, (n+7)/8);
}
else if ((n+7)/8 == len + 1)
/* Remove a zero. */
memcpy (value, buf+1, len);
else
{
xfree (value);
return GPG_ERR_INV_OBJ;
}
mpi_set_opaque (ec->d, value, len*8);
}
else
{
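Review bot: The `Remove a zero` branch (`else if ((n+7)/8 == len + 1)`) discards `buf[0]` without checking that it is zero, so an Ed25519 secret that is one byte too long with a non-zero leading byte is silently truncated to a different scalar rather than rejected. Tightening the condition to `else if ((n+7)/8 == len + 1 && buf[0] == 0)` lets every other case fall through to the existing branch that frees `value` and returns `GPG_ERR_INV_OBJ`. mpi_ec_setup_elliptic_curve starts and ends outside these hunks, so any later validation of `ec->d` is not visible here.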


@ -1,35 +0,0 @@
diff -up libgcrypt-1.7.3/src/visibility.c.fips-reqs libgcrypt-1.7.3/src/visibility.c
--- libgcrypt-1.7.3/src/visibility.c.fips-reqs 2016-03-23 12:59:34.000000000 +0100
+++ libgcrypt-1.7.3/src/visibility.c 2016-11-22 16:29:36.992042480 +0100
@@ -1288,6 +1288,8 @@ gcry_kdf_derive (const void *passphrase,
unsigned long iterations,
size_t keysize, void *keybuffer)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
return gpg_error (_gcry_kdf_derive (passphrase, passphraselen, algo, hashalgo,
salt, saltlen, iterations,
keysize, keybuffer));
@@ -1343,6 +1345,13 @@ void
gcry_mpi_randomize (gcry_mpi_t w,
unsigned int nbits, enum gcry_random_level level)
{
+ if (!fips_is_operational ())
+ {
+ (void)fips_not_operational ();
+ fips_signal_fatal_error ("called in non-operational state");
+ fips_noreturn ();
+ }
+
_gcry_mpi_randomize (w, nbits, level);
}
@@ -1368,6 +1377,8 @@ gcry_prime_generate (gcry_mpi_t *prime,
gcry_random_level_t random_level,
unsigned int flags)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
return gpg_error (_gcry_prime_generate (prime, prime_bits, factor_bits,
factors, cb_func, cb_arg,
random_level, flags));


@ -1,16 +1,15 @@
diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c
--- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100
@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
@@ -457,13 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen);
- else
- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
+ else if (!domain->p || !domain->q)
+ ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+ initial_seed.seed,
+ initial_seed.seedlen,
ec = _gcry_generate_fips186_3_prime (nbits, qbits,
initial_seed.seed,
initial_seed.seedlen,
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen, NULL);


@ -142,7 +142,7 @@ diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pub
" (use-fips186)"
" (transient-key)"
" (derive-parms"
- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))",
- " (seed #f770a4598ff756931fc529764513b103ce57d85f4ad8c5cf297c9b4d48241c5b#))))",
+ " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))",
0, 1);
if (rc)


@ -6,9 +6,9 @@ diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndli
#include <unistd.h>
#include <fcntl.h>
+#include <poll.h>
#if defined(__linux__) || !defined(HAVE_GETENTROPY)
#ifdef HAVE_SYSCALL
# include <sys/syscall.h>
#if defined(__APPLE__) && defined(__MACH__)
extern int getentropy (void *buf, size_t buflen) __attribute__ ((weak_import));
#define HAVE_GETENTROPY
@@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add
return with something we will actually use 100ms. */
while (length)


@ -1,31 +0,0 @@
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Tue, 19 Jan 2021 18:04:30 +0000 (+0200)
Subject: kdf: add missing null-terminator for self-test test-vector array
X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=c6425a5537294dfe2beaafc9105f7af4ceac677f
kdf: add missing null-terminator for self-test test-vector array
* cipher/kdf.c (selftest_pbkdf2): Add null-terminator to TV array.
--
This was causing kdf self-test to fail on s390x builds.
GnuPG-bug-id: 5254
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 3d707bd0..b916a3f8 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -452,7 +452,8 @@ selftest_pbkdf2 (int extended, selftest_report_func_t report)
"\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e\x84\xcf"
"\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f\xb8\xdd\x53\xe1"
"\xc6\x35\x51\x8c\x7d\xac\x47\xe9"
- }
+ },
+ { NULL }
};
const char *what;
const char *errtxt;


@ -1,5 +1,5 @@
Name: libgcrypt
Version: 1.9.0
Version: 1.9.1
Release: 1%{?dist}
URL: https://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.xz
@ -36,8 +36,6 @@ Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch
Patch14: libgcrypt-1.7.3-ecc-test-fix.patch
# Run the FIPS mode initialization in the shared library constructor
Patch18: libgcrypt-1.8.3-fips-ctor.patch
# Block some operations if in FIPS non-operational state
Patch22: libgcrypt-1.7.3-fips-reqs.patch
# Do not try to open /dev/urandom if getrandom() works
Patch24: libgcrypt-1.8.5-getrandom.patch
# Continuous FIPS entropy test
@ -46,8 +44,6 @@ Patch26: libgcrypt-1.8.3-fips-enttest.patch
Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
# FIPS module is redefined a little bit (implicit by kernel FIPS mode)
Patch30: libgcrypt-1.8.5-fips-module.patch
# Missing terminator in the kdf vectors causing s390x builds failing
Patch31: libgcrypt-1.9.0-kdf-missing-terminator.patch
%global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20
@ -92,12 +88,10 @@ applications using libgcrypt.
%patch13 -p1 -b .gccopt
%patch14 -p1 -b .eccfix
%patch18 -p1 -b .fips-ctor
%patch22 -p1 -b .fips-reqs
%patch24 -p1 -b .getrandom
%patch26 -p1 -b .fips-enttest
%patch27 -p1 -b .fips-enforce
%patch30 -p1 -b .fips-module
%patch31 -p1 -b .kdf-terminator
cp %{SOURCE4} cipher/
cp %{SOURCE5} %{SOURCE6} tests/
@ -207,6 +201,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
%license COPYING
%changelog
* Fri Jan 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.1-1
- New upstream release (#1922156, #1922097)
* Wed Jan 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.0-1
- New upstream release (#1917878)
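Review bot: Dropping `Patch22: libgcrypt-1.7.3-fips-reqs.patch` and its `%patch22` line removes the downstream guards that refused `gcry_kdf_derive`, `gcry_mpi_randomize` and `gcry_prime_generate` in the FIPS non-operational state, and neither the commit message nor the `%changelog` entry says why. Presumably 1.9.1 carries equivalent checks upstream, but that is not visible on this page and should be confirmed against `src/visibility.c` in the new tarball. Once confirmed, a changelog line such as `- Drop fips-reqs and kdf-missing-terminator patches, included upstream` would record the decision.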


@ -1 +1 @@
SHA512 (libgcrypt-1.9.0-hobbled.tar.xz) = d4ea9a1b732b05f605f0c99dd2b1e9747539bf2b6a8ff2fad7ab5350888f68b7f0b94bdd9253356ec9c8e6d3b87b5c76bc8dc4fbb3950acd8354b691f1f2ad3e
SHA512 (libgcrypt-1.9.1-hobbled.tar.xz) = 87c474c7b5054d7d6c75ca0d2458b2be197d7b8131b1e0a2017f391287a9e7bca666a9ac743c24210df869839518294c0091858245c96d10c5856f2473f35943