From 96a092be6b72c9b160392320a380ebddc0dd0c4b Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Wed, 9 Nov 2022 17:53:31 -0500
Subject: [PATCH] fix sporadic failures generating RSA keys in FIPS mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The test suite occasionally fails with "error generating RSA key: Number is not prime" in FIPS mode¹. Apply the upstream fix, cd30ed3c (cipher: Change the bounds for RSA key generation round., 2022-04-20). ¹ https://dev.gnupg.org/T5919
---
...e-bounds-for-RSA-key-generation-roun.patch | 55 +++++++++++++++++++
libgcrypt.spec | 6 ++
2 files changed, 61 insertions(+)
create mode 100644 0001-cipher-Change-the-bounds-for-RSA-key-generation-roun.patch
diff --git a/0001-cipher-Change-the-bounds-for-RSA-key-generation-roun.patch b/0001-cipher-Change-the-bounds-for-RSA-key-generation-roun.patch
new file mode 100644
index 0000000..3ec87e6
--- /dev/null
+++ b/0001-cipher-Change-the-bounds-for-RSA-key-generation-roun.patch
@@ -0,0 +1,55 @@
+From cd30ed3c0d715aa0c58a32a29cfb1476163a5b94 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka
+Date: Wed, 20 Apr 2022 15:09:41 +0900
+Subject: [PATCH] cipher: Change the bounds for RSA key generation round.
+
+* cipher/rsa.c (generate_fips): Use 10 for p, 20 for q.
+
+--
+
+Constants from FIPS 186-5-draft.
+
+GnuPG-bug-id: 5919
+Signed-off-by: NIIBE Yutaka
+---
+ cipher/rsa.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 486a34f0..771413b3 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -476,7 +476,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+
+ retry:
+ /* generate p and q */
+- for (i = 0; i < 5 * pbits; i++)
++ for (i = 0; i < 10 * pbits; i++)
+ {
+ ploop:
+ if (!testparms)
+@@ -506,10 +506,10 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+ else if (testparms)
+ goto err;
+ }
+- if (i >= 5 * pbits)
++ if (i >= 10 * pbits)
+ goto err;
+
+- for (i = 0; i < 5 * pbits; i++)
++ for (i = 0; i < 20 * pbits; i++)
+ {
+ qloop:
+ if (!testparms)
+@@ -555,7 +555,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+ else if (testparms)
+ goto err;
+ }
+- if (i >= 5 * pbits)
++ if (i >= 20 * pbits)
+ goto err;
+
+ if (testparms)
+--
+2.38.1
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index f458aab..89c1036 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
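Review bot: In the embedded cipher/rsa.c change, the new retry limits `10 * pbits` and `20 * pbits` are each spelled out twice, once in the `for` condition and again in the `if (i >= ...) goto err;` check after the loop, and nothing in the code says where the numbers come from. The commit message attributes them to the FIPS 186-5 draft, so a comment above each loop such as `/* FIPS 186-5 (draft): at most 10 * pbits candidates for p */` (and the `20 * pbits` equivalent for q) would keep each bound and its exhaustion check from drifting apart and let an auditor compare the budget with the standard. Because this file is a verbatim upstream backport, the comment belongs in an upstream follow-up rather than in this copy. The inner hunks start and end inside generate_fips, so the candidate test and the `err` path are not visible here; the change appears to widen only the number of attempts, not the primality test itself.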
@@ -22,6 +22,10 @@ Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 Source2: wk@g10code.com # Pass the annobin flags to the libgcrypt.so (#2016349) Patch1: libgcrypt-1.10.1-annobin.patch +# https://dev.gnupg.org/T5919 +# tests occasionally fail with "error generating RSA key: Number is not prime" +# https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=cd30ed3c0 +Patch2: 0001-cipher-Change-the-bounds-for-RSA-key-generation-roun.patch %global gcrylibdir %{_libdir} %global gcrysoname libgcrypt.so.20 @@ -58,6 +62,7 @@ applications using libgcrypt. %prep %setup -q %patch1 -p1 +%patch2 -p1 %build # This package has a configure test which uses ASMs, but does not link the @@ -177,6 +182,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt %changelog * Tue Nov 08 2022 Todd Zullinger - 1.10.1-5 - enable brainpool by default (#1413618) +- fix sporadic failures generating RSA keys in FIPS mode * Thu Jul 21 2022 Fedora Release Engineering - 1.10.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild