import libgcrypt-1.8.5-4.el8

This commit is contained in:
CentOS Sources 2020-07-28 10:17:23 -04:00 committed by Stepan Oksanichenko
parent a449de636b
commit 96daea1e33
18 changed files with 9432 additions and 459 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libgcrypt-1.8.3-hobbled.tar.xz
SOURCES/libgcrypt-1.8.5-hobbled.tar.xz

View File

@ -1 +1 @@
e89427b41b148a28583825079d45a7a64234fdbf SOURCES/libgcrypt-1.8.3-hobbled.tar.xz
1edcc623a15ed87ff832e021b4cb77fd94eb66c9 SOURCES/libgcrypt-1.8.5-hobbled.tar.xz

View File

@ -1057,7 +1057,7 @@ _gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy)
if (!strcmp (name, "q.x") && ec->Q && ec->Q->x)
return mpi_is_const (ec->Q->x) && !copy? ec->Q->x : mpi_copy (ec->Q->x);
if (!strcmp (name, "q.y") && ec->Q && ec->Q->y)
return mpi_is_const (ec->G->y) && !copy? ec->Q->y : mpi_copy (ec->Q->y);
return mpi_is_const (ec->Q->y) && !copy? ec->Q->y : mpi_copy (ec->Q->y);
/* If the base point has been requested, return it in standard
encoding. */

View File

@ -1,115 +0,0 @@
diff -up libgcrypt-1.8.0/cipher/dsa.c.tests libgcrypt-1.8.0/cipher/dsa.c
--- libgcrypt-1.8.0/cipher/dsa.c.tests 2016-04-07 17:30:08.000000000 +0200
+++ libgcrypt-1.8.0/cipher/dsa.c 2017-08-15 15:10:39.551600227 +0200
@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen);
- else
- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
+ else if (!domain->p || !domain->q)
+ ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+ initial_seed.seed,
+ initial_seed.seedlen,
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen, NULL);
+ else
+ {
+ /* Domain parameters p and q are given; use them. */
+ prime_p = mpi_copy (domain->p);
+ prime_q = mpi_copy (domain->q);
+ gcry_assert (mpi_get_nbits (prime_p) == nbits);
+ gcry_assert (mpi_get_nbits (prime_q) == qbits);
+ ec = 0;
+ }
sexp_release (initial_seed.sexp);
if (ec)
goto leave;
@@ -855,13 +866,12 @@ dsa_generate (const gcry_sexp_t genparms
sexp_release (l1);
sexp_release (domainsexp);
- /* Check that all domain parameters are available. */
- if (!domain.p || !domain.q || !domain.g)
+ /* Check that p and q domain parameters are available. */
+ if (!domain.p || !domain.q || (!domain.g && !(flags & PUBKEY_FLAG_USE_FIPS186)))
{
_gcry_mpi_release (domain.p);
_gcry_mpi_release (domain.q);
_gcry_mpi_release (domain.g);
- sexp_release (deriveparms);
return GPG_ERR_MISSING_VALUE;
}
diff -up libgcrypt-1.8.0/cipher/rsa.c.tests libgcrypt-1.8.0/cipher/rsa.c
--- libgcrypt-1.8.0/cipher/rsa.c.tests 2017-07-06 10:21:36.000000000 +0200
+++ libgcrypt-1.8.0/cipher/rsa.c 2017-08-15 15:10:39.551600227 +0200
@@ -696,7 +696,7 @@ generate_x931 (RSA_secret_key *sk, unsig
*swapped = 0;
- if (e_value == 1) /* Alias for a secure value. */
+ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */
e_value = 65537;
/* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */
diff -up libgcrypt-1.8.0/tests/keygen.c.tests libgcrypt-1.8.0/tests/keygen.c
--- libgcrypt-1.8.0/tests/keygen.c.tests 2017-08-15 15:10:39.551600227 +0200
+++ libgcrypt-1.8.0/tests/keygen.c 2017-08-15 15:16:05.433176171 +0200
@@ -200,11 +200,11 @@ check_rsa_keys (void)
if (verbose)
- info ("creating 512 bit RSA key with e=257\n");
+ info ("creating 1024 bit RSA key with e=257\n");
rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (rsa\n"
- " (nbits 3:512)\n"
+ " (nbits 4:1024)\n"
" (rsa-use-e 3:257)\n"
" ))", 0, 1);
if (rc)
@@ -225,11 +225,11 @@ check_rsa_keys (void)
gcry_sexp_release (key);
if (verbose)
- info ("creating 512 bit RSA key with default e\n");
+ info ("creating 1024 bit RSA key with default e\n");
rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (rsa\n"
- " (nbits 3:512)\n"
+ " (nbits 4:1024)\n"
" (rsa-use-e 1:0)\n"
" ))", 0, 1);
if (rc)
@@ -309,12 +309,12 @@ check_dsa_keys (void)
}
if (verbose)
- info ("creating 1536 bit DSA key\n");
+ info ("creating 2048 bit DSA key\n");
rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (dsa\n"
- " (nbits 4:1536)\n"
- " (qbits 3:224)\n"
+ " (nbits 4:2048)\n"
+ " (qbits 3:256)\n"
" ))", 0, 1);
if (rc)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
diff -up libgcrypt-1.8.0/tests/pubkey.c.tests libgcrypt-1.8.0/tests/pubkey.c
--- libgcrypt-1.8.0/tests/pubkey.c.tests 2017-01-18 15:24:25.000000000 +0100
+++ libgcrypt-1.8.0/tests/pubkey.c 2017-08-15 15:10:39.552600207 +0200
@@ -595,7 +595,7 @@ get_dsa_key_fips186_with_seed_new (gcry_
" (use-fips186)"
" (transient-key)"
" (derive-parms"
- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))",
+ " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))",
0, 1);
if (rc)
die ("error creating S-expression: %s\n", gcry_strerror (rc));

View File

@ -1,196 +1,7 @@
diff -up libgcrypt-1.8.3/cipher/md.c.fips-ctor libgcrypt-1.8.3/cipher/md.c
--- libgcrypt-1.8.3/cipher/md.c.fips-ctor 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.3/cipher/md.c 2018-07-12 13:24:54.088403006 +0200
@@ -411,11 +411,8 @@ md_enable (gcry_md_hd_t hd, int algorith
if (!err && algorithm == GCRY_MD_MD5 && fips_mode ())
{
- _gcry_inactivate_fips_mode ("MD5 used");
if (_gcry_enforced_fips_mode () )
{
- /* We should never get to here because we do not register
- MD5 in enforced fips mode. But better throw an error. */
err = GPG_ERR_DIGEST_ALGO;
}
}
diff -up libgcrypt-1.8.3/src/fips.c.fips-ctor libgcrypt-1.8.3/src/fips.c
--- libgcrypt-1.8.3/src/fips.c.fips-ctor 2018-07-12 13:24:54.075402698 +0200
+++ libgcrypt-1.8.3/src/fips.c 2018-07-12 13:24:54.088403006 +0200
@@ -91,6 +91,31 @@ static void fips_new_state (enum module_
+/* Initialize the FSM lock - this function may only
+ be called once and is intended to be run from the library
+ constructor */
+void
+_gcry_initialize_fsm_lock (void)
+{
+ gpg_error_t err;
+ /* Intitialize the lock to protect the FSM. */
+ err = gpgrt_lock_init (&fsm_lock);
+ if (err)
+ {
+ /* If that fails we can't do anything but abort the
+ process. We need to use log_info so that the FSM won't
+ get involved. */
+ log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n",
+ gpg_strerror (err));
+#ifdef HAVE_SYSLOG
+ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
+ "creating FSM lock failed: %s - abort",
+ gpg_strerror (err));
+#endif /*HAVE_SYSLOG*/
+ abort ();
+ }
+}
+
/* Check whether the OS is in FIPS mode and record that in a module
local variable. If FORCE is passed as true, fips mode will be
enabled anyway. Note: This function is not thread-safe and should
@@ -100,7 +125,6 @@ void
_gcry_initialize_fips_mode (int force)
{
static int done;
- gpg_error_t err;
/* Make sure we are not accidentally called twice. */
if (done)
@@ -179,24 +203,6 @@ _gcry_initialize_fips_mode (int force)
/* Yes, we are in FIPS mode. */
FILE *fp;
- /* Intitialize the lock to protect the FSM. */
- err = gpgrt_lock_init (&fsm_lock);
- if (err)
- {
- /* If that fails we can't do anything but abort the
- process. We need to use log_info so that the FSM won't
- get involved. */
- log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n",
- gpg_strerror (err));
-#ifdef HAVE_SYSLOG
- syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
- "creating FSM lock failed: %s - abort",
- gpg_strerror (err));
-#endif /*HAVE_SYSLOG*/
- abort ();
- }
-
-
/* If the FIPS force files exists, is readable and has a number
!= 0 on its first line, we enable the enforced fips mode. */
fp = fopen (FIPS_FORCE_FILE, "r");
@@ -359,16 +365,20 @@ _gcry_fips_is_operational (void)
{
int result;
- if (!fips_mode ())
+ lock_fsm ();
+ if (current_state == STATE_POWERON && !fips_mode ())
+ /* If we are at this point in POWERON state it means the FIPS
+ module installation was not completed. (/etc/system-fips
+ is not present.) */
result = 1;
else
{
- lock_fsm ();
- if (current_state == STATE_INIT)
+ if (current_state == STATE_INIT || current_state == STATE_SELFTEST)
{
- /* If we are still in the INIT state, we need to run the
- selftests so that the FSM can eventually get into
- operational state. Given that we would need a 2-phase
+ /* If we are still in the INIT (or SELFTEST) state,
+ we need to run (or finish) the selftests so
+ that the FSM can eventually get into operational
+ state. Given that we would need a 2-phase
initialization of libgcrypt, but that has traditionally
not been enforced, we use this on demand self-test
checking. Note that Proper applications would do the
@@ -384,9 +394,11 @@ _gcry_fips_is_operational (void)
lock_fsm ();
}
- result = (current_state == STATE_OPERATIONAL);
- unlock_fsm ();
+ result = (current_state == STATE_OPERATIONAL) || !fips_mode ();
+ /* We always run the selftests but ignore the result
+ in non-FIPS mode. */
}
+ unlock_fsm ();
return result;
}
@@ -709,9 +721,25 @@ _gcry_fips_run_selftests (int extended)
{
enum module_states result = STATE_ERROR;
gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
+ int in_poweron;
- if (fips_mode ())
- fips_new_state (STATE_SELFTEST);
+ lock_fsm ();
+ in_poweron = (current_state == STATE_POWERON);
+ unlock_fsm ();
+
+ fips_new_state (STATE_SELFTEST);
+
+ /* We first check the integrity of the binary.
+ If run from the constructor we are in POWERON state,
+ we return and finish the remaining selftests before
+ real use of the library. It will be in the POWERON
+ state meanwhile. */
+ if (in_poweron)
+ if (check_binary_integrity ())
+ goto leave;
+
+ if (in_poweron)
+ return 0;
if (run_cipher_selftests (extended))
goto leave;
@@ -730,18 +758,12 @@ _gcry_fips_run_selftests (int extended)
if (run_pubkey_selftests (extended))
goto leave;
- /* Now check the integrity of the binary. We do this this after
- having checked the HMAC code. */
- if (check_binary_integrity ())
- goto leave;
-
/* All selftests passed. */
result = STATE_OPERATIONAL;
ec = 0;
leave:
- if (fips_mode ())
- fips_new_state (result);
+ fips_new_state (result);
return ec;
}
@@ -797,6 +819,7 @@ fips_new_state (enum module_states new_s
{
case STATE_POWERON:
if (new_state == STATE_INIT
+ || new_state == STATE_SELFTEST
|| new_state == STATE_ERROR
|| new_state == STATE_FATALERROR)
ok = 1;
@@ -811,6 +834,8 @@ fips_new_state (enum module_states new_s
case STATE_SELFTEST:
if (new_state == STATE_OPERATIONAL
+ || new_state == STATE_INIT
+ || new_state == STATE_SELFTEST
|| new_state == STATE_ERROR
|| new_state == STATE_FATALERROR)
ok = 1;
diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c
--- libgcrypt-1.8.3/src/global.c.fips-ctor 2017-11-23 19:25:58.000000000 +0100
+++ libgcrypt-1.8.3/src/global.c 2018-07-17 19:15:43.933827112 +0200
@@ -141,6 +141,29 @@ global_init (void)
+++ libgcrypt-1.8.3/src/global.c 2020-04-17 16:29:59.258218015 +0200
@@ -141,6 +141,34 @@ global_init (void)
}
@ -202,25 +13,30 @@ diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c
+{
+ int rv;
+
+ /* We always need the FSM lock to be functional. */
+ _gcry_initialize_fsm_lock ();
+
+ rv = access (FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ if (!rv)
+ {
+ /* We run the integrity check at this point. The remaining
+ selftests are run before use of the library by application. */
+ int no_secmem_save;
+
+ /* it should be always 0 at this point but let's keep on the safe side */
+ no_secmem_save = no_secure_memory;
+ no_secure_memory = 1;
+ /* force selftests */
+ global_init();
+ _gcry_fips_run_selftests (0);
+ if (!fips_mode())
+ _gcry_random_close_fds ();
+ no_secure_memory = no_secmem_save;
+ }
+}
+
/* This function is called by the macro fips_is_operational and makes
sure that the minimal initialization has been done. This is far
from a perfect solution and hides problems with an improper
@@ -671,8 +694,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
@@ -671,8 +699,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
case GCRYCTL_FIPS_MODE_P:
if (fips_mode ()
@ -230,7 +46,7 @@ diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c
rc = GPG_ERR_GENERAL; /* Used as TRUE value */
break;
@@ -749,9 +771,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
@@ -749,9 +776,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
break;
case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
@ -242,15 +58,3 @@ diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c
_gcry_set_preferred_rng_type (0);
_gcry_set_enforced_fips_mode ();
}
diff -up libgcrypt-1.8.3/src/g10lib.h.fips-ctor libgcrypt-1.8.3/src/g10lib.h
--- libgcrypt-1.8.3/src/g10lib.h.fips-ctor 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.3/src/g10lib.h 2018-07-12 13:24:54.089403030 +0200
@@ -422,6 +422,8 @@ gpg_err_code_t _gcry_sexp_vextract_param
/*-- fips.c --*/
+void _gcry_initialize_fsm_lock (void);
+
void _gcry_initialize_fips_mode (int force);
int _gcry_fips_mode (void);

View File

@ -1,101 +0,0 @@
diff -up libgcrypt-1.8.3/random/random.c.getrandom libgcrypt-1.8.3/random/random.c
--- libgcrypt-1.8.3/random/random.c.getrandom 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.3/random/random.c 2018-07-10 15:38:34.303855808 +0200
@@ -110,8 +110,8 @@ _gcry_random_read_conf (void)
unsigned int result = 0;
fp = fopen (fname, "r");
- if (!fp)
- return result;
+ if (!fp) /* We make only_urandom the default. */
+ return RANDOM_CONF_ONLY_URANDOM;
for (;;)
{
diff -up libgcrypt-1.8.3/random/random-csprng.c.getrandom libgcrypt-1.8.3/random/random-csprng.c
--- libgcrypt-1.8.3/random/random-csprng.c.getrandom 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.3/random/random-csprng.c 2018-06-14 16:31:04.731179208 +0200
@@ -55,6 +55,10 @@
#ifdef __MINGW32__
#include <process.h>
#endif
+#if defined(__linux__) && defined(HAVE_SYSCALL)
+# include <sys/syscall.h>
+# include <linux/random.h>
+#endif
#include "g10lib.h"
#include "random.h"
#include "rand-internal.h"
@@ -1116,6 +1120,22 @@ getfnc_gather_random (void))(void (*)(co
enum random_origins, size_t, int);
#if USE_RNDLINUX
+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ long ret;
+ char buffer[1];
+
+ _gcry_pre_syscall ();
+ ret = syscall (__NR_getrandom,
+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
+ _gcry_post_syscall ();
+ if (ret != -1 || errno != ENOSYS)
+ {
+ fnc = _gcry_rndlinux_gather_random;
+ return fnc;
+ }
+ else
+ /* The syscall is not supported - fallback to /dev/urandom. */
+#endif
if ( !access (NAME_OF_DEV_RANDOM, R_OK)
&& !access (NAME_OF_DEV_URANDOM, R_OK))
{
diff -up libgcrypt-1.8.3/random/rndlinux.c.getrandom libgcrypt-1.8.3/random/rndlinux.c
--- libgcrypt-1.8.3/random/rndlinux.c.getrandom 2018-06-14 16:31:04.722178971 +0200
+++ libgcrypt-1.8.3/random/rndlinux.c 2018-07-10 15:55:03.301075155 +0200
@@ -35,6 +35,7 @@
#include <poll.h>
#if defined(__linux__) && defined(HAVE_SYSCALL)
# include <sys/syscall.h>
+# include <linux/random.h>
#endif
#include "types.h"
@@ -204,6 +205,18 @@ _gcry_rndlinux_gather_random (void (*add
{
if (fd_urandom == -1)
{
+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ long ret;
+
+ _gcry_pre_syscall ();
+ ret = syscall (__NR_getrandom,
+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
+ _gcry_post_syscall ();
+ if (ret > -1 || errno == EAGAIN || errno == EINTR)
+ fd_urandom = -2;
+ else
+ /* The syscall is not supported - fallback to /dev/urandom. */
+#endif
fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
ever_opened |= 2;
}
@@ -230,7 +243,7 @@ _gcry_rndlinux_gather_random (void (*add
* syscall and not a new device and thus we are not able to use
* select(2) to have a timeout. */
#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
- if (fd == fd_urandom)
+ if (fd == -2)
{
long ret;
size_t nbytes;
@@ -246,9 +259,7 @@ _gcry_rndlinux_gather_random (void (*add
_gcry_post_syscall ();
}
while (ret == -1 && errno == EINTR);
- if (ret == -1 && errno == ENOSYS)
- ; /* The syscall is not supported - fallback to /dev/urandom. */
- else
+ if (1)
{ /* The syscall is supported. Some sanity checks. */
if (ret == -1)
log_fatal ("unexpected error from getrandom: %s\n",

View File

@ -1,12 +1,18 @@
diff -up libgcrypt-1.8.3/cipher/md.c.fips-enforce libgcrypt-1.8.3/cipher/md.c
--- libgcrypt-1.8.3/cipher/md.c.fips-enforce 2018-11-01 15:40:36.051865535 +0100
+++ libgcrypt-1.8.3/cipher/md.c 2019-06-03 11:50:21.435401753 +0200
@@ -409,7 +409,7 @@ md_enable (gcry_md_hd_t hd, int algorith
--- libgcrypt-1.8.3/cipher/md.c.fips-enforce 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.3/cipher/md.c 2020-04-17 15:07:31.364945130 +0200
@@ -409,13 +409,10 @@ md_enable (gcry_md_hd_t hd, int algorith
}
- if (!err && algorithm == GCRY_MD_MD5 && fips_mode ())
+ if (!err && !spec->flags.fips && fips_mode ())
{
- _gcry_inactivate_fips_mode ("MD5 used");
if (_gcry_enforced_fips_mode () )
{
- /* We should never get to here because we do not register
- MD5 in enforced fips mode. But better throw an error. */
err = GPG_ERR_DIGEST_ALGO;
}
}

View File

@ -0,0 +1,65 @@
diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c
--- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100
@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen);
- else
- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
+ else if (!domain->p || !domain->q)
+ ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+ initial_seed.seed,
+ initial_seed.seedlen,
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen, NULL);
+ else
+ {
+ /* Domain parameters p and q are given; use them. */
+ prime_p = mpi_copy (domain->p);
+ prime_q = mpi_copy (domain->q);
+ gcry_assert (mpi_get_nbits (prime_p) == nbits);
+ gcry_assert (mpi_get_nbits (prime_q) == qbits);
+ ec = 0;
+ }
sexp_release (initial_seed.sexp);
if (ec)
goto leave;
@@ -855,13 +866,12 @@ dsa_generate (const gcry_sexp_t genparms
sexp_release (l1);
sexp_release (domainsexp);
- /* Check that all domain parameters are available. */
- if (!domain.p || !domain.q || !domain.g)
+ /* Check that p and q domain parameters are available. */
+ if (!domain.p || !domain.q || (!domain.g && !(flags & PUBKEY_FLAG_USE_FIPS186)))
{
_gcry_mpi_release (domain.p);
_gcry_mpi_release (domain.q);
_gcry_mpi_release (domain.g);
- sexp_release (deriveparms);
return GPG_ERR_MISSING_VALUE;
}
diff -up libgcrypt-1.8.4/cipher/rsa.c.fips-keygen libgcrypt-1.8.4/cipher/rsa.c
--- libgcrypt-1.8.4/cipher/rsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.4/cipher/rsa.c 2019-02-12 14:29:25.630513971 +0100
@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig
if (nbits < 1024 || (nbits & 0x1FF))
return GPG_ERR_INV_VALUE;
- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
+ if (fips_mode() && nbits < 2048)
return GPG_ERR_INV_VALUE;
/* The random quality depends on the transient_key flag. */
@@ -696,7 +696,7 @@ generate_x931 (RSA_secret_key *sk, unsig
*swapped = 0;
- if (e_value == 1) /* Alias for a secure value. */
+ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */
e_value = 65537;
/* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */

View File

@ -0,0 +1,184 @@
diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basic.c
--- libgcrypt-1.8.4/tests/basic.c.tests-fipsmode 2018-04-17 17:29:40.000000000 +0200
+++ libgcrypt-1.8.4/tests/basic.c 2019-02-12 13:30:48.935791024 +0100
@@ -6964,7 +6964,7 @@ check_ciphers (void)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_CTR, 0);
if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_CCM_BLOCK_LEN)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_CCM, 0);
- if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN)
+ if (!in_fips_mode && gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0);
if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_OCB_BLOCK_LEN)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_OCB, 0);
@@ -7010,11 +7010,17 @@ check_cipher_modes(void)
check_cfb_cipher ();
check_ofb_cipher ();
check_ccm_cipher ();
- check_gcm_cipher ();
- check_poly1305_cipher ();
- check_ocb_cipher ();
+ if (!in_fips_mode)
+ {
+ check_gcm_cipher ();
+ check_poly1305_cipher ();
+ check_ocb_cipher ();
+ }
check_xts_cipher ();
- check_gost28147_cipher ();
+ if (!in_fips_mode)
+ {
+ check_gost28147_cipher ();
+ }
check_stream_cipher ();
check_stream_cipher_large_block ();
@@ -10001,7 +10007,7 @@ check_mac (void)
show_mac_not_available (algos[i].algo);
continue;
}
- if (gcry_mac_test_algo (algos[i].algo) && in_fips_mode)
+ if ((algos[i].algo == GCRY_MAC_GMAC_AES || gcry_mac_test_algo (algos[i].algo)) && in_fips_mode)
{
if (verbose)
fprintf (stderr, " algorithm %d not available in fips mode\n",
@@ -11095,8 +11101,6 @@ main (int argc, char **argv)
/* If we are in fips mode do some more tests. */
gcry_md_hd_t md;
- /* First trigger a self-test. */
- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0);
if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0))
fail ("not in operational state after self-test\n");
@@ -11121,15 +11125,6 @@ main (int argc, char **argv)
gcry_md_close (md);
if (gcry_control (GCRYCTL_OPERATIONAL_P, 0))
fail ("expected error state but still in operational state\n");
- else
- {
- /* Now run a self-test and to get back into
- operational state. */
- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0);
- if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0))
- fail ("did not reach operational after error "
- "and self-test\n");
- }
}
}
diff -up libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode libgcrypt-1.8.4/tests/benchmark.c
--- libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode 2019-02-12 11:31:44.859603883 +0100
+++ libgcrypt-1.8.4/tests/benchmark.c 2019-02-12 14:10:40.271999352 +0100
@@ -872,8 +872,10 @@ cipher_bench ( const char *algoname )
|| (blklen == 1 && modes[modeidx].mode != GCRY_CIPHER_MODE_STREAM))
continue;
- if (modes[modeidx].req_blocksize > 0
- && blklen != modes[modeidx].req_blocksize)
+ if ((modes[modeidx].req_blocksize > 0
+ && blklen != modes[modeidx].req_blocksize)
+ || (in_fips_mode
+ && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM))
{
printf (" %7s %7s", "-", "-" );
continue;
diff -up libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode libgcrypt-1.8.4/tests/bench-slope.c
--- libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.4/tests/bench-slope.c 2019-02-12 14:14:33.618763325 +0100
@@ -1338,7 +1338,7 @@ cipher_bench_one (int algo, struct bench
return;
/* GCM has restrictions for block-size */
- if (mode.mode == GCRY_CIPHER_MODE_GCM && blklen != GCRY_GCM_BLOCK_LEN)
+ if (mode.mode == GCRY_CIPHER_MODE_GCM && (gcry_fips_mode_active () || blklen != GCRY_GCM_BLOCK_LEN))
return;
/* XTS has restrictions for block-size */
diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pubkey.c
--- libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.4/tests/pubkey.c 2019-02-12 13:52:25.658746415 +0100
@@ -504,15 +504,30 @@ get_dsa_key_with_domain_new (gcry_sexp_t
rc = gcry_sexp_new
(&key_spec,
"(genkey (dsa (transient-key)(domain"
- "(p #d3aed1876054db831d0c1348fbb1ada72507e5fbf9a62cbd47a63aeb7859d6921"
- "4adeb9146a6ec3f43520f0fd8e3125dd8bbc5d87405d1ac5f82073cd762a3f8d7"
- "74322657c9da88a7d2f0e1a9ceb84a39cb40876179e6a76e400498de4bb9379b0"
- "5f5feb7b91eb8fea97ee17a955a0a8a37587a272c4719d6feb6b54ba4ab69#)"
- "(q #9c916d121de9a03f71fb21bc2e1c0d116f065a4f#)"
- "(g #8157c5f68ca40b3ded11c353327ab9b8af3e186dd2e8dade98761a0996dda99ab"
- "0250d3409063ad99efae48b10c6ab2bba3ea9a67b12b911a372a2bba260176fad"
- "b4b93247d9712aad13aa70216c55da9858f7a298deb670a403eb1e7c91b847f1e"
- "ccfbd14bd806fd42cf45dbb69cd6d6b43add2a78f7d16928eaa04458dea44#)"
+ " (p #a85378d8fd3f8d72ec7418080da21317e43ec4b62ba8c862"
+ " 3b7e4d04441dd1a0658662596493ca8e9e8fbb7e34aaddb6"
+ " 2e5d67b6d09a6e61b769e7c352aa2b10e20ca0636963b552"
+ " 3e86470decbbeda027e797e7b67635d4d49c30700e74af8a"
+ " 0ff156a801af57a26e7078f1d82f74908ecb6d07e70b3503"
+ " eed94fa32cf17a7fc3d6cf40dc7b00830e6a2566dc073e34"
+ " 3312517c6aa5152b4bfecd2e551fee346318a153423c996b"
+ " 0d5dcb9102aedd38798616f1f1e0d6c403525b1f9b3d4dc7"
+ " 66de2dfc4a56d7b8ba5963d60f3e16318870ad436952e557"
+ " 65374eab85e8ec17d6b9a4547b9b5f2752f3105be809b23a"
+ " 2c8d7469db02e24d592394a7dba069e9#)"
+ " (q #d277044e50f5a4e3f510a50a0b84fdffbca047ed27602056"
+ " 7441a0a5#)"
+ " (g #13d754e21fd241655da891c522a65a72a89bdc64ec9b54a8"
+ " 21ed4a898b490e0c4fcb72192a4a20f541f3f2925399f0ba"
+ " ecf929aafbf79dfe4332393b32cd2e2fcf272f32a627434a"
+ " 0df242b75b414df372121e53a553f222f836b000f016485b"
+ " 6bd0898451801dcd8de64cd5365696ffc532d528c506620a"
+ " 942a0305046d8f1876341f1e570bc3974ba6b9a438e97023"
+ " 02a2e6e67bfd06d32bc679962271d7b40cd72f386e64e0d7"
+ " ef86ca8ca5d14228dc2a4f16e3189886b5990674f4200f3a"
+ " 4cf65a3f0ddba1fa672dff2f5e143d10e4e97ae84f6da095"
+ " 35d5b9df259181a79b63b069e949972b02ba36b3586aab7e"
+ " 45f322f82e4e85ca3ab85591b3c2a966#)"
")))", 0, 1);
if (rc)
die ("error creating S-expression: %s\n", gcry_strerror (rc));
@@ -595,7 +610,7 @@ get_dsa_key_fips186_with_seed_new (gcry_
" (use-fips186)"
" (transient-key)"
" (derive-parms"
- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))",
+ " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))",
0, 1);
if (rc)
die ("error creating S-expression: %s\n", gcry_strerror (rc));
diff -up libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode libgcrypt-1.8.4/tests/t-cv25519.c
--- libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.4/tests/t-cv25519.c 2019-02-12 14:02:35.935705390 +0100
@@ -560,6 +560,9 @@ main (int argc, char **argv)
xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ /* Curve25519 isn't supported in fips mode */
+ if (gcry_fips_mode_active())
+ return 77;
start_timer ();
check_cv25519 ();
diff -up libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode libgcrypt-1.8.4/tests/t-secmem.c
--- libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode 2017-11-23 19:19:54.000000000 +0100
+++ libgcrypt-1.8.4/tests/t-secmem.c 2019-02-12 11:51:02.462190538 +0100
@@ -174,7 +174,8 @@ main (int argc, char **argv)
xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
xgcry_control (GCRYCTL_INIT_SECMEM, pool_size, 0);
- gcry_set_outofcore_handler (outofcore_handler, NULL);
+ if (!gcry_fips_mode_active ())
+ gcry_set_outofcore_handler (outofcore_handler, NULL);
xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
/* Libgcrypt prints a warning when the first overflow is allocated;
@@ -184,7 +185,8 @@ main (int argc, char **argv)
test_secmem ();
- test_secmem_overflow ();
+ if (!gcry_fips_mode_active ())
+ test_secmem_overflow ();
/* FIXME: We need to improve the tests, for example by registering
* our own log handler and comparing the output of
* PRIV_CTL_DUMP_SECMEM_STATS to expected pattern. */

View File

@ -1,6 +1,6 @@
diff -up libgcrypt-1.8.0/random/rndlinux.c.use-poll libgcrypt-1.8.0/random/rndlinux.c
--- libgcrypt-1.8.0/random/rndlinux.c.use-poll 2017-06-24 13:34:29.000000000 +0200
+++ libgcrypt-1.8.0/random/rndlinux.c 2017-08-15 15:37:37.604629377 +0200
diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndlinux.c
--- libgcrypt-1.8.4/random/rndlinux.c.use-poll 2018-10-26 13:50:20.000000000 +0200
+++ libgcrypt-1.8.4/random/rndlinux.c 2018-11-20 15:51:56.760669058 +0100
@@ -32,6 +32,7 @@
#include <string.h>
#include <unistd.h>
@ -9,7 +9,7 @@ diff -up libgcrypt-1.8.0/random/rndlinux.c.use-poll libgcrypt-1.8.0/random/rndli
#if defined(__linux__) && defined(HAVE_SYSCALL)
# include <sys/syscall.h>
#endif
@@ -216,9 +217,8 @@ _gcry_rndlinux_gather_random (void (*add
@@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add
return with something we will actually use 100ms. */
while (length)
{
@ -18,9 +18,9 @@ diff -up libgcrypt-1.8.0/random/rndlinux.c.use-poll libgcrypt-1.8.0/random/rndli
int rc;
+ struct pollfd pfd;
/* If we have a modern Linux kernel and we want to read from the
* the non-blocking /dev/urandom, we first try to use the new
@@ -276,36 +276,25 @@ _gcry_rndlinux_gather_random (void (*add
/* If we have a modern Linux kernel, we first try to use the new
* getrandom syscall. That call guarantees that the kernel's
@@ -300,36 +300,25 @@ _gcry_rndlinux_gather_random (void (*add
any_need_entropy = 1;
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,14 @@
diff -up libgcrypt-1.8.5/cipher/poly1305-armv7-neon.S.build libgcrypt-1.8.5/cipher/poly1305-armv7-neon.S
--- libgcrypt-1.8.5/cipher/poly1305-armv7-neon.S.build 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/poly1305-armv7-neon.S 2020-01-30 17:26:12.026404286 +0100
@@ -87,9 +87,8 @@ _gcry_poly1305_armv7_neon_init_ext:
.Lpoly1305_init_ext_neon_local:
stmfd sp!, {r4-r11, lr}
sub sp, sp, #32
- mov r14, r2
+ mov r14, #-1
and r2, r2, r2
- moveq r14, #-1
UNALIGNED_LDMIA4(r1, r2, r3, r4, r5)
GET_DATA_POINTER(r7,.Lpoly1305_init_constants_neon,r8)
mov r6, r2

View File

@ -0,0 +1,139 @@
diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c
--- libgcrypt-1.8.5/src/fips.c.fips-module 2020-04-20 19:07:45.924919645 +0200
+++ libgcrypt-1.8.5/src/fips.c 2020-04-20 19:10:33.690722470 +0200
@@ -35,10 +35,6 @@
#include "hmac256.h"
-/* The name of the file used to force libgcrypt into fips mode. */
-#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled"
-
-
/* The states of the finite state machine used in fips mode. */
enum module_states
{
@@ -122,54 +118,6 @@ _gcry_initialize_fips_mode (int force)
goto leave;
}
- /* For testing the system it is useful to override the system
- provided detection of the FIPS mode and force FIPS mode using a
- file. The filename is hardwired so that there won't be any
- confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
- actually used. The file itself may be empty. */
- if ( !access (FIPS_FORCE_FILE, F_OK) )
- {
- gcry_assert (!no_fips_mode_required);
- goto leave;
- }
-
- /* Checking based on /proc file properties. */
- {
- static const char procfname[] = "/proc/sys/crypto/fips_enabled";
- FILE *fp;
- int saved_errno;
-
- fp = fopen (procfname, "r");
- if (fp)
- {
- char line[256];
-
- if (fgets (line, sizeof line, fp) && atoi (line))
- {
- /* System is in fips mode. */
- fclose (fp);
- gcry_assert (!no_fips_mode_required);
- goto leave;
- }
- fclose (fp);
- }
- else if ((saved_errno = errno) != ENOENT
- && saved_errno != EACCES
- && !access ("/proc/version", F_OK) )
- {
- /* Problem reading the fips file despite that we have the proc
- file system. We better stop right away. */
- log_info ("FATAL: error reading `%s' in libgcrypt: %s\n",
- procfname, strerror (saved_errno));
-#ifdef HAVE_SYSLOG
- syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
- "reading `%s' failed: %s - abort",
- procfname, strerror (saved_errno));
-#endif /*HAVE_SYSLOG*/
- abort ();
- }
- }
-
/* Fips not not requested, set flag. */
no_fips_mode_required = 1;
diff -up libgcrypt-1.8.5/src/g10lib.h.fips-module libgcrypt-1.8.5/src/g10lib.h
--- libgcrypt-1.8.5/src/g10lib.h.fips-module 2020-04-20 19:07:45.918919759 +0200
+++ libgcrypt-1.8.5/src/g10lib.h 2020-04-20 19:11:05.003125740 +0200
@@ -422,6 +422,9 @@ gpg_err_code_t _gcry_sexp_vextract_param
/*-- fips.c --*/
+/* The name of the file used to force libgcrypt into fips mode. */
+#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled"
+
void _gcry_initialize_fips_mode (int force);
int _gcry_fips_mode (void);
diff -up libgcrypt-1.8.5/src/global.c.fips-module libgcrypt-1.8.5/src/global.c
--- libgcrypt-1.8.5/src/global.c.fips-module 2020-04-20 19:07:45.919919741 +0200
+++ libgcrypt-1.8.5/src/global.c 2020-04-20 19:07:45.950919149 +0200
@@ -160,6 +160,53 @@ void __attribute__ ((constructor)) _gcry
rv = access (FIPS_MODULE_PATH, F_OK);
if (rv < 0 && errno != ENOENT)
rv = 0;
+
+ /* For testing the system it is useful to override the system
+ provided detection of the FIPS mode and force FIPS mode using a
+ file. The filename is hardwired so that there won't be any
+ confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
+ actually used. The file itself may be empty. */
+ if ( !access (FIPS_FORCE_FILE, F_OK) )
+ {
+ rv = 0;
+ force_fips_mode = 1;
+ }
+
+ /* Checking based on /proc file properties. */
+ {
+ static const char procfname[] = "/proc/sys/crypto/fips_enabled";
+ FILE *fp;
+ int saved_errno;
+
+ fp = fopen (procfname, "r");
+ if (fp)
+ {
+ char line[256];
+
+ if (fgets (line, sizeof line, fp) && atoi (line))
+ {
+ /* System is in fips mode. */
+ rv = 0;
+ force_fips_mode = 1;
+ }
+ fclose (fp);
+ }
+ else if ((saved_errno = errno) != ENOENT
+ && saved_errno != EACCES
+ && !access ("/proc/version", F_OK) )
+ {
+ /* Problem reading the fips file despite that we have the proc
+ file system. We better stop right away. */
+ log_info ("FATAL: error reading `%s' in libgcrypt: %s\n",
+ procfname, strerror (saved_errno));
+#ifdef HAVE_SYSLOG
+ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
+ "reading `%s' failed: %s - abort",
+ procfname, strerror (saved_errno));
+#endif /*HAVE_SYSLOG*/
+ abort ();
+ }
+ }
if (!rv)
{

View File

@ -0,0 +1,285 @@
diff -up libgcrypt-1.8.5/random/rand-internal.h.getrandom libgcrypt-1.8.5/random/rand-internal.h
--- libgcrypt-1.8.5/random/rand-internal.h.getrandom 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/random/rand-internal.h 2020-04-20 14:55:34.875949624 +0200
@@ -47,6 +47,7 @@ void _gcry_random_progress (const char *
/*-- random-csprng.c --*/
void _gcry_rngcsprng_initialize (int full);
+void _gcry_rngcsprng_deinit (void);
void _gcry_rngcsprng_close_fds (void);
void _gcry_rngcsprng_dump_stats (void);
void _gcry_rngcsprng_secure_alloc (void);
@@ -68,6 +69,7 @@ void _gcry_rngcsprng_fast_poll (void);
/*-- random-drbg.c --*/
void _gcry_rngdrbg_inititialize (int full);
+void _gcry_rngdrbg_deinit (void);
void _gcry_rngdrbg_close_fds (void);
void _gcry_rngdrbg_dump_stats (void);
int _gcry_rngdrbg_is_faked (void);
diff -up libgcrypt-1.8.5/random/random.c.getrandom libgcrypt-1.8.5/random/random.c
--- libgcrypt-1.8.5/random/random.c.getrandom 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/random/random.c 2020-04-20 14:55:34.876949605 +0200
@@ -110,8 +110,8 @@ _gcry_random_read_conf (void)
unsigned int result = 0;
fp = fopen (fname, "r");
- if (!fp)
- return result;
+ if (!fp) /* We make only_urandom the default. */
+ return RANDOM_CONF_ONLY_URANDOM;
for (;;)
{
@@ -228,6 +228,22 @@ _gcry_random_initialize (int full)
}
+/* Deinitialize this random subsystem. */
+void
+_gcry_random_deinit (void)
+{
+ if (fips_mode ())
+ _gcry_rngdrbg_deinit ();
+ else if (rng_types.standard)
+ _gcry_rngcsprng_deinit ();
+ else if (rng_types.fips)
+ _gcry_rngdrbg_deinit ();
+ else
+ _gcry_rngcsprng_deinit ();
+ /* not needed for system */
+}
+
+
/* If possible close file descriptors used by the RNG. */
void
_gcry_random_close_fds (void)
diff -up libgcrypt-1.8.5/random/random-csprng.c.getrandom libgcrypt-1.8.5/random/random-csprng.c
--- libgcrypt-1.8.5/random/random-csprng.c.getrandom 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/random/random-csprng.c 2020-04-20 15:04:27.182877975 +0200
@@ -55,6 +55,10 @@
#ifdef __MINGW32__
#include <process.h>
#endif
+#if defined(__linux__) && defined(HAVE_SYSCALL)
+# include <sys/syscall.h>
+# include <linux/random.h>
+#endif
#include "g10lib.h"
#include "random.h"
#include "rand-internal.h"
@@ -343,6 +347,21 @@ _gcry_rngcsprng_initialize (int full)
}
+void
+_gcry_rngcsprng_deinit (void)
+{
+ lock_pool();
+ pool_writepos = 0;
+ pool_readpos = 0;
+ pool_filled = 0;
+ pool_filled_counter = 0;
+ did_initial_extra_seeding = 0;
+ pool_balance = 0;
+ just_mixed = 0;
+ unlock_pool();
+}
+
+
/* Try to close the FDs of the random gather module. This is
currently only implemented for rndlinux. */
void
@@ -1116,6 +1135,22 @@ getfnc_gather_random (void))(void (*)(co
enum random_origins, size_t, int);
#if USE_RNDLINUX
+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ long ret;
+ char buffer[1];
+
+ _gcry_pre_syscall ();
+ ret = syscall (__NR_getrandom,
+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
+ _gcry_post_syscall ();
+ if (ret != -1 || errno != ENOSYS)
+ {
+ fnc = _gcry_rndlinux_gather_random;
+ return fnc;
+ }
+ else
+ /* The syscall is not supported - fallback to /dev/urandom. */
+#endif
if ( !access (NAME_OF_DEV_RANDOM, R_OK)
&& !access (NAME_OF_DEV_URANDOM, R_OK))
{
diff -up libgcrypt-1.8.5/random/random-drbg.c.getrandom libgcrypt-1.8.5/random/random-drbg.c
--- libgcrypt-1.8.5/random/random-drbg.c.getrandom 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/random/random-drbg.c 2020-04-20 15:02:37.782947902 +0200
@@ -1811,6 +1811,22 @@ _gcry_rngdrbg_inititialize (int full)
}
/*
+ * Deinitialize the DRBG invoked by the libgcrypt API
+ * It will be automatically re-initialized on next call
+ */
+void
+_gcry_rngdrbg_deinit (void)
+{
+ drbg_lock ();
+ if (drbg_state)
+ {
+ drbg_uninstantiate (drbg_state);
+ drbg_state = NULL;
+ }
+ drbg_unlock ();
+}
+
+/*
* Backend handler function for GCRYCTL_DRBG_REINIT
*
* Select a different DRBG type and initialize it.
diff -up libgcrypt-1.8.5/random/random.h.getrandom libgcrypt-1.8.5/random/random.h
--- libgcrypt-1.8.5/random/random.h.getrandom 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/random/random.h 2020-04-20 14:55:34.877949586 +0200
@@ -29,6 +29,7 @@ void _gcry_register_random_progress (voi
void _gcry_set_preferred_rng_type (int type);
void _gcry_random_initialize (int full);
+void _gcry_random_deinit (void);
void _gcry_random_close_fds (void);
int _gcry_get_rng_type (int ignore_fips_mode);
void _gcry_random_dump_stats(void);
diff -up libgcrypt-1.8.5/random/rndlinux.c.getrandom libgcrypt-1.8.5/random/rndlinux.c
--- libgcrypt-1.8.5/random/rndlinux.c.getrandom 2020-04-20 15:01:50.159848963 +0200
+++ libgcrypt-1.8.5/random/rndlinux.c 2020-04-20 16:14:21.901610921 +0200
@@ -35,6 +35,7 @@
#include <poll.h>
#if defined(__linux__) && defined(HAVE_SYSCALL)
# include <sys/syscall.h>
+# include <linux/random.h>
#endif
#include "types.h"
@@ -147,12 +148,12 @@ _gcry_rndlinux_gather_random (void (*add
if (!add)
{
/* Special mode to close the descriptors. */
- if (fd_random != -1)
+ if (fd_random >= 0)
{
close (fd_random);
fd_random = -1;
}
- if (fd_urandom != -1)
+ if (fd_urandom >= 0)
{
close (fd_urandom);
fd_urandom = -1;
@@ -166,12 +167,12 @@ _gcry_rndlinux_gather_random (void (*add
apid = getpid ();
if (my_pid != apid)
{
- if (fd_random != -1)
+ if (fd_random >= 0)
{
close (fd_random);
fd_random = -1;
}
- if (fd_urandom != -1)
+ if (fd_urandom >= 0)
{
close (fd_urandom);
fd_urandom = -1;
@@ -216,7 +217,23 @@ _gcry_rndlinux_gather_random (void (*add
that we always require the device to be existent but want a more
graceful behaviour if the rarely needed close operation has been
used and the device needs to be re-opened later. */
- if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom)
+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ if (fd_urandom != -2 && !_gcry_in_constructor ())
+ {
+ long ret;
+
+ _gcry_pre_syscall ();
+ ret = syscall (__NR_getrandom,
+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
+ _gcry_post_syscall ();
+ if (ret > -1 || errno == EAGAIN || errno == EINTR)
+ {
+ fd_urandom = -2;
+ fd_random = -2;
+ }
+ }
+#endif
+ if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom && !_gcry_in_constructor ())
{
if (fd_random == -1)
{
@@ -255,6 +272,7 @@ _gcry_rndlinux_gather_random (void (*add
* syscall and not a new device and thus we are not able to use
* select(2) to have a timeout. */
#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ if (fd == -2)
{
long ret;
size_t nbytes;
@@ -270,9 +288,7 @@ _gcry_rndlinux_gather_random (void (*add
_gcry_post_syscall ();
}
while (ret == -1 && errno == EINTR);
- if (ret == -1 && errno == ENOSYS)
- ; /* The syscall is not supported - fallback to pulling from fd. */
- else
+ if (1)
{ /* The syscall is supported. Some sanity checks. */
if (ret == -1)
log_fatal ("unexpected error from getrandom: %s\n",
diff -up libgcrypt-1.8.5/src/g10lib.h.getrandom libgcrypt-1.8.5/src/g10lib.h
--- libgcrypt-1.8.5/src/g10lib.h.getrandom 2020-04-20 15:08:16.528538580 +0200
+++ libgcrypt-1.8.5/src/g10lib.h 2020-04-20 15:08:28.641309399 +0200
@@ -464,6 +464,6 @@ gpg_err_code_t _gcry_fips_run_selftests
void _gcry_fips_noreturn (void);
#define fips_noreturn() (_gcry_fips_noreturn ())
-
+int _gcry_in_constructor (void);
#endif /* G10LIB_H */
diff -up libgcrypt-1.8.5/src/global.c.getrandom libgcrypt-1.8.5/src/global.c
--- libgcrypt-1.8.5/src/global.c.getrandom 2020-04-20 15:06:21.891707597 +0200
+++ libgcrypt-1.8.5/src/global.c 2020-04-20 15:07:29.018437509 +0200
@@ -145,10 +145,18 @@ global_init (void)
#define FIPS_MODULE_PATH "/etc/system-fips"
#endif
+static int in_constructor = 0;
+
+int _gcry_in_constructor(void)
+{
+ return in_constructor;
+}
+
void __attribute__ ((constructor)) _gcry_global_constructor (void)
{
int rv;
+ in_constructor = 1;
rv = access (FIPS_MODULE_PATH, F_OK);
if (rv < 0 && errno != ENOENT)
rv = 0;
@@ -163,10 +171,12 @@ void __attribute__ ((constructor)) _gcry
/* force selftests */
global_init();
_gcry_fips_run_selftests (0);
- if (!fips_mode())
- _gcry_random_close_fds ();
+ _gcry_random_close_fds ();
+ _gcry_random_deinit ();
no_secure_memory = no_secmem_save;
}
+
+ in_constructor = 0;
}
/* This function is called by the macro fips_is_operational and makes

View File

@ -0,0 +1,348 @@
diff -up libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S
--- libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S 2020-01-23 15:36:44.148972045 +0100
@@ -18,8 +18,9 @@
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
-#ifdef __x86_64
#include <config.h>
+
+#ifdef __x86_64
#if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \
defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX2_SUPPORT)
diff -up libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S.intel-cet libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S
--- libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S 2020-01-23 15:36:44.145972088 +0100
@@ -18,8 +18,9 @@
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
-#ifdef __x86_64
#include <config.h>
+
+#ifdef __x86_64
#if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \
defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX_SUPPORT)
diff -up libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S
--- libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S 2020-01-23 15:36:16.780250066 +0100
@@ -48,6 +48,9 @@
.globl _gcry_chacha20_amd64_avx2_blocks
ELF(.type _gcry_chacha20_amd64_avx2_blocks,@function;)
_gcry_chacha20_amd64_avx2_blocks:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lchacha_blocks_avx2_local:
vzeroupper
pushq %rbx
diff -up libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S
--- libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S 2020-01-23 15:36:16.783250095 +0100
@@ -41,6 +41,9 @@
.globl _gcry_chacha20_amd64_sse2_blocks
ELF(.type _gcry_chacha20_amd64_sse2_blocks,@function;)
_gcry_chacha20_amd64_sse2_blocks:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lchacha_blocks_sse2_local:
pushq %rbx
pushq %rbp
diff -up libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S
--- libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S 2020-01-23 15:36:16.784250105 +0100
@@ -43,6 +43,9 @@
.globl _gcry_poly1305_amd64_avx2_init_ext
ELF(.type _gcry_poly1305_amd64_avx2_init_ext,@function;)
_gcry_poly1305_amd64_avx2_init_ext:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lpoly1305_init_ext_avx2_local:
xor %edx, %edx
vzeroupper
@@ -406,6 +409,9 @@ ELF(.size _gcry_poly1305_amd64_avx2_init
.globl _gcry_poly1305_amd64_avx2_blocks
ELF(.type _gcry_poly1305_amd64_avx2_blocks,@function;)
_gcry_poly1305_amd64_avx2_blocks:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lpoly1305_blocks_avx2_local:
vzeroupper
pushq %rbp
@@ -732,6 +738,9 @@ ELF(.size _gcry_poly1305_amd64_avx2_bloc
.globl _gcry_poly1305_amd64_avx2_finish_ext
ELF(.type _gcry_poly1305_amd64_avx2_finish_ext,@function;)
_gcry_poly1305_amd64_avx2_finish_ext:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lpoly1305_finish_ext_avx2_local:
vzeroupper
pushq %rbp
diff -up libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S
--- libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S 2020-01-23 15:36:16.787250134 +0100
@@ -42,6 +42,9 @@
.globl _gcry_poly1305_amd64_sse2_init_ext
ELF(.type _gcry_poly1305_amd64_sse2_init_ext,@function;)
_gcry_poly1305_amd64_sse2_init_ext:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lpoly1305_init_ext_x86_local:
xor %edx, %edx
pushq %r12
@@ -288,6 +291,9 @@ ELF(.size _gcry_poly1305_amd64_sse2_init
.globl _gcry_poly1305_amd64_sse2_finish_ext
ELF(.type _gcry_poly1305_amd64_sse2_finish_ext,@function;)
_gcry_poly1305_amd64_sse2_finish_ext:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lpoly1305_finish_ext_x86_local:
pushq %rbp
movq %rsp, %rbp
@@ -439,6 +445,9 @@ ELF(.size _gcry_poly1305_amd64_sse2_fini
.globl _gcry_poly1305_amd64_sse2_blocks
ELF(.type _gcry_poly1305_amd64_sse2_blocks,@function;)
_gcry_poly1305_amd64_sse2_blocks:
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
.Lpoly1305_blocks_x86_local:
pushq %rbp
movq %rsp, %rbp
diff -up libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S
--- libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S 2020-01-23 15:36:44.151972003 +0100
@@ -18,8 +18,9 @@
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
-#ifdef __x86_64
#include <config.h>
+
+#ifdef __x86_64
#if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && defined(USE_SERPENT) && \
defined(ENABLE_AVX2_SUPPORT)
diff -up libgcrypt-1.8.5/configure.ac.intel-cet libgcrypt-1.8.5/configure.ac
--- libgcrypt-1.8.5/configure.ac.intel-cet 2019-08-29 15:00:08.000000000 +0200
+++ libgcrypt-1.8.5/configure.ac 2020-01-23 15:35:28.147774463 +0100
@@ -95,6 +95,12 @@ AH_TOP([
AH_BOTTOM([
#define _GCRYPT_IN_LIBGCRYPT 1
+/* Add .note.gnu.property section for Intel CET in assembler sources
+ when CET is enabled. */
+#if defined(__ASSEMBLER__) && defined(__CET__)
+# include <cet.h>
+#endif
+
/* If the configure check for endianness has been disabled, get it from
OS macros. This is intended for making fat binary builds on OS X. */
#ifdef DISABLED_ENDIAN_CHECK
diff -up libgcrypt-1.8.5/mpi/config.links.intel-cet libgcrypt-1.8.5/mpi/config.links
--- libgcrypt-1.8.5/mpi/config.links.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/mpi/config.links 2020-01-23 15:35:46.398952954 +0100
@@ -382,6 +382,16 @@ if test x"$mpi_cpu_arch" = x ; then
mpi_cpu_arch="unknown"
fi
+# Add .note.gnu.property section for Intel CET in assembler sources
+# when CET is enabled. */
+if test x"$mpi_cpu_arch" = xx86 ; then
+ cat <<EOF >> ./mpi/asm-syntax.h
+
+#if defined(__ASSEMBLER__) && defined(__CET__)
+# include <cet.h>
+#endif
+EOF
+fi
# Make sysdep.h
echo '/* created by config.links - do not edit */' >./mpi/sysdep.h
diff -up libgcrypt-1.8.5/mpi/i386/mpih-add1.S.intel-cet libgcrypt-1.8.5/mpi/i386/mpih-add1.S
--- libgcrypt-1.8.5/mpi/i386/mpih-add1.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/mpi/i386/mpih-add1.S 2020-01-23 15:37:40.470175379 +0100
@@ -52,6 +52,10 @@ C_SYMBOL_NAME(_gcry_mpih_add_n:)
movl 20(%esp),%edx /* s2_ptr */
movl 24(%esp),%ecx /* size */
+#if defined __CET__ && (__CET__ & 1) != 0
+ pushl %ebx
+#endif
+
movl %ecx,%eax
shrl $3,%ecx /* compute count for unrolled loop */
negl %eax
@@ -63,6 +67,9 @@ C_SYMBOL_NAME(_gcry_mpih_add_n:)
subl %eax,%esi /* ... by a constant when we ... */
subl %eax,%edx /* ... enter the loop */
shrl $2,%eax /* restore previous value */
+#if defined __CET__ && (__CET__ & 1) != 0
+ leal -4(,%eax,4),%ebx /* Count for 4-byte endbr32 */
+#endif
#ifdef PIC
/* Calculate start address in loop for PIC. Due to limitations in some
assemblers, Loop-L0-3 cannot be put into the leal */
@@ -75,29 +82,53 @@ L0: leal (%eax,%eax,8),%eax
/* Calculate start address in loop for non-PIC. */
leal (Loop - 3)(%eax,%eax,8),%eax
#endif
+#if defined __CET__ && (__CET__ & 1) != 0
+ addl %ebx,%eax /* Adjust for endbr32 */
+#endif
jmp *%eax /* jump into loop */
ALIGN (3)
Loop: movl (%esi),%eax
adcl (%edx),%eax
movl %eax,(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 4(%esi),%eax
adcl 4(%edx),%eax
movl %eax,4(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 8(%esi),%eax
adcl 8(%edx),%eax
movl %eax,8(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 12(%esi),%eax
adcl 12(%edx),%eax
movl %eax,12(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 16(%esi),%eax
adcl 16(%edx),%eax
movl %eax,16(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 20(%esi),%eax
adcl 20(%edx),%eax
movl %eax,20(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 24(%esi),%eax
adcl 24(%edx),%eax
movl %eax,24(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 28(%esi),%eax
adcl 28(%edx),%eax
movl %eax,28(%edi)
@@ -110,6 +141,10 @@ Loop: movl (%esi),%eax
sbbl %eax,%eax
negl %eax
+#if defined __CET__ && (__CET__ & 1) != 0
+ popl %ebx
+#endif
+
popl %esi
popl %edi
ret
diff -up libgcrypt-1.8.5/mpi/i386/mpih-sub1.S.intel-cet libgcrypt-1.8.5/mpi/i386/mpih-sub1.S
--- libgcrypt-1.8.5/mpi/i386/mpih-sub1.S.intel-cet 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/mpi/i386/mpih-sub1.S 2020-01-23 15:37:40.472175351 +0100
@@ -53,6 +53,10 @@ C_SYMBOL_NAME(_gcry_mpih_sub_n:)
movl 20(%esp),%edx /* s2_ptr */
movl 24(%esp),%ecx /* size */
+#if defined __CET__ && (__CET__ & 1) != 0
+ pushl %ebx
+#endif
+
movl %ecx,%eax
shrl $3,%ecx /* compute count for unrolled loop */
negl %eax
@@ -64,6 +68,9 @@ C_SYMBOL_NAME(_gcry_mpih_sub_n:)
subl %eax,%esi /* ... by a constant when we ... */
subl %eax,%edx /* ... enter the loop */
shrl $2,%eax /* restore previous value */
+#if defined __CET__ && (__CET__ & 1) != 0
+ leal -4(,%eax,4),%ebx /* Count for 4-byte endbr32 */
+#endif
#ifdef PIC
/* Calculate start address in loop for PIC. Due to limitations in some
assemblers, Loop-L0-3 cannot be put into the leal */
@@ -76,29 +83,53 @@ L0: leal (%eax,%eax,8),%eax
/* Calculate start address in loop for non-PIC. */
leal (Loop - 3)(%eax,%eax,8),%eax
#endif
+#if defined __CET__ && (__CET__ & 1) != 0
+ addl %ebx,%eax /* Adjust for endbr32 */
+#endif
jmp *%eax /* jump into loop */
ALIGN (3)
Loop: movl (%esi),%eax
sbbl (%edx),%eax
movl %eax,(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 4(%esi),%eax
sbbl 4(%edx),%eax
movl %eax,4(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 8(%esi),%eax
sbbl 8(%edx),%eax
movl %eax,8(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 12(%esi),%eax
sbbl 12(%edx),%eax
movl %eax,12(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 16(%esi),%eax
sbbl 16(%edx),%eax
movl %eax,16(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 20(%esi),%eax
sbbl 20(%edx),%eax
movl %eax,20(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 24(%esi),%eax
sbbl 24(%edx),%eax
movl %eax,24(%edi)
+#ifdef _CET_ENDBR
+ _CET_ENDBR
+#endif
movl 28(%esi),%eax
sbbl 28(%edx),%eax
movl %eax,28(%edi)
@@ -111,6 +142,10 @@ Loop: movl (%esi),%eax
sbbl %eax,%eax
negl %eax
+#if defined __CET__ && (__CET__ & 1) != 0
+ popl %ebx
+#endif
+
popl %esi
popl %edi
ret

View File

@ -0,0 +1,158 @@
diff -up libgcrypt-1.8.5/cipher/kdf.c.kdf-selftest libgcrypt-1.8.5/cipher/kdf.c
--- libgcrypt-1.8.5/cipher/kdf.c.kdf-selftest 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/cipher/kdf.c 2020-06-15 18:14:26.494995669 +0200
@@ -305,3 +305,99 @@ _gcry_kdf_derive (const void *passphrase
leave:
return ec;
}
+
+
+/* PBKDF2 selftests.
+ * Copyright (C) 2008 Free Software Foundation, Inc.
+ * Copyright (C) 2019, 2020 Red Hat, Inc.
+ */
+
+/* Check one PBKDF2 call with HASH ALGO using the regular KDF
+ * API. (passphrase,passphraselen) is the password to be derived,
+ * (salt,saltlen) the salt for the key derivation,
+ * iterations is the number of the kdf iterations,
+ * and (expect,expectlen) the expected result. Returns NULL on
+ * success or a string describing the failure. */
+
+static const char *
+check_one (int algo,
+ const void *passphrase, size_t passphraselen,
+ const void *salt, size_t saltlen,
+ unsigned long iterations,
+ const void *expect, size_t expectlen)
+{
+ unsigned char key[512]; /* hardcoded to avoid allocation */
+ size_t keysize = expectlen;
+
+ if (keysize > sizeof(key))
+ return "invalid tests data";
+
+ if (_gcry_kdf_derive (passphrase, passphraselen, GCRY_KDF_PBKDF2,
+ algo, salt, saltlen, iterations,
+ keysize, key))
+ return "gcry_kdf_derive failed";
+
+ if (memcmp (key, expect, expectlen))
+ return "does not match";
+
+ return NULL;
+}
+
+static gpg_err_code_t
+run_pbkdf2_selftest (int extended, selftest_report_func_t report)
+{
+ const char *what;
+ const char *errtxt;
+
+ what = "Basic PBKDF2 SHA256";
+ errtxt = check_one (GCRY_MD_SHA256,
+ "password", 8,
+ "salt", 4,
+ 2,
+ "\xae\x4d\x0c\x95\xaf\x6b\x46\xd3\x2d\x0a\xdf\xf9\x28\xf0\x6d\xd0"
+ "\x2a\x30\x3f\x8e\xf3\xc2\x51\xdf\xd6\xe2\xd8\x5a\x95\x47\x4c\x43", 32);
+ if (errtxt)
+ goto failed;
+
+ if (extended)
+ {
+ what = "Extended PBKDF2 SHA256";
+ errtxt = check_one (GCRY_MD_SHA256,
+ "passwordPASSWORDpassword", 24,
+ "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
+ 4096,
+ "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e\x84\xcf"
+ "\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f\xb8\xdd\x53\xe1"
+ "\xc6\x35\x51\x8c\x7d\xac\x47\xe9", 40);
+ if (errtxt)
+ goto failed;
+ }
+
+ return 0; /* Succeeded. */
+
+ failed:
+ if (report)
+ report ("kdf", GCRY_KDF_PBKDF2, what, errtxt);
+ return GPG_ERR_SELFTEST_FAILED;
+}
+
+
+/* Run the selftests for KDF with KDF algorithm ALGO with optional
+ reporting function REPORT. */
+gpg_error_t
+_gcry_kdf_selftest (int algo, int extended, selftest_report_func_t report)
+{
+ gcry_err_code_t ec = 0;
+
+ if (algo == GCRY_KDF_PBKDF2)
+ {
+ ec = run_pbkdf2_selftest (extended, report);
+ }
+ else
+ {
+ ec = GPG_ERR_UNSUPPORTED_ALGORITHM;
+ if (report)
+ report ("kdf", algo, "module", "algorithm not available");
+ }
+ return gpg_error (ec);
+}
diff -up libgcrypt-1.8.5/src/cipher-proto.h.kdf-selftest libgcrypt-1.8.5/src/cipher-proto.h
--- libgcrypt-1.8.5/src/cipher-proto.h.kdf-selftest 2020-06-15 18:03:25.785353036 +0200
+++ libgcrypt-1.8.5/src/cipher-proto.h 2020-06-15 18:03:25.788353061 +0200
@@ -259,6 +259,8 @@ gcry_error_t _gcry_hmac_selftest (int al
selftest_report_func_t report);
gcry_error_t _gcry_cmac_selftest (int algo, int extended,
selftest_report_func_t report);
+gcry_error_t _gcry_kdf_selftest (int algo, int extended,
+ selftest_report_func_t report);
gcry_error_t _gcry_random_selftest (selftest_report_func_t report);
diff -up libgcrypt-1.8.5/src/fips.c.kdf-selftest libgcrypt-1.8.5/src/fips.c
--- libgcrypt-1.8.5/src/fips.c.kdf-selftest 2020-06-15 18:03:25.777352968 +0200
+++ libgcrypt-1.8.5/src/fips.c 2020-06-15 18:08:40.651028096 +0200
@@ -490,6 +490,29 @@ run_mac_selftests (int extended)
return anyerr;
}
+/* Run self-tests for all KDF algorithms. Return 0 on success. */
+static int
+run_kdf_selftests (int extended)
+{
+ static int algos[] =
+ {
+ GCRY_KDF_PBKDF2,
+ 0
+ };
+ int idx;
+ gpg_error_t err;
+ int anyerr = 0;
+
+ for (idx=0; algos[idx]; idx++)
+ {
+ err = _gcry_kdf_selftest (algos[idx], extended, reporter);
+ reporter ("kdf", algos[idx], NULL, err? gpg_strerror (err):NULL);
+ if (err)
+ anyerr = 1;
+ }
+ return anyerr;
+}
+
/* Run self-tests for all required public key algorithms. Return 0 on
success. */
@@ -673,6 +696,9 @@ _gcry_fips_run_selftests (int extended)
if (run_mac_selftests (extended))
goto leave;
+ if (run_kdf_selftests (extended))
+ goto leave;
+
/* Run random tests before the pubkey tests because the latter
require random. */
if (run_random_selftests ())

View File

@ -1,7 +1,7 @@
diff -up libgcrypt-1.6.2/src/fips.c.use-fipscheck libgcrypt-1.6.2/src/fips.c
--- libgcrypt-1.6.2/src/fips.c.use-fipscheck 2014-08-21 14:50:39.000000000 +0200
+++ libgcrypt-1.6.2/src/fips.c 2014-09-26 11:42:20.999588282 +0200
@@ -578,23 +578,50 @@ run_random_selftests (void)
diff -up libgcrypt-1.8.5/src/fips.c.use-fipscheck libgcrypt-1.8.5/src/fips.c
--- libgcrypt-1.8.5/src/fips.c.use-fipscheck 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.5/src/fips.c 2020-04-23 10:18:36.235764741 +0200
@@ -581,23 +581,50 @@ run_random_selftests (void)
return !!err;
}
@ -57,7 +57,7 @@ diff -up libgcrypt-1.6.2/src/fips.c.use-fipscheck libgcrypt-1.6.2/src/fips.c
key, strlen (key));
if (dlen < 0)
err = gpg_error_from_syserror ();
@@ -602,7 +629,7 @@ check_binary_integrity (void)
@@ -605,7 +632,7 @@ check_binary_integrity (void)
err = gpg_error (GPG_ERR_INTERNAL);
else
{
@ -66,7 +66,7 @@ diff -up libgcrypt-1.6.2/src/fips.c.use-fipscheck libgcrypt-1.6.2/src/fips.c
if (!fname)
err = gpg_error_from_syserror ();
else
@@ -611,7 +638,7 @@ check_binary_integrity (void)
@@ -614,7 +641,7 @@ check_binary_integrity (void)
char *p;
/* Prefix the basename with a dot. */
@ -75,15 +75,15 @@ diff -up libgcrypt-1.6.2/src/fips.c.use-fipscheck libgcrypt-1.6.2/src/fips.c
p = strrchr (fname, '/');
if (p)
p++;
diff -up libgcrypt-1.6.2/src/Makefile.in.use-fipscheck libgcrypt-1.6.2/src/Makefile.in
--- libgcrypt-1.6.2/src/Makefile.in.use-fipscheck 2014-08-21 15:14:08.000000000 +0200
+++ libgcrypt-1.6.2/src/Makefile.in 2014-09-26 11:41:13.271059281 +0200
@@ -449,7 +449,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
diff -up libgcrypt-1.8.5/src/Makefile.am.use-fipscheck libgcrypt-1.8.5/src/Makefile.am
--- libgcrypt-1.8.5/src/Makefile.am.use-fipscheck 2020-04-23 10:18:36.237764702 +0200
+++ libgcrypt-1.8.5/src/Makefile.am 2020-04-23 10:19:03.186247455 +0200
@@ -125,7 +125,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
../cipher/libcipher.la \
../random/librandom.la \
../mpi/libmpi.la \
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl
dumpsexp_SOURCES = dumpsexp.c
dumpsexp_CFLAGS = $(arch_gpg_error_cflags)

View File

@ -1,5 +1,5 @@
Name: libgcrypt
Version: 1.8.3
Version: 1.8.5
Release: 4%{?dist}
URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.xz
@ -18,13 +18,15 @@ Source6: t-mpi-point.c
Source7: random.conf
# make FIPS hmac compatible with fipscheck - non upstreamable
# update on soname bump
Patch2: libgcrypt-1.6.2-use-fipscheck.patch
# fix tests in the FIPS mode, allow CAVS testing of DSA keygen
Patch5: libgcrypt-1.8.0-tests.patch
Patch2: libgcrypt-1.8.5-use-fipscheck.patch
# modify FIPS RSA and DSA keygen to comply with requirements
Patch5: libgcrypt-1.8.4-fips-keygen.patch
# fix the tests to work correctly in the FIPS mode
Patch6: libgcrypt-1.8.4-tests-fipsmode.patch
# update the CAVS tests
Patch7: libgcrypt-1.7.3-fips-cavs.patch
# use poll instead of select when gathering randomness
Patch11: libgcrypt-1.8.0-use-poll.patch
Patch11: libgcrypt-1.8.4-use-poll.patch
# slight optimalization of mpicoder.c to silence Valgrind (#968288)
Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch
# fix tests to work with approved ECC
@ -34,13 +36,23 @@ Patch18: libgcrypt-1.8.3-fips-ctor.patch
# Block some operations if in FIPS non-operational state
Patch22: libgcrypt-1.7.3-fips-reqs.patch
# Do not try to open /dev/urandom if getrandom() works
Patch24: libgcrypt-1.8.3-getrandom.patch
Patch24: libgcrypt-1.8.5-getrandom.patch
# CMAC selftest for FIPS POST
Patch25: libgcrypt-1.8.3-cmac-selftest.patch
# Continuous FIPS entropy test
Patch26: libgcrypt-1.8.3-fips-enttest.patch
# Disable non-approved FIPS hashes in the enforced FIPS mode
Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
# Intel CET support, in upstream master
Patch28: libgcrypt-1.8.5-intel-cet.patch
# Fix build on ARMv7
Patch29: libgcrypt-1.8.5-build.patch
# FIPS module is redefined a little bit (implicit by kernel FIPS mode)
Patch30: libgcrypt-1.8.5-fips-module.patch
# Backported AES performance improvements
Patch31: libgcrypt-1.8.5-aes-perf.patch
# FIPS selftest for PBKDF2
Patch32: libgcrypt-1.8.5-kdf-selftest.patch
%define gcrylibdir %{_libdir}
@ -54,12 +66,11 @@ BuildRequires: gawk, libgpg-error-devel >= 1.11, pkgconfig
BuildRequires: fipscheck
# This is needed only when patching the .texi doc.
BuildRequires: texinfo
Group: System Environment/Libraries
BuildRequires: autoconf, automake, libtool
%package devel
Summary: Development files for the %{name} package
License: LGPLv2+ and GPLv2+
Group: Development/Libraries
Requires(pre): /sbin/install-info
Requires(post): /sbin/install-info
Requires: libgpg-error-devel
@ -78,7 +89,8 @@ applications using libgcrypt.
%setup -q
%{SOURCE3}
%patch2 -p1 -b .use-fipscheck
%patch5 -p1 -b .tests
%patch5 -p1 -b .fips-keygen
%patch6 -p1 -b .tests-fipsmode
%patch7 -p1 -b .cavs
%patch11 -p1 -b .use-poll
%patch13 -p1 -b .gccopt
@ -89,11 +101,17 @@ applications using libgcrypt.
%patch25 -p1 -b .cmac-selftest
%patch26 -p1 -b .fips-enttest
%patch27 -p1 -b .fips-enforce
%patch28 -p1 -b .intel-cet
%patch29 -p1 -b .build
%patch30 -p1 -b .fips-module
%patch31 -p1 -b .aes-perf
%patch32 -p1 -b .kdf-selftest
cp %{SOURCE4} cipher/
cp %{SOURCE5} %{SOURCE6} tests/
%build
autoreconf -f
%configure --disable-static \
%ifarch sparc64
--disable-asm \
@ -161,6 +179,9 @@ popd
mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
# Drop the pkgconfig as it would require an updated libgpg-error
rm $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/libgcrypt.pc
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
@ -200,6 +221,15 @@ exit 0
%license COPYING
%changelog
* Mon Jun 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-4
- add PBKDF2 selftest for FIPS POST
* Tue Apr 28 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-3
- new upstream version 1.8.5
- AES performance improvements backported from master branch
- FIPS module is implicit with kernel FIPS flag
- always run the FIPS selftests if FIPS module is installed
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.3-4
- improve the continuous FIPS entropy test