rpms/libgcrypt
7
0
Fork 0
Code Issues Pull Requests Releases Activity

enable brainpool curves by default

Browse Source 
Thanks to the Fedora Legal team, we are now able to include Brainpool
ECC in Fedora.  Matthew Miller notified the Fedora Legal list.

References:
https://bugzilla.redhat.com/1413618
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/752Z34MTHB6B4XRUW2TTAPEIUUK4O2LA/
This commit is contained in:
Todd Zullinger 2022-11-06 19:05:40 -05:00
parent 2fe61ab47d
commit 9e608ad3fa
2 changed files with 5 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

314
libgcrypt-1.10.0-disable-brainpool.patch
View File

@ -1,314 +0,0 @@
From f778433dd29fe07aa1791a0137f6f14febcce607 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 10 Sep 2021 18:39:00 +0200
Subject: [PATCH] Allow building libgcrypt without Brainpool curves
* README: Document possibility to build without brainpool curves
* cipher/ecc-curves.c: Conditionalize brainpool curves definitions
* configure.ac: Implement possibility to build without brainpool curves
* tests/curves.c: Skip brainpool curves if they are not built-in
* tests/keygrip.c: Skip brainpool curves if they are not built-in
* tests/bench-slope.c: Skip brainpoll curves in they are not built-in
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
README | 3 +++
cipher/ecc-curves.c | 4 ++++
configure.ac | 13 +++++++++++++
tests/bench-slope.c | 12 ++++++++++++
tests/curves.c | 46 ++++++++++++++++++++++++++++++---------------
tests/keygrip.c | 2 ++
6 files changed, 65 insertions(+), 15 deletions(-)
diff --git a/README b/README
index 4d7697dd..b290d01e 100644
--- a/README
+++ b/README
@@ -121,6 +121,9 @@
the list used with the current build the program
tests/version may be used.
+ --disable-brainpool
+ Do not build in support for Brainpool curves.
+
--disable-endian-check
Don't let configure test for the endianness but
try to use the OS provided macros at compile
diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
index 7c86e12c..8fd95a9c 100644
--- a/cipher/ecc-curves.c
+++ b/cipher/ecc-curves.c
@@ -77,6 +77,7 @@ static const struct
{ "NIST P-521", "1.3.132.0.35" },
{ "NIST P-521", "nistp521" }, /* rfc5656. */
+#ifdef ENABLE_BRAINPOOL
{ "brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1" },
{ "brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3" },
{ "brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5" },
@@ -84,6 +85,7 @@ static const struct
{ "brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9" },
{ "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"},
{ "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"},
+#endif /* ENABLE_BRAINPOOL */
{ "GOST2001-test", "1.2.643.2.2.35.0" },
{ "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" },
@@ -297,6 +299,7 @@ static const ecc_domain_parms_t domain_parms[] =
1
},
+#ifdef ENABLE_BRAINPOOL
{ "brainpoolP160r1", 160, 0,
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
"0xe95e4a5f737059dc60dfc7ad95b3d8139515620f",
@@ -391,6 +394,7 @@ static const ecc_domain_parms_t domain_parms[] =
"b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892",
1
},
+#endif /* ENABLE_BRAINPOOL */
{
"GOST2001-test", 256, 0,
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
diff --git a/configure.ac b/configure.ac
index 0e67baf9..a63f7360 100644
--- a/configure.ac
+++ b/configure.ac
@@ -595,6 +595,14 @@ AC_ARG_WITH(fips-module-version,
AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
[Define FIPS module version for certification])
+# Implementation of the --disable-brainpool switch.
+AC_MSG_CHECKING([whether brainpool curves support is requested])
+AC_ARG_ENABLE(brainpool,
+ AS_HELP_STRING([--disable-brainpool],
+ [Disable the brainpool curves]),
+ use_brainpool="$enableval",use_brainpool=yes)
+AC_MSG_RESULT($use_brainpool)
+
# Implementation of the --disable-jent-support switch.
AC_MSG_CHECKING([whether jitter entropy support is requested])
AC_ARG_ENABLE(jent-support,
@@ -2459,6 +2467,10 @@ if test x"$ppccryptosupport" = xyes ; then
AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1,
[Enable support for POWER 8 (PowerISA 2.07) crypto extension.])
fi
+if test x"$use_brainpool" = xyes ; then
+ AC_DEFINE(ENABLE_BRAINPOOL, 1,
+ [Enable support for the brainpool curves.])
+fi
if test x"$jentsupport" = xyes ; then
AC_DEFINE(ENABLE_JENT_SUPPORT, 1,
[Enable support for the jitter entropy collector.])
@@ -3294,6 +3306,7 @@ GCRY_MSG_WRAP([Enabled digest algorithms:],[$enabled_digests])
GCRY_MSG_WRAP([Enabled kdf algorithms: ],[$enabled_kdfs])
GCRY_MSG_WRAP([Enabled pubkey algorithms:],[$enabled_pubkey_ciphers])
GCRY_MSG_SHOW([Random number generator: ],[$random])
+GCRY_MSG_SHOW([Enabled Brainpool curves: ],[$use_brainpool])
GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version])
diff --git a/tests/bench-slope.c b/tests/bench-slope.c
index 5c49ac25..1b5941af 100644
--- a/tests/bench-slope.c
+++ b/tests/bench-slope.c
@@ -2316,7 +2316,9 @@ enum bench_ecc_algo
ECC_ALGO_NIST_P384,
ECC_ALGO_NIST_P521,
ECC_ALGO_SECP256K1,
+#ifdef ENABLE_BRAINPOOL
ECC_ALGO_BRAINP256R1,
+#endif /* ENABLE_BRAINPOOL */
__MAX_ECC_ALGO
};
@@ -2366,7 +2368,9 @@ ecc_algo_fips_allowed (int algo)
case ECC_ALGO_NIST_P521:
return 1;
case ECC_ALGO_SECP256K1:
+#ifdef ENABLE_BRAINPOOL
case ECC_ALGO_BRAINP256R1:
+#endif /* ENABLE_BRAINPOOL */
case ECC_ALGO_ED25519:
case ECC_ALGO_ED448:
case ECC_ALGO_X25519:
@@ -2402,8 +2406,10 @@ ecc_algo_name (int algo)
return "NIST-P521";
case ECC_ALGO_SECP256K1:
return "secp256k1";
+#ifdef ENABLE_BRAINPOOL
case ECC_ALGO_BRAINP256R1:
return "brainpoolP256r1";
+#endif /* ENABLE_BRAINPOOL */
default:
return NULL;
}
@@ -2434,8 +2440,10 @@ ecc_algo_curve (int algo)
return "NIST P-521";
case ECC_ALGO_SECP256K1:
return "secp256k1";
+#ifdef ENABLE_BRAINPOOL
case ECC_ALGO_BRAINP256R1:
return "brainpoolP256r1";
+#endif /* ENABLE_BRAINPOOL */
default:
return NULL;
}
@@ -2466,8 +2474,10 @@ ecc_nbits (int algo)
return 521;
case ECC_ALGO_SECP256K1:
return 256;
+#ifdef ENABLE_BRAINPOOL
case ECC_ALGO_BRAINP256R1:
return 256;
+#endif /* ENABLE_BRAINPOOL */
default:
return 0;
}
@@ -2665,6 +2675,7 @@ bench_ecc_init (struct bench_obj *obj)
err = gcry_sexp_build (&hd->data, NULL,
"(data (flags raw) (value %m))", x);
break;
+#ifdef ENABLE_BRAINPOOL
case ECC_ALGO_BRAINP256R1:
err = gcry_sexp_build (&hd->key_spec, NULL,
"(genkey (ECDSA (curve brainpoolP256r1)))");
@@ -2673,6 +2684,7 @@ bench_ecc_init (struct bench_obj *obj)
err = gcry_sexp_build (&hd->data, NULL,
"(data (flags raw) (value %m))", x);
break;
+#endif /* ENABLE_BRAINPOOL */
}
gcry_mpi_release (x);
diff --git a/tests/curves.c b/tests/curves.c
index 3c738171..8eb79565 100644
--- a/tests/curves.c
+++ b/tests/curves.c
@@ -33,7 +33,11 @@
#include "t-common.h"
/* Number of curves defined in ../cipher/ecc-curves.c */
-#define N_CURVES 27
+#ifdef ENABLE_BRAINPOOL
+# define N_CURVES 27
+#else
+# define N_CURVES 20
+#endif
/* A real world sample public key. */
static char const sample_key_1[] =
@@ -52,6 +56,7 @@ static char const sample_key_1[] =
static char const sample_key_1_curve[] = "NIST P-256";
static unsigned int sample_key_1_nbits = 256;
+#ifdef ENABLE_BRAINPOOL
/* A made up sample public key. */
static char const sample_key_2[] =
"(public-key\n"
@@ -68,6 +73,7 @@ static char const sample_key_2[] =
" ))";
static char const sample_key_2_curve[] = "brainpoolP160r1";
static unsigned int sample_key_2_nbits = 160;
+#endif /* ENABLE_BRAINPOOL */
static int in_fips_mode;
@@ -113,6 +119,7 @@ check_matching (void)
gcry_sexp_release (key);
+#ifdef ENABLE_BRAINPOOL
if (!in_fips_mode)
{
err = gcry_sexp_new (&key, sample_key_2, 0, 1);
@@ -130,6 +137,7 @@ check_matching (void)
gcry_sexp_release (key);
}
+#endif /* ENABLE_BRAINPOOL */
}
#define TEST_ERROR_EXPECTED (1 << 0)
@@ -185,20 +193,26 @@ check_get_params (void)
{ GCRY_PK_ECC, "1.3.132.0.35" },
{ GCRY_PK_ECC, "nistp521" },
- { GCRY_PK_ECC, "brainpoolP160r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP192r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP224r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP256r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP320r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP384r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP512r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS },
+#ifdef ENABLE_BRAINPOOL
+# define BRAINPOOL_FLAGS TEST_NOFIPS
+#else
+# define BRAINPOOL_FLAGS TEST_ERROR_EXPECTED
+#endif /* ENABLE_BRAINPOOL */
+ { GCRY_PK_ECC, "brainpoolP160r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP192r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP224r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP256r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP320r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP384r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP512r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", BRAINPOOL_FLAGS },
+#undef BRAINPOOL_ERROR_EXPECTED
{ GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS },
{ GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS },
@@ -282,6 +296,7 @@ check_get_params (void)
gcry_sexp_release (param);
+#ifdef ENABLE_BRAINPOOL
if (!in_fips_mode)
{
param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve);
@@ -297,6 +312,7 @@ check_get_params (void)
gcry_sexp_release (param);
}
+#endif /* ENABLE_BRAINPOOL */
/* Some simple tests */
for (idx=0; idx < DIM (tv); idx++)
diff --git a/tests/keygrip.c b/tests/keygrip.c
index 49bd71bc..fc4c17be 100644
--- a/tests/keygrip.c
+++ b/tests/keygrip.c
@@ -149,6 +149,7 @@ static struct
" (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))",
"\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6"
},
+#ifdef ENABLE_BRAINPOOL
{
GCRY_PK_ECC,
"(public-key"
@@ -197,6 +198,7 @@ static struct
"\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
1
},
+#endif /*ENABLE_BRAINPOOL */
{ /* Ed25519 standard */
GCRY_PK_ECC,
"(public-key"
--
2.34.1

14
libgcrypt.spec
View File

@ -13,20 +13,15 @@ sha256sum:close()
print(string.sub(hash, 0, 16))
}
# disable brainpool curves by default
%bcond_with brainpool
Name: libgcrypt
Version: 1.10.1
Release: 4%{?dist}
Release: 5%{?dist}
URL: https://www.gnupg.org/
Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
Source2: wk@g10code.com
# brainpool curves are still not allowed to be shipped in Fedora
Patch1: libgcrypt-1.10.0-disable-brainpool.patch
# Pass the annobin flags to the libgcrypt.so (#2016349)
Patch2: libgcrypt-1.10.1-annobin.patch
Patch1: libgcrypt-1.10.1-annobin.patch
%global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20
@ -63,7 +58,6 @@ applications using libgcrypt.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%build
# This package has a configure test which uses ASMs, but does not link the
@ -89,7 +83,6 @@ autoreconf -f
%endif
--enable-noexecstack \
--enable-hmac-binary-check=%{hmackey} \
%{!?with_brainpool:--disable-brainpool} \
--enable-digests="$DIGESTS" \
--enable-ciphers="$CIPHERS" \
--with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"
@ -182,6 +175,9 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
%license COPYING
%changelog
* Tue Nov 08 2022 Todd Zullinger <tmz@pobox.com> - 1.10.1-5
- enable brainpool by default (#1413618)
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild