From 9e608ad3fa1de990e0e874131c817aae1a86c0ba Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Sun, 6 Nov 2022 19:05:40 -0500
Subject: [PATCH] enable brainpool curves by default

Thanks to the Fedora Legal team, we are now able to include Brainpool ECC in Fedora. Matthew Miller notified the Fedora Legal list. References: https://bugzilla.redhat.com/1413618 https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/752Z34MTHB6B4XRUW2TTAPEIUUK4O2LA/
---
 libgcrypt-1.10.0-disable-brainpool.patch | 314 -----------------------
 libgcrypt.spec | 14 +-
 2 files changed, 5 insertions(+), 323 deletions(-)
 delete mode 100644 libgcrypt-1.10.0-disable-brainpool.patch

diff --git a/libgcrypt-1.10.0-disable-brainpool.patch b/libgcrypt-1.10.0-disable-brainpool.patch
deleted file mode 100644
index 8a9d980..0000000
--- a/libgcrypt-1.10.0-disable-brainpool.patch
+++ /dev/null
@@ -1,314 +0,0 @@
-From f778433dd29fe07aa1791a0137f6f14febcce607 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen
-Date: Fri, 10 Sep 2021 18:39:00 +0200
-Subject: [PATCH] Allow building libgcrypt without Brainpool curves
-
-* README: Document possibility to build without brainpool curves
-* cipher/ecc-curves.c: Conditionalize brainpool curves definitions
-* configure.ac: Implement possibility to build without brainpool curves
-* tests/curves.c: Skip brainpool curves if they are not built-in
-* tests/keygrip.c: Skip brainpool curves if they are not built-in
-* tests/bench-slope.c: Skip brainpoll curves in they are not built-in
-
---
-
-Signed-off-by: Jakub Jelen
----
- README | 3 +++
- cipher/ecc-curves.c | 4 ++++
- configure.ac | 13 +++++++++++++
- tests/bench-slope.c | 12 ++++++++++++
- tests/curves.c | 46 ++++++++++++++++++++++++++++++---------------
- tests/keygrip.c | 2 ++
- 6 files changed, 65 insertions(+), 15 deletions(-)
-
-diff --git a/README b/README
-index 4d7697dd..b290d01e 100644
---- a/README
-+++ b/README
-@@ -121,6 +121,9 @@
- the list used with the current build the program
- tests/version may be used.
-
-+ --disable-brainpool
-+ Do not build in support for Brainpool curves.
-+
- --disable-endian-check
- Don't let configure test for the endianness but
- try to use the OS provided macros at compile
-diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
-index 7c86e12c..8fd95a9c 100644
---- a/cipher/ecc-curves.c
-+++ b/cipher/ecc-curves.c
-@@ -77,6 +77,7 @@ static const struct
- { "NIST P-521", "1.3.132.0.35" },
- { "NIST P-521", "nistp521" }, /* rfc5656. */
-
-+#ifdef ENABLE_BRAINPOOL
- { "brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1" },
- { "brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3" },
- { "brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5" },
-@@ -84,6 +85,7 @@ static const struct
- { "brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9" },
- { "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"},
- { "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"},
-+#endif /* ENABLE_BRAINPOOL */
-
- { "GOST2001-test", "1.2.643.2.2.35.0" },
- { "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" },
-@@ -297,6 +299,7 @@ static const ecc_domain_parms_t domain_parms[] =
- 1
- },
-
-+#ifdef ENABLE_BRAINPOOL
- { "brainpoolP160r1", 160, 0,
- MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
- "0xe95e4a5f737059dc60dfc7ad95b3d8139515620f",
-@@ -391,6 +394,7 @@ static const ecc_domain_parms_t domain_parms[] =
- "b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892",
- 1
- },
-+#endif /* ENABLE_BRAINPOOL */
- {
- "GOST2001-test", 256, 0,
- MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
-diff --git a/configure.ac b/configure.ac
-index 0e67baf9..a63f7360 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -595,6 +595,14 @@ AC_ARG_WITH(fips-module-version,
- AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
- [Define FIPS module version for certification])
-
-+# Implementation of the --disable-brainpool switch.
-+AC_MSG_CHECKING([whether brainpool curves support is requested])
-+AC_ARG_ENABLE(brainpool,
-+ AS_HELP_STRING([--disable-brainpool],
-+ [Disable the brainpool curves]),
-+ use_brainpool="$enableval",use_brainpool=yes)
-+AC_MSG_RESULT($use_brainpool)
-+
- # Implementation of the --disable-jent-support switch.
- AC_MSG_CHECKING([whether jitter entropy support is requested])
- AC_ARG_ENABLE(jent-support,
-@@ -2459,6 +2467,10 @@ if test x"$ppccryptosupport" = xyes ; then
- AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1,
- [Enable support for POWER 8 (PowerISA 2.07) crypto extension.])
- fi
-+if test x"$use_brainpool" = xyes ; then
-+ AC_DEFINE(ENABLE_BRAINPOOL, 1,
-+ [Enable support for the brainpool curves.])
-+fi
- if test x"$jentsupport" = xyes ; then
- AC_DEFINE(ENABLE_JENT_SUPPORT, 1,
- [Enable support for the jitter entropy collector.])
-@@ -3294,6 +3306,7 @@ GCRY_MSG_WRAP([Enabled digest algorithms:],[$enabled_digests])
- GCRY_MSG_WRAP([Enabled kdf algorithms: ],[$enabled_kdfs])
- GCRY_MSG_WRAP([Enabled pubkey algorithms:],[$enabled_pubkey_ciphers])
- GCRY_MSG_SHOW([Random number generator: ],[$random])
-+GCRY_MSG_SHOW([Enabled Brainpool curves: ],[$use_brainpool])
- GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
- GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
- GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version])
-diff --git a/tests/bench-slope.c b/tests/bench-slope.c
-index 5c49ac25..1b5941af 100644
---- a/tests/bench-slope.c
-+++ b/tests/bench-slope.c
-@@ -2316,7 +2316,9 @@ enum bench_ecc_algo
- ECC_ALGO_NIST_P384,
- ECC_ALGO_NIST_P521,
- ECC_ALGO_SECP256K1,
-+#ifdef ENABLE_BRAINPOOL
- ECC_ALGO_BRAINP256R1,
-+#endif /* ENABLE_BRAINPOOL */
- __MAX_ECC_ALGO
- };
-
-@@ -2366,7 +2368,9 @@ ecc_algo_fips_allowed (int algo)
- case ECC_ALGO_NIST_P521:
- return 1;
- case ECC_ALGO_SECP256K1:
-+#ifdef ENABLE_BRAINPOOL
- case ECC_ALGO_BRAINP256R1:
-+#endif /* ENABLE_BRAINPOOL */
- case ECC_ALGO_ED25519:
- case ECC_ALGO_ED448:
- case ECC_ALGO_X25519:
-@@ -2402,8 +2406,10 @@ ecc_algo_name (int algo)
- return "NIST-P521";
- case ECC_ALGO_SECP256K1:
- return "secp256k1";
-+#ifdef ENABLE_BRAINPOOL
- case ECC_ALGO_BRAINP256R1:
- return "brainpoolP256r1";
-+#endif /* ENABLE_BRAINPOOL */
- default:
- return NULL;
- }
-@@ -2434,8 +2440,10 @@ ecc_algo_curve (int algo)
- return "NIST P-521";
- case ECC_ALGO_SECP256K1:
- return "secp256k1";
-+#ifdef ENABLE_BRAINPOOL
- case ECC_ALGO_BRAINP256R1:
- return "brainpoolP256r1";
-+#endif /* ENABLE_BRAINPOOL */
- default:
- return NULL;
- }
-@@ -2466,8 +2474,10 @@ ecc_nbits (int algo)
- return 521;
- case ECC_ALGO_SECP256K1:
- return 256;
-+#ifdef ENABLE_BRAINPOOL
- case ECC_ALGO_BRAINP256R1:
- return 256;
-+#endif /* ENABLE_BRAINPOOL */
- default:
- return 0;
- }
-@@ -2665,6 +2675,7 @@ bench_ecc_init (struct bench_obj *obj)
- err = gcry_sexp_build (&hd->data, NULL,
- "(data (flags raw) (value %m))", x);
- break;
-+#ifdef ENABLE_BRAINPOOL
- case ECC_ALGO_BRAINP256R1:
- err = gcry_sexp_build (&hd->key_spec, NULL,
- "(genkey (ECDSA (curve brainpoolP256r1)))");
-@@ -2673,6 +2684,7 @@ bench_ecc_init (struct bench_obj *obj)
- err = gcry_sexp_build (&hd->data, NULL,
- "(data (flags raw) (value %m))", x);
- break;
-+#endif /* ENABLE_BRAINPOOL */
- }
-
- gcry_mpi_release (x);
-diff --git a/tests/curves.c b/tests/curves.c
-index 3c738171..8eb79565 100644
---- a/tests/curves.c
-+++ b/tests/curves.c
-@@ -33,7 +33,11 @@
- #include "t-common.h"
-
- /* Number of curves defined in ../cipher/ecc-curves.c */
--#define N_CURVES 27
-+#ifdef ENABLE_BRAINPOOL
-+# define N_CURVES 27
-+#else
-+# define N_CURVES 20
-+#endif
-
- /* A real world sample public key. */
- static char const sample_key_1[] =
-@@ -52,6 +56,7 @@ static char const sample_key_1[] =
- static char const sample_key_1_curve[] = "NIST P-256";
- static unsigned int sample_key_1_nbits = 256;
-
-+#ifdef ENABLE_BRAINPOOL
- /* A made up sample public key. */
- static char const sample_key_2[] =
- "(public-key\n"
-@@ -68,6 +73,7 @@ static char const sample_key_2[] =
- " ))";
- static char const sample_key_2_curve[] = "brainpoolP160r1";
- static unsigned int sample_key_2_nbits = 160;
-+#endif /* ENABLE_BRAINPOOL */
-
- static int in_fips_mode;
-
-@@ -113,6 +119,7 @@ check_matching (void)
-
- gcry_sexp_release (key);
-
-+#ifdef ENABLE_BRAINPOOL
- if (!in_fips_mode)
- {
- err = gcry_sexp_new (&key, sample_key_2, 0, 1);
-@@ -130,6 +137,7 @@ check_matching (void)
-
- gcry_sexp_release (key);
- }
-+#endif /* ENABLE_BRAINPOOL */
- }
-
- #define TEST_ERROR_EXPECTED (1 << 0)
-@@ -185,20 +193,26 @@ check_get_params (void)
- { GCRY_PK_ECC, "1.3.132.0.35" },
- { GCRY_PK_ECC, "nistp521" },
-
-- { GCRY_PK_ECC, "brainpoolP160r1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "brainpoolP192r1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", TEST_NOFIPS },
-- { GCRY_PK_ECC, "brainpoolP224r1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", TEST_NOFIPS },
-- { GCRY_PK_ECC, "brainpoolP256r1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", TEST_NOFIPS },
-- { GCRY_PK_ECC, "brainpoolP320r1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", TEST_NOFIPS },
-- { GCRY_PK_ECC, "brainpoolP384r1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS },
-- { GCRY_PK_ECC, "brainpoolP512r1", TEST_NOFIPS },
-- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS },
-+#ifdef ENABLE_BRAINPOOL
-+# define BRAINPOOL_FLAGS TEST_NOFIPS
-+#else
-+# define BRAINPOOL_FLAGS TEST_ERROR_EXPECTED
-+#endif /* ENABLE_BRAINPOOL */
-+ { GCRY_PK_ECC, "brainpoolP160r1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "brainpoolP192r1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "brainpoolP224r1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "brainpoolP256r1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "brainpoolP320r1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "brainpoolP384r1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "brainpoolP512r1", BRAINPOOL_FLAGS },
-+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", BRAINPOOL_FLAGS },
-+#undef BRAINPOOL_ERROR_EXPECTED
-
- { GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS },
-@@ -282,6 +296,7 @@ check_get_params (void)
-
- gcry_sexp_release (param);
-
-+#ifdef ENABLE_BRAINPOOL
- if (!in_fips_mode)
- {
- param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve);
-@@ -297,6 +312,7 @@ check_get_params (void)
-
- gcry_sexp_release (param);
- }
-+#endif /* ENABLE_BRAINPOOL */
-
- /* Some simple tests */
- for (idx=0; idx < DIM (tv); idx++)
-diff --git a/tests/keygrip.c b/tests/keygrip.c
-index 49bd71bc..fc4c17be 100644
---- a/tests/keygrip.c
-+++ b/tests/keygrip.c
-@@ -149,6 +149,7 @@ static struct
- " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))",
- "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6"
- },
-+#ifdef ENABLE_BRAINPOOL
- {
- GCRY_PK_ECC,
- "(public-key"
-@@ -197,6 +198,7 @@ static struct
- "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
- 1
- },
-+#endif /*ENABLE_BRAINPOOL */
- { /* Ed25519 standard */
- GCRY_PK_ECC,
- "(public-key"
---
-2.34.1
-
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 73d6e64..f458aab 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -13,20 +13,15 @@ sha256sum:close()
 print(string.sub(hash, 0, 16))
 }
 
-# disable brainpool curves by default
-%bcond_with brainpool
-
 Name: libgcrypt
 Version: 1.10.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://www.gnupg.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
 Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
 Source2: wk@g10code.com
-# brainpool curves are still not allowed to be shipped in Fedora
-Patch1: libgcrypt-1.10.0-disable-brainpool.patch
 # Pass the annobin flags to the libgcrypt.so (#2016349)
-Patch2: libgcrypt-1.10.1-annobin.patch
+Patch1: libgcrypt-1.10.1-annobin.patch
 
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -63,7 +58,6 @@ applications using libgcrypt.
 %prep
 %setup -q
 %patch1 -p1
-%patch2 -p1
 
 %build
 # This package has a configure test which uses ASMs, but does not link the
@@ -89,7 +83,6 @@ autoreconf -f
 %endif
 --enable-noexecstack \
 --enable-hmac-binary-check=%{hmackey} \
- %{!?with_brainpool:--disable-brainpool} \
 --enable-digests="$DIGESTS" \
 --enable-ciphers="$CIPHERS" \
 --with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"
@@ -182,6 +175,9 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
 %license COPYING
 
 %changelog
+* Tue Nov 08 2022 Todd Zullinger - 1.10.1-5
+- enable brainpool by default (#1413618)
+
 * Thu Jul 21 2022 Fedora Release Engineering - 1.10.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 