new upstream version

Tomas Mraz 2011-07-21 15:57:57 +02:00
parent 9371d8c5fa
commit b5054585fe
10 changed files with 157 additions and 192 deletions

1
.gitignore vendored

@ -1,2 +1,3 @@
libgcrypt-1.4.5-hobbled.tar.bz2
/libgcrypt-1.4.6-hobbled.tar.bz2
/libgcrypt-1.5.0-hobbled.tar.bz2


@ -1,24 +0,0 @@
diff -up libgcrypt-1.4.5/tests/Makefile.am.ImplicitDSOLinking libgcrypt-1.4.5/tests/Makefile.am
--- libgcrypt-1.4.5/tests/Makefile.am.ImplicitDSOLinking 2009-04-02 04:25:34.000000000 -0500
+++ libgcrypt-1.4.5/tests/Makefile.am 2010-02-14 14:28:49.792383613 -0600
@@ -36,7 +36,7 @@ TESTS += benchmark
AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
AM_CFLAGS = $(GPG_ERROR_CFLAGS)
-LDADD = ../src/libgcrypt.la $(DL_LIBS)
+LDADD = ../src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS)
EXTRA_PROGRAMS = testapi pkbench
noinst_PROGRAMS = $(TESTS) fipsdrv
diff -up libgcrypt-1.4.5/tests/Makefile.in.ImplicitDSOLinking libgcrypt-1.4.5/tests/Makefile.in
--- libgcrypt-1.4.5/tests/Makefile.in.ImplicitDSOLinking 2009-12-11 09:43:30.000000000 -0600
+++ libgcrypt-1.4.5/tests/Makefile.in 2010-02-14 14:29:30.232368780 -0600
@@ -334,7 +334,7 @@ top_srcdir = @top_srcdir@
# a built header.
AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
AM_CFLAGS = $(GPG_ERROR_CFLAGS)
-LDADD = ../src/libgcrypt.la $(DL_LIBS)
+LDADD = ../src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS)
EXTRA_DIST = README rsa-16k.key cavs_tests.sh cavs_driver.pl
all: all-am


@ -1,33 +0,0 @@
diff -up libgcrypt-1.4.5/random/random-fips.c.urandom libgcrypt-1.4.5/random/random-fips.c
--- libgcrypt-1.4.5/random/random-fips.c.urandom 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/random/random-fips.c 2011-02-01 11:33:59.000000000 +0100
@@ -29,8 +29,8 @@
Generator Seed and Key Kernel entropy (init/reseed)
------------------------------------------------------------
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
+ GCRY_VERY_STRONG_RANDOM /dev/urandom 256/128 bits
+ GCRY_STRONG_RANDOM /dev/urandom 256/128 bits
gcry_create_nonce GCRY_STRONG_RANDOM n/a
All random generators return their data in 128 bit blocks. If the
@@ -40,8 +40,7 @@
(SEED_TTL) output blocks; the re-seeding is disabled in test mode.
The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
- keyed and seeded from the /dev/random device. Thus these
- generators may block until the kernel has collected enough entropy.
+ keyed and seeded from the /dev/urandom device.
The gcry_create_nonce generator is keyed and seeded from the
GCRY_STRONG_RANDOM generator. It may also block if the
@@ -562,7 +561,7 @@ get_entropy (size_t nbytes)
#if USE_RNDLINUX
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
X931_AES_KEYLEN,
- GCRY_VERY_STRONG_RANDOM);
+ GCRY_STRONG_RANDOM);
#elif USE_RNDW32
do
{


@ -1,7 +1,7 @@
diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
--- libgcrypt-1.4.6/cipher/dsa.c.cavs 2011-05-26 22:03:17.000000000 +0200
+++ libgcrypt-1.4.6/cipher/dsa.c 2011-05-26 22:03:18.000000000 +0200
@@ -467,7 +467,6 @@ generate_fips186 (DSA_secret_key *sk, un
diff -up libgcrypt-1.5.0/cipher/dsa.c.cavs libgcrypt-1.5.0/cipher/dsa.c
--- libgcrypt-1.5.0/cipher/dsa.c.cavs 2011-07-21 14:56:35.000000000 +0200
+++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-21 14:58:06.000000000 +0200
@@ -479,7 +479,6 @@ generate_fips186 (DSA_secret_key *sk, un
initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1,
&initial_seed.seedlen);
}
@ -9,8 +9,8 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
if (use_fips186_2)
ec = _gcry_generate_fips186_2_prime (nbits, qbits,
initial_seed.seed,
@@ -475,13 +474,22 @@ generate_fips186 (DSA_secret_key *sk, un
&prime_q, &prime_p,
@@ -487,13 +486,22 @@ generate_fips186 (DSA_secret_key *sk, un
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen);
- else
@ -33,7 +33,7 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
gcry_sexp_release (initial_seed.sexp);
if (ec)
goto leave;
@@ -772,13 +780,12 @@ dsa_generate_ext (int algo, unsigned int
@@ -784,13 +792,12 @@ dsa_generate_ext (int algo, unsigned int
gcry_sexp_release (l1);
gcry_sexp_release (domainsexp);
@ -49,9 +49,9 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
return GPG_ERR_MISSING_VALUE;
}
diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_driver.pl
--- libgcrypt-1.4.6/tests/cavs_driver.pl.cavs 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.6/tests/cavs_driver.pl 2011-06-20 20:00:13.000000000 +0200
diff -up libgcrypt-1.5.0/tests/cavs_driver.pl.cavs libgcrypt-1.5.0/tests/cavs_driver.pl
--- libgcrypt-1.5.0/tests/cavs_driver.pl.cavs 2011-02-04 20:18:20.000000000 +0100
+++ libgcrypt-1.5.0/tests/cavs_driver.pl 2011-07-21 15:01:47.000000000 +0200
@@ -1,9 +1,11 @@
#!/usr/bin/env perl
#
@ -153,11 +153,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
# generate a new DSA key with the following properties:
# PEM format
-# $1 keyfile name
-# $1 keyfile name
-# return: file created, hash with keys of P, Q, G in hex format
+# $1: modulus size
+# $2: q size
+# $3 keyfile name
+# $3 keyfile name
+# return: file created with key, string with values of P, Q, G in hex format
my $gen_dsakey;
@ -165,7 +165,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
+# PEM format
+# $1: P in hex form
+# $2: Q in hex form
+# $3: G in hex form
+# $3: G in hex form
+# return: string with values of X, Y in hex format
+my $gen_dsakey_domain;
+
@ -173,7 +173,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
# $1: data to be signed in hex form
# $2: Key file in PEM format with the private key
@@ -500,17 +560,32 @@ sub libgcrypt_hmac($$$$) {
return pipe_through_program($msg, $program);
return pipe_through_program($msg, $program);
}
-sub libgcrypt_dsa_pqggen($) {
@ -313,11 +313,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
- $out .= "H = $H\n\n";
+ $out .= "domain_parameter_seed = $Seed\n";
+ $out .= "counter = $c\n\n";
+ }
+
+ return $out;
+}
+
}
return $out;
}
+# DSA GGen test
+# $1 modulus size
+# $2 q size
@ -436,11 +436,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
+ }
+ else {
+ $out .= "Result = F\n\n";
}
return $out;
}
+ }
+
+ return $out;
+}
+
+# DSA Keypair test
+# $1 modulus size
+# $2 q size
@ -725,9 +725,9 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
$dsa_sign = \&libgcrypt_dsa_sign;
$dsa_verify = \&libgcrypt_dsa_verify;
$dsa_genpubkey = \&libgcrypt_dsa_genpubkey;
diff -up libgcrypt-1.4.6/tests/cavs_tests.sh.cavs libgcrypt-1.4.6/tests/cavs_tests.sh
--- libgcrypt-1.4.6/tests/cavs_tests.sh.cavs 2011-05-26 21:02:02.000000000 +0200
+++ libgcrypt-1.4.6/tests/cavs_tests.sh 2011-05-26 22:20:20.000000000 +0200
diff -up libgcrypt-1.5.0/tests/cavs_tests.sh.cavs libgcrypt-1.5.0/tests/cavs_tests.sh
--- libgcrypt-1.5.0/tests/cavs_tests.sh.cavs 2011-02-04 20:18:20.000000000 +0100
+++ libgcrypt-1.5.0/tests/cavs_tests.sh 2011-07-21 15:02:16.000000000 +0200
@@ -55,7 +55,7 @@ function run_one_test () {
[ -d "$respdir" ] || mkdir "$respdir"
[ -f "$rspfile" ] && rm "$rspfile"
@ -735,12 +735,12 @@ diff -up libgcrypt-1.4.6/tests/cavs_tests.sh.cavs libgcrypt-1.4.6/tests/cavs_tes
- if echo "$reqfile" | grep '/DSA/req/' >/dev/null 2>/dev/null; then
+ if echo "$reqfile" | grep '/DSA.\?/req/' >/dev/null 2>/dev/null; then
dflag="-D"
fi
diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
--- libgcrypt-1.4.6/tests/fipsdrv.c.cavs 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.6/tests/fipsdrv.c 2011-05-27 18:03:11.000000000 +0200
@@ -893,9 +893,12 @@ print_mpi_line (gcry_mpi_t a, int no_lz)
fi
diff -up libgcrypt-1.5.0/tests/fipsdrv.c.cavs libgcrypt-1.5.0/tests/fipsdrv.c
--- libgcrypt-1.5.0/tests/fipsdrv.c.cavs 2011-02-04 20:18:20.000000000 +0100
+++ libgcrypt-1.5.0/tests/fipsdrv.c 2011-07-21 15:06:44.000000000 +0200
@@ -893,6 +893,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz)
die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err));
p = buf;
@ -749,11 +749,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ p = buf;
if (no_lz && p[0] == '0' && p[1] == '0' && p[2])
p += 2;
-
+
printf ("%s\n", p);
if (ferror (stdout))
writerr++;
@@ -1675,14 +1678,14 @@ run_rsa_verify (const void *data, size_t
/* Generate a DSA key of size KEYSIZE and return the complete
S-expression. */
@ -764,7 +760,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
gpg_error_t err;
gcry_sexp_t keyspec, key;
err = gcry_sexp_build (&keyspec, NULL,
err = gcry_sexp_build (&keyspec, NULL,
- "(genkey (dsa (nbits %d)(use-fips186-2)))",
- keysize);
+ "(genkey (dsa (nbits %d)(qbits %d)(use-fips186)))",
@ -795,10 +791,16 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
if (err)
die ("gcry_sexp_build failed for DSA key generation: %s\n",
gpg_strerror (err));
@@ -1726,13 +1730,44 @@ dsa_gen_with_seed (int keysize, const vo
return key;
}
@@ -1720,6 +1724,37 @@ dsa_gen_with_seed (int keysize, const vo
err = gcry_pk_genkey (&key, keyspec);
if (err)
die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err));
+
+ gcry_sexp_release (keyspec);
+
+ return key;
+}
+
+/* Generate a DSA key with specified domain parameters and return the complete
+ S-expression. */
+static gcry_sexp_t
@ -812,7 +814,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ die ("gcry_sexp_build failed for domain spec: %s\n",
+ gpg_strerror (err));
+
+ err = gcry_sexp_build (&keyspec, NULL,
+ err = gcry_sexp_build (&keyspec, NULL,
+ "(genkey"
+ " (dsa"
+ " (use-fips186)"
@ -824,18 +826,13 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ err = gcry_pk_genkey (&key, keyspec);
+ if (err)
+ die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err));
+
+ gcry_sexp_release (keyspec);
+
+ return key;
+}
+
/* Print the domain parameter as well as the derive information. KEY
is the complete key as returned by dsa_gen. We print to stdout
gcry_sexp_release (keyspec);
@@ -1732,7 +1767,7 @@ dsa_gen_with_seed (int keysize, const vo
with one parameter per line in hex format using this order: p, q,
g, seed, counter, h. */
static void
static void
-print_dsa_domain_parameters (gcry_sexp_t key)
+print_dsa_domain_parameters (gcry_sexp_t key, int print_misc)
{
@ -1127,7 +1124,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
{
- int keysize;
+ int keysize, qsize;
keysize = keysize_string? atoi (keysize_string) : 0;
if (keysize < 1024 || keysize > 3072)
die ("invalid keysize specified; needs to be 1024 .. 3072\n");
@ -1140,7 +1137,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ else if (!strcmp (mode_string, "dsa-g-gen"))
+ {
+ int keysize, qsize;
+
+
+ keysize = keysize_string? atoi (keysize_string) : 0;
+ if (keysize < 1024 || keysize > 3072)
+ die ("invalid keysize specified; needs to be 1024 .. 3072\n");
@ -1161,7 +1158,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
{
- int keysize;
+ int keysize, qsize;
keysize = keysize_string? atoi (keysize_string) : 0;
if (keysize < 1024 || keysize > 3072)
die ("invalid keysize specified; needs to be 1024 .. 3072\n");
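Review bot: In tests/cavs_tests.sh the new pattern `grep '/DSA.\?/req/'` relies on `\?`, which is a GNU extension to basic regular expressions, and its `.` accepts any single character after DSA rather than a specific suffix. `grep -Eq '/DSA.?/req/'` is the portable spelling and makes the two `>/dev/null` redirections unnecessary; if only one suffix is expected, naming it in the pattern would be tighter. run_one_test continues outside the shown hunk.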


@ -1,14 +1,14 @@
diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/random-fips.c
--- libgcrypt-1.4.6/random/random-fips.c.cfgrandom 2011-06-20 21:13:38.000000000 +0200
+++ libgcrypt-1.4.6/random/random-fips.c 2011-06-20 21:32:47.000000000 +0200
diff -up libgcrypt-1.5.0/random/random-fips.c.cfgrandom libgcrypt-1.5.0/random/random-fips.c
--- libgcrypt-1.5.0/random/random-fips.c.cfgrandom 2011-07-21 14:50:34.000000000 +0200
+++ libgcrypt-1.5.0/random/random-fips.c 2011-07-21 14:50:34.000000000 +0200
@@ -27,10 +27,10 @@
There are 3 random context which map to the different levels of
random quality:
- Generator Seed and Key Kernel entropy (init/reseed)
- ------------------------------------------------------------
- GCRY_VERY_STRONG_RANDOM /dev/urandom 256/128 bits
- GCRY_STRONG_RANDOM /dev/urandom 256/128 bits
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
+ Generator Seed and Key Kernel entropy (init/reseed)
+ ---------------------------------------------------------------------------------------
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
@ -16,11 +16,12 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r
gcry_create_nonce GCRY_STRONG_RANDOM n/a
All random generators return their data in 128 bit blocks. If the
@@ -40,7 +40,10 @@
@@ -40,8 +40,10 @@
(SEED_TTL) output blocks; the re-seeding is disabled in test mode.
The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
- keyed and seeded from the /dev/urandom device.
- keyed and seeded from the /dev/random device. Thus these
- generators may block until the kernel has collected enough entropy.
+ keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed
+ if the device or symlink to device exists xored with the data
+ from the /dev/urandom device. This allows the system administrator
@ -28,7 +29,7 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r
The gcry_create_nonce generator is keyed and seeded from the
GCRY_STRONG_RANDOM generator. It may also block if the
@@ -559,6 +562,10 @@ get_entropy (size_t nbytes)
@@ -560,9 +562,13 @@ get_entropy (size_t nbytes)
entropy_collect_buffer_len = 0;
#if USE_RNDLINUX
@ -38,11 +39,15 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r
+ entropy_collect_buffer_len = 0;
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
X931_AES_KEYLEN,
GCRY_STRONG_RANDOM);
diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndlinux.c
--- libgcrypt-1.4.6/random/rndlinux.c.cfgrandom 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.6/random/rndlinux.c 2011-06-20 21:34:09.000000000 +0200
@@ -35,7 +35,9 @@
- GCRY_VERY_STRONG_RANDOM);
+ GCRY_STRONG_RANDOM);
#elif USE_RNDW32
do
{
diff -up libgcrypt-1.5.0/random/rndlinux.c.cfgrandom libgcrypt-1.5.0/random/rndlinux.c
--- libgcrypt-1.5.0/random/rndlinux.c.cfgrandom 2011-02-04 20:16:03.000000000 +0100
+++ libgcrypt-1.5.0/random/rndlinux.c 2011-07-21 14:50:34.000000000 +0200
@@ -36,7 +36,9 @@
#include "g10lib.h"
#include "rand-internal.h"
@ -53,7 +58,7 @@ diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndl
static int
@@ -56,13 +58,17 @@ set_cloexec_flag (int fd)
@@ -57,13 +59,17 @@ set_cloexec_flag (int fd)
* Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)).
*/
static int
@ -73,21 +78,23 @@ diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndl
if (set_cloexec_flag (fd))
log_error ("error setting FD_CLOEXEC on fd %d: %s\n",
@@ -91,11 +97,13 @@ _gcry_rndlinux_gather_random (void (*add
@@ -92,6 +98,7 @@ _gcry_rndlinux_gather_random (void (*add
{
static int fd_urandom = -1;
static int fd_random = -1;
+ static int fd_configured = -1;
int fd;
int n;
int warn=0;
byte buffer[768];
size_t n_hw;
@@ -100,6 +107,7 @@ _gcry_rndlinux_gather_random (void (*add
size_t last_so_far = 0;
int any_need_entropy = 0;
int delay;
+ size_t orig_length = length;
/* First read from a hardware source. However let it account only
for up to 50% of the requested bytes. */
@@ -106,16 +114,26 @@ _gcry_rndlinux_gather_random (void (*add
@@ -110,16 +118,26 @@ _gcry_rndlinux_gather_random (void (*add
length -= n_hw;
/* Open the requested device. */
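Review bot: The rewritten header comment in random/random-fips.c drops the sentence saying the GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators may block, without stating what callers can now rely on. /dev/urandom returns data without waiting for the kernel pool to be initialised, so seed quality early in boot depends on whatever /etc/gcrypt/rngseed points to, and a blocking device configured there could presumably still stall callers (the unchanged gcry_create_nonce paragraph still says "It may also block"). I would add a sentence such as `Reads from /dev/urandom never block; configure /etc/gcrypt/rngseed when a blocking or hardware source is required.` The switch in get_entropy from `GCRY_VERY_STRONG_RANDOM` to `GCRY_STRONG_RANDOM` also deserves a one-line comment saying it is deliberate. Both the comment block and get_entropy continue outside the shown lines.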


@ -0,0 +1,12 @@
diff -up libgcrypt-1.5.0/tests/Makefile.noecc libgcrypt-1.5.0/tests/Makefile
--- libgcrypt-1.5.0/tests/Makefile.in.noecc 2011-07-21 15:34:33.000000000 +0200
+++ libgcrypt-1.5.0/tests/Makefile.in 2011-07-21 15:39:35.000000000 +0200
@@ -57,7 +57,7 @@ TESTS = version$(EXEEXT) t-mpi-bit$(EXEE
ac-data$(EXEEXT) basic$(EXEEXT) mpitests$(EXEEXT) \
tsexp$(EXEEXT) keygen$(EXEEXT) pubkey$(EXEEXT) hmac$(EXEEXT) \
keygrip$(EXEEXT) fips186-dsa$(EXEEXT) aeswrap$(EXEEXT) \
- curves$(EXEEXT) t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \
+ t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \
$(am__EXEEXT_1) benchmark$(EXEEXT)
# random.c uses fork() thus a test for W32 does not make any sense.
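Review bot: The new patch edits only the generated tests/Makefile.in (its `diff -up` header names tests/Makefile, while the `---`/`+++` lines name Makefile.in), so the removal of `curves$(EXEEXT)` from TESTS is lost if the build ever regenerates Makefile.in from Makefile.am. Dropping the curves entry from tests/Makefile.am in the same patch would keep the two in step. Makefile.am is not part of the patch as shown.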


@ -1,20 +1,23 @@
diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c
--- libgcrypt-1.4.5/cipher/dsa.c.tests 2009-08-21 10:18:30.000000000 +0200
+++ libgcrypt-1.4.5/cipher/dsa.c 2011-02-04 09:06:02.000000000 +0100
@@ -468,21 +468,20 @@ generate_fips186 (DSA_secret_key *sk, un
diff -up libgcrypt-1.5.0/cipher/dsa.c.tests libgcrypt-1.5.0/cipher/dsa.c
--- libgcrypt-1.5.0/cipher/dsa.c.tests 2011-06-13 12:24:46.000000000 +0200
+++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-20 16:44:51.000000000 +0200
@@ -479,22 +479,21 @@ generate_fips186 (DSA_secret_key *sk, un
initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1,
&initial_seed.seedlen);
}
-
- /* Fixme: Enable 186-3 after it has been approved and after fixing
- the generation function. */
- /* if (use_fips186_2) */
- (void)use_fips186_2;
- ec = _gcry_generate_fips186_2_prime (nbits, qbits,
- ec = _gcry_generate_fips186_2_prime (nbits, qbits,
- initial_seed.seed,
+
+ if (use_fips186_2)
+ ec = _gcry_generate_fips186_2_prime (nbits, qbits,
initial_seed.seed,
+ initial_seed.seed,
initial_seed.seedlen,
&prime_q, &prime_p,
&prime_q, &prime_p,
r_counter,
r_seed, r_seedlen);
- /* else */
@ -32,9 +35,9 @@ diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c
gcry_sexp_release (initial_seed.sexp);
if (ec)
goto leave;
diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen.c
--- libgcrypt-1.4.5/cipher/primegen.c.tests 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/cipher/primegen.c 2011-02-04 09:06:34.000000000 +0100
diff -up libgcrypt-1.5.0/cipher/primegen.c.tests libgcrypt-1.5.0/cipher/primegen.c
--- libgcrypt-1.5.0/cipher/primegen.c.tests 2011-03-28 14:19:52.000000000 +0200
+++ libgcrypt-1.5.0/cipher/primegen.c 2011-07-21 14:36:03.000000000 +0200
@@ -1647,7 +1647,7 @@ _gcry_generate_fips186_3_prime (unsigned
gpg_err_code_t ec;
unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */
@ -47,7 +50,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
@@ -1737,7 +1737,7 @@ _gcry_generate_fips186_3_prime (unsigned
}
gcry_mpi_release (prime_q); prime_q = NULL;
ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG,
ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG,
- value_u, sizeof value_u, NULL));
+ value_u, qbits/8, NULL));
if (ec)
@ -59,7 +62,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
}
- gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen);
+ gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen);
gcry_mpi_release (tmpval); tmpval = NULL;
ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG,
- digest, sizeof digest, NULL));
@ -81,21 +84,21 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
if (r_q)
{
*r_q = prime_q;
diff -up libgcrypt-1.4.5/cipher/rsa.c.tests libgcrypt-1.4.5/cipher/rsa.c
--- libgcrypt-1.4.5/cipher/rsa.c.tests 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/cipher/rsa.c 2011-02-04 09:06:02.000000000 +0100
diff -up libgcrypt-1.5.0/cipher/rsa.c.tests libgcrypt-1.5.0/cipher/rsa.c
--- libgcrypt-1.5.0/cipher/rsa.c.tests 2011-06-10 10:53:41.000000000 +0200
+++ libgcrypt-1.5.0/cipher/rsa.c 2011-07-21 14:36:59.000000000 +0200
@@ -388,7 +388,7 @@ generate_x931 (RSA_secret_key *sk, unsig
*swapped = 0;
- if (e_value == 1) /* Alias for a secure value. */
+ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */
e_value = 65537;
e_value = 65537;
/* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */
diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/random-fips.c
--- libgcrypt-1.4.5/random/random-fips.c.tests 2011-02-04 09:06:02.000000000 +0100
+++ libgcrypt-1.4.5/random/random-fips.c 2011-02-04 09:06:02.000000000 +0100
diff -up libgcrypt-1.5.0/random/random-fips.c.tests libgcrypt-1.5.0/random/random-fips.c
--- libgcrypt-1.5.0/random/random-fips.c.tests 2011-07-20 16:40:59.000000000 +0200
+++ libgcrypt-1.5.0/random/random-fips.c 2011-07-20 16:40:59.000000000 +0200
@@ -691,6 +691,7 @@ get_random (void *buffer, size_t length,
check_guards (rng_ctx);
@ -123,9 +126,9 @@ diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/rando
}
if (x931_aes_driver (buffer, length, rng_ctx))
diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c
--- libgcrypt-1.4.5/tests/ac.c.tests 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/ac.c 2011-02-04 09:06:02.000000000 +0100
diff -up libgcrypt-1.5.0/tests/ac.c.tests libgcrypt-1.5.0/tests/ac.c
--- libgcrypt-1.5.0/tests/ac.c.tests 2011-02-04 20:18:20.000000000 +0100
+++ libgcrypt-1.5.0/tests/ac.c 2011-07-20 16:40:59.000000000 +0200
@@ -150,6 +150,9 @@ main (int argc, char **argv)
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
@ -136,9 +139,9 @@ diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c
if (debug)
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
/* No valuable keys are create, so we can speed up our RNG. */
diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c
--- libgcrypt-1.4.5/tests/ac-data.c.tests 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/ac-data.c 2011-02-04 09:06:02.000000000 +0100
diff -up libgcrypt-1.5.0/tests/ac-data.c.tests libgcrypt-1.5.0/tests/ac-data.c
--- libgcrypt-1.5.0/tests/ac-data.c.tests 2011-02-04 20:18:20.000000000 +0100
+++ libgcrypt-1.5.0/tests/ac-data.c 2011-07-20 16:40:59.000000000 +0200
@@ -198,6 +198,9 @@ main (int argc, char **argv)
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
@ -149,9 +152,9 @@ diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c
if (debug)
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schemes.c
--- libgcrypt-1.4.5/tests/ac-schemes.c.tests 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/ac-schemes.c 2011-02-04 09:06:02.000000000 +0100
diff -up libgcrypt-1.5.0/tests/ac-schemes.c.tests libgcrypt-1.5.0/tests/ac-schemes.c
--- libgcrypt-1.5.0/tests/ac-schemes.c.tests 2011-02-04 20:18:20.000000000 +0100
+++ libgcrypt-1.5.0/tests/ac-schemes.c 2011-07-20 16:40:59.000000000 +0200
@@ -338,6 +338,9 @@ main (int argc, char **argv)
if (! gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
@ -162,16 +165,16 @@ diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schem
if (debug)
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
--- libgcrypt-1.4.5/tests/keygen.c.tests 2009-04-02 11:25:34.000000000 +0200
+++ libgcrypt-1.4.5/tests/keygen.c 2011-02-04 09:06:02.000000000 +0100
diff -up libgcrypt-1.5.0/tests/keygen.c.tests libgcrypt-1.5.0/tests/keygen.c
--- libgcrypt-1.5.0/tests/keygen.c.tests 2011-02-04 20:18:20.000000000 +0100
+++ libgcrypt-1.5.0/tests/keygen.c 2011-07-21 14:39:03.000000000 +0200
@@ -148,12 +148,12 @@ check_rsa_keys (void)
}
if (verbose)
- fprintf (stderr, "creating 1536 bit DSA key\n");
+ fprintf (stderr, "creating 2048 bit DSA key\n");
rc = gcry_sexp_new (&keyparm,
rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (dsa\n"
- " (nbits 4:1536)\n"
@ -187,7 +190,7 @@ diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
if (verbose)
- fprintf (stderr, "creating 512 bit RSA key with e=257\n");
+ fprintf (stderr, "creating 1024 bit RSA key with e=257\n");
rc = gcry_sexp_new (&keyparm,
rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (rsa\n"
- " (nbits 3:512)\n"
@ -201,7 +204,7 @@ diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
if (verbose)
- fprintf (stderr, "creating 512 bit RSA key with default e\n");
+ fprintf (stderr, "creating 1024 bit RSA key with default secure e\n");
rc = gcry_sexp_new (&keyparm,
rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (rsa\n"
- " (nbits 3:512)\n"
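Review bot: In cipher/primegen.c the scan length for prime_q changes from `sizeof value_u` to `qbits/8`, which is safe only if qbits has already been restricted to multiples of 8 no larger than the value_u buffer; that validation is not visible in the shown lines. If it is not enforced at the top of _gcry_generate_fips186_3_prime, a guard such as `if (qbits/8 > sizeof value_u) return GPG_ERR_INV_KEYLEN;` before the scan would make the bound explicit. The same question applies to the later digest scan, where the `sizeof digest` argument is also replaced (the replacement line is not shown). The function starts and ends outside the hunks.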


@ -1,6 +1,6 @@
diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
--- libgcrypt-1.4.4/src/fips.c.use-fipscheck 2009-03-03 21:09:27.000000000 +0100
+++ libgcrypt-1.4.4/src/fips.c 2009-03-05 11:20:48.000000000 +0100
diff -up libgcrypt-1.5.0/src/fips.c.use-fipscheck libgcrypt-1.5.0/src/fips.c
--- libgcrypt-1.5.0/src/fips.c.use-fipscheck 2011-02-04 20:17:33.000000000 +0100
+++ libgcrypt-1.5.0/src/fips.c 2011-07-20 16:17:21.000000000 +0200
@@ -570,23 +570,48 @@ run_random_selftests (void)
return !!err;
}
@ -42,9 +42,10 @@ diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
int dlen;
char *fname = NULL;
- const char key[] = "What am I, a doctor or a moonshuttle conductor?";
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
-
- if (!dladdr ("gcry_check_version", &info))
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
err = gpg_error_from_syserror ();
else
@ -72,15 +73,15 @@ diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
p = strrchr (fname, '/');
if (p)
p++;
diff -up libgcrypt-1.4.4/src/Makefile.in.use-fipscheck libgcrypt-1.4.4/src/Makefile.in
--- libgcrypt-1.4.4/src/Makefile.in.use-fipscheck 2009-01-22 19:16:51.000000000 +0100
+++ libgcrypt-1.4.4/src/Makefile.in 2009-03-05 11:31:57.000000000 +0100
@@ -337,7 +337,7 @@ libgcrypt_la_LIBADD = \
diff -up libgcrypt-1.5.0/src/Makefile.in.use-fipscheck libgcrypt-1.5.0/src/Makefile.in
--- libgcrypt-1.5.0/src/Makefile.in.use-fipscheck 2011-06-29 10:58:01.000000000 +0200
+++ libgcrypt-1.5.0/src/Makefile.in 2011-07-20 16:19:33.000000000 +0200
@@ -375,7 +375,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
../cipher/libcipher.la \
../random/librandom.la \
../mpi/libmpi.la \
- @LTLIBOBJS@ @GPG_ERROR_LIBS@
+ @LTLIBOBJS@ @GPG_ERROR_LIBS@ -ldl
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl
dumpsexp_SOURCES = dumpsexp.c
dumpsexp_LDADD =
dumpsexp_CFLAGS = $(arch_gpg_error_cflags)
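Review bot: The call `get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath))` in src/fips.c hard-codes the soname, so the FIPS integrity self-check would presumably stop locating the library if a later rebase changes the soname. A comment next to it such as `/* must match the installed soname; re-check on every rebase */` would flag that. The HMAC key is a fixed string in the source, so the check detects corruption of the library file but not replacement by someone who can also rewrite the stored HMAC; that limit belongs in the comment too. Most of the function body lies outside the shown lines.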


@ -1,6 +1,6 @@
Name: libgcrypt
Version: 1.4.6
Release: 4%{?dist}
Version: 1.5.0
Release: 1%{?dist}
URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.bz2
# The original libgcrypt sources now contain potentially patented ECC
@ -10,18 +10,17 @@ Source0: libgcrypt-%{version}-hobbled.tar.bz2
#Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
Source2: wk@g10code.com
Source3: hobble-libgcrypt
# do not run the ecc curves test
Patch1: libgcrypt-1.5.0-noecc.patch
# make FIPS hmac compatible with fipscheck - non upstreamable
Patch2: libgcrypt-1.4.4-use-fipscheck.patch
# fix ImplicitDSOLinking (missing -lgpg-error linkage in tests/), upstreamable
Patch3: libgcrypt-1.4.5-ImplicitDSOLinking.patch
# use /dev/urandom in the FIPS mode
Patch4: libgcrypt-1.4.5-urandom.patch
Patch2: libgcrypt-1.5.0-use-fipscheck.patch
# fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen
Patch5: libgcrypt-1.4.5-tests.patch
# add configurable source of RNG seed in the FIPS mode
Patch6: libgcrypt-1.4.6-fips-cfgrandom.patch
Patch5: libgcrypt-1.5.0-tests.patch
# add configurable source of RNG seed and seed by default
# from /dev/urandom in the FIPS mode
Patch6: libgcrypt-1.5.0-fips-cfgrandom.patch
# make the FIPS-186-3 DSA CAVS testable
Patch7: libgcrypt-1.4.6-cavs.patch
Patch7: libgcrypt-1.5.0-fips-cavs.patch
# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
# Documentation and some utilities are GPLv2+ licensed. These files
@ -54,9 +53,8 @@ applications using libgcrypt.
%prep
%setup -q
%{SOURCE3}
%patch1 -p1 -b .noecc
%patch2 -p1 -b .use-fipscheck
%patch3 -p1 -b .ImplicitDSOLinking
%patch4 -p1 -b .urandom
%patch5 -p1 -b .tests
%patch6 -p1 -b .cfgrandom
%patch7 -p1 -b .cavs
@ -171,6 +169,9 @@ exit 0
%doc COPYING
%changelog
* Thu Jul 21 2011 Tomas Mraz <tmraz@redhat.com> 1.5.0-1
- new upstream version
* Mon Jun 20 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-4
- Always xor seed from /dev/urandom over /etc/gcrypt/rngseed


@ -1 +1 @@
f89395ced1cec0107d49524f5bf432f9 libgcrypt-1.4.6-hobbled.tar.bz2
35a73c1f2616ad904108ed8645c82f4c libgcrypt-1.5.0-hobbled.tar.bz2