From b5054585fee31a6c0a42cd6e42fca02e747d53f7 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 21 Jul 2011 15:57:57 +0200 Subject: [PATCH] new upstream version --- .gitignore | 1 + libgcrypt-1.4.5-ImplicitDSOLinking.patch | 24 ---- libgcrypt-1.4.5-urandom.patch | 33 ------ ...s.patch => libgcrypt-1.5.0-fips-cavs.patch | 109 +++++++++--------- ...ch => libgcrypt-1.5.0-fips-cfgrandom.patch | 43 ++++--- libgcrypt-1.5.0-noecc.patch | 12 ++ ...tests.patch => libgcrypt-1.5.0-tests.patch | 73 ++++++------ ...tch => libgcrypt-1.5.0-use-fipscheck.patch | 25 ++-- libgcrypt.spec | 27 ++--- sources | 2 +- 10 files changed, 157 insertions(+), 192 deletions(-) delete mode 100644 libgcrypt-1.4.5-ImplicitDSOLinking.patch delete mode 100644 libgcrypt-1.4.5-urandom.patch rename libgcrypt-1.4.6-cavs.patch => libgcrypt-1.5.0-fips-cavs.patch (95%) rename libgcrypt-1.4.6-fips-cfgrandom.patch => libgcrypt-1.5.0-fips-cfgrandom.patch (72%) create mode 100644 libgcrypt-1.5.0-noecc.patch rename libgcrypt-1.4.5-tests.patch => libgcrypt-1.5.0-tests.patch (77%) rename libgcrypt-1.4.4-use-fipscheck.patch => libgcrypt-1.5.0-use-fipscheck.patch (77%) diff --git a/.gitignore b/.gitignore index 3259611..2daa2a1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ libgcrypt-1.4.5-hobbled.tar.bz2 /libgcrypt-1.4.6-hobbled.tar.bz2 +/libgcrypt-1.5.0-hobbled.tar.bz2 diff --git a/libgcrypt-1.4.5-ImplicitDSOLinking.patch b/libgcrypt-1.4.5-ImplicitDSOLinking.patch deleted file mode 100644 index 7b4671f..0000000 --- a/libgcrypt-1.4.5-ImplicitDSOLinking.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up libgcrypt-1.4.5/tests/Makefile.am.ImplicitDSOLinking libgcrypt-1.4.5/tests/Makefile.am ---- libgcrypt-1.4.5/tests/Makefile.am.ImplicitDSOLinking 2009-04-02 04:25:34.000000000 -0500 -+++ libgcrypt-1.4.5/tests/Makefile.am 2010-02-14 14:28:49.792383613 -0600 -@@ -36,7 +36,7 @@ TESTS += benchmark - AM_CPPFLAGS = -I../src -I$(top_srcdir)/src - AM_CFLAGS = $(GPG_ERROR_CFLAGS) - --LDADD = ../src/libgcrypt.la $(DL_LIBS) -+LDADD = ../src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS) - - EXTRA_PROGRAMS = testapi pkbench - noinst_PROGRAMS = $(TESTS) fipsdrv -diff -up libgcrypt-1.4.5/tests/Makefile.in.ImplicitDSOLinking libgcrypt-1.4.5/tests/Makefile.in ---- libgcrypt-1.4.5/tests/Makefile.in.ImplicitDSOLinking 2009-12-11 09:43:30.000000000 -0600 -+++ libgcrypt-1.4.5/tests/Makefile.in 2010-02-14 14:29:30.232368780 -0600 -@@ -334,7 +334,7 @@ top_srcdir = @top_srcdir@ - # a built header. - AM_CPPFLAGS = -I../src -I$(top_srcdir)/src - AM_CFLAGS = $(GPG_ERROR_CFLAGS) --LDADD = ../src/libgcrypt.la $(DL_LIBS) -+LDADD = ../src/libgcrypt.la $(DL_LIBS) $(GPG_ERROR_LIBS) - EXTRA_DIST = README rsa-16k.key cavs_tests.sh cavs_driver.pl - all: all-am - diff --git a/libgcrypt-1.4.5-urandom.patch b/libgcrypt-1.4.5-urandom.patch deleted file mode 100644 index 0bccbfc..0000000 --- a/libgcrypt-1.4.5-urandom.patch +++ /dev/null @@ -1,33 +0,0 @@ -diff -up libgcrypt-1.4.5/random/random-fips.c.urandom libgcrypt-1.4.5/random/random-fips.c ---- libgcrypt-1.4.5/random/random-fips.c.urandom 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.5/random/random-fips.c 2011-02-01 11:33:59.000000000 +0100 -@@ -29,8 +29,8 @@ - - Generator Seed and Key Kernel entropy (init/reseed) - ------------------------------------------------------------ -- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits -- GCRY_STRONG_RANDOM /dev/random 256/128 bits -+ GCRY_VERY_STRONG_RANDOM /dev/urandom 256/128 bits -+ GCRY_STRONG_RANDOM /dev/urandom 256/128 bits - gcry_create_nonce GCRY_STRONG_RANDOM n/a - - All random generators return their data in 128 bit blocks. If the -@@ -40,8 +40,7 @@ - (SEED_TTL) output blocks; the re-seeding is disabled in test mode. - - The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are -- keyed and seeded from the /dev/random device. Thus these -- generators may block until the kernel has collected enough entropy. -+ keyed and seeded from the /dev/urandom device. - - The gcry_create_nonce generator is keyed and seeded from the - GCRY_STRONG_RANDOM generator. It may also block if the -@@ -562,7 +561,7 @@ get_entropy (size_t nbytes) - #if USE_RNDLINUX - rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, - X931_AES_KEYLEN, -- GCRY_VERY_STRONG_RANDOM); -+ GCRY_STRONG_RANDOM); - #elif USE_RNDW32 - do - { diff --git a/libgcrypt-1.4.6-cavs.patch b/libgcrypt-1.5.0-fips-cavs.patch similarity index 95% rename from libgcrypt-1.4.6-cavs.patch rename to libgcrypt-1.5.0-fips-cavs.patch index b23129b..ac999f9 100644 --- a/libgcrypt-1.4.6-cavs.patch +++ b/libgcrypt-1.5.0-fips-cavs.patch @@ -1,7 +1,7 @@ -diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c ---- libgcrypt-1.4.6/cipher/dsa.c.cavs 2011-05-26 22:03:17.000000000 +0200 -+++ libgcrypt-1.4.6/cipher/dsa.c 2011-05-26 22:03:18.000000000 +0200 -@@ -467,7 +467,6 @@ generate_fips186 (DSA_secret_key *sk, un +diff -up libgcrypt-1.5.0/cipher/dsa.c.cavs libgcrypt-1.5.0/cipher/dsa.c +--- libgcrypt-1.5.0/cipher/dsa.c.cavs 2011-07-21 14:56:35.000000000 +0200 ++++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-21 14:58:06.000000000 +0200 +@@ -479,7 +479,6 @@ generate_fips186 (DSA_secret_key *sk, un initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1, &initial_seed.seedlen); } @@ -9,8 +9,8 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c if (use_fips186_2) ec = _gcry_generate_fips186_2_prime (nbits, qbits, initial_seed.seed, -@@ -475,13 +474,22 @@ generate_fips186 (DSA_secret_key *sk, un - &prime_q, &prime_p, +@@ -487,13 +486,22 @@ generate_fips186 (DSA_secret_key *sk, un + &prime_q, &prime_p, r_counter, r_seed, r_seedlen); - else @@ -33,7 +33,7 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c gcry_sexp_release (initial_seed.sexp); if (ec) goto leave; -@@ -772,13 +780,12 @@ dsa_generate_ext (int algo, unsigned int +@@ -784,13 +792,12 @@ dsa_generate_ext (int algo, unsigned int gcry_sexp_release (l1); gcry_sexp_release (domainsexp); @@ -49,9 +49,9 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c return GPG_ERR_MISSING_VALUE; } -diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_driver.pl ---- libgcrypt-1.4.6/tests/cavs_driver.pl.cavs 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.6/tests/cavs_driver.pl 2011-06-20 20:00:13.000000000 +0200 +diff -up libgcrypt-1.5.0/tests/cavs_driver.pl.cavs libgcrypt-1.5.0/tests/cavs_driver.pl +--- libgcrypt-1.5.0/tests/cavs_driver.pl.cavs 2011-02-04 20:18:20.000000000 +0100 ++++ libgcrypt-1.5.0/tests/cavs_driver.pl 2011-07-21 15:01:47.000000000 +0200 @@ -1,9 +1,11 @@ #!/usr/bin/env perl # @@ -153,11 +153,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr # generate a new DSA key with the following properties: # PEM format --# $1 keyfile name +-# $1 keyfile name -# return: file created, hash with keys of P, Q, G in hex format +# $1: modulus size +# $2: q size -+# $3 keyfile name ++# $3 keyfile name +# return: file created with key, string with values of P, Q, G in hex format my $gen_dsakey; @@ -165,7 +165,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr +# PEM format +# $1: P in hex form +# $2: Q in hex form -+# $3: G in hex form ++# $3: G in hex form +# return: string with values of X, Y in hex format +my $gen_dsakey_domain; + @@ -173,7 +173,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr # $1: data to be signed in hex form # $2: Key file in PEM format with the private key @@ -500,17 +560,32 @@ sub libgcrypt_hmac($$$$) { - return pipe_through_program($msg, $program); + return pipe_through_program($msg, $program); } -sub libgcrypt_dsa_pqggen($) { @@ -313,11 +313,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr - $out .= "H = $H\n\n"; + $out .= "domain_parameter_seed = $Seed\n"; + $out .= "counter = $c\n\n"; -+ } -+ -+ return $out; -+} -+ + } + + return $out; + } + +# DSA GGen test +# $1 modulus size +# $2 q size @@ -436,11 +436,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr + } + else { + $out .= "Result = F\n\n"; - } - - return $out; - } - ++ } ++ ++ return $out; ++} ++ +# DSA Keypair test +# $1 modulus size +# $2 q size @@ -725,9 +725,9 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr $dsa_sign = \&libgcrypt_dsa_sign; $dsa_verify = \&libgcrypt_dsa_verify; $dsa_genpubkey = \&libgcrypt_dsa_genpubkey; -diff -up libgcrypt-1.4.6/tests/cavs_tests.sh.cavs libgcrypt-1.4.6/tests/cavs_tests.sh ---- libgcrypt-1.4.6/tests/cavs_tests.sh.cavs 2011-05-26 21:02:02.000000000 +0200 -+++ libgcrypt-1.4.6/tests/cavs_tests.sh 2011-05-26 22:20:20.000000000 +0200 +diff -up libgcrypt-1.5.0/tests/cavs_tests.sh.cavs libgcrypt-1.5.0/tests/cavs_tests.sh +--- libgcrypt-1.5.0/tests/cavs_tests.sh.cavs 2011-02-04 20:18:20.000000000 +0100 ++++ libgcrypt-1.5.0/tests/cavs_tests.sh 2011-07-21 15:02:16.000000000 +0200 @@ -55,7 +55,7 @@ function run_one_test () { [ -d "$respdir" ] || mkdir "$respdir" [ -f "$rspfile" ] && rm "$rspfile" @@ -735,12 +735,12 @@ diff -up libgcrypt-1.4.6/tests/cavs_tests.sh.cavs libgcrypt-1.4.6/tests/cavs_tes - if echo "$reqfile" | grep '/DSA/req/' >/dev/null 2>/dev/null; then + if echo "$reqfile" | grep '/DSA.\?/req/' >/dev/null 2>/dev/null; then dflag="-D" - fi - -diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c ---- libgcrypt-1.4.6/tests/fipsdrv.c.cavs 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.6/tests/fipsdrv.c 2011-05-27 18:03:11.000000000 +0200 -@@ -893,9 +893,12 @@ print_mpi_line (gcry_mpi_t a, int no_lz) + fi + +diff -up libgcrypt-1.5.0/tests/fipsdrv.c.cavs libgcrypt-1.5.0/tests/fipsdrv.c +--- libgcrypt-1.5.0/tests/fipsdrv.c.cavs 2011-02-04 20:18:20.000000000 +0100 ++++ libgcrypt-1.5.0/tests/fipsdrv.c 2011-07-21 15:06:44.000000000 +0200 +@@ -893,6 +893,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz) die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err)); p = buf; @@ -749,11 +749,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c + p = buf; if (no_lz && p[0] == '0' && p[1] == '0' && p[2]) p += 2; -- -+ - printf ("%s\n", p); - if (ferror (stdout)) - writerr++; + @@ -1675,14 +1678,14 @@ run_rsa_verify (const void *data, size_t /* Generate a DSA key of size KEYSIZE and return the complete S-expression. */ @@ -764,7 +760,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c gpg_error_t err; gcry_sexp_t keyspec, key; - err = gcry_sexp_build (&keyspec, NULL, + err = gcry_sexp_build (&keyspec, NULL, - "(genkey (dsa (nbits %d)(use-fips186-2)))", - keysize); + "(genkey (dsa (nbits %d)(qbits %d)(use-fips186)))", @@ -795,10 +791,16 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c if (err) die ("gcry_sexp_build failed for DSA key generation: %s\n", gpg_strerror (err)); -@@ -1726,13 +1730,44 @@ dsa_gen_with_seed (int keysize, const vo - return key; - } - +@@ -1720,6 +1724,37 @@ dsa_gen_with_seed (int keysize, const vo + err = gcry_pk_genkey (&key, keyspec); + if (err) + die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); ++ ++ gcry_sexp_release (keyspec); ++ ++ return key; ++} ++ +/* Generate a DSA key with specified domain parameters and return the complete + S-expression. */ +static gcry_sexp_t @@ -812,7 +814,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c + die ("gcry_sexp_build failed for domain spec: %s\n", + gpg_strerror (err)); + -+ err = gcry_sexp_build (&keyspec, NULL, ++ err = gcry_sexp_build (&keyspec, NULL, + "(genkey" + " (dsa" + " (use-fips186)" @@ -824,18 +826,13 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c + err = gcry_pk_genkey (&key, keyspec); + if (err) + die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); -+ -+ gcry_sexp_release (keyspec); -+ -+ return key; -+} -+ - /* Print the domain parameter as well as the derive information. KEY - is the complete key as returned by dsa_gen. We print to stdout + gcry_sexp_release (keyspec); + +@@ -1732,7 +1767,7 @@ dsa_gen_with_seed (int keysize, const vo with one parameter per line in hex format using this order: p, q, g, seed, counter, h. */ - static void + static void -print_dsa_domain_parameters (gcry_sexp_t key) +print_dsa_domain_parameters (gcry_sexp_t key, int print_misc) { @@ -1127,7 +1124,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c { - int keysize; + int keysize, qsize; - + keysize = keysize_string? atoi (keysize_string) : 0; if (keysize < 1024 || keysize > 3072) die ("invalid keysize specified; needs to be 1024 .. 3072\n"); @@ -1140,7 +1137,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c + else if (!strcmp (mode_string, "dsa-g-gen")) + { + int keysize, qsize; -+ ++ + keysize = keysize_string? atoi (keysize_string) : 0; + if (keysize < 1024 || keysize > 3072) + die ("invalid keysize specified; needs to be 1024 .. 3072\n"); @@ -1161,7 +1158,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c { - int keysize; + int keysize, qsize; - + keysize = keysize_string? atoi (keysize_string) : 0; if (keysize < 1024 || keysize > 3072) die ("invalid keysize specified; needs to be 1024 .. 3072\n"); diff --git a/libgcrypt-1.4.6-fips-cfgrandom.patch b/libgcrypt-1.5.0-fips-cfgrandom.patch similarity index 72% rename from libgcrypt-1.4.6-fips-cfgrandom.patch rename to libgcrypt-1.5.0-fips-cfgrandom.patch index 574d6a0..1384c25 100644 --- a/libgcrypt-1.4.6-fips-cfgrandom.patch +++ b/libgcrypt-1.5.0-fips-cfgrandom.patch @@ -1,14 +1,14 @@ -diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/random-fips.c ---- libgcrypt-1.4.6/random/random-fips.c.cfgrandom 2011-06-20 21:13:38.000000000 +0200 -+++ libgcrypt-1.4.6/random/random-fips.c 2011-06-20 21:32:47.000000000 +0200 +diff -up libgcrypt-1.5.0/random/random-fips.c.cfgrandom libgcrypt-1.5.0/random/random-fips.c +--- libgcrypt-1.5.0/random/random-fips.c.cfgrandom 2011-07-21 14:50:34.000000000 +0200 ++++ libgcrypt-1.5.0/random/random-fips.c 2011-07-21 14:50:34.000000000 +0200 @@ -27,10 +27,10 @@ There are 3 random context which map to the different levels of random quality: - Generator Seed and Key Kernel entropy (init/reseed) - ------------------------------------------------------------ -- GCRY_VERY_STRONG_RANDOM /dev/urandom 256/128 bits -- GCRY_STRONG_RANDOM /dev/urandom 256/128 bits +- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits +- GCRY_STRONG_RANDOM /dev/random 256/128 bits + Generator Seed and Key Kernel entropy (init/reseed) + --------------------------------------------------------------------------------------- + GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits @@ -16,11 +16,12 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r gcry_create_nonce GCRY_STRONG_RANDOM n/a All random generators return their data in 128 bit blocks. If the -@@ -40,7 +40,10 @@ +@@ -40,8 +40,10 @@ (SEED_TTL) output blocks; the re-seeding is disabled in test mode. The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are -- keyed and seeded from the /dev/urandom device. +- keyed and seeded from the /dev/random device. Thus these +- generators may block until the kernel has collected enough entropy. + keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed + if the device or symlink to device exists xored with the data + from the /dev/urandom device. This allows the system administrator @@ -28,7 +29,7 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r The gcry_create_nonce generator is keyed and seeded from the GCRY_STRONG_RANDOM generator. It may also block if the -@@ -559,6 +562,10 @@ get_entropy (size_t nbytes) +@@ -560,9 +562,13 @@ get_entropy (size_t nbytes) entropy_collect_buffer_len = 0; #if USE_RNDLINUX @@ -38,11 +39,15 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r + entropy_collect_buffer_len = 0; rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, X931_AES_KEYLEN, - GCRY_STRONG_RANDOM); -diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndlinux.c ---- libgcrypt-1.4.6/random/rndlinux.c.cfgrandom 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.6/random/rndlinux.c 2011-06-20 21:34:09.000000000 +0200 -@@ -35,7 +35,9 @@ +- GCRY_VERY_STRONG_RANDOM); ++ GCRY_STRONG_RANDOM); + #elif USE_RNDW32 + do + { +diff -up libgcrypt-1.5.0/random/rndlinux.c.cfgrandom libgcrypt-1.5.0/random/rndlinux.c +--- libgcrypt-1.5.0/random/rndlinux.c.cfgrandom 2011-02-04 20:16:03.000000000 +0100 ++++ libgcrypt-1.5.0/random/rndlinux.c 2011-07-21 14:50:34.000000000 +0200 +@@ -36,7 +36,9 @@ #include "g10lib.h" #include "rand-internal.h" @@ -53,7 +58,7 @@ diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndl static int -@@ -56,13 +58,17 @@ set_cloexec_flag (int fd) +@@ -57,13 +59,17 @@ set_cloexec_flag (int fd) * Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)). */ static int @@ -73,21 +78,23 @@ diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndl if (set_cloexec_flag (fd)) log_error ("error setting FD_CLOEXEC on fd %d: %s\n", -@@ -91,11 +97,13 @@ _gcry_rndlinux_gather_random (void (*add +@@ -92,6 +98,7 @@ _gcry_rndlinux_gather_random (void (*add { static int fd_urandom = -1; static int fd_random = -1; + static int fd_configured = -1; int fd; int n; - int warn=0; byte buffer[768]; - size_t n_hw; +@@ -100,6 +107,7 @@ _gcry_rndlinux_gather_random (void (*add + size_t last_so_far = 0; + int any_need_entropy = 0; + int delay; + size_t orig_length = length; /* First read from a hardware source. However let it account only for up to 50% of the requested bytes. */ -@@ -106,16 +114,26 @@ _gcry_rndlinux_gather_random (void (*add +@@ -110,16 +118,26 @@ _gcry_rndlinux_gather_random (void (*add length -= n_hw; /* Open the requested device. */ diff --git a/libgcrypt-1.5.0-noecc.patch b/libgcrypt-1.5.0-noecc.patch new file mode 100644 index 0000000..7905c71 --- /dev/null +++ b/libgcrypt-1.5.0-noecc.patch @@ -0,0 +1,12 @@ +diff -up libgcrypt-1.5.0/tests/Makefile.noecc libgcrypt-1.5.0/tests/Makefile +--- libgcrypt-1.5.0/tests/Makefile.in.noecc 2011-07-21 15:34:33.000000000 +0200 ++++ libgcrypt-1.5.0/tests/Makefile.in 2011-07-21 15:39:35.000000000 +0200 +@@ -57,7 +57,7 @@ TESTS = version$(EXEEXT) t-mpi-bit$(EXEE + ac-data$(EXEEXT) basic$(EXEEXT) mpitests$(EXEEXT) \ + tsexp$(EXEEXT) keygen$(EXEEXT) pubkey$(EXEEXT) hmac$(EXEEXT) \ + keygrip$(EXEEXT) fips186-dsa$(EXEEXT) aeswrap$(EXEEXT) \ +- curves$(EXEEXT) t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \ ++ t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \ + $(am__EXEEXT_1) benchmark$(EXEEXT) + + # random.c uses fork() thus a test for W32 does not make any sense. diff --git a/libgcrypt-1.4.5-tests.patch b/libgcrypt-1.5.0-tests.patch similarity index 77% rename from libgcrypt-1.4.5-tests.patch rename to libgcrypt-1.5.0-tests.patch index d2f0256..277438f 100644 --- a/libgcrypt-1.4.5-tests.patch +++ b/libgcrypt-1.5.0-tests.patch @@ -1,20 +1,23 @@ -diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c ---- libgcrypt-1.4.5/cipher/dsa.c.tests 2009-08-21 10:18:30.000000000 +0200 -+++ libgcrypt-1.4.5/cipher/dsa.c 2011-02-04 09:06:02.000000000 +0100 -@@ -468,21 +468,20 @@ generate_fips186 (DSA_secret_key *sk, un +diff -up libgcrypt-1.5.0/cipher/dsa.c.tests libgcrypt-1.5.0/cipher/dsa.c +--- libgcrypt-1.5.0/cipher/dsa.c.tests 2011-06-13 12:24:46.000000000 +0200 ++++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-20 16:44:51.000000000 +0200 +@@ -479,22 +479,21 @@ generate_fips186 (DSA_secret_key *sk, un + initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1, &initial_seed.seedlen); } - +- - /* Fixme: Enable 186-3 after it has been approved and after fixing - the generation function. */ - /* if (use_fips186_2) */ - (void)use_fips186_2; -- ec = _gcry_generate_fips186_2_prime (nbits, qbits, +- ec = _gcry_generate_fips186_2_prime (nbits, qbits, +- initial_seed.seed, ++ + if (use_fips186_2) + ec = _gcry_generate_fips186_2_prime (nbits, qbits, - initial_seed.seed, ++ initial_seed.seed, initial_seed.seedlen, - &prime_q, &prime_p, + &prime_q, &prime_p, r_counter, r_seed, r_seedlen); - /* else */ @@ -32,9 +35,9 @@ diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c gcry_sexp_release (initial_seed.sexp); if (ec) goto leave; -diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen.c ---- libgcrypt-1.4.5/cipher/primegen.c.tests 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.5/cipher/primegen.c 2011-02-04 09:06:34.000000000 +0100 +diff -up libgcrypt-1.5.0/cipher/primegen.c.tests libgcrypt-1.5.0/cipher/primegen.c +--- libgcrypt-1.5.0/cipher/primegen.c.tests 2011-03-28 14:19:52.000000000 +0200 ++++ libgcrypt-1.5.0/cipher/primegen.c 2011-07-21 14:36:03.000000000 +0200 @@ -1647,7 +1647,7 @@ _gcry_generate_fips186_3_prime (unsigned gpg_err_code_t ec; unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */ @@ -47,7 +50,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen @@ -1737,7 +1737,7 @@ _gcry_generate_fips186_3_prime (unsigned } gcry_mpi_release (prime_q); prime_q = NULL; - ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG, + ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG, - value_u, sizeof value_u, NULL)); + value_u, qbits/8, NULL)); if (ec) @@ -59,7 +62,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen } - gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen); + gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen); - + gcry_mpi_release (tmpval); tmpval = NULL; ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG, - digest, sizeof digest, NULL)); @@ -81,21 +84,21 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen if (r_q) { *r_q = prime_q; -diff -up libgcrypt-1.4.5/cipher/rsa.c.tests libgcrypt-1.4.5/cipher/rsa.c ---- libgcrypt-1.4.5/cipher/rsa.c.tests 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.5/cipher/rsa.c 2011-02-04 09:06:02.000000000 +0100 +diff -up libgcrypt-1.5.0/cipher/rsa.c.tests libgcrypt-1.5.0/cipher/rsa.c +--- libgcrypt-1.5.0/cipher/rsa.c.tests 2011-06-10 10:53:41.000000000 +0200 ++++ libgcrypt-1.5.0/cipher/rsa.c 2011-07-21 14:36:59.000000000 +0200 @@ -388,7 +388,7 @@ generate_x931 (RSA_secret_key *sk, unsig *swapped = 0; - if (e_value == 1) /* Alias for a secure value. */ + if (e_value == 1 || e_value == 0) /* Alias for a secure value. */ - e_value = 65537; + e_value = 65537; /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */ -diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/random-fips.c ---- libgcrypt-1.4.5/random/random-fips.c.tests 2011-02-04 09:06:02.000000000 +0100 -+++ libgcrypt-1.4.5/random/random-fips.c 2011-02-04 09:06:02.000000000 +0100 +diff -up libgcrypt-1.5.0/random/random-fips.c.tests libgcrypt-1.5.0/random/random-fips.c +--- libgcrypt-1.5.0/random/random-fips.c.tests 2011-07-20 16:40:59.000000000 +0200 ++++ libgcrypt-1.5.0/random/random-fips.c 2011-07-20 16:40:59.000000000 +0200 @@ -691,6 +691,7 @@ get_random (void *buffer, size_t length, check_guards (rng_ctx); @@ -123,9 +126,9 @@ diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/rando } if (x931_aes_driver (buffer, length, rng_ctx)) -diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c ---- libgcrypt-1.4.5/tests/ac.c.tests 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.5/tests/ac.c 2011-02-04 09:06:02.000000000 +0100 +diff -up libgcrypt-1.5.0/tests/ac.c.tests libgcrypt-1.5.0/tests/ac.c +--- libgcrypt-1.5.0/tests/ac.c.tests 2011-02-04 20:18:20.000000000 +0100 ++++ libgcrypt-1.5.0/tests/ac.c 2011-07-20 16:40:59.000000000 +0200 @@ -150,6 +150,9 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); @@ -136,9 +139,9 @@ diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c if (debug) gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); /* No valuable keys are create, so we can speed up our RNG. */ -diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c ---- libgcrypt-1.4.5/tests/ac-data.c.tests 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.5/tests/ac-data.c 2011-02-04 09:06:02.000000000 +0100 +diff -up libgcrypt-1.5.0/tests/ac-data.c.tests libgcrypt-1.5.0/tests/ac-data.c +--- libgcrypt-1.5.0/tests/ac-data.c.tests 2011-02-04 20:18:20.000000000 +0100 ++++ libgcrypt-1.5.0/tests/ac-data.c 2011-07-20 16:40:59.000000000 +0200 @@ -198,6 +198,9 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); @@ -149,9 +152,9 @@ diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c if (debug) gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); -diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schemes.c ---- libgcrypt-1.4.5/tests/ac-schemes.c.tests 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.5/tests/ac-schemes.c 2011-02-04 09:06:02.000000000 +0100 +diff -up libgcrypt-1.5.0/tests/ac-schemes.c.tests libgcrypt-1.5.0/tests/ac-schemes.c +--- libgcrypt-1.5.0/tests/ac-schemes.c.tests 2011-02-04 20:18:20.000000000 +0100 ++++ libgcrypt-1.5.0/tests/ac-schemes.c 2011-07-20 16:40:59.000000000 +0200 @@ -338,6 +338,9 @@ main (int argc, char **argv) if (! gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); @@ -162,16 +165,16 @@ diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schem if (debug) gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); -diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c ---- libgcrypt-1.4.5/tests/keygen.c.tests 2009-04-02 11:25:34.000000000 +0200 -+++ libgcrypt-1.4.5/tests/keygen.c 2011-02-04 09:06:02.000000000 +0100 +diff -up libgcrypt-1.5.0/tests/keygen.c.tests libgcrypt-1.5.0/tests/keygen.c +--- libgcrypt-1.5.0/tests/keygen.c.tests 2011-02-04 20:18:20.000000000 +0100 ++++ libgcrypt-1.5.0/tests/keygen.c 2011-07-21 14:39:03.000000000 +0200 @@ -148,12 +148,12 @@ check_rsa_keys (void) } if (verbose) - fprintf (stderr, "creating 1536 bit DSA key\n"); + fprintf (stderr, "creating 2048 bit DSA key\n"); - rc = gcry_sexp_new (&keyparm, + rc = gcry_sexp_new (&keyparm, "(genkey\n" " (dsa\n" - " (nbits 4:1536)\n" @@ -187,7 +190,7 @@ diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c if (verbose) - fprintf (stderr, "creating 512 bit RSA key with e=257\n"); + fprintf (stderr, "creating 1024 bit RSA key with e=257\n"); - rc = gcry_sexp_new (&keyparm, + rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" - " (nbits 3:512)\n" @@ -201,7 +204,7 @@ diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c if (verbose) - fprintf (stderr, "creating 512 bit RSA key with default e\n"); + fprintf (stderr, "creating 1024 bit RSA key with default secure e\n"); - rc = gcry_sexp_new (&keyparm, + rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" - " (nbits 3:512)\n" diff --git a/libgcrypt-1.4.4-use-fipscheck.patch b/libgcrypt-1.5.0-use-fipscheck.patch similarity index 77% rename from libgcrypt-1.4.4-use-fipscheck.patch rename to libgcrypt-1.5.0-use-fipscheck.patch index d6f45b2..1cef010 100644 --- a/libgcrypt-1.4.4-use-fipscheck.patch +++ b/libgcrypt-1.5.0-use-fipscheck.patch @@ -1,6 +1,6 @@ -diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c ---- libgcrypt-1.4.4/src/fips.c.use-fipscheck 2009-03-03 21:09:27.000000000 +0100 -+++ libgcrypt-1.4.4/src/fips.c 2009-03-05 11:20:48.000000000 +0100 +diff -up libgcrypt-1.5.0/src/fips.c.use-fipscheck libgcrypt-1.5.0/src/fips.c +--- libgcrypt-1.5.0/src/fips.c.use-fipscheck 2011-02-04 20:17:33.000000000 +0100 ++++ libgcrypt-1.5.0/src/fips.c 2011-07-20 16:17:21.000000000 +0200 @@ -570,23 +570,48 @@ run_random_selftests (void) return !!err; } @@ -42,9 +42,10 @@ diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c int dlen; char *fname = NULL; - const char key[] = "What am I, a doctor or a moonshuttle conductor?"; -+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; - +- - if (!dladdr ("gcry_check_version", &info)) ++ const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ + if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath))) err = gpg_error_from_syserror (); else @@ -72,15 +73,15 @@ diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c p = strrchr (fname, '/'); if (p) p++; -diff -up libgcrypt-1.4.4/src/Makefile.in.use-fipscheck libgcrypt-1.4.4/src/Makefile.in ---- libgcrypt-1.4.4/src/Makefile.in.use-fipscheck 2009-01-22 19:16:51.000000000 +0100 -+++ libgcrypt-1.4.4/src/Makefile.in 2009-03-05 11:31:57.000000000 +0100 -@@ -337,7 +337,7 @@ libgcrypt_la_LIBADD = \ +diff -up libgcrypt-1.5.0/src/Makefile.in.use-fipscheck libgcrypt-1.5.0/src/Makefile.in +--- libgcrypt-1.5.0/src/Makefile.in.use-fipscheck 2011-06-29 10:58:01.000000000 +0200 ++++ libgcrypt-1.5.0/src/Makefile.in 2011-07-20 16:19:33.000000000 +0200 +@@ -375,7 +375,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ ../cipher/libcipher.la \ ../random/librandom.la \ ../mpi/libmpi.la \ -- @LTLIBOBJS@ @GPG_ERROR_LIBS@ -+ @LTLIBOBJS@ @GPG_ERROR_LIBS@ -ldl +- ../compat/libcompat.la $(GPG_ERROR_LIBS) ++ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl dumpsexp_SOURCES = dumpsexp.c - dumpsexp_LDADD = + dumpsexp_CFLAGS = $(arch_gpg_error_cflags) diff --git a/libgcrypt.spec b/libgcrypt.spec index b430412..5fdee9d 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt -Version: 1.4.6 -Release: 4%{?dist} +Version: 1.5.0 +Release: 1%{?dist} URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.bz2 # The original libgcrypt sources now contain potentially patented ECC @@ -10,18 +10,17 @@ Source0: libgcrypt-%{version}-hobbled.tar.bz2 #Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig Source2: wk@g10code.com Source3: hobble-libgcrypt +# do not run the ecc curves test +Patch1: libgcrypt-1.5.0-noecc.patch # make FIPS hmac compatible with fipscheck - non upstreamable -Patch2: libgcrypt-1.4.4-use-fipscheck.patch -# fix ImplicitDSOLinking (missing -lgpg-error linkage in tests/), upstreamable -Patch3: libgcrypt-1.4.5-ImplicitDSOLinking.patch -# use /dev/urandom in the FIPS mode -Patch4: libgcrypt-1.4.5-urandom.patch +Patch2: libgcrypt-1.5.0-use-fipscheck.patch # fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen -Patch5: libgcrypt-1.4.5-tests.patch -# add configurable source of RNG seed in the FIPS mode -Patch6: libgcrypt-1.4.6-fips-cfgrandom.patch +Patch5: libgcrypt-1.5.0-tests.patch +# add configurable source of RNG seed and seed by default +# from /dev/urandom in the FIPS mode +Patch6: libgcrypt-1.5.0-fips-cfgrandom.patch # make the FIPS-186-3 DSA CAVS testable -Patch7: libgcrypt-1.4.6-cavs.patch +Patch7: libgcrypt-1.5.0-fips-cavs.patch # Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction. # Documentation and some utilities are GPLv2+ licensed. These files @@ -54,9 +53,8 @@ applications using libgcrypt. %prep %setup -q %{SOURCE3} +%patch1 -p1 -b .noecc %patch2 -p1 -b .use-fipscheck -%patch3 -p1 -b .ImplicitDSOLinking -%patch4 -p1 -b .urandom %patch5 -p1 -b .tests %patch6 -p1 -b .cfgrandom %patch7 -p1 -b .cavs @@ -171,6 +169,9 @@ exit 0 %doc COPYING %changelog +* Thu Jul 21 2011 Tomas Mraz 1.5.0-1 +- new upstream version + * Mon Jun 20 2011 Tomas Mraz 1.4.6-4 - Always xor seed from /dev/urandom over /etc/gcrypt/rngseed diff --git a/sources b/sources index be4fd16..28984ca 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f89395ced1cec0107d49524f5bf432f9 libgcrypt-1.4.6-hobbled.tar.bz2 +35a73c1f2616ad904108ed8645c82f4c libgcrypt-1.5.0-hobbled.tar.bz2