From e8971f3db396186ba2ad1bf5f389f9b5e0f60354 Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Fri, 29 Jan 2021 13:37:36 +0000
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libgcrypt.git#93ba00ab6ffe91bb52a03bc4a9ddfdf6756afacf
---
 .gitignore | 1 +
 ecc-curves.c | 28 +++++++++++++---
 libgcrypt-1.7.3-fips-reqs.patch | 35 --------------------
 libgcrypt-1.8.4-fips-keygen.patch | 9 +++--
 libgcrypt-1.8.4-tests-fipsmode.patch | 2 +-
 libgcrypt-1.8.4-use-poll.patch | 6 ++--
 libgcrypt-1.9.0-kdf-missing-terminator.patch | 31 -----------------
 libgcrypt.spec | 11 +++---
 sources | 2 +-
 9 files changed, 37 insertions(+), 88 deletions(-)
 delete mode 100644 libgcrypt-1.7.3-fips-reqs.patch
 delete mode 100644 libgcrypt-1.9.0-kdf-missing-terminator.patch

diff --git a/.gitignore b/.gitignore
index fed427b..0288827 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ libgcrypt-1.4.5-hobbled.tar.bz2
 /libgcrypt-1.8.6-hobbled.tar.xz
 /libgcrypt-1.8.7-hobbled.tar.xz
 /libgcrypt-1.9.0-hobbled.tar.xz
+/libgcrypt-1.9.1-hobbled.tar.xz
diff --git a/ecc-curves.c b/ecc-curves.c
index 4242117..a974bcf 100644
--- a/ecc-curves.c
+++ b/ecc-curves.c
@@ -1064,13 +1064,18 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags,
 if ((n+7)/8 != len)
 {
- if ((n+7)/8 < len && ec->dialect == ECC_DIALECT_ED25519)
+ if (ec->dialect == ECC_DIALECT_ED25519)
 {
 /*
 * GnuPG (<= 2.2) or OpenPGP implementations with no
 * SOS support may remove zeros at the beginning.
 * Recover those zeros.
 */
+ /*
+ * Also, GnuPG (<= 2.2) may add additional zero at
+ * the beginning, when private key is moved from
+ * OpenPGP to gpg-agent. Remove such a zero-prefix.
+ */
 const unsigned char *buf;
 unsigned char *value;
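Review bot: Dropping `(n+7)/8 < len` from the Ed25519 condition changes what happens to over-long secrets, and neither comment in this block says so. Before, a key longer than `len` took the `else` branch (its body is outside this hunk); now every size mismatch lands here and, per the next hunk, only exactly one extra byte is accepted. I would extend the new comment with one line such as `* Any other length is rejected with GPG_ERR_INV_OBJ.` so the stricter behaviour is visible where the condition was relaxed. The enclosing function starts and ends outside the hunk.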
@@ -1078,13 +1083,26 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags,
 if (!buf)
 return GPG_ERR_INV_OBJ;
- value = xtrycalloc_secure (1, len);
+ value = xtrymalloc_secure (len);
 if (!value)
 return gpg_err_code_from_syserror ();
- memset (value, 0, len - (n+7)/8);
- memcpy (value + len - (n+7)/8, buf, (n+7)/8);
- mpi_set_opaque (ec->d, value, len);
+ if ((n+7)/8 < len)
+ /* Recover zeros. */
+ {
+ memset (value, 0, len - (n+7)/8);
+ memcpy (value + len - (n+7)/8, buf, (n+7)/8);
+ }
+ else if ((n+7)/8 == len + 1)
+ /* Remove a zero. */
+ memcpy (value, buf+1, len);
+ else
+ {
+ xfree (value);
+ return GPG_ERR_INV_OBJ;
+ }
+
+ mpi_set_opaque (ec->d, value, len*8);
 }
 else
 {
diff --git a/libgcrypt-1.7.3-fips-reqs.patch b/libgcrypt-1.7.3-fips-reqs.patch
deleted file mode 100644
index ef7f765..0000000
--- a/libgcrypt-1.7.3-fips-reqs.patch
+++ /dev/null
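Review bot: In the `(n+7)/8 == len + 1` branch the leading byte is discarded without being inspected, so an Ed25519 secret that is one byte too long with a non-zero first byte is accepted as a different key rather than rejected. The comment promises removal of a zero prefix only; tighten the test to `else if ((n+7)/8 == len + 1 && buf[0] == 0)` so that anything else reaches the existing `xfree (value); return GPG_ERR_INV_OBJ;` path. How `buf` and `n` are filled in is not shown (the assignment falls between the two hunks), so whether a non-zero prefix can actually reach this point should be confirmed there. The function body continues past the hunk.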
@@ -1,35 +0,0 @@
-diff -up libgcrypt-1.7.3/src/visibility.c.fips-reqs libgcrypt-1.7.3/src/visibility.c
---- libgcrypt-1.7.3/src/visibility.c.fips-reqs 2016-03-23 12:59:34.000000000 +0100
-+++ libgcrypt-1.7.3/src/visibility.c 2016-11-22 16:29:36.992042480 +0100
-@@ -1288,6 +1288,8 @@ gcry_kdf_derive (const void *passphrase,
- unsigned long iterations,
- size_t keysize, void *keybuffer)
- {
-+ if (!fips_is_operational ())
-+ return gpg_error (fips_not_operational ());
- return gpg_error (_gcry_kdf_derive (passphrase, passphraselen, algo, hashalgo,
- salt, saltlen, iterations,
- keysize, keybuffer));
-@@ -1343,6 +1345,13 @@ void
- gcry_mpi_randomize (gcry_mpi_t w,
- unsigned int nbits, enum gcry_random_level level)
- {
-+ if (!fips_is_operational ())
-+ {
-+ (void)fips_not_operational ();
-+ fips_signal_fatal_error ("called in non-operational state");
-+ fips_noreturn ();
-+ }
-+
- _gcry_mpi_randomize (w, nbits, level);
- }
-
-@@ -1368,6 +1377,8 @@ gcry_prime_generate (gcry_mpi_t *prime,
- gcry_random_level_t random_level,
- unsigned int flags)
- {
-+ if (!fips_is_operational ())
-+ return gpg_error (fips_not_operational ());
- return gpg_error (_gcry_prime_generate (prime, prime_bits, factor_bits,
- factors, cb_func, cb_arg,
- random_level, flags));
diff --git a/libgcrypt-1.8.4-fips-keygen.patch b/libgcrypt-1.8.4-fips-keygen.patch
index 9d3a647..a3e241f 100644
--- a/libgcrypt-1.8.4-fips-keygen.patch
+++ b/libgcrypt-1.8.4-fips-keygen.patch
@@ -1,16 +1,15 @@
 diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c
 --- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100
 +++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100
-@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
+@@ -457,13 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
 &prime_q, &prime_p,
 r_counter,
 r_seed, r_seedlen);
 - else
-- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
 + else if (!domain->p || !domain->q)
-+ ec = _gcry_generate_fips186_3_prime (nbits, qbits,
-+ initial_seed.seed,
-+ initial_seed.seedlen,
+ ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+ initial_seed.seed,
+ initial_seed.seedlen,
 &prime_q, &prime_p,
 r_counter,
 r_seed, r_seedlen, NULL);
diff --git a/libgcrypt-1.8.4-tests-fipsmode.patch b/libgcrypt-1.8.4-tests-fipsmode.patch
index d6e29d1..a415d18 100644
--- a/libgcrypt-1.8.4-tests-fipsmode.patch
+++ b/libgcrypt-1.8.4-tests-fipsmode.patch
@@ -142,7 +142,7 @@ diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pub
 " (use-fips186)"
 " (transient-key)"
 " (derive-parms"
-- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))",
+- " (seed #f770a4598ff756931fc529764513b103ce57d85f4ad8c5cf297c9b4d48241c5b#))))",
 + " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))",
 0, 1);
 if (rc)
diff --git a/libgcrypt-1.8.4-use-poll.patch b/libgcrypt-1.8.4-use-poll.patch
index d55b6a3..01dcf82 100644
--- a/libgcrypt-1.8.4-use-poll.patch
+++ b/libgcrypt-1.8.4-use-poll.patch
@@ -6,9 +6,9 @@ diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndli
 #include
 #include
 +#include
- #if defined(__linux__) || !defined(HAVE_GETENTROPY)
- #ifdef HAVE_SYSCALL
- # include
+ #if defined(__APPLE__) && defined(__MACH__)
+ extern int getentropy (void *buf, size_t buflen) __attribute__ ((weak_import));
+ #define HAVE_GETENTROPY
 @@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add
 return with something we will actually use 100ms. */
 while (length)
diff --git a/libgcrypt-1.9.0-kdf-missing-terminator.patch b/libgcrypt-1.9.0-kdf-missing-terminator.patch
deleted file mode 100644
index 1d60f3f..0000000
--- a/libgcrypt-1.9.0-kdf-missing-terminator.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Jussi Kivilinna
-Date: Tue, 19 Jan 2021 18:04:30 +0000 (+0200)
-Subject: kdf: add missing null-terminator for self-test test-vector array
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=c6425a5537294dfe2beaafc9105f7af4ceac677f
-
-kdf: add missing null-terminator for self-test test-vector array
-
-* cipher/kdf.c (selftest_pbkdf2): Add null-terminator to TV array.
---
-
-This was causing kdf self-test to fail on s390x builds.
-
-GnuPG-bug-id: 5254
-Signed-off-by: Jussi Kivilinna
----
-
-diff --git a/cipher/kdf.c b/cipher/kdf.c
-index 3d707bd0..b916a3f8 100644
---- a/cipher/kdf.c
-+++ b/cipher/kdf.c
-@@ -452,7 +452,8 @@ selftest_pbkdf2 (int extended, selftest_report_func_t report)
- "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e\x84\xcf"
- "\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f\xb8\xdd\x53\xe1"
- "\xc6\x35\x51\x8c\x7d\xac\x47\xe9"
-- }
-+ },
-+ { NULL }
- };
- const char *what;
- const char *errtxt;
-
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 3cc62db..971a4b1 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,5 +1,5 @@
 Name: libgcrypt
-Version: 1.9.0
+Version: 1.9.1
 Release: 1%{?dist}
 URL: https://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
@@ -36,8 +36,6 @@ Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch
 Patch14: libgcrypt-1.7.3-ecc-test-fix.patch
 # Run the FIPS mode initialization in the shared library constructor
 Patch18: libgcrypt-1.8.3-fips-ctor.patch
-# Block some operations if in FIPS non-operational state
-Patch22: libgcrypt-1.7.3-fips-reqs.patch
 # Do not try to open /dev/urandom if getrandom() works
 Patch24: libgcrypt-1.8.5-getrandom.patch
 # Continuous FIPS entropy test
@@ -46,8 +44,6 @@ Patch26: libgcrypt-1.8.3-fips-enttest.patch
 Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
 # FIPS module is redefined a little bit (implicit by kernel FIPS mode)
 Patch30: libgcrypt-1.8.5-fips-module.patch
-# Missing terminator in the kdf vectors causing s390x builds failing
-Patch31: libgcrypt-1.9.0-kdf-missing-terminator.patch
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -92,12 +88,10 @@ applications using libgcrypt.
 %patch13 -p1 -b .gccopt
 %patch14 -p1 -b .eccfix
 %patch18 -p1 -b .fips-ctor
-%patch22 -p1 -b .fips-reqs
 %patch24 -p1 -b .getrandom
 %patch26 -p1 -b .fips-enttest
 %patch27 -p1 -b .fips-enforce
 %patch30 -p1 -b .fips-module
-%patch31 -p1 -b .kdf-terminator
 cp %{SOURCE4} cipher/
 cp %{SOURCE5} %{SOURCE6} tests/
@@ -207,6 +201,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
 %license COPYING
 %changelog
+* Fri Jan 29 2021 Jakub Jelen - 1.9.1-1
+- New upstream release (#1922156, #1922097)
+
 * Wed Jan 20 2021 Jakub Jelen - 1.9.0-1
 - New upstream release (#1917878)
diff --git a/sources b/sources
index 69b2536..3fb2e74 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libgcrypt-1.9.0-hobbled.tar.xz) = d4ea9a1b732b05f605f0c99dd2b1e9747539bf2b6a8ff2fad7ab5350888f68b7f0b94bdd9253356ec9c8e6d3b87b5c76bc8dc4fbb3950acd8354b691f1f2ad3e
+SHA512 (libgcrypt-1.9.1-hobbled.tar.xz) = 87c474c7b5054d7d6c75ca0d2458b2be197d7b8131b1e0a2017f391287a9e7bca666a9ac743c24210df869839518294c0091858245c96d10c5856f2473f35943