Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libgcrypt.git#93ba00ab6ffe91bb52a03bc4a9ddfdf6756afacf
This commit is contained in:
DistroBaker 2021-01-29 13:37:36 +00:00
parent 570c9025e0
commit e8971f3db3
9 changed files with 37 additions and 88 deletions

1
.gitignore vendored
View File

@ -24,3 +24,4 @@ libgcrypt-1.4.5-hobbled.tar.bz2
/libgcrypt-1.8.6-hobbled.tar.xz /libgcrypt-1.8.6-hobbled.tar.xz
/libgcrypt-1.8.7-hobbled.tar.xz /libgcrypt-1.8.7-hobbled.tar.xz
/libgcrypt-1.9.0-hobbled.tar.xz /libgcrypt-1.9.0-hobbled.tar.xz
/libgcrypt-1.9.1-hobbled.tar.xz

View File

@ -1064,13 +1064,18 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags,
if ((n+7)/8 != len) if ((n+7)/8 != len)
{ {
if ((n+7)/8 < len && ec->dialect == ECC_DIALECT_ED25519) if (ec->dialect == ECC_DIALECT_ED25519)
{ {
/* /*
* GnuPG (<= 2.2) or OpenPGP implementations with no * GnuPG (<= 2.2) or OpenPGP implementations with no
* SOS support may remove zeros at the beginning. * SOS support may remove zeros at the beginning.
* Recover those zeros. * Recover those zeros.
*/ */
/*
* Also, GnuPG (<= 2.2) may add additional zero at
* the beginning, when private key is moved from
* OpenPGP to gpg-agent. Remove such a zero-prefix.
*/
const unsigned char *buf; const unsigned char *buf;
unsigned char *value; unsigned char *value;
@ -1078,13 +1083,26 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags,
if (!buf) if (!buf)
return GPG_ERR_INV_OBJ; return GPG_ERR_INV_OBJ;
value = xtrycalloc_secure (1, len); value = xtrymalloc_secure (len);
if (!value) if (!value)
return gpg_err_code_from_syserror (); return gpg_err_code_from_syserror ();
if ((n+7)/8 < len)
/* Recover zeros. */
{
memset (value, 0, len - (n+7)/8); memset (value, 0, len - (n+7)/8);
memcpy (value + len - (n+7)/8, buf, (n+7)/8); memcpy (value + len - (n+7)/8, buf, (n+7)/8);
mpi_set_opaque (ec->d, value, len); }
else if ((n+7)/8 == len + 1)
/* Remove a zero. */
memcpy (value, buf+1, len);
else
{
xfree (value);
return GPG_ERR_INV_OBJ;
}
mpi_set_opaque (ec->d, value, len*8);
} }
else else
{ {

View File

@ -1,35 +0,0 @@
diff -up libgcrypt-1.7.3/src/visibility.c.fips-reqs libgcrypt-1.7.3/src/visibility.c
--- libgcrypt-1.7.3/src/visibility.c.fips-reqs 2016-03-23 12:59:34.000000000 +0100
+++ libgcrypt-1.7.3/src/visibility.c 2016-11-22 16:29:36.992042480 +0100
@@ -1288,6 +1288,8 @@ gcry_kdf_derive (const void *passphrase,
unsigned long iterations,
size_t keysize, void *keybuffer)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
return gpg_error (_gcry_kdf_derive (passphrase, passphraselen, algo, hashalgo,
salt, saltlen, iterations,
keysize, keybuffer));
@@ -1343,6 +1345,13 @@ void
gcry_mpi_randomize (gcry_mpi_t w,
unsigned int nbits, enum gcry_random_level level)
{
+ if (!fips_is_operational ())
+ {
+ (void)fips_not_operational ();
+ fips_signal_fatal_error ("called in non-operational state");
+ fips_noreturn ();
+ }
+
_gcry_mpi_randomize (w, nbits, level);
}
@@ -1368,6 +1377,8 @@ gcry_prime_generate (gcry_mpi_t *prime,
gcry_random_level_t random_level,
unsigned int flags)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
return gpg_error (_gcry_prime_generate (prime, prime_bits, factor_bits,
factors, cb_func, cb_arg,
random_level, flags));

View File

@ -1,16 +1,15 @@
diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c
--- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100 --- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100 +++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100
@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un @@ -457,13 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
&prime_q, &prime_p, &prime_q, &prime_p,
r_counter, r_counter,
r_seed, r_seedlen); r_seed, r_seedlen);
- else - else
- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
+ else if (!domain->p || !domain->q) + else if (!domain->p || !domain->q)
+ ec = _gcry_generate_fips186_3_prime (nbits, qbits, ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+ initial_seed.seed, initial_seed.seed,
+ initial_seed.seedlen, initial_seed.seedlen,
&prime_q, &prime_p, &prime_q, &prime_p,
r_counter, r_counter,
r_seed, r_seedlen, NULL); r_seed, r_seedlen, NULL);

View File

@ -142,7 +142,7 @@ diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pub
" (use-fips186)" " (use-fips186)"
" (transient-key)" " (transient-key)"
" (derive-parms" " (derive-parms"
- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))", - " (seed #f770a4598ff756931fc529764513b103ce57d85f4ad8c5cf297c9b4d48241c5b#))))",
+ " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))", + " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))",
0, 1); 0, 1);
if (rc) if (rc)

View File

@ -6,9 +6,9 @@ diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndli
#include <unistd.h> #include <unistd.h>
#include <fcntl.h> #include <fcntl.h>
+#include <poll.h> +#include <poll.h>
#if defined(__linux__) || !defined(HAVE_GETENTROPY) #if defined(__APPLE__) && defined(__MACH__)
#ifdef HAVE_SYSCALL extern int getentropy (void *buf, size_t buflen) __attribute__ ((weak_import));
# include <sys/syscall.h> #define HAVE_GETENTROPY
@@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add @@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add
return with something we will actually use 100ms. */ return with something we will actually use 100ms. */
while (length) while (length)

View File

@ -1,31 +0,0 @@
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Tue, 19 Jan 2021 18:04:30 +0000 (+0200)
Subject: kdf: add missing null-terminator for self-test test-vector array
X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=c6425a5537294dfe2beaafc9105f7af4ceac677f
kdf: add missing null-terminator for self-test test-vector array
* cipher/kdf.c (selftest_pbkdf2): Add null-terminator to TV array.
--
This was causing kdf self-test to fail on s390x builds.
GnuPG-bug-id: 5254
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 3d707bd0..b916a3f8 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -452,7 +452,8 @@ selftest_pbkdf2 (int extended, selftest_report_func_t report)
"\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e\x84\xcf"
"\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f\xb8\xdd\x53\xe1"
"\xc6\x35\x51\x8c\x7d\xac\x47\xe9"
- }
+ },
+ { NULL }
};
const char *what;
const char *errtxt;

View File

@ -1,5 +1,5 @@
Name: libgcrypt Name: libgcrypt
Version: 1.9.0 Version: 1.9.1
Release: 1%{?dist} Release: 1%{?dist}
URL: https://www.gnupg.org/ URL: https://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.xz Source0: libgcrypt-%{version}-hobbled.tar.xz
@ -36,8 +36,6 @@ Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch
Patch14: libgcrypt-1.7.3-ecc-test-fix.patch Patch14: libgcrypt-1.7.3-ecc-test-fix.patch
# Run the FIPS mode initialization in the shared library constructor # Run the FIPS mode initialization in the shared library constructor
Patch18: libgcrypt-1.8.3-fips-ctor.patch Patch18: libgcrypt-1.8.3-fips-ctor.patch
# Block some operations if in FIPS non-operational state
Patch22: libgcrypt-1.7.3-fips-reqs.patch
# Do not try to open /dev/urandom if getrandom() works # Do not try to open /dev/urandom if getrandom() works
Patch24: libgcrypt-1.8.5-getrandom.patch Patch24: libgcrypt-1.8.5-getrandom.patch
# Continuous FIPS entropy test # Continuous FIPS entropy test
@ -46,8 +44,6 @@ Patch26: libgcrypt-1.8.3-fips-enttest.patch
Patch27: libgcrypt-1.8.3-md-fips-enforce.patch Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
# FIPS module is redefined a little bit (implicit by kernel FIPS mode) # FIPS module is redefined a little bit (implicit by kernel FIPS mode)
Patch30: libgcrypt-1.8.5-fips-module.patch Patch30: libgcrypt-1.8.5-fips-module.patch
# Missing terminator in the kdf vectors causing s390x builds failing
Patch31: libgcrypt-1.9.0-kdf-missing-terminator.patch
%global gcrylibdir %{_libdir} %global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20 %global gcrysoname libgcrypt.so.20
@ -92,12 +88,10 @@ applications using libgcrypt.
%patch13 -p1 -b .gccopt %patch13 -p1 -b .gccopt
%patch14 -p1 -b .eccfix %patch14 -p1 -b .eccfix
%patch18 -p1 -b .fips-ctor %patch18 -p1 -b .fips-ctor
%patch22 -p1 -b .fips-reqs
%patch24 -p1 -b .getrandom %patch24 -p1 -b .getrandom
%patch26 -p1 -b .fips-enttest %patch26 -p1 -b .fips-enttest
%patch27 -p1 -b .fips-enforce %patch27 -p1 -b .fips-enforce
%patch30 -p1 -b .fips-module %patch30 -p1 -b .fips-module
%patch31 -p1 -b .kdf-terminator
cp %{SOURCE4} cipher/ cp %{SOURCE4} cipher/
cp %{SOURCE5} %{SOURCE6} tests/ cp %{SOURCE5} %{SOURCE6} tests/
@ -207,6 +201,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
%license COPYING %license COPYING
%changelog %changelog
* Fri Jan 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.1-1
- New upstream release (#1922156, #1922097)
* Wed Jan 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.0-1 * Wed Jan 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.0-1
- New upstream release (#1917878) - New upstream release (#1917878)

View File

@ -1 +1 @@
SHA512 (libgcrypt-1.9.0-hobbled.tar.xz) = d4ea9a1b732b05f605f0c99dd2b1e9747539bf2b6a8ff2fad7ab5350888f68b7f0b94bdd9253356ec9c8e6d3b87b5c76bc8dc4fbb3950acd8354b691f1f2ad3e SHA512 (libgcrypt-1.9.1-hobbled.tar.xz) = 87c474c7b5054d7d6c75ca0d2458b2be197d7b8131b1e0a2017f391287a9e7bca666a9ac743c24210df869839518294c0091858245c96d10c5856f2473f35943