import nettle-3.8-3.el9_0
This commit is contained in:
parent
ae60fd978b
commit
2ab53e94f0
3
.gitignore
vendored
3
.gitignore
vendored
@ -1 +1,2 @@
|
|||||||
SOURCES/nettle-3.7.3-hobbled.tar.xz
|
SOURCES/gmp-6.2.1.tar.xz
|
||||||
|
SOURCES/nettle-3.8-hobbled.tar.xz
|
||||||
|
@ -1 +1,2 @@
|
|||||||
128dc3ced096462fef4233404b542ed6dfe40b87 SOURCES/nettle-3.7.3-hobbled.tar.xz
|
0578d48607ec0e272177d175fd1807c30b00fdf2 SOURCES/gmp-6.2.1.tar.xz
|
||||||
|
c809f048a71b322453c18e30986a18e600306d77 SOURCES/nettle-3.8-hobbled.tar.xz
|
||||||
|
3515
SOURCES/gmp-6.2.1-intel-cet.patch
Normal file
3515
SOURCES/gmp-6.2.1-intel-cet.patch
Normal file
File diff suppressed because it is too large
Load Diff
53
SOURCES/gmp-6.2.1-zeroize-allocator.patch
Normal file
53
SOURCES/gmp-6.2.1-zeroize-allocator.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
diff -r e3123b88d012 memory.c
|
||||||
|
--- a/memory.c Tue Aug 16 22:02:45 2022 +0200
|
||||||
|
+++ b/memory.c Fri Aug 19 06:25:37 2022 +0900
|
||||||
|
@@ -29,7 +29,8 @@
|
||||||
|
see https://www.gnu.org/licenses/. */
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
-#include <stdlib.h> /* for malloc, realloc, free */
|
||||||
|
+#include <stdlib.h> /* for malloc, free */
|
||||||
|
+#include <string.h> /* for memcpy, explicit_bzero */
|
||||||
|
|
||||||
|
#include "gmp-impl.h"
|
||||||
|
|
||||||
|
@@ -98,11 +99,28 @@
|
||||||
|
new_size += 2 * GMP_LIMB_BYTES;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- ret = realloc (oldptr, new_size);
|
||||||
|
- if (ret == 0)
|
||||||
|
+ if (new_size == 0)
|
||||||
|
+ {
|
||||||
|
+ explicit_bzero (oldptr, old_size);
|
||||||
|
+ free (oldptr);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+ else if (old_size == new_size)
|
||||||
|
+ return oldptr;
|
||||||
|
+ else
|
||||||
|
{
|
||||||
|
- fprintf (stderr, "GNU MP: Cannot reallocate memory (old_size=%lu new_size=%lu)\n", (long) old_size, (long) new_size);
|
||||||
|
- abort ();
|
||||||
|
+ /* We can't simply call realloc, as it may allocate memory from
|
||||||
|
+ a different arena. */
|
||||||
|
+ ret = malloc (new_size);
|
||||||
|
+ if (ret == NULL)
|
||||||
|
+ {
|
||||||
|
+ fprintf (stderr, "GNU MP: Cannot reallocate memory (old_size=%lu new_size=%lu)\n", (long) old_size, (long) new_size);
|
||||||
|
+ explicit_bzero(oldptr, old_size);
|
||||||
|
+ abort();
|
||||||
|
+ }
|
||||||
|
+ memcpy (ret, oldptr, MIN(old_size, new_size));
|
||||||
|
+ explicit_bzero (oldptr, old_size);
|
||||||
|
+ free (oldptr);
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef DEBUG
|
||||||
|
@@ -141,5 +159,6 @@
|
||||||
|
blk_ptr = p - 1;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
+ explicit_bzero (blk_ptr, blk_size);
|
||||||
|
free (blk_ptr);
|
||||||
|
}
|
@ -1,40 +0,0 @@
|
|||||||
From 952c2d890902782ee90b6ed273f1d8b4e95dbff1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <dueno@redhat.com>
|
|
||||||
Date: Sun, 21 Mar 2021 11:13:36 +0100
|
|
||||||
Subject: [PATCH] nettle-benchmark: suppress -Wmaybe-uninitialized warnings
|
|
||||||
|
|
||||||
---
|
|
||||||
examples/nettle-benchmark.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c
|
|
||||||
index ca6346e0..518b947d 100644
|
|
||||||
--- a/examples/nettle-benchmark.c
|
|
||||||
+++ b/examples/nettle-benchmark.c
|
|
||||||
@@ -392,6 +392,7 @@ time_umac(void)
|
|
||||||
|
|
||||||
uint8_t key[16];
|
|
||||||
|
|
||||||
+ init_key(sizeof(key), key);
|
|
||||||
umac32_set_key (&ctx32, key);
|
|
||||||
info.ctx = &ctx32;
|
|
||||||
info.update = (nettle_hash_update_func *) umac32_update;
|
|
||||||
@@ -434,6 +435,7 @@ time_cmac(void)
|
|
||||||
|
|
||||||
uint8_t key[16];
|
|
||||||
|
|
||||||
+ init_key(sizeof(key), key);
|
|
||||||
cmac_aes128_set_key (&ctx, key);
|
|
||||||
info.ctx = &ctx;
|
|
||||||
info.update = (nettle_hash_update_func *) cmac_aes128_update;
|
|
||||||
@@ -451,6 +453,7 @@ time_poly1305_aes(void)
|
|
||||||
struct poly1305_aes_ctx ctx;
|
|
||||||
uint8_t key[32];
|
|
||||||
|
|
||||||
+ init_key(sizeof(key), key);
|
|
||||||
poly1305_aes_set_key (&ctx, key);
|
|
||||||
info.ctx = &ctx;
|
|
||||||
info.update = (nettle_hash_update_func *) poly1305_aes_update;
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
334
SOURCES/nettle-3.8-zeroize-stack.patch
Normal file
334
SOURCES/nettle-3.8-zeroize-stack.patch
Normal file
@ -0,0 +1,334 @@
|
|||||||
|
From 894b22e6d851512776bd62e85e749d6950ce16fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <dueno@redhat.com>
|
||||||
|
Date: Wed, 24 Aug 2022 17:19:57 +0900
|
||||||
|
Subject: [PATCH] Clear any intermediate data allocate on stack
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||||
|
---
|
||||||
|
cbc.c | 3 +++
|
||||||
|
cfb.c | 13 +++++++++++++
|
||||||
|
ctr.c | 4 ++++
|
||||||
|
ctr16.c | 2 ++
|
||||||
|
ecc-random.c | 3 +++
|
||||||
|
ecdsa-keygen.c | 2 ++
|
||||||
|
ecdsa-sign.c | 2 ++
|
||||||
|
ed25519-sha512-sign.c | 2 ++
|
||||||
|
ed448-shake256-sign.c | 2 ++
|
||||||
|
gostdsa-sign.c | 2 ++
|
||||||
|
hmac.c | 10 +++++++---
|
||||||
|
nettle-internal.h | 5 +++++
|
||||||
|
pbkdf2.c | 5 ++++-
|
||||||
|
pss-mgf1.c | 5 ++++-
|
||||||
|
pss.c | 4 ++++
|
||||||
|
15 files changed, 59 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/cbc.c b/cbc.c
|
||||||
|
index 76b6492d..b9da3aa0 100644
|
||||||
|
--- a/cbc.c
|
||||||
|
+++ b/cbc.c
|
||||||
|
@@ -128,6 +128,9 @@ cbc_decrypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
length - block_size);
|
||||||
|
/* Writes first block. */
|
||||||
|
memxor3(dst, buffer, initial_iv, block_size);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, buffer_size);
|
||||||
|
+ TMP_CLEAR(initial_iv, block_size);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/cfb.c b/cfb.c
|
||||||
|
index b9da3159..b1b01b9e 100644
|
||||||
|
--- a/cfb.c
|
||||||
|
+++ b/cfb.c
|
||||||
|
@@ -83,6 +83,8 @@ cfb_encrypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
/* We do not care about updating IV here. This is the last call in
|
||||||
|
* message sequence and one has to set IV afterwards anyway */
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, block_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Don't allocate any more space than this on the stack */
|
||||||
|
@@ -115,6 +117,8 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
|
||||||
|
f(ctx, block_size, buffer, iv);
|
||||||
|
memxor3(dst + length, src + length, buffer, left);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, block_size);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -160,6 +164,9 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
f(ctx, block_size, buffer, iv);
|
||||||
|
memxor(dst, buffer, left);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, buffer_size);
|
||||||
|
+ TMP_CLEAR(initial_iv, block_size);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -196,6 +203,9 @@ cfb8_encrypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
pos ++;
|
||||||
|
}
|
||||||
|
memcpy(iv, buffer + pos, block_size);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, block_size * 2);
|
||||||
|
+ TMP_CLEAR(outbuf, block_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -235,4 +245,7 @@ cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
}
|
||||||
|
|
||||||
|
memcpy(iv, buffer + i, block_size);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, block_size * 2);
|
||||||
|
+ TMP_CLEAR(outbuf, block_size * 2);
|
||||||
|
}
|
||||||
|
diff --git a/ctr.c b/ctr.c
|
||||||
|
index 8c6b4626..217d1abb 100644
|
||||||
|
--- a/ctr.c
|
||||||
|
+++ b/ctr.c
|
||||||
|
@@ -137,6 +137,8 @@ ctr_crypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
f(ctx, block_size, block, ctr);
|
||||||
|
INCREMENT(block_size, ctr);
|
||||||
|
memxor3(dst + filled, src + filled, block, length - filled);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(block, block_size);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -173,5 +175,7 @@ ctr_crypt(const void *ctx, nettle_cipher_func *f,
|
||||||
|
INCREMENT(block_size, ctr);
|
||||||
|
memxor(dst, buffer, length);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, buffer_size);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/ctr16.c b/ctr16.c
|
||||||
|
index d744d2a9..ec0abd72 100644
|
||||||
|
--- a/ctr16.c
|
||||||
|
+++ b/ctr16.c
|
||||||
|
@@ -102,5 +102,7 @@ _nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f,
|
||||||
|
done:
|
||||||
|
memxor3 (dst + i, src + i, buffer->b, length - i);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(buffer, MIN(blocks, CTR_BUFFER_LIMIT / 16));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/ecc-random.c b/ecc-random.c
|
||||||
|
index a7b48d6a..676f5933 100644
|
||||||
|
--- a/ecc-random.c
|
||||||
|
+++ b/ecc-random.c
|
||||||
|
@@ -36,6 +36,7 @@
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include <assert.h>
|
||||||
|
+#include <string.h>
|
||||||
|
|
||||||
|
#include "ecc.h"
|
||||||
|
#include "ecc-internal.h"
|
||||||
|
@@ -79,4 +80,6 @@ ecc_scalar_random (struct ecc_scalar *x,
|
||||||
|
TMP_ALLOC (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size));
|
||||||
|
|
||||||
|
ecc_mod_random (&x->ecc->q, x->p, random_ctx, random, scratch);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size));
|
||||||
|
}
|
||||||
|
diff --git a/ecdsa-keygen.c b/ecdsa-keygen.c
|
||||||
|
index 870282b0..05dd827a 100644
|
||||||
|
--- a/ecdsa-keygen.c
|
||||||
|
+++ b/ecdsa-keygen.c
|
||||||
|
@@ -59,4 +59,6 @@ ecdsa_generate_keypair (struct ecc_point *pub,
|
||||||
|
ecc_mod_random (&ecc->q, key->p, random_ctx, random, p);
|
||||||
|
ecc->mul_g (ecc, p, key->p, p + 3*ecc->p.size);
|
||||||
|
ecc->h_to_a (ecc, 0, pub->p, p, p + 3*ecc->p.size);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR (p, itch);
|
||||||
|
}
|
||||||
|
diff --git a/ecdsa-sign.c b/ecdsa-sign.c
|
||||||
|
index e6fb3287..e6b960bf 100644
|
||||||
|
--- a/ecdsa-sign.c
|
||||||
|
+++ b/ecdsa-sign.c
|
||||||
|
@@ -68,4 +68,6 @@ ecdsa_sign (const struct ecc_scalar *key,
|
||||||
|
mpz_limbs_finish (signature->s, size);
|
||||||
|
}
|
||||||
|
while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR (k, size + ECC_ECDSA_SIGN_ITCH (size));
|
||||||
|
}
|
||||||
|
diff --git a/ed25519-sha512-sign.c b/ed25519-sha512-sign.c
|
||||||
|
index 389a157e..52a46ea5 100644
|
||||||
|
--- a/ed25519-sha512-sign.c
|
||||||
|
+++ b/ed25519-sha512-sign.c
|
||||||
|
@@ -38,6 +38,7 @@
|
||||||
|
|
||||||
|
#include "ecc-internal.h"
|
||||||
|
#include "sha2.h"
|
||||||
|
+#include <string.h>
|
||||||
|
|
||||||
|
void
|
||||||
|
ed25519_sha512_sign (const uint8_t *pub,
|
||||||
|
@@ -61,6 +62,7 @@ ed25519_sha512_sign (const uint8_t *pub,
|
||||||
|
length, msg, signature, scratch_out);
|
||||||
|
|
||||||
|
gmp_free_limbs (scratch, itch);
|
||||||
|
+ explicit_bzero (digest, sizeof(digest));
|
||||||
|
#undef k1
|
||||||
|
#undef k2
|
||||||
|
#undef scratch_out
|
||||||
|
diff --git a/ed448-shake256-sign.c b/ed448-shake256-sign.c
|
||||||
|
index c524593d..01abf457 100644
|
||||||
|
--- a/ed448-shake256-sign.c
|
||||||
|
+++ b/ed448-shake256-sign.c
|
||||||
|
@@ -39,6 +39,7 @@
|
||||||
|
#include "ecc-internal.h"
|
||||||
|
#include "eddsa-internal.h"
|
||||||
|
#include "sha3.h"
|
||||||
|
+#include <string.h>
|
||||||
|
|
||||||
|
void
|
||||||
|
ed448_shake256_sign (const uint8_t *pub,
|
||||||
|
@@ -63,6 +64,7 @@ ed448_shake256_sign (const uint8_t *pub,
|
||||||
|
length, msg, signature, scratch_out);
|
||||||
|
|
||||||
|
gmp_free_limbs (scratch, itch);
|
||||||
|
+ explicit_bzero (digest, sizeof(digest));
|
||||||
|
#undef k1
|
||||||
|
#undef k2
|
||||||
|
#undef scratch_out
|
||||||
|
diff --git a/gostdsa-sign.c b/gostdsa-sign.c
|
||||||
|
index 892c0742..a7e0c21d 100644
|
||||||
|
--- a/gostdsa-sign.c
|
||||||
|
+++ b/gostdsa-sign.c
|
||||||
|
@@ -71,4 +71,6 @@ gostdsa_sign (const struct ecc_scalar *key,
|
||||||
|
mpz_limbs_finish (signature->s, size);
|
||||||
|
}
|
||||||
|
while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR (k, size + ECC_GOSTDSA_SIGN_ITCH (size));
|
||||||
|
}
|
||||||
|
diff --git a/hmac.c b/hmac.c
|
||||||
|
index 6ac5e11a..0ac33bed 100644
|
||||||
|
--- a/hmac.c
|
||||||
|
+++ b/hmac.c
|
||||||
|
@@ -55,6 +55,8 @@ hmac_set_key(void *outer, void *inner, void *state,
|
||||||
|
{
|
||||||
|
TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE);
|
||||||
|
TMP_ALLOC(pad, hash->block_size);
|
||||||
|
+ TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
|
||||||
|
+ TMP_ALLOC(digest, hash->digest_size);
|
||||||
|
|
||||||
|
hash->init(outer);
|
||||||
|
hash->init(inner);
|
||||||
|
@@ -64,9 +66,6 @@ hmac_set_key(void *outer, void *inner, void *state,
|
||||||
|
/* Reduce key to the algorithm's hash size. Use the area pointed
|
||||||
|
* to by state for the temporary state. */
|
||||||
|
|
||||||
|
- TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
|
||||||
|
- TMP_ALLOC(digest, hash->digest_size);
|
||||||
|
-
|
||||||
|
hash->init(state);
|
||||||
|
hash->update(state, key_length, key);
|
||||||
|
hash->digest(state, hash->digest_size, digest);
|
||||||
|
@@ -88,6 +87,9 @@ hmac_set_key(void *outer, void *inner, void *state,
|
||||||
|
hash->update(inner, hash->block_size, pad);
|
||||||
|
|
||||||
|
memcpy(state, inner, hash->context_size);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(pad, hash->block_size);
|
||||||
|
+ TMP_CLEAR(digest, hash->digest_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -114,4 +116,6 @@ hmac_digest(const void *outer, const void *inner, void *state,
|
||||||
|
hash->digest(state, length, dst);
|
||||||
|
|
||||||
|
memcpy(state, inner, hash->context_size);
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(digest, hash->digest_size);
|
||||||
|
}
|
||||||
|
diff --git a/nettle-internal.h b/nettle-internal.h
|
||||||
|
index ddc483de..9fc55514 100644
|
||||||
|
--- a/nettle-internal.h
|
||||||
|
+++ b/nettle-internal.h
|
||||||
|
@@ -72,6 +72,11 @@
|
||||||
|
do { assert((size_t)(size) <= (sizeof(name))); } while (0)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#include <string.h> /* explicit_bzero */
|
||||||
|
+
|
||||||
|
+#define TMP_CLEAR(name, size) (explicit_bzero (name, sizeof (*name) * (size)))
|
||||||
|
+#define TMP_CLEAR_ALIGN(name, size) (explicit_bzero (name, size))
|
||||||
|
+
|
||||||
|
/* Arbitrary limits which apply to systems that don't have alloca */
|
||||||
|
#define NETTLE_MAX_HASH_BLOCK_SIZE 128
|
||||||
|
#define NETTLE_MAX_HASH_DIGEST_SIZE 64
|
||||||
|
diff --git a/pbkdf2.c b/pbkdf2.c
|
||||||
|
index 291d138a..a8ecba5b 100644
|
||||||
|
--- a/pbkdf2.c
|
||||||
|
+++ b/pbkdf2.c
|
||||||
|
@@ -92,8 +92,11 @@ pbkdf2 (void *mac_ctx,
|
||||||
|
if (length <= digest_size)
|
||||||
|
{
|
||||||
|
memcpy (dst, T, length);
|
||||||
|
- return;
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
memcpy (dst, T, digest_size);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR (U, digest_size);
|
||||||
|
+ TMP_CLEAR (T, digest_size);
|
||||||
|
}
|
||||||
|
diff --git a/pss-mgf1.c b/pss-mgf1.c
|
||||||
|
index 3f5e204b..3644c642 100644
|
||||||
|
--- a/pss-mgf1.c
|
||||||
|
+++ b/pss-mgf1.c
|
||||||
|
@@ -66,8 +66,11 @@ pss_mgf1(const void *seed, const struct nettle_hash *hash,
|
||||||
|
if (length <= hash->digest_size)
|
||||||
|
{
|
||||||
|
hash->digest(state, length, mask);
|
||||||
|
- return;
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
hash->digest(state, hash->digest_size, mask);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ TMP_CLEAR(h, hash->digest_size);
|
||||||
|
+ TMP_CLEAR_ALIGN(state, hash->context_size);
|
||||||
|
}
|
||||||
|
diff --git a/pss.c b/pss.c
|
||||||
|
index d28e7b13..8106ebf2 100644
|
||||||
|
--- a/pss.c
|
||||||
|
+++ b/pss.c
|
||||||
|
@@ -77,6 +77,7 @@ pss_encode_mgf1(mpz_t m, size_t bits,
|
||||||
|
if (key_size < hash->digest_size + salt_length + 2)
|
||||||
|
{
|
||||||
|
TMP_GMP_FREE(em);
|
||||||
|
+ TMP_CLEAR_ALIGN(state, hash->context_size);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -111,6 +112,7 @@ pss_encode_mgf1(mpz_t m, size_t bits,
|
||||||
|
|
||||||
|
nettle_mpz_set_str_256_u(m, key_size, em);
|
||||||
|
TMP_GMP_FREE(em);
|
||||||
|
+ TMP_CLEAR_ALIGN(state, hash->context_size);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -194,5 +196,7 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
|
||||||
|
ret = 1;
|
||||||
|
cleanup:
|
||||||
|
TMP_GMP_FREE(em);
|
||||||
|
+ TMP_CLEAR(h2, hash->digest_size);
|
||||||
|
+ TMP_CLEAR_ALIGN(state, hash->context_size);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.37.2
|
||||||
|
|
@ -14,24 +14,32 @@
|
|||||||
%bcond_without fips
|
%bcond_without fips
|
||||||
|
|
||||||
Name: nettle
|
Name: nettle
|
||||||
Version: 3.7.3
|
Version: 3.8
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: A low-level cryptographic library
|
Summary: A low-level cryptographic library
|
||||||
|
|
||||||
License: LGPLv3+ or GPLv2+
|
License: LGPLv3+ or GPLv2+
|
||||||
URL: http://www.lysator.liu.se/~nisse/nettle/
|
URL: http://www.lysator.liu.se/~nisse/nettle/
|
||||||
Source0: %{name}-%{version}-hobbled.tar.xz
|
Source0: %{name}-%{version}-hobbled.tar.xz
|
||||||
#Source0: http://www.lysator.liu.se/~nisse/archive/%{name}-%{version}.tar.gz
|
#Source0: http://www.lysator.liu.se/~nisse/archive/%%{name}-%%{version}.tar.gz
|
||||||
%if 0%{?bootstrap}
|
%if 0%{?bootstrap}
|
||||||
Source1: %{name}-%{version_old}-hobbled.tar.xz
|
Source1: %{name}-%{version_old}-hobbled.tar.xz
|
||||||
Source2: nettle-3.5-remove-ecc-testsuite.patch
|
Source2: nettle-3.5-remove-ecc-testsuite.patch
|
||||||
%endif
|
%endif
|
||||||
Patch0: nettle-3.4-annocheck.patch
|
Patch: nettle-3.4-annocheck.patch
|
||||||
Patch1: nettle-3.7.2-suppress-maybe-uninit.patch
|
Patch: nettle-3.8-zeroize-stack.patch
|
||||||
|
|
||||||
|
Source100: gmp-6.2.1.tar.xz
|
||||||
|
# Taken from the main gmp package
|
||||||
|
Source101: gmp-6.2.1-intel-cet.patch
|
||||||
|
Source102: gmp-6.2.1-zeroize-allocator.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gmp-devel, m4
|
%if !%{with fips}
|
||||||
|
BuildRequires: gmp-devel
|
||||||
|
%endif
|
||||||
|
BuildRequires: m4
|
||||||
BuildRequires: libtool, automake, autoconf, gettext-devel
|
BuildRequires: libtool, automake, autoconf, gettext-devel
|
||||||
%if %{with fips}
|
%if %{with fips}
|
||||||
BuildRequires: fipscheck
|
BuildRequires: fipscheck
|
||||||
@ -59,6 +67,18 @@ applications with nettle.
|
|||||||
%prep
|
%prep
|
||||||
%autosetup -Tb 0 -p1
|
%autosetup -Tb 0 -p1
|
||||||
|
|
||||||
|
%if %{with fips}
|
||||||
|
mkdir -p bundled_gmp
|
||||||
|
pushd bundled_gmp
|
||||||
|
tar --strip-components=1 -xf %{SOURCE100}
|
||||||
|
patch -p1 < %{SOURCE101}
|
||||||
|
patch -p1 < %{SOURCE102}
|
||||||
|
popd
|
||||||
|
|
||||||
|
# Prevent -lgmp appearing in the compiler command line in dependent components
|
||||||
|
sed -i '/^Libs.private:/d' hogweed.pc.in
|
||||||
|
%endif
|
||||||
|
|
||||||
%if 0%{?bootstrap}
|
%if 0%{?bootstrap}
|
||||||
mkdir -p bootstrap_ver
|
mkdir -p bootstrap_ver
|
||||||
pushd bootstrap_ver
|
pushd bootstrap_ver
|
||||||
@ -78,8 +98,22 @@ sed 's/ecc-secp192r1.c//g' -i Makefile.in
|
|||||||
sed 's/ecc-secp224r1.c//g' -i Makefile.in
|
sed 's/ecc-secp224r1.c//g' -i Makefile.in
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
%if %{with fips}
|
||||||
|
pushd bundled_gmp
|
||||||
autoreconf -ifv
|
autoreconf -ifv
|
||||||
%configure --enable-shared --enable-fat
|
%configure --disable-cxx --disable-shared --enable-fat --with-pic
|
||||||
|
%make_build
|
||||||
|
popd
|
||||||
|
%endif
|
||||||
|
|
||||||
|
autoreconf -ifv
|
||||||
|
|
||||||
|
%configure --enable-shared --enable-fat \
|
||||||
|
%if %{with fips}
|
||||||
|
--with-include-path=$PWD/bundled_gmp --with-lib-path=$PWD/bundled_gmp/.libs \
|
||||||
|
%endif
|
||||||
|
%{nil}
|
||||||
|
|
||||||
%make_build
|
%make_build
|
||||||
|
|
||||||
%if 0%{?bootstrap}
|
%if 0%{?bootstrap}
|
||||||
@ -171,6 +205,16 @@ make check
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 25 2022 Daiki Ueno <dueno@redhat.com> - 3.8-3
|
||||||
|
- Rebuild in new side-tag
|
||||||
|
|
||||||
|
* Thu Aug 18 2022 Daiki Ueno <dueno@redhat.com> - 3.8-2
|
||||||
|
- Bundle GMP to privatize memory functions
|
||||||
|
- Zeroize stack allocated intermediate data
|
||||||
|
|
||||||
|
* Tue Jun 28 2022 Daiki Ueno <dueno@redhat.com> - 3.8-1
|
||||||
|
- Update to nettle 3.8 (#2100350)
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.3-2
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.3-2
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
Related: rhbz#1991688
|
Related: rhbz#1991688
|
||||||
|
Loading…
Reference in New Issue
Block a user