rpms
/
libgcrypt
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import libgcrypt-1.10.0-7.el9_0

Browse Source
c9 imports/c9/libgcrypt-1.10.0-7.el9_0
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
commit 271df921f4
14 changed files with 5146 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/libgcrypt-1.10.0.tar.bz2

1
.libgcrypt.metadata
Unescape View File

@ -0,0 +1 @@
363feb8187f6c59b6b10721af6a94558db8ec3af SOURCES/libgcrypt-1.10.0.tar.bz2

51
SOURCES/libgcrypt-1.10.0-allow-short-salt.patch
Unescape View File

@ -0,0 +1,51 @@
From 58c92098d053aae7c78cc42bdd7c80c13efc89bb Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 24 Jun 2022 08:59:31 +0900
Subject: [PATCH] hmac,hkdf: Allow use of shorter salt for HKDF.
* cipher/md.c (prepare_macpads): Move the check to...
* src/visibility.c (gcry_mac_setkey): ... here.
* tests/t-kdf.c (check_hkdf): No failure is expected.
--
GnuPG-bug-id: 6039
Fixes-commit: 76aad97dd312e83f2f9b8d086553f2b72ab6546f
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/md.c | 3 ---
src/visibility.c | 3 +++
tests/t-kdf.c | 12 +-----------
3 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/cipher/md.c b/cipher/md.c
index 4f4fc9bf..34336b5c 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -903,9 +903,6 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen)
{
GcryDigestEntry *r;
- if (fips_mode () && keylen < 14)
- return GPG_ERR_INV_VALUE;
-
if (!a->ctx->list)
return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */
diff --git a/src/visibility.c b/src/visibility.c
index c98247d8..aee5bffb 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -946,6 +946,9 @@ gcry_mac_setkey (gcry_mac_hd_t hd, const void *key, size_t keylen)
if (!fips_is_operational ())
return gpg_error (fips_not_operational ());
+ if (fips_mode () && keylen < 14)
+ return GPG_ERR_INV_VALUE;
+
return gpg_error (_gcry_mac_setkey (hd, key, keylen));
}
--
2.37.1

70
SOURCES/libgcrypt-1.10.0-allow-small-RSA-verify.patch
Unescape View File

@ -0,0 +1,70 @@
From ca2afc9fb64d9a9b2f8930ba505d9ab6c8a57667 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 12 May 2022 10:56:47 +0200
Subject: [PATCH] cipher: Allow verification of small RSA signatures in FIPS
mode
* cipher/rsa.c (rsa_check_keysize): Formatting.
(rsa_check_verify_keysize): New function.
(rsa_verify): Allow using smaller keys for verification.
--
GnuPG-bug-id: 5975
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/rsa.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/cipher/rsa.c b/cipher/rsa.c
index c6319b67..9f2b36e8 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -352,13 +352,35 @@ generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
static gpg_err_code_t
rsa_check_keysize (unsigned int nbits)
{
- if (fips_mode() && nbits < 2048)
+ if (fips_mode () && nbits < 2048)
return GPG_ERR_INV_VALUE;
return GPG_ERR_NO_ERROR;
}
+/* Check the RSA key length is acceptable for signature verification
+ *
+ * FIPS allows signature verification with RSA keys of size
+ * 1024, 1280, 1536 and 1792 in legacy mode, but this is up to the
+ * calling application to decide if the signature is legacy and
+ * should be accepted.
+ */
+static gpg_err_code_t
+rsa_check_verify_keysize (unsigned int nbits)
+{
+ if (fips_mode ())
+ {
+ if ((nbits >= 1024 && (nbits % 256) == 0) || nbits >= 2048)
+ return GPG_ERR_NO_ERROR;
+
+ return GPG_ERR_INV_VALUE;
+ }
+
+ return GPG_ERR_NO_ERROR;
+}
+
+
/****************
* Generate a key pair with a key of size NBITS.
* USE_E = 0 let Libcgrypt decide what exponent to use.
@@ -1602,7 +1624,7 @@ rsa_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
gcry_mpi_t result = NULL;
unsigned int nbits = rsa_get_nbits (keyparms);
- rc = rsa_check_keysize (nbits);
+ rc = rsa_check_verify_keysize (nbits);
if (rc)
return rc;
--
2.37.1

239
SOURCES/libgcrypt-1.10.0-disable-brainpool.patch
Unescape View File

@ -0,0 +1,239 @@
From d651e25be0bc0c11f4d3d7c72be8cfbbe82b3874 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 10 Sep 2021 18:39:00 +0200
Subject: [PATCH] Allow building libgcrypt without Brainpool curves
* README: Document possibility to build without brainpool curves
* cipher/ecc-curves.c: Conditionalize brainpool curves definitions
* configure.ac: Implement possibility to build without brainpool curves
* tests/curves.c: Skip brainpool curves if they are not built-in
* tests/keygrip.c: Skip brainpool curves if they are not built-in
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
README | 3 +++
cipher/ecc-curves.c | 4 ++++
configure.ac | 13 +++++++++++++
tests/curves.c | 46 ++++++++++++++++++++++++++++++---------------
tests/keygrip.c | 2 ++
5 files changed, 53 insertions(+), 15 deletions(-)
diff --git a/README b/README
index 436b6cd4..1044109c 100644
--- a/README
+++ b/README
@@ -127,6 +127,9 @@
the list used with the current build the program
tests/version may be used.
+ --disable-brainpool
+ Do not build in support for Brainpool curves.
+
--disable-endian-check
Don't let configure test for the endianness but
try to use the OS provided macros at compile
diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
index 7c86e12c..8fd95a9c 100644
--- a/cipher/ecc-curves.c
+++ b/cipher/ecc-curves.c
@@ -77,6 +77,7 @@ static const struct
{ "NIST P-521", "1.3.132.0.35" },
{ "NIST P-521", "nistp521" }, /* rfc5656. */
+#ifdef ENABLE_BRAINPOOL
{ "brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1" },
{ "brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3" },
{ "brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5" },
@@ -84,6 +85,7 @@ static const struct
{ "brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9" },
{ "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"},
{ "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"},
+#endif /* ENABLE_BRAINPOOL */
{ "GOST2001-test", "1.2.643.2.2.35.0" },
{ "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" },
@@ -297,6 +299,7 @@ static const ecc_domain_parms_t domain_parms[] =
1
},
+#ifdef ENABLE_BRAINPOOL
{ "brainpoolP160r1", 160, 0,
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
"0xe95e4a5f737059dc60dfc7ad95b3d8139515620f",
@@ -391,6 +394,7 @@ static const ecc_domain_parms_t domain_parms[] =
"b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892",
1
},
+#endif /* ENABLE_BRAINPOOL */
{
"GOST2001-test", 256, 0,
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
diff --git a/configure.ac b/configure.ac
index 6efbf139..f4ac1887 100644
--- a/configure.ac
+++ b/configure.ac
@@ -614,6 +614,14 @@ AC_ARG_WITH(fips-module-version,
AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
[Define FIPS module version for certification])
+# Implementation of the --disable-brainpool switch.
+AC_MSG_CHECKING([whether we want to disable the use of brainpool curves])
+AC_ARG_ENABLE(brainpool,
+ AS_HELP_STRING([--disable-brainpool],
+ [Disable the brainpool curves]),
+ use_brainpool="$enableval",use_brainpool=yes)
+AC_MSG_RESULT($use_brainpool)
+
# Implementation of the --disable-jent-support switch.
AC_MSG_CHECKING([whether jitter entropy support is requested])
AC_ARG_ENABLE(jent-support,
@@ -2466,6 +2474,10 @@ if test x"$ppccryptosupport" = xyes ; then
AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1,
[Enable support for POWER 8 (PowerISA 2.07) crypto extension.])
fi
+if test x"$use_brainpool" = xyes ; then
+ AC_DEFINE(ENABLE_BRAINPOOL, 1,
+ [Enable support for the brainpool curves.])
+fi
if test x"$jentsupport" = xyes ; then
AC_DEFINE(ENABLE_JENT_SUPPORT, 1,
[Enable support for the jitter entropy collector.])
@@ -3296,6 +3308,7 @@ GCRY_MSG_WRAP([Enabled digest algorithms:],[$enabled_digests])
GCRY_MSG_WRAP([Enabled kdf algorithms: ],[$enabled_kdfs])
GCRY_MSG_WRAP([Enabled pubkey algorithms:],[$enabled_pubkey_ciphers])
GCRY_MSG_SHOW([Random number generator: ],[$random])
+GCRY_MSG_SHOW([Enabled Brainpool curves: ],[$use_brainpool])
GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version])
diff --git a/tests/curves.c b/tests/curves.c
index 3c738171..8eb79565 100644
--- a/tests/curves.c
+++ b/tests/curves.c
@@ -33,7 +33,11 @@
#include "t-common.h"
/* Number of curves defined in ../cipher/ecc-curves.c */
-#define N_CURVES 27
+#ifdef ENABLE_BRAINPOOL
+# define N_CURVES 27
+#else
+# define N_CURVES 20
+#endif
/* A real world sample public key. */
static char const sample_key_1[] =
@@ -52,6 +56,7 @@ static char const sample_key_1[] =
static char const sample_key_1_curve[] = "NIST P-256";
static unsigned int sample_key_1_nbits = 256;
+#ifdef ENABLE_BRAINPOOL
/* A made up sample public key. */
static char const sample_key_2[] =
"(public-key\n"
@@ -68,6 +73,7 @@ static char const sample_key_2[] =
" ))";
static char const sample_key_2_curve[] = "brainpoolP160r1";
static unsigned int sample_key_2_nbits = 160;
+#endif /* ENABLE_BRAINPOOL */
static int in_fips_mode;
@@ -113,6 +119,7 @@ check_matching (void)
gcry_sexp_release (key);
+#ifdef ENABLE_BRAINPOOL
if (!in_fips_mode)
{
err = gcry_sexp_new (&key, sample_key_2, 0, 1);
@@ -130,6 +137,7 @@ check_matching (void)
gcry_sexp_release (key);
}
+#endif /* ENABLE_BRAINPOOL */
}
#define TEST_ERROR_EXPECTED (1 << 0)
@@ -185,20 +193,26 @@ check_get_params (void)
{ GCRY_PK_ECC, "1.3.132.0.35" },
{ GCRY_PK_ECC, "nistp521" },
- { GCRY_PK_ECC, "brainpoolP160r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP192r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP224r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP256r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP320r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP384r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS },
- { GCRY_PK_ECC, "brainpoolP512r1", TEST_NOFIPS },
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS },
+#ifdef ENABLE_BRAINPOOL
+# define BRAINPOOL_FLAGS TEST_NOFIPS
+#else
+# define BRAINPOOL_FLAGS TEST_ERROR_EXPECTED
+#endif /* ENABLE_BRAINPOOL */
+ { GCRY_PK_ECC, "brainpoolP160r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP192r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP224r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP256r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP320r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP384r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "brainpoolP512r1", BRAINPOOL_FLAGS },
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", BRAINPOOL_FLAGS },
+#undef BRAINPOOL_ERROR_EXPECTED
{ GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS },
{ GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS },
@@ -282,6 +296,7 @@ check_get_params (void)
gcry_sexp_release (param);
+#ifdef ENABLE_BRAINPOOL
if (!in_fips_mode)
{
param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve);
@@ -297,6 +312,7 @@ check_get_params (void)
gcry_sexp_release (param);
}
+#endif /* ENABLE_BRAINPOOL */
/* Some simple tests */
for (idx=0; idx < DIM (tv); idx++)
diff --git a/tests/keygrip.c b/tests/keygrip.c
index 49bd71bc..fc4c17be 100644
--- a/tests/keygrip.c
+++ b/tests/keygrip.c
@@ -149,6 +149,7 @@ static struct
" (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))",
"\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6"
},
+#ifdef ENABLE_BRAINPOOL
{
GCRY_PK_ECC,
"(public-key"
@@ -197,6 +198,7 @@ static struct
"\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
1
},
+#endif /*ENABLE_BRAINPOOL */
{ /* Ed25519 standard */
GCRY_PK_ECC,
"(public-key"
--
2.34.1

50
SOURCES/libgcrypt-1.10.0-fips-getrandom.patch
Unescape View File

@ -0,0 +1,50 @@
From 0a5e608b8b18d4f41e4d7434c6262bf11507f859 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 16 Aug 2022 15:30:43 +0200
Subject: [PATCH] random: Use getrandom (GRND_RANDOM) in FIPS mode
The SP800-90C (clarified in IG D.K.) requires the following when
different DRBGs are chained:
* the parent needs to be reseeded before generate operation
* the reseed & generate needs to be atomic
In RHEL, this is addressed by change in the kernel, that will do this
automatically, when the getentropy () is called with GRND_RANDOM flag.
* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use
GRND_RANDOM in FIPS Mode
---
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
random/rndgetentropy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/random/rndgetentropy.c b/random/rndgetentropy.c
index 7580873e..db4b09ed 100644
--- a/random/rndgetentropy.c
+++ b/random/rndgetentropy.c
@@ -82,9 +82,18 @@ _gcry_rndgetentropy_gather_random (void (*add)(const void*, size_t,
* never blocking once the kernel is seeded. */
do
{
- nbytes = length < sizeof (buffer)? length : sizeof (buffer);
_gcry_pre_syscall ();
- ret = getentropy (buffer, nbytes);
+ if (fips_mode ())
+ {
+ /* The getrandom API returns maximum 32 B of strong entropy */
+ nbytes = length < 32 ? length : 32;
+ ret = getrandom (buffer, nbytes, GRND_RANDOM);
+ }
+ else
+ {
+ nbytes = length < sizeof (buffer) ? length : sizeof (buffer);
+ ret = getentropy (buffer, nbytes);
+ }
_gcry_post_syscall ();
}
while (ret == -1 && errno == EINTR);
--
2.37.1

120
SOURCES/libgcrypt-1.10.0-fips-kdf.patch
Unescape View File

@ -0,0 +1,120 @@
From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Tue, 27 Sep 2022 13:26:16 +0900
Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode.
* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
--
GnuPG-bug-id: 6039
Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/kdf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 3e51e115..81523320 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
return GPG_ERR_INV_VALUE;
#endif
+ /* HMAC requires longer input for approved use case. */
+ if (fips_mode () && passphraselen < 14)
+ return GPG_ERR_INV_VALUE;
/* Step 2 */
l = ((dklen - 1)/ hlen) + 1;
--
2.37.3
From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com>
Date: Tue, 27 Sep 2022 13:31:05 +0900
Subject: [PATCH] kdf:pkdf2: Check minimum allowed key size when running in
FIPS mode.
* cipher/kdf.c (_gcry_kdf_pkdf2): Add output length check.
--
GnuPG-bug-id: 6219
---
cipher/kdf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 81523320..67c60df8 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -160,6 +160,10 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
return GPG_ERR_INV_VALUE;
#endif
+ /* Check minimum key size */
+ if (fips_mode () && dklen < 14)
+ return GPG_ERR_INV_VALUE;
+
/* HMAC requires longer input for approved use case. */
if (fips_mode () && passphraselen < 14)
return GPG_ERR_INV_VALUE;
--
2.37.3
From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 4 Oct 2022 12:44:54 +0200
Subject: [PATCH] tests: Reproducer for short dklen in FIPS mode
* tests/t-kdf.c (check_pbkdf2): Add test vector with short dklen and
verify it fails in FIPS mode
--
GnuPG-bug-id: 6219
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/t-kdf.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index c0192d7b..716fb53e 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -909,6 +909,14 @@ check_pbkdf2 (void)
"\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9"
"\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6"
},
+ {
+ "password", 8,
+ "salt", 4,
+ GCRY_MD_SHA1,
+ 1,
+ 10, /* too short dklen for FIPS */
+ "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9"
+ },
{
"password", 8,
"salt", 4,
@@ -1109,7 +1117,7 @@ check_pbkdf2 (void)
GCRY_KDF_PBKDF2, tv[tvidx].hashalgo,
tv[tvidx].salt, tv[tvidx].saltlen,
tv[tvidx].c, tv[tvidx].dklen, outbuf);
- if (in_fips_mode && tvidx > 6)
+ if (in_fips_mode && tvidx > 7)
{
if (!err)
fail ("pbkdf2 test %d unexpectedly passed in FIPS mode: %s\n",
@@ -1118,7 +1126,7 @@ check_pbkdf2 (void)
}
if (err)
{
- if (in_fips_mode && tv[tvidx].plen < 14)
+ if (in_fips_mode && (tv[tvidx].plen < 14 || tv[tvidx].dklen < 14))
{
if (verbose)
fprintf (stderr,
--
2.37.3

55
SOURCES/libgcrypt-1.10.0-fips-keygen.patch
Unescape View File

@ -0,0 +1,55 @@
From cd30ed3c0d715aa0c58a32a29cfb1476163a5b94 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Wed, 20 Apr 2022 15:09:41 +0900
Subject: [PATCH] cipher: Change the bounds for RSA key generation round.
* cipher/rsa.c (generate_fips): Use 10 for p, 20 for q.
--
Constants from FIPS 186-5-draft.
GnuPG-bug-id: 5919
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/rsa.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 486a34f0..771413b3 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -476,7 +476,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
retry:
/* generate p and q */
- for (i = 0; i < 5 * pbits; i++)
+ for (i = 0; i < 10 * pbits; i++)
{
ploop:
if (!testparms)
@@ -506,10 +506,10 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
else if (testparms)
goto err;
}
- if (i >= 5 * pbits)
+ if (i >= 10 * pbits)
goto err;
- for (i = 0; i < 5 * pbits; i++)
+ for (i = 0; i < 20 * pbits; i++)
{
qloop:
if (!testparms)
@@ -555,7 +555,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
else if (testparms)
goto err;
}
- if (i >= 5 * pbits)
+ if (i >= 20 * pbits)
goto err;
if (testparms)
--
2.37.3

1199
SOURCES/libgcrypt-1.10.0-fips-selftest.patch
View File

File diff suppressed because it is too large Load Diff

29
SOURCES/libgcrypt-1.10.0-ppc-hwf.patch
Unescape View File

@ -0,0 +1,29 @@
From 29bfb3ebbc63d7ed18b916c5c6946790fb3d15df Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Fri, 1 Apr 2022 09:49:20 +0300
Subject: [PATCH] hwf-ppc: fix missing HWF_PPC_ARCH_3_10 in HW feature
* src/hwf-ppc.c (ppc_features): Add HWF_PPC_ARCH_3_10.
--
GnuPG-bug-id: T5913
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
src/hwf-ppc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/hwf-ppc.c b/src/hwf-ppc.c
index 7801f8b0..11d14dc1 100644
--- a/src/hwf-ppc.c
+++ b/src/hwf-ppc.c
@@ -103,6 +103,7 @@ static const struct feature_map_s ppc_features[] =
{ 0, PPC_FEATURE2_VEC_CRYPTO, HWF_PPC_VCRYPTO },
#endif
{ 0, PPC_FEATURE2_ARCH_3_00, HWF_PPC_ARCH_3_00 },
+ { 0, PPC_FEATURE2_ARCH_3_10, HWF_PPC_ARCH_3_10 },
};
#endif
--
2.34.1

621
SOURCES/libgcrypt-1.10.0-sha3-large.patch
Unescape View File

@ -0,0 +1,621 @@
From 2c1bb2f34f2812888f75c476037afae6d9e21798 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 23 Sep 2022 18:39:20 +0200
Subject: [PATCH] keccak: Use size_t to avoid integer overflow
Any input to the SHA3 functions > 4GB was giving wrong result when it
was invoked in one-shot, while working correctly when it was fed by
chunks. It turned out that the calculation in the `keccak_write`
overflows the `unsigned int` type (`nlanes * 8` does not fit 32b when
the `inlen` > 4GB).
* cipher/keccak-armv7-neon.S: Fix function name in comment and change
parameter type to size_t
* cipher/keccak.c (keccak_ops_t): Change absorb function signature to
use size_t
(keccak_absorb_lanes64_avx512): Change nlanes type to size_t
(_gcry_keccak_absorb_lanes64_armv7_neon): Ditto.
(keccak_absorb_lanes64_armv7_neon): Ditto.
(keccak_absorb_lanes32bi): Ditto.
(keccak_absorb_lanes32bi_bmi2): Ditto.
(keccak_write): Change nlanes variable to use size_t and avoid
overflow when calculating count.
* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): Change
nlanes argument to use size_t.
---
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/keccak-armv7-neon.S | 10 +++++-----
cipher/keccak.c | 20 ++++++++++----------
cipher/keccak_permute_64.h | 2 +-
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/cipher/keccak-armv7-neon.S b/cipher/keccak-armv7-neon.S
index 0bec8d50..28a284a1 100644
--- a/cipher/keccak-armv7-neon.S
+++ b/cipher/keccak-armv7-neon.S
@@ -467,11 +467,11 @@ _gcry_keccak_permute_armv7_neon:
.ltorg
.size _gcry_keccak_permute_armv7_neon,.-_gcry_keccak_permute_armv7_neon;
-@//unsigned _gcry_keccak_permute_armv7_neon(u64 *state, @r4
-@ int pos, @r1
-@ const byte *lanes, @r2
-@ unsigned int nlanes, @r3
-@ int blocklanes) @ r5 callable from C
+@//unsigned _gcry_keccak_absorb_lanes64_armv7_neon(u64 *state, @r4
+@ int pos, @r1
+@ const byte *lanes, @r2
+@ size_t nlanes, @r3
+@ int blocklanes) @ r5 callable from C
.p2align 3
.global _gcry_keccak_absorb_lanes64_armv7_neon
.type _gcry_keccak_absorb_lanes64_armv7_neon,%function;
diff --git a/cipher/keccak.c b/cipher/keccak.c
index e7e42473..6c385f71 100644
--- a/cipher/keccak.c
+++ b/cipher/keccak.c
@@ -131,7 +131,7 @@ typedef struct
{
unsigned int (*permute)(KECCAK_STATE *hd);
unsigned int (*absorb)(KECCAK_STATE *hd, int pos, const byte *lanes,
- unsigned int nlanes, int blocklanes);
+ size_t nlanes, int blocklanes);
unsigned int (*extract) (KECCAK_STATE *hd, unsigned int pos, byte *outbuf,
unsigned int outlen);
} keccak_ops_t;
@@ -513,7 +513,7 @@ static const keccak_ops_t keccak_avx512_64_ops =
unsigned int _gcry_keccak_permute_armv7_neon(u64 *state);
unsigned int _gcry_keccak_absorb_lanes64_armv7_neon(u64 *state, int pos,
const byte *lanes,
- unsigned int nlanes,
+ size_t nlanes,
int blocklanes);
static unsigned int keccak_permute64_armv7_neon(KECCAK_STATE *hd)
@@ -523,7 +523,7 @@ static unsigned int keccak_permute64_armv7_neon(KECCAK_STATE *hd)
static unsigned int
keccak_absorb_lanes64_armv7_neon(KECCAK_STATE *hd, int pos, const byte *lanes,
- unsigned int nlanes, int blocklanes)
+ size_t nlanes, int blocklanes)
{
if (blocklanes < 0)
{
@@ -571,7 +571,7 @@ static const keccak_ops_t keccak_armv7_neon_64_ops =
static unsigned int
keccak_absorb_lanes32bi(KECCAK_STATE *hd, int pos, const byte *lanes,
- unsigned int nlanes, int blocklanes)
+ size_t nlanes, int blocklanes)
{
unsigned int burn = 0;
@@ -653,7 +653,7 @@ keccak_absorb_lane32bi_bmi2(u32 *lane, u32 x0, u32 x1)
static unsigned int
keccak_absorb_lanes32bi_bmi2(KECCAK_STATE *hd, int pos, const byte *lanes,
- unsigned int nlanes, int blocklanes)
+ size_t nlanes, int blocklanes)
{
unsigned int burn = 0;
@@ -873,7 +873,8 @@ keccak_write (void *context, const void *inbuf_arg, size_t inlen)
const byte *inbuf = inbuf_arg;
unsigned int nburn, burn = 0;
unsigned int count, i;
- unsigned int pos, nlanes;
+ unsigned int pos;
+ size_t nlanes;
#ifdef USE_S390X_CRYPTO
if (ctx->kimd_func)
@@ -918,8 +919,7 @@ keccak_write (void *context, const void *inbuf_arg, size_t inlen)
burn = nburn > burn ? nburn : burn;
inlen -= nlanes * 8;
inbuf += nlanes * 8;
- count += nlanes * 8;
- count = count % bsize;
+ count = ((size_t) count + nlanes * 8) % bsize;
}
if (inlen)
diff --git a/cipher/keccak_permute_64.h b/cipher/keccak_permute_64.h
index b28c871e..45ef462f 100644
--- a/cipher/keccak_permute_64.h
+++ b/cipher/keccak_permute_64.h
@@ -292,7 +292,7 @@ KECCAK_F1600_PERMUTE_FUNC_NAME(KECCAK_STATE *hd)
static unsigned int
KECCAK_F1600_ABSORB_FUNC_NAME(KECCAK_STATE *hd, int pos, const byte *lanes,
- unsigned int nlanes, int blocklanes)
+ size_t nlanes, int blocklanes)
{
unsigned int burn = 0;
--
GitLab
From 910dcbcef36e1cd3de3dde192d829a1513273e14 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Sun, 25 Sep 2022 22:23:22 +0300
Subject: [PATCH] tests/hashtest: add hugeblock & disable-hwf options and 6 gig
test vectors
* .gitignore: Add 'tests/hashtest-6g'.
* configure.ac: Add 'tests/hashtest-6g'.
* tests/Makefile: Add 'hashtest-6g'.
* tests/hashtest-6g.in: New.
* tests/hashtest-256g.in: Add SHA3-512 to algos.
* tests/hashtest.c (use_hugeblock): New.
(testvectors): Add 256 GiB test vectors for BLAKE2S, BLAKE2B and
whirlpool; Add 6 GiB test vectors for SHA1, SHA256, SHA512, SHA3, SM3,
BLAKE2S, BLAKE2B, WHIRLPOOL, CRC32 and CRC24.
(run_longtest); Use huge 5 GiB pattern block when requested.
(main): Add '--hugeblock' and '--disable-hwf' options.
* tests/testdrv.c: Add 'hashtest-6g'; Add SHA3 to 'hashtest-256g'.
---
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
.gitignore | 1 +
configure.ac | 1 +
tests/Makefile.am | 9 +-
tests/hashtest-256g.in | 2 +-
tests/hashtest-6g.in | 7 ++
tests/hashtest.c | 249 +++++++++++++++++++++++++++++++++++++++--
tests/testdrv.c | 7 +-
7 files changed, 261 insertions(+), 15 deletions(-)
create mode 100644 tests/hashtest-6g.in
diff --git a/configure.ac b/configure.ac
index c8f24dcc..c39257b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3511,6 +3511,7 @@ src/libgcrypt.pc
src/versioninfo.rc
tests/Makefile
])
+AC_CONFIG_FILES([tests/hashtest-6g], [chmod +x tests/hashtest-6g])
AC_CONFIG_FILES([tests/hashtest-256g], [chmod +x tests/hashtest-256g])
AC_CONFIG_FILES([tests/basic-disable-all-hwf], [chmod +x tests/basic-disable-all-hwf])
AC_OUTPUT
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 302d923b..75aa5cf7 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -44,13 +44,14 @@ tests_bin_last = benchmark bench-slope
tests_sh = basic-disable-all-hwf
-tests_sh_last = hashtest-256g
+tests_sh_last = hashtest-6g hashtest-256g
TESTS = $(tests_bin) $(tests_sh) $(tests_bin_last) $(tests_sh_last)
# Force sequential run of some tests.
bench-slope.log: benchmark.log
-hashtest-256g.log: bench-slope.log
+hashtest-6g.log: bench-slope.log
+hashtest-256g.log: hashtest-6g.log
TESTS_ENVIRONMENT = GCRYPT_IN_REGRESSION_TEST=1
@@ -76,8 +77,8 @@ CLEANFILES = testdrv-build
EXTRA_DIST = README rsa-16k.key \
pkcs1v2-oaep.h pkcs1v2-pss.h pkcs1v2-v15c.h pkcs1v2-v15s.h \
t-ed25519.inp t-ed448.inp t-dsa.inp t-ecdsa.inp t-rsa-15.inp \
- t-rsa-pss.inp stopwatch.h hashtest-256g.in sha3-224.h \
- sha3-256.h sha3-384.h sha3-512.h blake2b.h blake2s.h \
+ t-rsa-pss.inp stopwatch.h hashtest-6g.in hashtest-256g.in \
+ sha3-224.h sha3-256.h sha3-384.h sha3-512.h blake2b.h blake2s.h \
basic-disable-all-hwf.in basic_all_hwfeature_combinations.sh
LDADD = $(standard_ldadd) $(GPG_ERROR_LIBS) @LDADD_FOR_TESTS_KLUDGE@
diff --git a/tests/hashtest-256g.in b/tests/hashtest-256g.in
index a52b8692..44b69897 100755
--- a/tests/hashtest-256g.in
+++ b/tests/hashtest-256g.in
@@ -1,6 +1,6 @@
#!/bin/sh
-algos="SHA1 SHA256 SHA512 SM3"
+algos="SHA1 SHA256 SHA512 SHA3-512 SM3"
test "@RUN_LARGE_DATA_TESTS@" = yes || exit 77
echo " now running 256 GiB tests for $algos - this takes looong"
diff --git a/tests/hashtest-6g.in b/tests/hashtest-6g.in
new file mode 100644
index 00000000..b3f3e2ff
--- /dev/null
+++ b/tests/hashtest-6g.in
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+algos="SHA1 SHA256 SHA512 SHA3-512 SM3 BLAKE2S_256 BLAKE2B_512 CRC32 CRC24RFC2440"
+
+test "@RUN_LARGE_DATA_TESTS@" = yes || exit 77
+echo " now running 6 GiB tests for $algos - this can take long"
+exec ./hashtest@EXEEXT@ --hugeblock --gigs 6 $algos
diff --git a/tests/hashtest.c b/tests/hashtest.c
index 4c9704f3..9389e50c 100644
--- a/tests/hashtest.c
+++ b/tests/hashtest.c
@@ -34,6 +34,7 @@
#define PGM "hashtest"
#include "t-common.h"
+static int use_hugeblock;
static int missing_test_vectors;
static struct {
@@ -113,6 +114,169 @@ static struct {
{ GCRY_MD_SM3, 256, +64,
"ed34869dbadd62e3bec1f511004d7bbfc9cafa965477cc48843b248293bbe867" },
+ { GCRY_MD_BLAKE2S_256, 256, -64,
+ "8a3d4f712275e8e8da70c76501cce364c75f8dd09748be58cf63c9ce38d62627" },
+ { GCRY_MD_BLAKE2S_256, 256, -1,
+ "0c01c9ad1e60e27dc889f2c9034a949ca8b9a9dc90dd99be64963af306d47b92" },
+ { GCRY_MD_BLAKE2S_256, 256, +0,
+ "f8c43d5c4bad93aca702c8c466987c5ac5e640a29b37dd9904252ff27b2348a0" },
+ { GCRY_MD_BLAKE2S_256, 256, +1,
+ "24c34b167b4eea1a7eb7d572ff3cf669a9856ea91bb112e9ef2ccd4b1aceccb4" },
+ { GCRY_MD_BLAKE2S_256, 256, +64,
+ "2f8d754f98e2d4ed7744389f89d0bdb9b770c9fa215b8badd3129ea1364af867" },
+
+ { GCRY_MD_BLAKE2B_512, 256, -64,
+ "36d32ae4deeacab4119401c52e2aec5545675bd2dce4f67871ddc73671a05f94"
+ "e8332c2a31f32f5601878606a571aa7b43029dac3ae71cf9ef141d05651dc4bf" },
+ { GCRY_MD_BLAKE2B_512, 256, -1,
+ "b5dc439f51664a6c9cbc87e2de98ce608ac4064a779e5140909d75d2120c9b2a"
+ "a1d4ae7be9c1ba97025be91ddcfbe42c791c3231cffbfa4b5368ba18f9590e1b" },
+ { GCRY_MD_BLAKE2B_512, 256, +0,
+ "c413d011ba9abbf118dd96bfc827f5fd94493d8350df9f7aff834faace5adba2"
+ "0c3037069dfb2c81718ffc7b418ce1c1320d334b6fe8cddfb5d2dd19eb530853" },
+ { GCRY_MD_BLAKE2B_512, 256, +1,
+ "b6dfb821f1c8167fb33995c29485010da56abd539c3d04ab9c222844301b8bba"
+ "6f57a48e45a748e40847084b93f26706aae82212550671c736becffcc6fb1496" },
+ { GCRY_MD_BLAKE2B_512, 256, +64,
+ "8c21316a4a02044e302d503d0fe669d905c40d9d80ecd5aafc8e30f1df06736f"
+ "51fdaf6002160bb8fe4e868eaad9623fc5ecdd728bcbfee4a19b386503710f48" },
+
+ { GCRY_MD_WHIRLPOOL, 256, -64,
+ "aabf62344c1aa82d2dc7605f339b3571d540f1f320f97e6a8c0229645ee61f1f"
+ "da796acde2f96caa1c56eb2c2f9a6029a6242ad690479def66feac44334cc3af" },
+ { GCRY_MD_WHIRLPOOL, 256, -1,
+ "9a35ec14aa9cefd40e04295d45d39f3111a98c2d76d90c54a7d2b8f2f5b9302b"
+ "79663eab6b6674625c3ae3e4b5dbb3b0a2f5b2f49a7a59cd1723e2b16a3efea2" },
+ { GCRY_MD_WHIRLPOOL, 256, +0,
+ "818ad31a5110b6217cc6ffa099d554aaadc9566bf5291e104a5d58b21d51ae4d"
+ "c216c6de888d1359066c584e24e6606f530a3fce80ef78aed8564de4a28801c8" },
+ { GCRY_MD_WHIRLPOOL, 256, +1,
+ "298805f5fc68488712427c1bcb27581d91aa04337c1c6b4657489ed3d239bb8b"
+ "c70ef654065d380ac1f5596aca5cb59e6da8044b5a067e32ea4cd94ca606f9f3" },
+ { GCRY_MD_WHIRLPOOL, 256, +64,
+ "7bd35c3bee621bc0fb8907904b3b84d6cf4fae4c22cc64fbc744c8c5c8de806d"
+ "0f11a27892d531dc907426597737762c83e3ddcdc62f50d16d130aaefaeec436" },
+
+ { GCRY_MD_SHA1, 6, -64,
+ "eeee82d952403313bd63d6d7c8e342df0a1eea77" },
+ { GCRY_MD_SHA1, 6, -1,
+ "8217b9f987d67db5880bcfff1d6763a6514d629f" },
+ { GCRY_MD_SHA1, 6, +0,
+ "2b38aa63c05668217e5331320a4aee0adad7fc3b" },
+ { GCRY_MD_SHA1, 6, +1,
+ "f3222de4d0704554cff0a537bc95b30f15daa94f" },
+ { GCRY_MD_SHA1, 6, +64,
+ "b3bdd8065bb92d8208d55d28fad2281c6fbf2601" },
+
+ { GCRY_MD_SHA256, 6, -64,
+ "a2d5add5be904b70d6ef9bcd5feb9c6cfc2be0799732a122d9eccb576ff5a922" },
+ { GCRY_MD_SHA256, 6, -1,
+ "88293b7e0e5a47fdef1148c6e510f95272770db6b5296958380209ba57db7a5d" },
+ { GCRY_MD_SHA256, 6, +0,
+ "ccee8e8dfc366eba67471e49c45057b0041be0d2206c6de1aa765ce07ecfc434" },
+ { GCRY_MD_SHA256, 6, +1,
+ "f4a89e92b38e0e61ee17079dc31411de06cfe1f77c83095ae1a2e7aa0205d94b" },
+ { GCRY_MD_SHA256, 6, +64,
+ "338708608c2356ed2927a85b08fe745223c6140243fb3a87f309e12b31b946a8" },
+
+ { GCRY_MD_SHA512, 6, -64,
+ "658f52850932633c00b2f1d65b874c540ab84e2c0fe84a8a6c35f8e90e6f6a9c"
+ "2f7e0ccca5064783562a42ad8f47eab48687aaf6998b04ee94441e82c14e834d" },
+ { GCRY_MD_SHA512, 6, -1,
+ "9ead6d66b46a3a72d77c7990874cfebc1575e5bfda6026430d76b3db6cc62d52"
+ "4ca0dd2674b9c24208b2e780d75542572eee8df6724acadcc23a03eed8f82f0a" },
+ { GCRY_MD_SHA512, 6, +0,
+ "03e4549eb28bd0fb1606c321f1498503b5e889bec8d799cf0688567c7f8ac0d9"
+ "a7ec4e84d1d729d6a359797656e286617c3ef82abb51991bb576aaf05f7b6573" },
+ { GCRY_MD_SHA512, 6, +1,
+ "ffe52f6385ccde6fa7d45845787d8f9993fdcb5833fb58b13c424a84e39ea50f"
+ "52d40e254fe667cb0104ffe3837dc8d0eee3c81721cb8eac10d5851dfb1f91db" },
+ { GCRY_MD_SHA512, 6, +64,
+ "4a19da3d5eaaa79ac1eaff5e4062f23ee56573411f8d302f7bf3c6da8779bd00"
+ "a936e9ad7f535597a49162ed308b0cced7724667f97a1bb24540152fcfe3ec95" },
+
+ { GCRY_MD_SHA3_512, 6, -64,
+ "a99f2913d3beb9b45273402e30daa4d25c7a5e9eb8cf6039996eb2292a45c04c"
+ "b9e3a1a187f71920626f465ed6cf7dc34047ec5578e05516374bb9c56683903a" },
+ { GCRY_MD_SHA3_512, 6, -1,
+ "fca50bde79c55e5fc4c9d97e66eb5cfacef7032395848731e645ca42f07f8d38"
+ "be1d593727c2a82b9a9bc058ebc9744971f867fa920cfa902023448243ac017b" },
+ { GCRY_MD_SHA3_512, 6, +0,
+ "c61bb345c0a553edaa89fd38114ac9799b6d307ba8e3cde53552ad4c77cfe4b7"
+ "2671d82c1519c8e7b23153a9268e2939239564fc7c2060608aa42955e938840d" },
+ { GCRY_MD_SHA3_512, 6, +1,
+ "502a83d8d1b977312806382a45c1cc9c0e7db437ca962e37eb181754d59db686"
+ "14d91df286d510411adf69f7c9befc1027bdc0c33a48a5dd6ae0957b9061e7ca" },
+ { GCRY_MD_SHA3_512, 6, +64,
+ "207bfb83ae788ddd4531188567f0892bbddbbc88d69bc196b2357bee3e668706"
+ "c27f832ecb50e9ae5b63e9f384bdc37373958d4a14f3825146d2f6b1a65d8e51" },
+
+ { GCRY_MD_SM3, 6, -64,
+ "41d96d19cef4c942b0f5f4cdc3e1afe440dc62c0bc103a2c0e9eee9e1733a74a" },
+ { GCRY_MD_SM3, 6, -1,
+ "b7689cc4ef6c7dc795b9e5e6998e5cc3dc1daec02bc1181cdbef8d6812b4957a" },
+ { GCRY_MD_SM3, 6, +0,
+ "c6eae4a82052423cf98017bde4dee8769947c66120a1a2ff79f0f0dc945a3272" },
+ { GCRY_MD_SM3, 6, +1,
+ "f6590f161fee11529585c7a9dfc725f8b81951e49b616844097a3dbdc9ffdbec" },
+ { GCRY_MD_SM3, 6, +64,
+ "f3277fa90c47afe5e4fc52374aadf8e96bc29c2b5a7a4ebf5d704245ada837ea" },
+
+ { GCRY_MD_BLAKE2S_256, 6, -64,
+ "0f3c17610777c34d40a0d11a93d5e5ed444ce16edefebabd0bc8e30392d5c2db" },
+ { GCRY_MD_BLAKE2S_256, 6, -1,
+ "92cbcf142c45de9d64da9791c51dce4e32b58f74d9f3d201b1ea74deac765f51" },
+ { GCRY_MD_BLAKE2S_256, 6, +0,
+ "b20702cb5a0bee2ab104f38eb513429589310a7edde81dd1f40043be7d16d0de" },
+ { GCRY_MD_BLAKE2S_256, 6, +1,
+ "bfc17dc74930989841da05aac08402bf0dcb4a597b17c52402a516ea7e541cdf" },
+ { GCRY_MD_BLAKE2S_256, 6, +64,
+ "d85588cdf5a00bec1327da02f22f1a10b68dd9d6b730f30a3aa65af3a51c1722" },
+
+ { GCRY_MD_BLAKE2B_512, 6, -64,
+ "30b6015f94524861b04b83f0455be10a993460e0f8f0fd755fc3d0270b0c7d00"
+ "039a6e01684ce0689ce4ef70932bd19a676acf4b4ea521c30337d2f445fc2055" },
+ { GCRY_MD_BLAKE2B_512, 6, -1,
+ "49abef820ad7fc5e6ed9b63acddce639a69dcd749b0798b140216649bc3b927c"
+ "637dbe1cb39a41bbafe7f8b675401ccdcf69a7fba227ae4cda5cd28b9ff36776" },
+ { GCRY_MD_BLAKE2B_512, 6, +0,
+ "4182a7307a89391b78af9dbc3ba1e8d643708abbed5919086aa6e2bc65ae9597"
+ "e40229450c86ac5d3117b006427dd0131f5ae4c1a1d64c81420d2731536c81d8" },
+ { GCRY_MD_BLAKE2B_512, 6, +1,
+ "33c0d9e65b1b18e9556134a08c1e725c19155bbf6ed4349d7d6d678f1827fef3"
+ "74b6e3381471f3d3fff7ffbcb9474ce9038143b99e25cd5f8afbb336313d4648" },
+ { GCRY_MD_BLAKE2B_512, 6, +64,
+ "d2d7f388611af78a2ea40b06f99993cff156afd25cbc47695bdb567d4d35b992"
+ "0ff8c325c359a2bdeddf54ececc671ac7b981031e90a7d63d6e0415ec4484282" },
+
+ { GCRY_MD_WHIRLPOOL, 6, -64,
+ "247707d1f9cf31b90ee68527144b1c20ad5ce96293bdccd1a81c8f40bc9df10c"
+ "e7441ac3b3097162d6fbf4d4b67b8fa09de451e2d920f16aad78c47ab00cb833" },
+ { GCRY_MD_WHIRLPOOL, 6, -1,
+ "af49e4a553bdbec1fdafc41713029e0fb1666894753c0ab3ecb280fc5af6eff8"
+ "253120745a229d7a8b5831711e4fd16ed0741258504d8a47e2b42aa2f1886968" },
+ { GCRY_MD_WHIRLPOOL, 6, +0,
+ "f269ffa424bc2aad2da654f01783fc9b2b431219f2b05784d718da0935e78792"
+ "9207b000ebbfb63dfdcc8adf8e5bd321d9616c1b8357430b9be6cb4640df8609" },
+ { GCRY_MD_WHIRLPOOL, 6, +1,
+ "52b77eb13129151b69b63c09abb655dc9cb046cafd4cbf7d4a82ae04b61ef9e6"
+ "531dde04cae7c5ab400ed8ee8da2e3f490d177289b2b3aa29b12b292954b902c" },
+ { GCRY_MD_WHIRLPOOL, 6, +64,
+ "60a950c92f3f08abbc81c41c86ce0463679ffd5ab420e988e15b210615b454ae"
+ "69607d14a1806fa44aacf8c926fbdcee998af46f56e0c642d3fb4ee54c8fb917" },
+
+ { GCRY_MD_CRC32, 6, -64, "20739052" },
+ { GCRY_MD_CRC32, 6, -1, "971a5a74" },
+ { GCRY_MD_CRC32, 6, +0, "bf48113c" },
+ { GCRY_MD_CRC32, 6, +1, "c7678ad5" },
+ { GCRY_MD_CRC32, 6, +64, "1efa7255" },
+
+ { GCRY_MD_CRC24_RFC2440, 6, -64, "747e81" },
+ { GCRY_MD_CRC24_RFC2440, 6, -1, "deb97d" },
+ { GCRY_MD_CRC24_RFC2440, 6, +0, "7d5bea" },
+ { GCRY_MD_CRC24_RFC2440, 6, +1, "acc351" },
+ { GCRY_MD_CRC24_RFC2440, 6, +64, "9d9032" },
+
{ 0 }
};
@@ -251,12 +415,38 @@ run_longtest (int algo, int gigs)
gcry_md_hd_t hd_post = NULL;
gcry_md_hd_t hd_post2 = NULL;
char pattern[1024];
- int i, g;
+ char *hugepattern = NULL;
+ size_t hugesize;
+ size_t hugegigs;
+ int i, g, gppos, gptot;
const unsigned char *digest;
unsigned int digestlen;
memset (pattern, 'a', sizeof pattern);
+ if (use_hugeblock)
+ {
+ hugegigs = 5;
+ if (sizeof(size_t) >= 8)
+ {
+ hugesize = hugegigs*1024*1024*1024;
+ hugepattern = malloc(hugesize);
+ if (hugepattern != NULL)
+ memset(hugepattern, 'a', hugesize);
+ else
+ show_note ("failed to allocate %d GiB huge pattern block: %s",
+ hugegigs, strerror(errno));
+ }
+ else
+ show_note ("cannot allocate %d GiB huge pattern block on 32-bit system",
+ hugegigs);
+ }
+ if (hugepattern == NULL)
+ {
+ hugegigs = 0;
+ hugesize = 0;
+ }
+
err = gcry_md_open (&hd, algo, 0);
if (err)
{
@@ -267,9 +457,17 @@ run_longtest (int algo, int gigs)
digestlen = gcry_md_get_algo_dlen (algo);
-
- for (g=0; g < gigs; g++)
+ gppos = 0;
+ gptot = 0;
+ for (g=0; g < gigs; )
{
+ if (gppos >= 16)
+ {
+ gptot += 16;
+ gppos -= 16;
+ show_note ("%d GiB so far hashed with %s", gptot,
+ gcry_md_algo_name (algo));
+ }
if (g == gigs - 1)
{
for (i = 0; i < 1024*1023; i++)
@@ -283,16 +481,24 @@ run_longtest (int algo, int gigs)
die ("gcry_md_copy failed for %s (%d): %s",
gcry_md_algo_name (algo), algo, gpg_strerror (err));
gcry_md_write (hd, pattern, sizeof pattern);
+ g++;
+ gppos++;
+ }
+ else if (hugepattern != NULL && gigs - g > hugegigs)
+ {
+ gcry_md_write (hd, hugepattern, hugesize);
+ g += hugegigs;
+ gppos += hugegigs;
}
else
{
for (i = 0; i < 1024*1024; i++)
gcry_md_write (hd, pattern, sizeof pattern);
+ g++;
+ gppos++;
}
- if (g && !(g % 16))
- show_note ("%d GiB so far hashed with %s", g, gcry_md_algo_name (algo));
}
- if (g >= 16)
+ if (g >= 16 && gppos)
show_note ("%d GiB hashed with %s", g, gcry_md_algo_name (algo));
err = gcry_md_copy (&hd_post, hd);
@@ -335,6 +541,8 @@ run_longtest (int algo, int gigs)
gcry_md_close (hd_pre2);
gcry_md_close (hd_post);
gcry_md_close (hd_post2);
+
+ free(hugepattern);
}
@@ -361,9 +569,12 @@ main (int argc, char **argv)
{
fputs ("usage: " PGM " [options] [algos]\n"
"Options:\n"
- " --verbose print timings etc.\n"
- " --debug flyswatter\n"
- " --gigs N Run a test on N GiB\n",
+ " --verbose print timings etc.\n"
+ " --debug flyswatter\n"
+ " --hugeblock Use 5 GiB pattern block\n"
+ " --gigs N Run a test on N GiB\n"
+ " --disable-hwf <features> Disable hardware acceleration feature(s)\n"
+ " for benchmarking.\n",
stdout);
exit (0);
}
@@ -378,6 +589,11 @@ main (int argc, char **argv)
debug++;
argc--; argv++;
}
+ else if (!strcmp (*argv, "--hugeblock"))
+ {
+ use_hugeblock = 1;
+ argc--; argv++;
+ }
else if (!strcmp (*argv, "--gigs"))
{
argc--; argv++;
@@ -387,6 +603,21 @@ main (int argc, char **argv)
argc--; argv++;
}
}
+ else if (!strcmp (*argv, "--disable-hwf"))
+ {
+ argc--;
+ argv++;
+ if (argc)
+ {
+ if (gcry_control (GCRYCTL_DISABLE_HWF, *argv, NULL))
+ fprintf (stderr,
+ PGM
+ ": unknown hardware feature `%s' - option ignored\n",
+ *argv);
+ argc--;
+ argv++;
+ }
+ }
else if (!strncmp (*argv, "--", 2))
die ("unknown option '%s'", *argv);
}
diff --git a/tests/testdrv.c b/tests/testdrv.c
index 0ccde326..bfca4c23 100644
--- a/tests/testdrv.c
+++ b/tests/testdrv.c
@@ -78,7 +78,12 @@ static struct {
{ "t-ed448" },
{ "benchmark" },
{ "bench-slope" },
- { "hashtest-256g", "hashtest", "--gigs 256 SHA1 SHA256 SHA512 SM3",
+ { "hashtest-6g", "hashtest", "--hugeblock --gigs 6 SHA1 SHA256 SHA512 "
+ "SHA3-512 SM3 BLAKE2S_256 "
+ "BLAKE2B_512 CRC32 "
+ "CRC24RFC2440",
+ LONG_RUNNING },
+ { "hashtest-256g", "hashtest", "--gigs 256 SHA1 SHA256 SHA512 SHA3-512 SM3",
LONG_RUNNING },
{ NULL }
};
--
2.34.1
From 567bc62e1c3046594088de7209fee7c545ece1e3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 30 Sep 2022 14:54:14 +0200
Subject: [PATCH] tests: Avoid memory leak
* tests/hashtest.c (run_longtest): Avoid memory leak on error
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/hashtest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/hashtest.c b/tests/hashtest.c
index 9389e50c..379f7c40 100644
--- a/tests/hashtest.c
+++ b/tests/hashtest.c
@@ -452,6 +452,7 @@ run_longtest (int algo, int gigs)
{
fail ("gcry_md_open failed for %s (%d): %s",
gcry_md_algo_name (algo), algo, gpg_strerror (err));
+ free(hugepattern);
return;
}
--
2.37.3

BIN
SOURCES/libgcrypt-1.10.0.tar.bz2.sig
View File

Binary file not shown.

2007
SOURCES/wk@g10code.com
View File

File diff suppressed because it is too large Load Diff

703
SPECS/libgcrypt.spec
Unescape View File

@ -0,0 +1,703 @@
# This is taken from gnutls.spec
%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/libgcrypt.spec")
for i, p in ipairs(patches) do
files = files.." "..p
end
for i, p in ipairs(sources) do
files = files.." "..p
end
local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
print(string.sub(hash, 0, 16))
}
Name: libgcrypt
Version: 1.10.0
Release: 7%{?dist}
URL: https://www.gnupg.org/
Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
Source2: wk@g10code.com
Patch1: libgcrypt-1.10.0-disable-brainpool.patch
Patch3: libgcrypt-1.10.0-ppc-hwf.patch
Patch4: libgcrypt-1.10.0-allow-small-RSA-verify.patch
Patch5: libgcrypt-1.10.0-allow-short-salt.patch
Patch6: libgcrypt-1.10.0-fips-getrandom.patch
# https://dev.gnupg.org/T6127
# https://lists.gnupg.org/pipermail/gcrypt-devel/2022-September/005379.html
Patch7: libgcrypt-1.10.0-fips-selftest.patch
# https://dev.gnupg.org/T6217
Patch9: libgcrypt-1.10.0-sha3-large.patch
# https://dev.gnupg.org/T5919
Patch10: libgcrypt-1.10.0-fips-keygen.patch
# https://dev.gnupg.org/T6219
Patch11: libgcrypt-1.10.0-fips-kdf.patch
%global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20
%global hmackey orboDeJITITejsirpADONivirpUkvarP
# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
# Documentation and some utilities are GPLv2+ licensed. These files
# are in the devel subpackage.
License: LGPLv2+
Summary: A general-purpose cryptography library
BuildRequires: gcc
BuildRequires: gawk, libgpg-error-devel >= 1.11, pkgconfig
# This is needed only when patching the .texi doc.
BuildRequires: texinfo
BuildRequires: autoconf, automake, libtool
BuildRequires: make
%package devel
Summary: Development files for the %{name} package
License: LGPLv2+ and GPLv2+
Requires: libgpg-error-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: pkgconfig
%description
Libgcrypt is a general purpose crypto library based on the code used
in GNU Privacy Guard. This is a development version.
%description devel
Libgcrypt is a general purpose crypto library based on the code used
in GNU Privacy Guard. This package contains files needed to develop
applications using libgcrypt.
%prep
%setup -q
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%build
# This package has a configure test which uses ASMs, but does not link the
# resultant .o files. As such the ASM test is always successful, even on
# architectures were the ASM is not valid when compiling with LTO.
#
# -ffat-lto-objects is sufficient to address this issue. It is the default
# for F33, but is expected to only be enabled for packages that need it in
# F34, so we use it here explicitly
%define _lto_cflags -flto=auto -ffat-lto-objects
# should be all algorithms except SM3 and SM4
export DIGESTS='crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2'
export CIPHERS='arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20'
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
autoreconf -f
%configure --disable-static \
%ifarch sparc64
--disable-asm \
%endif
--enable-noexecstack \
--enable-hmac-binary-check=%{hmackey} \
--disable-brainpool \
--enable-digests="$DIGESTS" \
--enable-ciphers="$CIPHERS" \
--with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"
sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool
%make_build
%check
make check
# try in faked FIPS mode too
LIBGCRYPT_FORCE_FIPS_MODE=1 make check
# Add generation of HMAC checksums of the final stripped binaries
%define libpath $RPM_BUILD_ROOT%{gcrylibdir}/%{gcrysoname}.?.?
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
dd if=/dev/zero of=%{libpath}.hmac bs=32 count=1 \
objcopy --update-section .rodata1=%{libpath}.hmac %{libpath} %{libpath}.empty \
src/hmac256 --binary %{hmackey} %{libpath}.empty > %{libpath}.hmac \
objcopy --update-section .rodata1=%{libpath}.hmac %{libpath}.empty %{libpath}.new \
mv -f %{libpath}.new %{libpath} \
rm -f %{libpath}.hmac %{libpath}.empty
%{nil}
%install
%make_install
# Change /usr/lib64 back to /usr/lib. This saves us from having to patch the
# script to "know" that -L/usr/lib64 should be suppressed, and also removes
# a file conflict between 32- and 64-bit versions of this package.
# Also replace my_host with none.
sed -i -e 's,^libdir="/usr/lib.*"$,libdir="/usr/lib",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config
sed -i -e 's,^my_host=".*"$,my_host="none",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config
rm -f ${RPM_BUILD_ROOT}/%{_infodir}/dir ${RPM_BUILD_ROOT}/%{_libdir}/*.la
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_libdir}
%if "%{gcrylibdir}" != "%{_libdir}"
# Relocate the shared libraries to %{gcrylibdir}.
mkdir -p $RPM_BUILD_ROOT%{gcrylibdir}
for shlib in $RPM_BUILD_ROOT%{_libdir}/*.so* ; do
if test -L "$shlib" ; then
rm "$shlib"
else
mv "$shlib" $RPM_BUILD_ROOT%{gcrylibdir}/
fi
done
# Add soname symlink.
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/
%endif
# Overwrite development symlinks.
pushd $RPM_BUILD_ROOT/%{gcrylibdir}
for shlib in lib*.so.?? ; do
target=$RPM_BUILD_ROOT/%{_libdir}/`echo "$shlib" | sed -e 's,\.so.*,,g'`.so
%if "%{gcrylibdir}" != "%{_libdir}"
shlib=%{gcrylibdir}/$shlib
%endif
ln -sf $shlib $target
done
popd
# Create /etc/gcrypt (hardwired, not dependent on the configure invocation) so
# that _someone_ owns it.
mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
%ldconfig_scriptlets
%files
%dir /etc/gcrypt
%{gcrylibdir}/libgcrypt.so.*.*
%{gcrylibdir}/%{gcrysoname}
%license COPYING.LIB
%doc AUTHORS NEWS THANKS
%files devel
%{_bindir}/%{name}-config
%{_bindir}/dumpsexp
%{_bindir}/hmac256
%{_bindir}/mpicalc
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/libgcrypt.pc
%{_datadir}/aclocal/*
%{_mandir}/man1/*
%{_infodir}/gcrypt.info*
%license COPYING
%changelog
* Thu Oct 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-7
- Properly enforce KDF limits in FIPS mode (#2130275)
- Fix memory leak in large digest test (#2129150)
- Fix function name FIPS service indicator by disabling PK encryption and decryption (#2130275)
- Skip RSA encryption/decryption selftest in FIPS mode (#2130275)
* Tue Sep 27 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-6
- Fix SHA3 digests with large inputs (#2129150)
- Fix FIPS RSA PCT (#2128455)
- Fix RSA FIPS Keygen that non-deterministically fails (#2130275)
- Get max 32B from getrandom in FIPS mode (#2130275)
* Wed Aug 17 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-5
- Allow signature verification with smaller RSA keys (#2083846)
- Allow short salt for KDF (#2114870)
- Reseed the kernel DRBG by using GRND_RANDOM (#2118695)
- Address FIPS review comments around selftests (#2118695)
- Disable RSA-OAEP in FIPS mode (#2118695)
* Fri May 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-4
- Backport ppc hardware flags detection (#2051307)
- Disable PKCS#1.5 encryption in FIPS mode (#2061328)
* Thu Mar 31 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-3
- Use correct FIPS module name (#2067123)
* Thu Feb 17 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-2
- Systematic FIPS module name with other FIPS modules
* Wed Feb 02 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-1
- Final release (#2026636)
* Thu Jan 27 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.3
- Fix broken soname in the previous beta
* Thu Jan 27 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.2
- Provide compat soname symlink as the new release is backward compatible
* Wed Jan 26 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.1
- New upstream pre-release (#2026636)
- Upstream all patches
- Implement FIPS 140-3 support
* Tue Oct 12 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-5
- Allow HW optimizations in FIPS mode (#1990059)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.3-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jun 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-3
- Fix for CVE-2021-33560 (#1970098)
* Wed Apr 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-2
- Restore the CET protection (#1954049)
* Tue Apr 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-1
- New upstream release (#1951325)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.2-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Apr 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-3
- Fix issues reported by coverity
* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-2
- Fix OCB tag creation on s390x (failing gnupg2 tests)
* Wed Feb 17 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-1
- New upstream release (#1929630)
* Fri Jan 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.1-1
- New upstream release (#1922156, #1922097)
* Wed Jan 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.0-1
- New upstream release (#1917878)
* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 1.8.7-1
- new upstream release (#1891123)
* Fri Aug 21 2020 Jeff Law <law@redhat.com> - 1.8.6-4
- Re-enable LTO
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.6-1
- new upstream version 1.8.6
* Wed Jul 1 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-7
- use the hmac256 tool to calculate the library hmac
* Tue Jun 30 2020 Jeff Law <law@redhat.com>
- Disable LTO
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-6
- Fix regression - missing -ldl linkage
* Wed Apr 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-5
- AES performance improvements backported from master branch
* Mon Apr 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-4
- FIPS selftest is run directly from the constructor
- FIPS module is implicit with kernel FIPS flag
* Thu Jan 30 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-3
- fix the build on ARMv7
* Thu Jan 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-2
- Intel CET support by H. J. Lu
* Tue Sep 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.5-1
- new upstream version 1.8.5
- add CMAC selftest for FIPS POST
- add continuous FIPS entropy test
- disable non-approved FIPS hashes in the enforced FIPS mode
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Feb 12 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.4-3
- fix the build tests to pass in the FIPS mode
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Nov 20 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.4-1
- new upstream version 1.8.4
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jul 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-2
- make only_urandom a default in non-presence of configuration file
- run the full FIPS selftests only when the library is called from
application
* Thu Jun 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-1
- new upstream version 1.8.3
* Tue Feb 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.2-2
- fix behavior when getrandom syscall is not present (#1542453)
* Thu Dec 21 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.2-1
- new upstream version 1.8.2
* Tue Dec 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-3
- do not try to access() /dev/urandom either if getrandom() works
* Mon Dec 4 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-2
- do not try to open /dev/urandom if getrandom() works (#1380866)
* Tue Sep 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-1
- new upstream version 1.8.1
* Wed Aug 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.0-1
- new upstream version 1.8.0
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Jun 29 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.8-1
- new upstream version 1.7.8
* Fri Jun 2 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.7-1
- new upstream version 1.7.7
- GOST is now enabled
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Jan 30 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.6-1
- new upstream version 1.7.6
* Fri Dec 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.5-1
- new upstream version 1.7.5
* Wed Nov 23 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.3-1
- new upstream version 1.7.3
* Wed Aug 17 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.6-1
- new upstream version with important security fix (CVE-2016-6316)
* Thu Jul 21 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.5-1
- new upstream version fixing low impact issue CVE-2015-7511
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Sep 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.4-1
- new upstream version
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Apr 3 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-4
- deinitialize the RNG after the selftest is run
* Tue Mar 24 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-3
- touch only urandom in the selftest and when /dev/random is
unavailable for example by SELinux confinement
- fix the RSA selftest key (p q swap) (#1204517)
* Fri Mar 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-2
- do not use strict aliasing for bufhelp functions (#1201219)
* Fri Mar 6 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-1
- new upstream version
* Wed Feb 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-4
- do not initialize secure memory during the selftest (#1195850)
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.6.2-3
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
* Wed Jan 14 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-2
- fix buildability of programs using gcrypt.h with -ansi (#1182200)
* Mon Dec 8 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.2-1
- new upstream version
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 17 2014 Tom Callaway <spot@fedoraproject.org> - 1.6.1-6
- fix license handling
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue May 20 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-4
- Re-enable below algos, apply patch from upstream list to make
that code -fPIC friendly. (rhbz#1069792)
* Mon May 19 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-3
- Disable rijndael, cast5, camellia ARM assembly, as it's non-PIC as
presently written, which results in .text relocations in the shared
library. (rhbz#1069792)
* Thu Apr 24 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-2
- drop the temporary compat shared library version
- fix the soname version in -use-fipscheck.patch
* Fri Feb 28 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-1
- new upstream version breaking ABI compatibility
- this release temporarily includes old compatibility .so
* Tue Jan 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.5.3-3
- add back the nistp521r1 EC curve
- fix a bug in the Whirlpool hash implementation
- speed up the PBKDF2 computation
* Sun Oct 20 2013 Tom Callaway <spot@fedoraproject.org> - 1.5.3-2
- add cleared ECC support
* Fri Jul 26 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.3-1
- new upstream version fixing cache side-channel attack on RSA private keys
* Thu Jun 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-3
- silence false error detected by valgrind (#968288)
* Thu Apr 25 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-2
- silence strict aliasing warning in Rijndael
- apply UsrMove
- spec file cleanups
* Fri Apr 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-1
- new upstream version
* Wed Mar 20 2013 Tomas Mraz <tmraz@redhat.com> 1.5.1-1
- new upstream version
* Tue Mar 5 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-11
- use poll() instead of select() when gathering randomness (#913773)
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jan 3 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-9
- allow empty passphrase in PBKDF2 needed for cryptsetup (=891266)
* Mon Dec 3 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-8
- fix multilib conflict in libgcrypt-config
- fix minor memory leaks and other bugs found by Coverity scan
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Apr 5 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-5
- Correctly rebuild the info documentation
* Wed Apr 4 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-4
- Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Mon Aug 15 2011 Kalev Lember <kalevlember@gmail.com> 1.5.0-2
- Rebuilt for rpm bug #728707
* Thu Jul 21 2011 Tomas Mraz <tmraz@redhat.com> 1.5.0-1
- new upstream version
* Mon Jun 20 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-4
- Always xor seed from /dev/urandom over /etc/gcrypt/rngseed
* Mon May 30 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-3
- Make the FIPS-186-3 DSA implementation CAVS testable
- add configurable source of RNG seed /etc/gcrypt/rngseed
in the FIPS mode (#700388)
* Fri Feb 11 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-1
- new upstream version with minor changes
* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Fri Feb 4 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-6
- fix a bug in the fips-186-3 dsa parameter generation code
* Tue Feb 1 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-5
- use /dev/urandom for seeding in the FIPS mode
- make the tests to pass in the FIPS mode also fixing
the FIPS-186-3 DSA keygen
* Sun Feb 14 2010 Rex Dieter <rdieter@fedoraproject.org> 1.4.5-4
- FTBFS libgcrypt-1.4.5-3.fc13: ImplicitDSOLinking (#564973)
* Wed Feb 3 2010 Tomas Mraz <tmraz@redhat.com> 1.4.5-3
- drop the S390 build workaround as it is no longer needed
- additional spec file cleanups for merge review (#226008)
* Mon Dec 21 2009 Tomas Mraz <tmraz@redhat.com> 1.4.5-1
- workaround for build on S390 (#548825)
- spec file cleanups
- upgrade to new minor upstream release
* Tue Aug 11 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-8
- fix warning when installed with --excludedocs (#515961)
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Thu Jun 18 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-6
- and now really apply the padlock patch
* Wed Jun 17 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-5
- fix VIA padlock RNG inline assembly call (#505724)
* Thu Mar 5 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-4
- with the integrity verification check the library needs to link to libdl
(#488702)
* Tue Mar 3 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-3
- add hmac FIPS integrity verification check
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Fri Jan 30 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-1
- update to 1.4.4
- do not abort when the fips mode kernel flag is inaccessible
due to permissions (#470219)
- hobble the library to drop the ECC support
* Mon Oct 20 2008 Dennis Gilmore <dennis@ausil.us> 1.4.3-2
- disable asm on sparc64
* Thu Sep 18 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.3-1
- update to 1.4.3
- own /etc/gcrypt
* Mon Sep 15 2008 Nalin Dahyabhai <nalin@redhat.com>
- invoke make with %%{?_smp_mflags} to build faster on multi-processor
systems (Steve Grubb)
* Mon Sep 8 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1
- update to 1.4.2
* Tue Apr 29 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-1
- update to 1.4.1
- bump libgpgerror-devel requirement to 1.4, matching the requirement enforced
by the configure script
* Thu Apr 3 2008 Joe Orton <jorton@redhat.com> 1.4.0-3
- add patch from upstream to fix severe performance regression
in entropy gathering
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.4.0-2
- Autorebuild for GCC 4.3
* Mon Dec 10 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.4.0-1
- update to 1.4.0
* Tue Oct 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-6
- use ldconfig to build the soname symlink for packaging along with the
shared library (#334731)
* Wed Aug 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-5
- add missing gawk buildrequirement
- switch from explicitly specifying the /dev/random RNG to just verifying
that the non-LGPL ones were disabled by the configure script
* Thu Aug 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-4
- clarify license
- force use of the linux /dev/random RNG, to avoid accidentally falling back
to others which would affect the license of the resulting library
* Mon Jul 30 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-3
- disable static libraries (part of #249815)
* Fri Jul 27 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-2
- move libgcrypt shared library to /%%{_lib} (#249815)
* Tue Feb 6 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-1
- update to 1.2.4
* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-2
- make use of install-info more failsafe (Ville Skyttä, #223705)
* Fri Sep 1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-1
- update to 1.2.3
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-3.1
- rebuild
* Mon Jun 05 2006 Jesse Keating <jkeating@redhat.com> 1.2.2-3
- Added missing buildreq pkgconfig
* Tue May 16 2006 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-2
- remove file conflicts in libgcrypt-config by making the 64-bit version
think the libraries are in /usr/lib (which is wrong, but which it also
prunes from the suggest --libs output, so no harm done, hopefully)
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Wed Oct 5 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-1
- update to 1.2.2
* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.1-1
- update to 1.2.1
* Fri Jul 30 2004 Florian La Roche <Florian.LaRoche@redhat.de>
- another try to package the symlink
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Sun May 2 2004 Bill Nottingham <notting@redhat.com> - 1.2.0-1
- update to official 1.2.0
* Fri Apr 16 2004 Bill Nottingham <notting@redhat.com> - 1.1.94-1
- update to 1.1.94
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de>
- add symlinks to shared libs at compile time
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Thu Mar 20 2003 Jeff Johnson <jbj@redhat.com> 1.1.12-1
- upgrade to 1.1.12 (beta).
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Sun May 26 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Tue May 21 2002 Jeff Johnson <jbj@redhat.com>
- update to 1.1.7
- change license to LGPL.
- include splint annotations patch.
- install info pages.
* Tue Apr 2 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.6-1
- update to 1.1.6
* Thu Jan 10 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.5-1
- fix the Source tag so that it's a real URL
* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- initial package
Write Preview
Loading…
Cancel
Save