2 changed files with 248 additions and 14 deletions
--- a/SOURCES/scrub-2.6.1-openssl-instead-of-libgcrypt.patch
+++ b/SOURCES/scrub-2.6.1-openssl-instead-of-libgcrypt.patch
@ -0,0 +1,211 @@
+From 8775096e070a5dc033248f1068b0bc37d5244265 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Mon, 19 Aug 2024 14:45:08 +0100
+Subject: [PATCH] Add OpenSSL as an alternative to libgcrypt
+
+If OpenSSL is not explicitly required (ie.g with --with-openssl),
+the default keeps being:
+
+1. try to use a HW random generator
+2. attempt to use libgcrypt
+3. fall back to custom AES implementation, if libgcrypt is
+   not available
+
+If OpenSSL is explictly required, step #2 replaces libgcrypt
+with openssl.
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ configure.ac  | 42 +++++++++++++++++++++++++++++++++++-------
+ src/genrand.c | 34 +++++++++++++++++++---------------
+ src/scrub.c   |  4 ++--
+ 3 files changed, 56 insertions(+), 24 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 504051f..c1a087d 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -69,19 +69,47 @@ AC_CHECK_FUNCS( \
+ )
+ X_AC_CHECK_PTHREADS
+ 
+
+# Sanity check; we cannot have both --with-libgcrypt AND --with-openssl
+# together.
+AS_IF([test "x$with_openssl" = "xyes"], [
+  AS_IF([test "x$with_libgcrypt" = "xyes"],
+    [AC_MSG_ERROR([You can use either --with-openssl or --with-libgcrypt, not both at once])]
+  )
+])
+
+##
+# OpenSSL libcrypto library
+##
+have_openssl=no
+AC_ARG_WITH(openssl, AS_HELP_STRING([--with-openssl], [build with OpenSSL libcrypto]))
+
+if test "x$with_openssl" = "xyes"; then
+  AC_SEARCH_LIBS([RAND_bytes], [crypto],
+    [AC_DEFINE([HAVE_OPENSSL], [1], [OpenSSL libcrypto available])
+      have_openssl=yes
+    ], [AC_MSG_ERROR([OpenSSL libcrypto required])]
+  )
+fi
+
+ ##
+ # gcrypt library
+ ##
+ have_libgcrypt=no
+ AC_ARG_WITH(libgcrypt, AS_HELP_STRING([--without-libgcrypt], [build without libgcrypt;
+                                          fallback to custom AES implementation]))
+-AS_IF([test "x$with_libgcrypt" != "xno"],
+-  [AM_PATH_LIBGCRYPT([1.5.0],
+-    [AC_DEFINE([HAVE_LIBGCRYPT], [1], [libgcrypt API available])
+-      gcrypt_CFLAGS="$LIBGCRYPT_CFLAGS"
+-      gcrypt_LIBS="$LIBGCRYPT_LIBS"
+-      have_libgcrypt=yes
+-    ]
+
+# Technically there is no need for testing this again, as we already
+# error'ed out early if both options were enabled at once.
+AS_IF([test "x$with_openssl" != "xyes"], [
+  AS_IF([test "x$with_libgcrypt" != "xno"], [
+    AM_PATH_LIBGCRYPT([1.5.0],
+      [AC_DEFINE([HAVE_LIBGCRYPT], [1], [libgcrypt API available])
+        gcrypt_CFLAGS="$LIBGCRYPT_CFLAGS"
+        gcrypt_LIBS="$LIBGCRYPT_LIBS"
+        have_libgcrypt=yes
+      ]
+    )]
+   )]
+ )
+ AM_CONDITIONAL([LIBGCRYPT], [test "$have_libgcrypt" = "yes"])
+diff --git a/src/genrand.c b/src/genrand.c
+index f9ac610..d37daa8 100644
+--- a/src/genrand.c
+++ b/src/genrand.c
+@@ -41,18 +41,20 @@
+ #include "genrand.h"
+ #include "hwrand.h"
+ 
+-#ifdef HAVE_LIBGCRYPT
+-#include <gcrypt.h>
+-#else
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
+ #include "aes.h"
+-#endif /* HAVE_LIBGCRYPT. */
+#elif defined(HAVE_LIBGCRYPT)
+#include <gcrypt.h>
+#elif defined(HAVE_OPENSSL)
+#include <openssl/rand.h>
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
+ 
+ extern char *prog;
+ 
+ static bool no_hwrand = false;
+ static hwrand_t gen_hwrand;
+ 
+-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
+ #define PATH_URANDOM    "/dev/urandom"
+ 
+ #define PAYLOAD_SZ  16
+@@ -146,26 +148,26 @@ churnrand(void)
+ error:
+     return -1;
+ }
+-#endif /* HAVE_LIBGCRYPT. */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
+ 
+ /* Initialize the module.
+  */
+ int
+ initrand(void)
+ {
+-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
+     struct timeval tv;
+-#else
+#elif defined(HAVE_LIBCRYPT)
+     if (!gcry_check_version(GCRYPT_VERSION)) {
+         goto error;
+     }
+     gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+-#endif /* HAVE_LIBGCRYPT */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
+ 
+     if (!no_hwrand)
+         gen_hwrand = init_hwrand();
+ 
+-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
+     /* Always initialize the software random number generator as backup */
+ 
+     if (gettimeofday(&tv, NULL) < 0)
+@@ -178,7 +180,7 @@ initrand(void)
+ #endif
+     if (churnrand() < 0)
+         goto error;
+-#endif /* HAVE_LIBGCRYPT. */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
+     return 0;
+ error:
+     return -1;
+@@ -189,11 +191,11 @@ error:
+ void 
+ genrand(unsigned char *buf, int buflen)
+ {
+-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
+     int i;
+     unsigned char out[PAYLOAD_SZ];
+     int cpylen = PAYLOAD_SZ;
+-#endif /* HAVE_LIBGCRYPT. */
+#endif
+ 
+     if (gen_hwrand) {
+         bool hwok = gen_hwrand(buf, buflen);
+@@ -201,7 +203,7 @@ genrand(unsigned char *buf, int buflen)
+             return;
+     }
+ 
+-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
+     for (i = 0; i < buflen; i += cpylen) {
+         aes_encrypt(&ctx, ctr, out);
+         incr128(ctr);
+@@ -210,8 +212,10 @@ genrand(unsigned char *buf, int buflen)
+         memcpy(&buf[i], out, cpylen);
+     }
+     assert(i == buflen);
+-#else
+#elif defined(HAVE_LIBGCRYPT)
+     gcry_randomize(buf, buflen, GCRY_STRONG_RANDOM);
+#elif defined(HAVE_OPENSSL)
+    assert(RAND_bytes(buf, buflen) == 1);
+ #endif /* HAVE_LIBGCRYPT. */
+ }
+ 
+diff --git a/src/scrub.c b/src/scrub.c
+index 55abf72..f76a2b2 100644
+--- a/src/scrub.c
+++ b/src/scrub.c
+@@ -465,13 +465,13 @@ scrub(char *path, off_t size, const sequence_t *seq, int bufsize,
+             case PAT_RANDOM:
+                 printf("%s: %-8s", prog, "random");
+                 progress_create(&p, pcol);
+-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
+                 if (churnrand() < 0) {
+                     fprintf(stderr, "%s: churnrand: %s\n", prog,
+                              strerror(errno));
+                     exit(1);
+                 }
+-#endif /* HAVE_LIBGCRYPT. */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
+                 written = fillfile(path, size, buf, bufsize, 
+                                    (progress_t)progress_update, p, 
+                                    (refill_t)genrand, sparse, enospc, extentonly);
+-- 
+2.44.0
+
--- a/SPECS/scrub.spec
+++ b/SPECS/scrub.spec
@ -1,8 +1,8 @@
 Name:		scrub
 Version:	2.6.1
-Release:	4%{?dist}
+Release:	10%{?dist}
 Summary:	Disk scrubbing program
-License:	GPLv2+
+License:	GPL-2.0-or-later
 URL:		https://github.com/chaos/scrub/
 Source0:	https://github.com/chaos/scrub/releases/download/%{version}/scrub-%{version}.tar.gz
 # https://github.com/chaos/scrub/commit/b90fcb2330d00dbd1e9aeaa2e1a9807f8b80b922.patch
@ -13,11 +13,20 @@ Patch2:		scrub-2.6.1-extentonly.patch
 Patch3:		scrub-2.5.2-test-use-power-2-filesizes.patch
 # https://github.com/chaos/scrub/commit/864a454f16ac3e47103064b0e4fe3a9111593e49
 Patch4:		scrub-2.6.1-analyzer-fixes.patch
+# https://github.com/chaos/scrub/commit/04dfc6cc89c108b2bb7ae13faebf91ac151513ea
+Patch5:		scrub-2.6.1-openssl-instead-of-libgcrypt.patch
+
 BuildRequires:	make
 BuildRequires:	gcc
+BuildRequires:	openssl-devel
+# While we don't link against libgcrypt anymore, we
+# need its -devel package installed in build time
+# for the autoreconf step to succeed.
 BuildRequires:	libgcrypt-devel
 BuildRequires:	autoconf, automake, libtool

+Requires:	openssl-libs
+
 %description
 Scrub writes patterns on files or disk devices to make
 retrieving the data more difficult.  It operates in one of three
@ -28,16 +37,12 @@ entry) is destroyed; or 3) a regular file is created, expanded until
 the file system is full, then scrubbed as in 2).

 %prep
-%setup -q
-%patch0 -p1 -b .symlinks-to-block-devices
-%patch1 -p1 -b .libgcrypt
-%patch2 -p1 -b .extent-only
-%patch3 -p1 -b .test-use-power-2-filesizes
-%patch4 -p1 -b .analyzer-fixes
+%autosetup -p1
+
 autoreconf -ifv --include=config

 %build
-%configure
+%configure --with-openssl
 %{make_build}

 %install
@ -51,12 +56,30 @@ autoreconf -ifv --include=config
 %{_mandir}/man1/scrub.1*

 %changelog
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.1-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Tue Aug 20 2024 Sergio Correia <scorreia@redhat.com> - 2.6.1-10
+- Use OpenSSL instead of libgcrypt
+  Resolves: RHEL-55250
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.6.1-9
+- Bump release for June 2024 mass rebuild
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.1-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

 * Thu Mar 18 2021 Tom Callaway <spot@fedoraproject.org> - 2.6.1-2
 - apply analyzer fixes from upstream