
No commits in common. 'c9' and 'i10c-beta' have entirely different histories.

@ -0,0 +1,211 @@
From 8775096e070a5dc033248f1068b0bc37d5244265 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 19 Aug 2024 14:45:08 +0100
Subject: [PATCH] Add OpenSSL as an alternative to libgcrypt
If OpenSSL is not explicitly required (e.g. with --with-openssl),
the default keeps being:
1. try to use a HW random generator
2. attempt to use libgcrypt
3. fall back to custom AES implementation, if libgcrypt is
not available
If OpenSSL is explicitly required, step #2 replaces libgcrypt
with openssl.
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
configure.ac | 42 +++++++++++++++++++++++++++++++++++-------
src/genrand.c | 34 +++++++++++++++++++---------------
src/scrub.c | 4 ++--
3 files changed, 56 insertions(+), 24 deletions(-)
diff --git a/configure.ac b/configure.ac
index 504051f..c1a087d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,19 +69,47 @@ AC_CHECK_FUNCS( \
)
X_AC_CHECK_PTHREADS
+
+# Sanity check; we cannot have both --with-libgcrypt AND --with-openssl
+# together.
+AS_IF([test "x$with_openssl" = "xyes"], [
+ AS_IF([test "x$with_libgcrypt" = "xyes"],
+ [AC_MSG_ERROR([You can use either --with-openssl or --with-libgcrypt, not both at once])]
+ )
+])
+
+##
+# OpenSSL libcrypto library
+##
+have_openssl=no
+AC_ARG_WITH(openssl, AS_HELP_STRING([--with-openssl], [build with OpenSSL libcrypto]))
+
+if test "x$with_openssl" = "xyes"; then
+ AC_SEARCH_LIBS([RAND_bytes], [crypto],
+ [AC_DEFINE([HAVE_OPENSSL], [1], [OpenSSL libcrypto available])
+ have_openssl=yes
+ ], [AC_MSG_ERROR([OpenSSL libcrypto required])]
+ )
+fi
+
##
# gcrypt library
##
have_libgcrypt=no
AC_ARG_WITH(libgcrypt, AS_HELP_STRING([--without-libgcrypt], [build without libgcrypt;
fallback to custom AES implementation]))
-AS_IF([test "x$with_libgcrypt" != "xno"],
- [AM_PATH_LIBGCRYPT([1.5.0],
- [AC_DEFINE([HAVE_LIBGCRYPT], [1], [libgcrypt API available])
- gcrypt_CFLAGS="$LIBGCRYPT_CFLAGS"
- gcrypt_LIBS="$LIBGCRYPT_LIBS"
- have_libgcrypt=yes
- ]
+
+# Technically there is no need for testing this again, as we already
+# error'ed out early if both options were enabled at once.
+AS_IF([test "x$with_openssl" != "xyes"], [
+ AS_IF([test "x$with_libgcrypt" != "xno"], [
+ AM_PATH_LIBGCRYPT([1.5.0],
+ [AC_DEFINE([HAVE_LIBGCRYPT], [1], [libgcrypt API available])
+ gcrypt_CFLAGS="$LIBGCRYPT_CFLAGS"
+ gcrypt_LIBS="$LIBGCRYPT_LIBS"
+ have_libgcrypt=yes
+ ]
+ )]
)]
)
AM_CONDITIONAL([LIBGCRYPT], [test "$have_libgcrypt" = "yes"])
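Review bot: The OpenSSL branch is taken only when `$with_openssl` is exactly `yes`, so a value such as `--with-openssl=<dir>` skips the `RAND_bytes` search without any message. The build then falls through to libgcrypt or, per the commit message, to the custom AES implementation when libgcrypt is not available. For a tool whose random pass depends on which generator was compiled in, that silent downgrade is worth refusing: either treat any value other than `no` or empty as a request for OpenSSL, or reject unsupported values with `AC_MSG_ERROR`. The same exact-match test appears in the sanity check at the top of the hunk and in the guard around `AM_PATH_LIBGCRYPT`.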
diff --git a/src/genrand.c b/src/genrand.c
index f9ac610..d37daa8 100644
--- a/src/genrand.c
+++ b/src/genrand.c
@@ -41,18 +41,20 @@
#include "genrand.h"
#include "hwrand.h"
-#ifdef HAVE_LIBGCRYPT
-#include <gcrypt.h>
-#else
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
#include "aes.h"
-#endif /* HAVE_LIBGCRYPT. */
+#elif defined(HAVE_LIBGCRYPT)
+#include <gcrypt.h>
+#elif defined(HAVE_OPENSSL)
+#include <openssl/rand.h>
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
extern char *prog;
static bool no_hwrand = false;
static hwrand_t gen_hwrand;
-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
#define PATH_URANDOM "/dev/urandom"
#define PAYLOAD_SZ 16
@@ -146,26 +148,26 @@ churnrand(void)
error:
return -1;
}
-#endif /* HAVE_LIBGCRYPT. */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
/* Initialize the module.
*/
int
initrand(void)
{
-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
struct timeval tv;
-#else
+#elif defined(HAVE_LIBCRYPT)
if (!gcry_check_version(GCRYPT_VERSION)) {
goto error;
}
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-#endif /* HAVE_LIBGCRYPT */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
if (!no_hwrand)
gen_hwrand = init_hwrand();
-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
/* Always initialize the software random number generator as backup */
if (gettimeofday(&tv, NULL) < 0)
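Review bot: The new guard `#elif defined(HAVE_LIBCRYPT)` in `initrand()` misspells the macro that configure.ac defines as `HAVE_LIBGCRYPT`. In a libgcrypt build the branch is therefore never compiled, so `gcry_check_version()` and `gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0)` are skipped while `genrand()` still calls `gcry_randomize()`. It should read `#elif defined(HAVE_LIBGCRYPT)`. The package build on this page configures `--with-openssl` and is not affected, but the default configuration described in the commit message would use libgcrypt without the initialization the old code performed. `initrand()` continues past the end of this hunk.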
@@ -178,7 +180,7 @@ initrand(void)
#endif
if (churnrand() < 0)
goto error;
-#endif /* HAVE_LIBGCRYPT. */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
return 0;
error:
return -1;
@@ -189,11 +191,11 @@ error:
void
genrand(unsigned char *buf, int buflen)
{
-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
int i;
unsigned char out[PAYLOAD_SZ];
int cpylen = PAYLOAD_SZ;
-#endif /* HAVE_LIBGCRYPT. */
+#endif
if (gen_hwrand) {
bool hwok = gen_hwrand(buf, buflen);
@@ -201,7 +203,7 @@ genrand(unsigned char *buf, int buflen)
return;
}
-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
for (i = 0; i < buflen; i += cpylen) {
aes_encrypt(&ctx, ctr, out);
incr128(ctr);
@@ -210,8 +212,10 @@ genrand(unsigned char *buf, int buflen)
memcpy(&buf[i], out, cpylen);
}
assert(i == buflen);
-#else
+#elif defined(HAVE_LIBGCRYPT)
gcry_randomize(buf, buflen, GCRY_STRONG_RANDOM);
+#elif defined(HAVE_OPENSSL)
+ assert(RAND_bytes(buf, buflen) == 1);
#endif /* HAVE_LIBGCRYPT. */
}
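Review bot: `assert(RAND_bytes(buf, buflen) == 1);` puts the only call that fills the buffer inside an assertion, so a build with `NDEBUG` defined compiles the call away and the random pass writes whatever `buf` already holds. Make the call unconditional and check the result separately, e.g. `if (RAND_bytes(buf, buflen) != 1) { fprintf(stderr, "%s: RAND_bytes failed\n", prog); exit(1); }`, matching how scrub.c reports a `churnrand()` failure (this assumes `<stdio.h>` and `<stdlib.h>` are already included in genrand.c, which the hunk does not show). The trailing `#endif /* HAVE_LIBGCRYPT. */` comment is also stale now that the conditional has three arms. `genrand()` starts in an earlier hunk.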
diff --git a/src/scrub.c b/src/scrub.c
index 55abf72..f76a2b2 100644
--- a/src/scrub.c
+++ b/src/scrub.c
@@ -465,13 +465,13 @@ scrub(char *path, off_t size, const sequence_t *seq, int bufsize,
case PAT_RANDOM:
printf("%s: %-8s", prog, "random");
progress_create(&p, pcol);
-#ifndef HAVE_LIBGCRYPT
+#if !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL)
if (churnrand() < 0) {
fprintf(stderr, "%s: churnrand: %s\n", prog,
strerror(errno));
exit(1);
}
-#endif /* HAVE_LIBGCRYPT. */
+#endif /* !defined(HAVE_LIBGCRYPT) && !defined(HAVE_OPENSSL) */
written = fillfile(path, size, buf, bufsize,
(progress_t)progress_update, p,
(refill_t)genrand, sparse, enospc, extentonly);
--
2.44.0

@ -1,8 +1,8 @@
Name: scrub Name: scrub
Version: 2.6.1 Version: 2.6.1
Release: 4%{?dist} Release: 10%{?dist}
Summary: Disk scrubbing program Summary: Disk scrubbing program
License: GPLv2+ License: GPL-2.0-or-later
URL: https://github.com/chaos/scrub/ URL: https://github.com/chaos/scrub/
Source0: https://github.com/chaos/scrub/releases/download/%{version}/scrub-%{version}.tar.gz Source0: https://github.com/chaos/scrub/releases/download/%{version}/scrub-%{version}.tar.gz
# https://github.com/chaos/scrub/commit/b90fcb2330d00dbd1e9aeaa2e1a9807f8b80b922.patch # https://github.com/chaos/scrub/commit/b90fcb2330d00dbd1e9aeaa2e1a9807f8b80b922.patch
@ -13,11 +13,20 @@ Patch2: scrub-2.6.1-extentonly.patch
Patch3: scrub-2.5.2-test-use-power-2-filesizes.patch Patch3: scrub-2.5.2-test-use-power-2-filesizes.patch
# https://github.com/chaos/scrub/commit/864a454f16ac3e47103064b0e4fe3a9111593e49 # https://github.com/chaos/scrub/commit/864a454f16ac3e47103064b0e4fe3a9111593e49
Patch4: scrub-2.6.1-analyzer-fixes.patch Patch4: scrub-2.6.1-analyzer-fixes.patch
# https://github.com/chaos/scrub/commit/04dfc6cc89c108b2bb7ae13faebf91ac151513ea
Patch5: scrub-2.6.1-openssl-instead-of-libgcrypt.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: openssl-devel
# While we don't link against libgcrypt anymore, we
# need its -devel package installed in build time
# for the autoreconf step to succeed.
BuildRequires: libgcrypt-devel BuildRequires: libgcrypt-devel
BuildRequires: autoconf, automake, libtool BuildRequires: autoconf, automake, libtool
Requires: openssl-libs
%description %description
Scrub writes patterns on files or disk devices to make Scrub writes patterns on files or disk devices to make
retrieving the data more difficult. It operates in one of three retrieving the data more difficult. It operates in one of three
@ -28,16 +37,12 @@ entry) is destroyed; or 3) a regular file is created, expanded until
the file system is full, then scrubbed as in 2). the file system is full, then scrubbed as in 2).
%prep %prep
%setup -q %autosetup -p1
%patch0 -p1 -b .symlinks-to-block-devices
%patch1 -p1 -b .libgcrypt
%patch2 -p1 -b .extent-only
%patch3 -p1 -b .test-use-power-2-filesizes
%patch4 -p1 -b .analyzer-fixes
autoreconf -ifv --include=config autoreconf -ifv --include=config
%build %build
%configure %configure --with-openssl
%{make_build} %{make_build}
%install %install
@ -51,12 +56,33 @@ autoreconf -ifv --include=config
%{_mandir}/man1/scrub.1* %{_mandir}/man1/scrub.1*
%changelog %changelog
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.1-4 * Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.6.1-10
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for MSVSphere 10
Related: rhbz#1991688
* Tue Aug 20 2024 Sergio Correia <scorreia@redhat.com> - 2.6.1-10
- Use OpenSSL instead of libgcrypt
Resolves: RHEL-55250
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.6.1-9
- Bump release for June 2024 mass rebuild
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.1-3 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu Mar 18 2021 Tom Callaway <spot@fedoraproject.org> - 2.6.1-2 * Thu Mar 18 2021 Tom Callaway <spot@fedoraproject.org> - 2.6.1-2
- apply analyzer fixes from upstream - apply analyzer fixes from upstream
