Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2013-07-25 15:07:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgcrypt" Changes: -------- --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2013-06-18 10:31:50.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new/libgcrypt.changes 2013-07-25 15:07:22.000000000 +0200 @@ -1,0 +2,13 @@ +Thu Jul 25 09:15:43 UTC 2013 - [email protected] + +- port SLE enhancenments to Factory (bnc#831028) + * add libgcrypt-unresolved-dladdr.patch (bnc#701267) + * add libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff (bnc#724841) + * add libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff +- install .hmac256.hmac (bnc#704068) +- enable varuous new options in configure (m-guard, hmac binary check and + random device linux) +- build with all ciphers, pubkeys and digest by default as whitelist + simply allowed them all + +------------------------------------------------------------------- @@ -9 +22 @@ -- Library must by built with large file support in +- Library must be built with large file support in New: ---- libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff libgcrypt-unresolved-dladdr.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libgcrypt.spec ++++++ --- /var/tmp/diff_new_pack.enGdLi/_old 2013-07-25 15:07:23.000000000 +0200 +++ /var/tmp/diff_new_pack.enGdLi/_new 2013-07-25 15:07:23.000000000 +0200 @@ -16,8 +16,13 @@ # -Name: libgcrypt +%define build_hmac256 1 +%define separate_hmac256_binary 0 + %define libsoname %{name}11 +%define sosuffix 11.8.1 + +Name: libgcrypt Url: http://directory.fsf.org/wiki/Libgcrypt Version: 1.5.2 Release: 0 @@ -33,10 +38,18 @@ Patch1: %{name}-strict-aliasing.patch Patch3: %{name}-1.4.1-rijndael_no_strict_aliasing.patch Patch4: %{name}-sparcv9.diff +#PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS) +#was: libgcrypt-1.5.0-as-needed.patch +Patch5: libgcrypt-unresolved-dladdr.patch +#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine +Patch6: libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff +#PATCH-FIX-SUSE: N/A +Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: automake >= 1.11 BuildRequires: libgpg-error-devel >= 1.8 BuildRequires: libtool +# not for base packages to avoid huge cycles #BuildRequires: gpg-offline %description @@ -49,14 +62,6 @@ Summary: The GNU Crypto Library License: GPL-2.0+ and LGPL-2.1+ Group: Development/Libraries/C and C++ -# bug437293 -%ifarch ppc64 -Obsoletes: %{name}-64bit -%endif -# -# libgcrypt last used in 10.3 -Obsoletes: %{name} < %{version} -Provides: %{name} = %{version} %description -n %{libsoname} Libgcrypt is a general purpose crypto library based on the code used in @@ -69,11 +74,6 @@ Requires: %{libsoname} = %{version} Requires: glibc-devel Requires: libgpg-error-devel >= 1.8 -# bug437293 -%ifarch ppc64 -Obsoletes: %{name}-devel-64bit -%endif -# PreReq: %install_info_prereq %description devel @@ -85,41 +85,76 @@ This package contains needed files to compile and link against the library. +%if 0%{?separate_hmac256_binary} + +%package hmac256 +Summary: The GNU Crypto Library +License: GPL-2.0+ and LGPL-2.1+ +Group: Development/Libraries/C and C++ +Requires: libgcrypt11 = %version +Requires: libgpg-error-devel +PreReq: %install_info_prereq + +%description hmac256 +Libgcrypt is a general purpose library of cryptographic building +blocks. It is originally based on code used by GnuPG. It does not +provide any implementation of OpenPGP or other protocols. Thorough +understanding of applied cryptography is required to use Libgcrypt. + +%endif # #if separate_hmac256_binary + %prep %setup -q -n %{name}-%{version} %patch0 -p1 %patch1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build -# define ciphers to build -ENABLE_CIPHER="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea" -ENABLE_PUBKEY="dsa elgamal rsa ecc" -ENABLE_DIGEST="crc md4 md5 rmd160 sha1 sha256 sha512 tiger whirlpool" -# +echo building with build_hmac256 set to %{build_hmac256} %{?suse_update_config} autoreconf -fi export CFLAGS="%optflags $(getconf LFS_CFLAGS)" %configure --with-pic \ --enable-noexecstack \ --disable-static \ + --enable-m-guard \ %ifarch %sparc --disable-asm \ %endif - --enable-ciphers="$ENABLE_CIPHER" \ - --enable-pubkey-ciphers="$ENABLE_PUBKEY" \ - --enable-digests="$ENABLE_DIGEST" + --enable-hmac-binary-check \ + --enable-random=linux %{__make} %{?_smp_mflags} +%if 0%{?build_hmac256} +# this is a hack that re-defines the __os_install_post macro +# for a simple reason: the macro strips the binaries and thereby +# invalidates a HMAC that may have been created earlier. +# solution: create the hashes _after_ the macro runs. +# +# this shows up earlier because otherwise the %expand of +# the macro is too late. +%{expand:%%global __os_install_post {%__os_install_post + +%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \ + < %{buildroot}/%{_bindir}/hmac256 > %{buildroot}/%{_bindir}/.hmac256.hmac +%{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \ + < %{buildroot}/%{_libdir}/libgcrypt.so.%{sosuffix} > %{buildroot}/%{_libdir}/.libgcrypt.so.11.hmac +}} +%endif + %check # Nice idea. however this uses /dev/random, which hangs # on hardware without random feeds. -#make check +# so lets not run it inside OBS +# make check %install make DESTDIR=$RPM_BUILD_ROOT install -# + rm %{buildroot}%{_libdir}/%{name}.la %post -n %{libsoname} -p /sbin/ldconfig @@ -140,6 +175,9 @@ %defattr(-,root,root) %doc AUTHORS COPYING COPYING.LIB ChangeLog NEWS README THANKS TODO %{_libdir}/%{name}.so.11* +%if 0%{?build_hmac256} +%{_libdir}/.libgcrypt.so.11.hmac +%endif # %if 0%{?build_hmac256} %files devel %defattr(-,root,root) @@ -147,10 +185,16 @@ %_infodir/gcrypt.info-1.gz %_infodir/gcrypt.info-2.gz %_bindir/dumpsexp -%_bindir/hmac256 %_bindir/%{name}-config %_libdir/%{name}.so %_includedir/gcrypt*.h %_datadir/aclocal/%{name}.m4 +%if 0%{?separate_hmac256_binary} + +%files hmac256 +%defattr(-,root,root) +%endif # %if 0%{?separate_hmac256_binary} +%{_bindir}/hmac256 +%{_bindir}/.hmac256.hmac %changelog ++++++ libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff ++++++ From: [email protected] Subject: LIBGCRYPT_FORCE_FIPS_MODE env environ LIBGCRYPT_FORCE_FIPS_MODE forces FIPS mode of libgcrypt Index: libgcrypt-1.5.2/src/fips.c =================================================================== --- libgcrypt-1.5.2.orig/src/fips.c +++ libgcrypt-1.5.2/src/fips.c @@ -123,6 +123,17 @@ _gcry_initialize_fips_mode (int force) goto leave; } + /* for convenience, so that a process can run fips-enabled, but + not necessarily all of them, enable FIPS mode via environment + variable LIBGCRYPT_FORCE_FIPS_MODE. */ + + if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL) + { + gcry_assert (!no_fips_mode_required); + goto leave; + } + + /* For testing the system it is useful to override the system provided detection of the FIPS mode and force FIPS mode using a file. The filename is hardwired so that there won't be any ++++++ libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff ++++++ From: [email protected] Subject: /etc/gcrypt/rngseed symlink logic error in evaluation of routine to open /dev/{u,}random or /etc/gcrypt/rngseed (open_device()) causes abort() in cases where do_randomize(nbytes, level) is called with level == 1 (GCRY_STRONG_RANDOM). References: bnc#724841 https://bugzilla.novell.com/show_bug.cgi?id=724841 --- random/random-csprng.c | 2 +- random/random-fips.c | 10 +++++----- random/rndlinux.c | 48 ++++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 48 insertions(+), 12 deletions(-) Index: libgcrypt-1.5.2/random/random-csprng.c =================================================================== --- libgcrypt-1.5.2.orig/random/random-csprng.c +++ libgcrypt-1.5.2/random/random-csprng.c @@ -827,7 +827,7 @@ read_seed_file (void) * entropy drivers, however the rndlinux driver will use * /dev/urandom and return some stuff - Do not read too much as we * want to be friendly to the scare system entropy resource. */ - read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM ); + read_random_source ( RANDOM_ORIGIN_INIT, 16, -1 ); allow_seed_file_update = 1; return 1; Index: libgcrypt-1.5.2/random/random-fips.c =================================================================== --- libgcrypt-1.5.2.orig/random/random-fips.c +++ libgcrypt-1.5.2/random/random-fips.c @@ -27,10 +27,10 @@ There are 3 random context which map to the different levels of random quality: - Generator Seed and Key Kernel entropy (init/reseed) - ------------------------------------------------------------ - GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits - GCRY_STRONG_RANDOM /dev/random 256/128 bits + Generator Seed and Key Kernel entropy (init/reseed) + --------------------------------------------------------------------------------------- + GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits + GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits gcry_create_nonce GCRY_STRONG_RANDOM n/a All random generators return their data in 128 bit blocks. If the @@ -562,7 +562,7 @@ get_entropy (size_t nbytes) #if USE_RNDLINUX rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, X931_AES_KEYLEN, - GCRY_VERY_STRONG_RANDOM); + -1); #elif USE_RNDW32 do { Index: libgcrypt-1.5.2/random/rndlinux.c =================================================================== --- libgcrypt-1.5.2.orig/random/rndlinux.c +++ libgcrypt-1.5.2/random/rndlinux.c @@ -36,7 +36,8 @@ #include "g10lib.h" #include "rand-internal.h" -static int open_device ( const char *name ); +static int open_device ( const char *name, int fatal ); +#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed" static int @@ -57,13 +58,17 @@ set_cloexec_flag (int fd) * Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)). */ static int -open_device ( const char *name ) +open_device ( const char *name, int fatal) { int fd; fd = open ( name, O_RDONLY ); if ( fd == -1 ) - log_fatal ("can't open %s: %s\n", name, strerror(errno) ); + { + if (fatal) + log_fatal ("can't open %s: %s\n", name, strerror(errno) ); + return fd; + } if (set_cloexec_flag (fd)) log_error ("error setting FD_CLOEXEC on fd %d: %s\n", @@ -92,10 +97,12 @@ _gcry_rndlinux_gather_random (void (*add { static int fd_urandom = -1; static int fd_random = -1; + static int fd_configured = -1; int fd; int n; byte buffer[768]; size_t n_hw; + size_t orig_length = length; size_t want = length; size_t last_so_far = 0; int any_need_entropy = 0; @@ -110,16 +117,42 @@ _gcry_rndlinux_gather_random (void (*add length -= n_hw; /* Open the requested device. */ + + /* Clarification: path how "level == -1" comes about: + gcry_random_bytes( ... , GCRY_STRONG_RANDOM) (public) -> + do_randomize(buffer, nbytes, level) -> + _gcry_rngcsprng_randomize(buffer, length, level) -> + read_pool (p, n, level) -> + read_seed_file(), + random_poll() -> + read_random_source(..., ..., GCRY_STRONG_RANDOM), + read_random_source(... , ..., , -1 ) (note: -1) -> + slow_gather_fnc(..., ..., ..., level) + function pointer set by getfnc_gather_random() to + _gcry_rndlinux_gather_random() , which is here. + */ + + + if (level == -1) + { + if (fd_configured == -1) + fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 ); + fd = fd_configured; + if (fd == -1) + level = 1; + } + + if (level >= 2) { if( fd_random == -1 ) - fd_random = open_device ( NAME_OF_DEV_RANDOM ); + fd_random = open_device ( NAME_OF_DEV_RANDOM, 1 ); fd = fd_random; } - else + else if (level != -1) { if( fd_urandom == -1 ) - fd_urandom = open_device ( NAME_OF_DEV_URANDOM ); + fd_urandom = open_device ( NAME_OF_DEV_URANDOM, 1 ); fd = fd_urandom; } @@ -187,6 +220,9 @@ _gcry_rndlinux_gather_random (void (*add } memset(buffer, 0, sizeof(buffer) ); + if (level == -1) + _gcry_rndlinux_gather_random(add, origin, orig_length, 1); + if (any_need_entropy) _gcry_random_progress ("need_entropy", 'X', (int)want, (int)want); ++++++ libgcrypt-unresolved-dladdr.patch ++++++ From: [email protected] Subject: unresolved dladdr symbol When linking with --as-needed, some symbols are ommited. Add a DL_LIBS for dladdr symbol to fix the issue. References: bnc#701267 https://bugzilla.novell.com/show_bug.cgi?id=701267 Original-name: libgcrypt-1.5.0-as-needed.patch Index: libgcrypt-1.5.2/src/Makefile.am =================================================================== --- libgcrypt-1.5.2.orig/src/Makefile.am +++ libgcrypt-1.5.2/src/Makefile.am @@ -110,7 +110,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ ../cipher/libcipher.la \ ../random/librandom.la \ ../mpi/libmpi.la \ - ../compat/libcompat.la $(GPG_ERROR_LIBS) + ../compat/libcompat.la $(GPG_ERROR_LIBS) $(DL_LIBS) dumpsexp_SOURCES = dumpsexp.c -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
