Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2018-04-03 12:11:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgcrypt"
Tue Apr 3 12:11:16 2018 rev:70 rq:592209 version:1.8.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2018-03-01
12:05:47.542440493 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new/libgcrypt.changes 2018-04-03
12:11:20.525020848 +0200
@@ -1,0 +2,9 @@
+Thu Mar 29 06:37:44 UTC 2018 - [email protected]
+
+- Extended the fipsdrv dsa-sign and dsa-verify commands with the
+ --algo parameter for the FIPS testing of DSA SigVer and SigGen
+ (bsc#1064455).
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
+
+-------------------------------------------------------------------
New:
----
libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libgcrypt.spec ++++++
--- /var/tmp/diff_new_pack.2xc1PK/_old 2018-04-03 12:11:21.600982132 +0200
+++ /var/tmp/diff_new_pack.2xc1PK/_new 2018-04-03 12:11:21.600982132 +0200
@@ -56,6 +56,10 @@
#PATCH-FIX-SUSE run FIPS self-test from constructor
Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
Patch34: libgcrypt-1.6.3-aliasing.patch
+#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
+Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
+Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
BuildRequires: automake >= 1.14
BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.25
@@ -152,6 +156,8 @@
%endif
%patch13 -p1
%patch14 -p1
+%patch35 -p1
+%patch36 -p1
%build
echo building with build_hmac256 set to %{build_hmac256}
++++++ libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch ++++++
Index: libgcrypt-1.6.1/tests/fipsdrv.c
===================================================================
--- libgcrypt-1.6.1.orig/tests/fipsdrv.c
+++ libgcrypt-1.6.1/tests/fipsdrv.c
@@ -2190,11 +2190,12 @@ dsa_hash_from_key(gcry_sexp_t s_key)
return GCRY_MD_NONE;
}
-�
+
/* Sign DATA of length DATALEN using the key taken from the S-expression
encoded KEYFILE. */
static void
-run_dsa_sign (const void *data, size_t datalen, const char *keyfile)
+run_dsa_sign (const void *data, size_t datalen,
+ int hashalgo, const char *keyfile)
{
gpg_error_t err;
@@ -2202,13 +2203,20 @@ run_dsa_sign (const void *data, size_t d
char hash[128];
gcry_mpi_t tmpmpi;
int algo;
+ int algo_len;
+ int hashalgo_len;
s_key = read_sexp_from_file (keyfile);
algo = dsa_hash_from_key(s_key);
+ algo_len = gcry_md_get_algo_dlen(algo);
+ hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
- gcry_md_hash_buffer (algo, hash, data, datalen);
+ if (hashalgo_len < algo_len)
+ algo_len = hashalgo_len;
+
+ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
- gcry_md_get_algo_dlen(algo), NULL);
+ algo_len, NULL);
if (!err)
{
err = gcry_sexp_build (&s_data, NULL,
@@ -3000,14 +3008,21 @@ main (int argc, char **argv)
}
else if (!strcmp (mode_string, "dsa-sign"))
{
+ int algo;
+
if (!key_string)
die ("option --key is required in this mode\n");
if (access (key_string, R_OK))
die ("option --key needs to specify an existing keyfile\n");
+ if (!algo_string)
+ die ("option --algo is required in this mode\n");
+ algo = gcry_md_map_name (algo_string);
+ if (!algo)
+ die ("digest algorithm `%s' is not supported\n", algo_string);
if (!data)
die ("no data available (do not use --chunk)\n");
- run_dsa_sign (data, datalen, key_string);
+ run_dsa_sign (data, datalen, algo, key_string);
}
else if (!strcmp (mode_string, "dsa-verify"))
{
++++++ libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch ++++++
--- libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:39:56.080098385
+0000
+++ libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:41:15.780098385
+0000
@@ -2288,7 +2288,7 @@ run_dsa_sign (const void *data, size_t d
S-expression in KEYFILE against the S-expression formatted
signature in SIGFILE. */
static void
-run_dsa_verify (const void *data, size_t datalen,
+run_dsa_verify (const void *data, size_t datalen, int hashalgo,
const char *keyfile, const char *sigfile)
{
@@ -2297,15 +2297,23 @@ run_dsa_verify (const void *data, size_t
char hash[128];
gcry_mpi_t tmpmpi;
int algo;
+ int algo_len;
+ int hashalgo_len;
s_key = read_sexp_from_file (keyfile);
algo = dsa_hash_from_key(s_key);
- gcry_md_hash_buffer (algo, hash, data, datalen);
+ algo_len = gcry_md_get_algo_dlen(algo);
+ hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
+
+ if (hashalgo_len < algo_len)
+ algo_len = hashalgo_len;
+
+ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
/* Note that we can't simply use %b with HASH to build the
S-expression, because that might yield a negative value. */
err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
- gcry_md_get_algo_dlen(algo), NULL);
+ algo_len, NULL);
if (!err)
{
err = gcry_sexp_build (&s_data, NULL,
@@ -3011,10 +3019,17 @@ main (int argc, char **argv)
}
else if (!strcmp (mode_string, "dsa-verify"))
{
+ int algo;
+
if (!key_string)
die ("option --key is required in this mode\n");
if (access (key_string, R_OK))
die ("option --key needs to specify an existing keyfile\n");
+ if (!algo_string)
+ die ("option --algo is required in this mode\n");
+ algo = gcry_md_map_name (algo_string);
+ if (!algo)
+ die ("digest algorithm `%s' is not supported\n", algo_string);
if (!data)
die ("no data available (do not use --chunk)\n");
if (!signature_string)
@@ -3022,7 +3037,7 @@ main (int argc, char **argv)
if (access (signature_string, R_OK))
die ("option --signature needs to specify an existing file\n");
- run_dsa_verify (data, datalen, key_string, signature_string);
+ run_dsa_verify (data, datalen, algo, key_string, signature_string);
}
else if (!strcmp (mode_string, "ecdsa-gen-key"))
{
