commit libgcrypt for openSUSE:Leap:15.2

2020-05-26 Thread root
Hello community,

here is the log from the commit of package libgcrypt for openSUSE:Leap:15.2 
checked in at 2020-05-26 18:32:15

Comparing /work/SRC/openSUSE:Leap:15.2/libgcrypt (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738 (New)


Package is "libgcrypt"

Tue May 26 18:32:15 2020 rev:46 rq:808345 version:1.8.2

Changes:

--- /work/SRC/openSUSE:Leap:15.2/libgcrypt/libgcrypt.changes2020-05-12 
11:32:07.227709086 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738/libgcrypt.changes  
2020-05-26 18:32:21.681573301 +0200
@@ -1,0 +2,8 @@
+Tue May 19 11:25:37 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: RSA/DSA/ECC test_keys() print out debug messages [bsc#1171872]
+  * Print the debug messages in test_keys() only in debug mode.
+- Update patches: libgcrypt-PCT-RSA.patch libgcrypt-PCT-DSA.patch
+  libgcrypt-PCT-ECC.patch
+
+---



Other differences:
--

++ libgcrypt-PCT-DSA.patch ++
--- /var/tmp/diff_new_pack.WQipT2/_old  2020-05-26 18:32:22.589575285 +0200
+++ /var/tmp/diff_new_pack.WQipT2/_new  2020-05-26 18:32:22.589575285 +0200
@@ -2,7 +2,7 @@
 ===
 --- libgcrypt-1.8.2.orig/cipher/dsa.c
 +++ libgcrypt-1.8.2/cipher/dsa.c
-@@ -181,24 +181,91 @@ test_keys (DSA_secret_key *sk, unsigned
+@@ -181,24 +181,101 @@ test_keys (DSA_secret_key *sk, unsigned
/* Create a random plaintext.  */
_gcry_mpi_randomize (data, qbits, GCRY_WEAK_RANDOM);
  
@@ -23,7 +23,8 @@
 +
 +  if (_gcry_md_open (, GCRY_MD_SHA256, 0))
 +{
-+  log_debug ("gcry_pk_sign failed\n");
++  if (DBG_CIPHER)
++log_debug ("gcry_pk_sign/open failed\n");
 +  goto leave;
 +}
 +
@@ -31,6 +32,7 @@
 +  _gcry_md_write (hd, buf, buflen);
 +
 +  xfree (buf);
++  buf = NULL;
 +
 +  /* build DSA private key sexp in s_skey */
 +  sexp_build (_skey, NULL, "(private-key (dsa(p %m)(q %m)(g %m)(y %m)(x 
%m)))",
@@ -38,20 +40,23 @@
 +  sexp_build (_hash, NULL, "(data (flags pkcs1)(hash-algo sha256))");
 +  if (_gcry_pk_sign_md (_sig, hd, s_hash, s_skey))
 +{
-+  log_debug ("gcry_pk_sign failed\n");
++  if (DBG_CIPHER)
++log_debug ("gcry_pk_sign failed\n");
 +  goto leave;
 +}
 +
 +  /* Check that the signature and the original plaintext differ. */
 +  if (_gcry_sexp_extract_param (r_sig, NULL, "rs", _sig_mpi, _sig_mpi, 
NULL))
 +{
-+  log_debug ("extracting signature data failed\n");
++  if (DBG_CIPHER)
++log_debug ("extracting signature data failed\n");
 +  goto leave;
 +}
 +
 +  if ( !verify (r_sig_mpi, s_sig_mpi, data, ))
 +{
-+  log_debug ("Signature failed\n");
++  if (DBG_CIPHER)
++log_debug ("Signature failed\n");
 +  goto leave; /* Signature matches but should not. */
 +}
 +
@@ -64,17 +69,22 @@
 +  sexp_build (_hash, NULL, "(data (flags pkcs1)(hash-algo sha256))");
 +
 +  if (_gcry_md_open (, GCRY_MD_SHA256, 0))
-+log_debug ("gcry_md_open failed\n");
++{
++  if (DBG_CIPHER)
++log_debug ("gcry_md_open failed\n");
++}
 +
 +  _gcry_mpi_aprint (GCRYMPI_FMT_STD, , , data);
 +  _gcry_md_write (hd, buf, buflen);
 +
 +  xfree (buf);
++  buf = NULL;
 +
 +  /* verify the signature */
 +  if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey))
 +{
-+  log_debug ("gcry_pk_verify failed\n");
++  if (DBG_CIPHER)
++log_debug ("gcry_pk_verify failed\n");
 +  goto leave; /* Signature does not match. */
 +}
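Review bot: The second `_gcry_md_open` check in this hunk only logs on failure and, unlike the first open earlier in the patch, has no `goto leave;`, so a failed open falls through to `_gcry_mpi_aprint` and `_gcry_md_write (hd, buf, buflen)` with a handle that was never opened. Gating the message behind `if (DBG_CIPHER)` also makes that failure silent outside debug mode, and since this is the FIPS pairwise consistency test it should fail closed. Add `goto leave;` inside the new braces after the `log_debug` call, assuming `result` still holds the failure value at that point. The same log-only pattern is in the `@@ -91,13 +91,18 @@` hunk of libgcrypt-PCT-ECC.patch (`gcry_pk_sign failed: _gcry_md_open`). test_keys starts and ends outside this hunk.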
  

++ libgcrypt-PCT-ECC.patch ++
--- /var/tmp/diff_new_pack.WQipT2/_old  2020-05-26 18:32:22.605575320 +0200
+++ /var/tmp/diff_new_pack.WQipT2/_new  2020-05-26 18:32:22.605575320 +0200
@@ -70,7 +70,7 @@
ECC_public_key pk;
gcry_mpi_t test = mpi_new (nbits);
mpi_point_struct R_;
-@@ -297,17 +310,161 @@ test_keys (ECC_secret_key *sk, unsigned
+@@ -297,17 +310,190 @@ test_keys (ECC_secret_key *sk, unsigned
  
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
  
@@ -91,13 +91,18 @@
 +  int flags = 0;
 +
 +  if (_gcry_md_open (, GCRY_MD_SHA256, 0))
-+log_debug ("gcry_pk_sign failed: _gcry_md_open\n");
++{
++  if (DBG_CIPHER)
++log_debug ("gcry_pk_sign failed: _gcry_md_open\n");
++}
 +
 +  _gcry_mpi_aprint (GCRYMPI_FMT_STD, , , test);
 +  _gcry_md_write (hd, buf, buflen);
 +
 +  xfree (buf);
-+
++  buf = NULL;
+ 
+-  if (_gcry_ecc_ecdsa_verify (test, , r, s))
 +  sexp_build (_hash, NULL, "(data (flags rfc6979)(hash-algo sha256))");
 +
 +  /* Assemble the point Q from affine coordinates by simple
@@ -109,7 +114,11 @@
 +  ctx = _gcry_mpi_ec_p_internal_new (sk->E.model, sk->E.dialect, flags,
 + sk->E.p, sk->E.a, sk->E.b);
 +  if 

commit libgcrypt for openSUSE:Leap:15.2

2020-05-12 Thread root
Hello community,

here is the log from the commit of package libgcrypt for openSUSE:Leap:15.2 
checked in at 2020-05-12 11:31:51

Comparing /work/SRC/openSUSE:Leap:15.2/libgcrypt (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738 (New)


Package is "libgcrypt"

Tue May 12 11:31:51 2020 rev:45 rq:801282 version:1.8.2

Changes:

--- /work/SRC/openSUSE:Leap:15.2/libgcrypt/libgcrypt.changes2020-05-04 
08:22:18.676320007 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738/libgcrypt.changes  
2020-05-12 11:32:07.227709086 +0200
@@ -1,0 +2,11 @@
+Mon Apr 27 08:55:12 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: libgcrypt: Double free in test_keys() on failed signature
+  verification [bsc#1169944]
+  * Use safer gcry_mpi_release() instead of mpi_free()
+- Update patches:
+  * libgcrypt-PCT-DSA.patch
+  * libgcrypt-PCT-RSA.patch
+  * libgcrypt-PCT-ECC.patch
+
+---



Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.ReYxTO/_old  2020-05-12 11:32:08.223711179 +0200
+++ /var/tmp/diff_new_pack.ReYxTO/_new  2020-05-12 11:32:08.227711187 +0200
@@ -139,7 +139,7 @@
 Requires:   %{libsoname} = %{version}
 Requires:   glibc-devel
 Requires:   libgpg-error-devel >= 1.13
-#Requires(post): %{install_info_prereq}
+Requires(post): %{install_info_prereq}
 
 %description devel
 Libgcrypt is a general purpose library of cryptographic building


++ libgcrypt-PCT-DSA.patch ++
--- /var/tmp/diff_new_pack.ReYxTO/_old  2020-05-12 11:32:08.367711481 +0200
+++ /var/tmp/diff_new_pack.ReYxTO/_new  2020-05-12 11:32:08.367711481 +0200
@@ -2,7 +2,7 @@
 ===
 --- libgcrypt-1.8.2.orig/cipher/dsa.c
 +++ libgcrypt-1.8.2/cipher/dsa.c
-@@ -181,24 +181,88 @@ test_keys (DSA_secret_key *sk, unsigned
+@@ -181,24 +181,91 @@ test_keys (DSA_secret_key *sk, unsigned
/* Create a random plaintext.  */
_gcry_mpi_randomize (data, qbits, GCRY_WEAK_RANDOM);
  
@@ -16,6 +16,8 @@
 +  gcry_sexp_t r_sig = NULL;
 +  gcry_sexp_t s_hash = NULL;
 +  gcry_md_hd_t hd = NULL;
++  gcry_mpi_t r_sig_mpi = NULL;
++  gcry_mpi_t s_sig_mpi = NULL;
 +  unsigned char *buf = NULL;
 +  size_t buflen;
 +
@@ -28,6 +30,8 @@
 +  _gcry_mpi_aprint (GCRYMPI_FMT_STD, , , data);
 +  _gcry_md_write (hd, buf, buflen);
 +
++  xfree (buf);
++
 +  /* build DSA private key sexp in s_skey */
 +  sexp_build (_skey, NULL, "(private-key (dsa(p %m)(q %m)(g %m)(y %m)(x 
%m)))",
 + sk->p, sk->q, sk->g, sk->y, sk->x);
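Review bot: The return value of `_gcry_mpi_aprint` on the context line above the added `xfree (buf);` is ignored, and `buflen` is declared without an initializer in the preceding hunk, so if the conversion fails `_gcry_md_write` may be called with a NULL `buf` and an indeterminate length. Check the call and bail out, e.g. `if (_gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, data)) goto leave;` (the `&buf, &buflen` arguments appear to have been dropped by the archive rendering). The same unchecked call precedes the verification step in the `@@ -68,6 +69,8 @@` hunk. test_keys continues outside this hunk.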
@@ -39,8 +43,6 @@
 +}
 +
 +  /* Check that the signature and the original plaintext differ. */
-+  gcry_mpi_t r_sig_mpi = NULL;
-+  gcry_mpi_t s_sig_mpi = NULL;
 +  if (_gcry_sexp_extract_param (r_sig, NULL, "rs", _sig_mpi, _sig_mpi, 
NULL))
 +{
 +  log_debug ("extracting signature data failed\n");
@@ -55,7 +57,6 @@
 +
 +  _gcry_sexp_release (s_hash);
 +  _gcry_md_close (hd);
-+  xfree (buf);
 +
 +  /* build DSA public key sexp in s_pkey */
 +  sexp_build (_pkey, NULL, "(public-key (dsa(p %m)(q %m)(g %m)(y %m)))",
@@ -68,6 +69,8 @@
 +  _gcry_mpi_aprint (GCRYMPI_FMT_STD, , , data);
 +  _gcry_md_write (hd, buf, buflen);
 +
++  xfree (buf);
++
 +  /* verify the signature */
 +  if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey))
 +{
@@ -91,14 +94,14 @@
_gcry_mpi_release (sig_b);
_gcry_mpi_release (sig_a);
_gcry_mpi_release (data);
++
 +  _gcry_sexp_release (s_skey);
 +  _gcry_sexp_release (s_pkey);
 +  _gcry_sexp_release (s_hash);
 +  _gcry_sexp_release (r_sig);
-+  mpi_free (r_sig_mpi);
-+  mpi_free (s_sig_mpi);
++  _gcry_mpi_release (r_sig_mpi);
++  _gcry_mpi_release (s_sig_mpi);
 +  _gcry_md_close (hd);
-+  xfree (buf);
 +
return result;
  }

++ libgcrypt-PCT-ECC.patch ++
--- /var/tmp/diff_new_pack.ReYxTO/_old  2020-05-12 11:32:08.379711506 +0200
+++ /var/tmp/diff_new_pack.ReYxTO/_new  2020-05-12 11:32:08.379711506 +0200
@@ -70,7 +70,7 @@
ECC_public_key pk;
gcry_mpi_t test = mpi_new (nbits);
mpi_point_struct R_;
-@@ -297,17 +310,149 @@ test_keys (ECC_secret_key *sk, unsigned
+@@ -297,17 +310,161 @@ test_keys (ECC_secret_key *sk, unsigned
  
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
  
@@ -79,21 +79,25 @@
 +  /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2,
 +   * which requires full signature operation for PCT (hashing +
 +   * asymmetric operation). */
++  gcry_sexp_t r_sig = NULL;
++  gcry_sexp_t s_skey = NULL;
++  gcry_sexp_t s_pkey = NULL;
++  gcry_sexp_t s_hash = NULL;
++  gcry_mpi_t s_sig_mpi = NULL;
 +  gcry_md_hd_t hd = NULL;
 +  unsigned char *buf = NULL;
 +  size_t buflen;
++  mpi_ec_t ctx;
++  int flags = 0;
++
 +  if 

commit libgcrypt for openSUSE:Leap:15.2

2020-05-04 Thread root
Hello community,

here is the log from the commit of package libgcrypt for openSUSE:Leap:15.2 
checked in at 2020-05-04 08:22:17

Comparing /work/SRC/openSUSE:Leap:15.2/libgcrypt (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738 (New)


Package is "libgcrypt"

Mon May  4 08:22:17 2020 rev:44 rq:797127 version:1.8.2

Changes:

--- /work/SRC/openSUSE:Leap:15.2/libgcrypt/libgcrypt.changes2020-04-12 
15:37:58.401993146 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738/libgcrypt.changes  
2020-05-04 08:22:18.676320007 +0200
@@ -1,0 +2,32 @@
+Thu Apr 16 16:45:23 UTC 2020 - Vítězslav Čížek 
+
+- Ship the FIPS checksum file in the shared library package and
+  create a separate trigger file for the FIPS selftests (bsc#1169569)
+  * add libgcrypt-fips_selftest_trigger_file.patch
+  * refresh libgcrypt-global_init-constructor.patch
+- Remove libgcrypt-binary_integrity_in_non-FIPS.patch obsoleted
+  by libgcrypt-global_init-constructor.patch
+
+---
+Wed Apr 15 13:55:27 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: Verify that the generated signature and the original input
+  differ in test_keys function for RSA, DSA and ECC: [bsc#1165539]
+- Add zero-padding when qx and qy have different lengths when
+  assembling the Q point from affine coordinates.
+- Refreshed patches:
+  * libgcrypt-PCT-DSA.patch
+  * libgcrypt-PCT-RSA.patch
+  * libgcrypt-PCT-ECC.patch
+
+---
+Mon Mar 30 10:48:02 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: Switch the PCT to use the new signature operation [bsc#1165539]
+  * Patches for DSA, RSA and ECDSA test_keys functions:
+- libgcrypt-PCT-DSA.patch
+- libgcrypt-PCT-RSA.patch
+- libgcrypt-PCT-ECC.patch
+- Update patch: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
+
+---

Old:

  libgcrypt-binary_integrity_in_non-FIPS.patch

New:

  libgcrypt-PCT-DSA.patch
  libgcrypt-PCT-ECC.patch
  libgcrypt-PCT-RSA.patch
  libgcrypt-fips_selftest_trigger_file.patch



Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.5MMGvE/_old  2020-05-04 08:22:19.496321764 +0200
+++ /var/tmp/diff_new_pack.5MMGvE/_new  2020-05-04 08:22:19.496321764 +0200
@@ -18,7 +18,8 @@
 
 %define build_hmac256 1
 %define separate_hmac256_binary 0
-%define libsoname %{name}20
+%define libsover 20
+%define libsoname %{name}%{libsover}
 %define cavs_dir %{_libexecdir}/%{name}/cavs
 Name:   libgcrypt
 Version:1.8.2
@@ -60,7 +61,6 @@
 #PATCH-FIX-UPSTREAM bsc#1097410 fix novel side-channel attack
 Patch37:CVE-2018-0495.patch
 Patch39:libgcrypt-1.8.3-fips-ctor.patch
-Patch41:libgcrypt-binary_integrity_in_non-FIPS.patch
 Patch42:libgcrypt-fips_rsa_no_enforced_mode.patch
 Patch43:libgcrypt-1.8.4-allow_FSM_same_state.patch
 #PATCH-FIX-UPSTREAM bsc#1138939 CVE-2019-12904 C implementation of AES is
@@ -95,6 +95,11 @@
 Patch62:libgcrypt-ecc-ecdsa-no-blinding.patch
 #PATCH-FIX-UPSTREAM bsc#1167674 FIPS: Fix drbg to be threadsafe
 Patch63:libgcrypt-check-re-open-dev_random-after-fork.patch
+#PATCH-FIX-SUSE bsc#1165539 FIPS: Use the new signature operation in PCT
+Patch64:libgcrypt-PCT-RSA.patch
+Patch65:libgcrypt-PCT-DSA.patch
+Patch66:libgcrypt-PCT-ECC.patch
+Patch67:libgcrypt-fips_selftest_trigger_file.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.25
@@ -134,7 +139,7 @@
 Requires:   %{libsoname} = %{version}
 Requires:   glibc-devel
 Requires:   libgpg-error-devel >= 1.13
-Requires(post): %{install_info_prereq}
+#Requires(post): %{install_info_prereq}
 
 %description devel
 Libgcrypt is a general purpose library of cryptographic building
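Review bot: `Requires(post): %{install_info_prereq}` is commented out rather than removed, and neither a spec comment nor the changelog entries in this commit say why. A `%post devel` scriptlet is still present (visible as context in the `@@ -272,6 +280,11 @@` hunk); if it still registers the info pages, dropping the prerequisite removes the ordering guarantee that the tool is installed before the scriptlet runs. Either keep the line, or delete it together with the scriptlet and record the reason in libgcrypt.changes.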
@@ -194,7 +199,6 @@
 %patch36 -p1
 %patch37 -p1
 %patch39 -p1
-%patch41 -p1
 %patch42 -p1
 %patch43 -p1
 %patch44 -p1
@@ -217,6 +221,10 @@
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
 
 %build
 echo building with build_hmac256 set to %{build_hmac256}
@@ -272,6 +280,11 @@
 mv %{buildroot}%{_bindir}/fipsdrv %{buildroot}%{cavs_dir}
 mv %{buildroot}%{_bindir}/drbg_test %{buildroot}%{cavs_dir}
 
+# create the FIPS "module is complete" trigger file
+%if 0%{?build_hmac256}
+touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips
+%endif
+
 %post -n %{libsoname} -p /sbin/ldconfig
 %postun -n %{libsoname} -p /sbin/ldconfig
 %post devel
@@ -283,10 +296,13 @@
 %files -n %{libsoname}
 %license COPYING.LIB
 %{_libdir}/%{name}.so.*
+%if 0%{?build_hmac256}
+%{_libdir}/.libgcrypt.so.*.hmac

commit libgcrypt for openSUSE:Leap:15.2

2020-04-12 Thread root
Hello community,

here is the log from the commit of package libgcrypt for openSUSE:Leap:15.2 
checked in at 2020-04-12 15:37:55

Comparing /work/SRC/openSUSE:Leap:15.2/libgcrypt (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.3248 (New)


Package is "libgcrypt"

Sun Apr 12 15:37:55 2020 rev:43 rq:791689 version:1.8.2

Changes:

--- /work/SRC/openSUSE:Leap:15.2/libgcrypt/libgcrypt.changes2020-03-20 
05:52:26.508044915 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.3248/libgcrypt.changes  
2020-04-12 15:37:58.401993146 +0200
@@ -1,0 +2,28 @@
+Thu Mar 26 19:28:18 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: Fix drbg to be threadsafe [bsc#1167674]
+  * Detect fork and re-open devices in_gcry_rndlinux_gather_random
+  * libgcrypt-check-re-open-dev_random-after-fork.patch
+
+---
+Thu Mar 26 18:09:47 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
+  * Set up global_init as the constructor function:
+- libgcrypt-global_init-constructor.patch
+  * Relax the entropy requirements on selftest. This is especially
+important for virtual machines to boot properly before the RNG
+is available:
+- libgcrypt-random_selftests-testentropy.patch
+- libgcrypt-rsa-no-blinding.patch
+- libgcrypt-ecc-ecdsa-no-blinding.patch
+  * Fix benchmark regression test in FIPS mode:
+- libgcrypt-FIPS-GMAC_AES-benckmark.patch
+
+---
+Thu Mar 12 16:54:33 UTC 2020 - Pedro Monreal Gonzalez 

+
+- Remove check not needed in _gcry_global_constructor [bsc#1164950]
+  * Update libgcrypt-Restore-self-tests-from-constructor.patch
+
+---

New:

  libgcrypt-FIPS-GMAC_AES-benckmark.patch
  libgcrypt-Restore-self-tests-from-constructor.patch
  libgcrypt-check-re-open-dev_random-after-fork.patch
  libgcrypt-ecc-ecdsa-no-blinding.patch
  libgcrypt-global_init-constructor.patch
  libgcrypt-random_selftests-testentropy.patch
  libgcrypt-rsa-no-blinding.patch



Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.4Fi5oE/_old  2020-04-12 15:37:59.605994058 +0200
+++ /var/tmp/diff_new_pack.4Fi5oE/_new  2020-04-12 15:37:59.609994060 +0200
@@ -86,6 +86,15 @@
 Patch55:libgcrypt-ECDSA_check_coordinates_range.patch
 #PATCH-FIX-SUSE bsc#1164950 Run self-tests from the constructor
 Patch56:libgcrypt-invoke-global_init-from-constructor.patch
+#PATCH-FIX-SUSE bsc#1164950 Restore the self-tests from the constructor
+Patch57:libgcrypt-Restore-self-tests-from-constructor.patch
+Patch58:libgcrypt-FIPS-GMAC_AES-benckmark.patch
+Patch59:libgcrypt-global_init-constructor.patch
+Patch60:libgcrypt-random_selftests-testentropy.patch
+Patch61:libgcrypt-rsa-no-blinding.patch
+Patch62:libgcrypt-ecc-ecdsa-no-blinding.patch
+#PATCH-FIX-UPSTREAM bsc#1167674 FIPS: Fix drbg to be threadsafe
+Patch63:libgcrypt-check-re-open-dev_random-after-fork.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.25
@@ -201,6 +210,13 @@
 %patch54 -p1
 %patch55 -p1
 %patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
 
 %build
 echo building with build_hmac256 set to %{build_hmac256}


++ libgcrypt-FIPS-GMAC_AES-benckmark.patch ++
Index: libgcrypt-1.8.2/tests/benchmark.c
===
--- libgcrypt-1.8.2.orig/tests/benchmark.c
+++ libgcrypt-1.8.2/tests/benchmark.c
@@ -598,7 +598,7 @@ mac_bench ( const char *algoname )
   if (!algoname)
 {
   for (i=1; i < 600; i++)
-if (in_fips_mode && i == GCRY_MAC_HMAC_MD5)
+if (in_fips_mode && (i == GCRY_MAC_HMAC_MD5 || i == GCRY_MAC_GMAC_AES))
   ; /* Don't use MD5 in fips mode.  */
 else if ( !gcry_mac_test_algo (i) )
   mac_bench (gcry_mac_algo_name (i));
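Review bot: The comment on the empty statement still reads `/* Don't use MD5 in fips mode.  */`, but the widened condition now also skips `GCRY_MAC_GMAC_AES`. Update it to cover both, e.g. `; /* Skip HMAC-MD5 and GMAC-AES in FIPS mode.  */`, and state why GMAC-AES is excluded; the changelog only says the benchmark regression test is fixed in FIPS mode. mac_bench starts and ends outside this hunk.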
++ libgcrypt-Restore-self-tests-from-constructor.patch ++
Index: libgcrypt-1.8.2/src/global.c
===
--- libgcrypt-1.8.2.orig/src/global.c
+++ libgcrypt-1.8.2/src/global.c
@@ -140,8 +140,9 @@ global_init (void)
   /* We always need the FSM lock to be functional. */
   _gcry_initialize_fsm_lock ();
 
-  /* Run the self-tests from the constructor. */
-  global_init ();
+  /* We run the integrity check at this point. The remaining
+ selftests are run before use of the library by application. */
+  _gcry_fips_run_selftests (0);
 }
 
 /* This function is called by the macro 
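Review bot: The new comment says only the integrity check runs at this point, but the call is `_gcry_fips_run_selftests (0)`, whose name suggests the regular self-test set; the hunk does not show what the `0` argument selects, so the comment and the call should be made to agree. The return value is also discarded. If a failure is recorded through the FIPS state machine instead, say so in the comment, e.g. `/* Failure is reflected in the FSM state; return value intentionally ignored. */`; otherwise check it. The enclosing function starts outside this hunk, so whether the call is limited to FIPS mode cannot be confirmed from here.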

commit libgcrypt for openSUSE:Leap:15.2

2020-03-19 Thread root
Hello community,

here is the log from the commit of package libgcrypt for openSUSE:Leap:15.2 
checked in at 2020-03-20 05:52:20

Comparing /work/SRC/openSUSE:Leap:15.2/libgcrypt (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.3160 (New)


Package is "libgcrypt"

Fri Mar 20 05:52:20 2020 rev:42 rq:782016 version:1.8.2

Changes:

--- /work/SRC/openSUSE:Leap:15.2/libgcrypt/libgcrypt.changes2020-01-15 
15:21:03.886430671 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.3160/libgcrypt.changes  
2020-03-20 05:52:26.508044915 +0100
@@ -1,0 +2,32 @@
+Tue Feb 25 22:13:24 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: Run the self-tests from the constructor [bsc#1164950]
+  * Add libgcrypt-invoke-global_init-from-constructor.patch
+
+---
+Mon Jan 20 16:10:13 UTC 2020 - Vítězslav Čížek 
+
+- ECDSA: Check range of coordinates (bsc#1161216)
+  * add libgcrypt-ECDSA_check_coordinates_range.patch
+
+---
+Fri Jan 17 17:35:15 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
+- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
+- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
+  * Add patch from Fedora libgcrypt-1.8.4-fips-keygen.patch
+
+---
+Fri Jan 17 16:33:15 UTC 2020 - Pedro Monreal Gonzalez 

+
+- FIPS: keywrap gives incorrect results [bsc#1161218]
+  * Add libgcrypt-AES-KW-fix-in-place-encryption.patch
+
+---
+Wed Dec 11 10:18:23 UTC 2019 - Pedro Monreal Gonzalez 

+
+- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
+  * Add libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
+
+---

New:

  libgcrypt-1.8.4-fips-keygen.patch
  libgcrypt-AES-KW-fix-in-place-encryption.patch
  libgcrypt-ECDSA_check_coordinates_range.patch
  libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
  libgcrypt-invoke-global_init-from-constructor.patch



Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.Pv6A8u/_old  2020-03-20 05:52:27.288045434 +0100
+++ /var/tmp/diff_new_pack.Pv6A8u/_new  2020-03-20 05:52:27.292045437 +0100
@@ -76,6 +76,16 @@
 #PATCH-FIX-SUSE Fix test in FIPS mode
 Patch50:libgcrypt-dsa-rfc6979-test-fix.patch
 Patch51:libgcrypt-fix-tests-fipsmode.patch
+#PATCH-FIX-SUSE bsc#1155337 FIPS: RSA/DSA/ECDSA are missing hashing operation
+Patch52:libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
+#PATCH-FIX-UPSTREAM bsc#1161218 FIPS: libgcrypt keywrap gives incorrect results
+Patch53:libgcrypt-AES-KW-fix-in-place-encryption.patch
+#PATCH-FIX-SUSE bsc#1161220 FIPS: libgcrypt RSA siggen/keygen: 4k not supported
+Patch54:libgcrypt-1.8.4-fips-keygen.patch
+#PATCH-FIX-UPSTREAM bsc#1161216 Check range of EC coordinates
+Patch55:libgcrypt-ECDSA_check_coordinates_range.patch
+#PATCH-FIX-SUSE bsc#1164950 Run self-tests from the constructor
+Patch56:libgcrypt-invoke-global_init-from-constructor.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.25
@@ -186,6 +196,11 @@
 %patch49 -p1
 %patch50 -p1
 %patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
 
 %build
 echo building with build_hmac256 set to %{build_hmac256}
@@ -224,7 +239,6 @@
 # Nice idea. however this uses /dev/random, which hangs
 # on hardware without random feeds.
 # so lets not run it inside OBS
-# make -d %{?_smp_mflags} check
 make %{?_smp_mflags} check
 # export LIBGCRYPT_FORCE_FIPS_MODE=1
 # make -k check || true


++ libgcrypt-1.8.4-fips-keygen.patch ++
Index: libgcrypt-1.8.2/cipher/dsa.c
===
--- libgcrypt-1.8.2.orig/cipher/dsa.c
+++ libgcrypt-1.8.2/cipher/dsa.c
@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un
  _q, _p,
  r_counter,
  r_seed, r_seedlen);
-  else
-ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
+  else if (!domain->p || !domain->q)
+ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+ initial_seed.seed,
+ initial_seed.seedlen,
  _q, _p,
  r_counter,