commit libgcrypt for openSUSE:Factory
Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2018-04-03 12:11:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libgcrypt" Tue Apr 3 12:11:16 2018 rev:70 rq:592209 version:1.8.2 Changes: --------
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2018-03-01 12:05:47.542440493 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new/libgcrypt.changes 2018-04-03 12:11:20.525020848 +0200
@@ -1,0 +2,9 @@
+Thu Mar 29 06:37:44 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Extended the fipsdrv dsa-sign and dsa-verify commands with the
+ --algo parameter for the FIPS testing of DSA SigVer and SigGen
+ (bsc#1064455).
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
+
+-------------------------------------------------------------------
New: ---- libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ libgcrypt.spec ++++++
--- /var/tmp/diff_new_pack.2xc1PK/_old 2018-04-03 12:11:21.600982132 +0200
+++ /var/tmp/diff_new_pack.2xc1PK/_new 2018-04-03 12:11:21.600982132 +0200
@@ -56,6 +56,10 @@ #PATCH-FIX-SUSE run FIPS self-test from constructor Patch32: libgcrypt-fips_run_selftest_at_constructor.patch Patch34: libgcrypt-1.6.3-aliasing.patch +#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign +Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch +#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify +Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.25 @@ -152,6 +156,8 @@ %endif %patch13 -p1 %patch14 -p1 +%patch35 -p1 +%patch36 -p1 %build echo building with build_hmac256 set to %{build_hmac256} ++++++ libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch ++++++ Index: libgcrypt-1.6.1/tests/fipsdrv.c =================================================================== --- libgcrypt-1.6.1.orig/tests/fipsdrv.c +++ libgcrypt-1.6.1/tests/fipsdrv.c @@ -2190,11 +2190,12 @@ dsa_hash_from_key(gcry_sexp_t s_key) return GCRY_MD_NONE; } - + /* Sign DATA of length DATALEN using the key taken from the S-expression encoded KEYFILE. */ static void -run_dsa_sign (const void *data, size_t datalen, const char *keyfile) +run_dsa_sign (const void *data, size_t datalen, + int hashalgo, const char *keyfile) { gpg_error_t err; @@ -2202,13 +2203,20 @@ run_dsa_sign (const void *data, size_t d char hash[128]; gcry_mpi_t tmpmpi; int algo; + int algo_len; + int hashalgo_len; s_key = read_sexp_from_file (keyfile); algo = dsa_hash_from_key(s_key); + algo_len = gcry_md_get_algo_dlen(algo); + hashalgo_len = gcry_md_get_algo_dlen(hashalgo); - gcry_md_hash_buffer (algo, hash, data, datalen); + if (hashalgo_len < algo_len) + algo_len = hashalgo_len; + + gcry_md_hash_buffer (hashalgo, hash, data, datalen); err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, - gcry_md_get_algo_dlen(algo), NULL); + algo_len, NULL); if (!err) { err = gcry_sexp_build (&s_data, NULL, 
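Review bot: In run_dsa_sign the new clamp `if (hashalgo_len < algo_len) algo_len = hashalgo_len;` lets the length passed to gcry_mpi_scan drop to zero without any error. The context at the top of this hunk shows dsa_hash_from_key can return GCRY_MD_NONE, and gcry_md_get_algo_dlen yields 0 for that (and, as far as I know, for digests without a fixed output length), so the driver would then sign an empty value instead of failing the test vector. Nothing ties hashalgo_len to the fixed `char hash[128]` that gcry_md_hash_buffer fills either. I would add, before hashing, `if (algo_len <= 0 || hashalgo_len <= 0 || hashalgo_len > (int) sizeof hash) die ("unusable digest length for DSA\n");`. The same lines appear in the run_dsa_verify hunk of the second patch and need the same guard; the body of run_dsa_sign continues past this hunk.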
@@ -3000,14 +3008,21 @@ main (int argc, char **argv) } else if (!strcmp (mode_string, "dsa-sign")) { + int algo; + if (!key_string) die ("option --key is required in this mode\n"); if (access (key_string, R_OK)) die ("option --key needs to specify an existing keyfile\n"); + if (!algo_string) + die ("option --algo is required in this mode\n"); + algo = gcry_md_map_name (algo_string); + if (!algo) + die ("digest algorithm `%s' is not supported\n", algo_string); if (!data) die ("no data available (do not use --chunk)\n"); - run_dsa_sign (data, datalen, key_string); + run_dsa_sign (data, datalen, algo, key_string); } else if (!strcmp (mode_string, "dsa-verify")) { ++++++ libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch ++++++ --- libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:39:56.080098385 +0000 +++ libgcrypt-1.6.1-orig/tests/fipsdrv.c 2017-10-20 10:41:15.780098385 +0000 @@ -2288,7 +2288,7 @@ run_dsa_sign (const void *data, size_t d S-expression in KEYFILE against the S-expression formatted signature in SIGFILE. */ static void -run_dsa_verify (const void *data, size_t datalen, +run_dsa_verify (const void *data, size_t datalen, int hashalgo, const char *keyfile, const char *sigfile) { @@ -2297,15 +2297,23 @@ run_dsa_verify (const void *data, size_t char hash[128]; gcry_mpi_t tmpmpi; int algo; + int algo_len; + int hashalgo_len; s_key = read_sexp_from_file (keyfile); algo = dsa_hash_from_key(s_key); - gcry_md_hash_buffer (algo, hash, data, datalen); + algo_len = gcry_md_get_algo_dlen(algo); + hashalgo_len = gcry_md_get_algo_dlen(hashalgo); + + if (hashalgo_len < algo_len) + algo_len = hashalgo_len; + + gcry_md_hash_buffer (hashalgo, hash, data, datalen); /* Note that we can't simply use %b with HASH to build the S-expression, because that might yield a negative value. */ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, - gcry_md_get_algo_dlen(algo), NULL); + algo_len, NULL); if (!err) { err = gcry_sexp_build (&s_data, NULL, 
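Review bot: The `--algo` value in the dsa-sign branch is only checked for being a known name; as far as I know gcry_md_map_name resolves names without asking whether the digest is actually enabled in the running library. In a FIPS-mode run a disabled digest would therefore get past `if (!algo)` and only fail later inside gcry_md_hash_buffer, with a less useful error than die() gives here. Consider `if (!algo || gcry_md_test_algo (algo))` in front of the existing `die ("digest algorithm ...")` call. The dsa-verify branch in the second patch repeats the same lookup and would take the same change; main starts and ends outside this hunk.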
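Review bot: The header comment of run_dsa_verify still describes only KEYFILE and SIGFILE although the signature now takes `hashalgo`. I would add a sentence such as `HASHALGO selects the digest applied to DATA; the result is cut to at most the length of the digest derived from the key.` The comment above run_dsa_sign in the first patch has the same gap. Only the tail of the run_dsa_verify comment is visible in this hunk.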
@@ -3011,10 +3019,17 @@ main (int argc, char **argv) } else if (!strcmp (mode_string, "dsa-verify")) { + int algo; + if (!key_string) die ("option --key is required in this mode\n"); if (access (key_string, R_OK)) die ("option --key needs to specify an existing keyfile\n"); + if (!algo_string) + die ("option --algo is required in this mode\n"); + algo = gcry_md_map_name (algo_string); + if (!algo) + die ("digest algorithm `%s' is not supported\n", algo_string); if (!data) die ("no data available (do not use --chunk)\n"); if (!signature_string) @@ -3022,7 +3037,7 @@ main (int argc, char **argv) if (access (signature_string, R_OK)) die ("option --signature needs to specify an existing file\n"); - run_dsa_verify (data, datalen, key_string, signature_string); + run_dsa_verify (data, datalen, algo, key_string, signature_string); } else if (!strcmp (mode_string, "ecdsa-gen-key")) {