![toshaan@powerel.org](/assets/img/avatar_default.png)
commit
cbffd33d37
10 changed files with 4414 additions and 0 deletions
@ -0,0 +1,51 @@
@@ -0,0 +1,51 @@
|
||||
From 58c92098d053aae7c78cc42bdd7c80c13efc89bb Mon Sep 17 00:00:00 2001 |
||||
From: NIIBE Yutaka <gniibe@fsij.org> |
||||
Date: Fri, 24 Jun 2022 08:59:31 +0900 |
||||
Subject: [PATCH] hmac,hkdf: Allow use of shorter salt for HKDF. |
||||
|
||||
* cipher/md.c (prepare_macpads): Move the check to... |
||||
* src/visibility.c (gcry_mac_setkey): ... here. |
||||
* tests/t-kdf.c (check_hkdf): No failure is expected. |
||||
|
||||
-- |
||||
|
||||
GnuPG-bug-id: 6039 |
||||
Fixes-commit: 76aad97dd312e83f2f9b8d086553f2b72ab6546f |
||||
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> |
||||
--- |
||||
cipher/md.c | 3 --- |
||||
src/visibility.c | 3 +++ |
||||
tests/t-kdf.c | 12 +----------- |
||||
3 files changed, 4 insertions(+), 14 deletions(-) |
||||
|
||||
diff --git a/cipher/md.c b/cipher/md.c |
||||
index 4f4fc9bf..34336b5c 100644 |
||||
--- a/cipher/md.c |
||||
+++ b/cipher/md.c |
||||
@@ -903,9 +903,6 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) |
||||
{ |
||||
GcryDigestEntry *r; |
||||
|
||||
- if (fips_mode () && keylen < 14) |
||||
- return GPG_ERR_INV_VALUE; |
||||
- |
||||
if (!a->ctx->list) |
||||
return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */ |
||||
|
||||
diff --git a/src/visibility.c b/src/visibility.c |
||||
index c98247d8..aee5bffb 100644 |
||||
--- a/src/visibility.c |
||||
+++ b/src/visibility.c |
||||
@@ -946,6 +946,9 @@ gcry_mac_setkey (gcry_mac_hd_t hd, const void *key, size_t keylen) |
||||
if (!fips_is_operational ()) |
||||
return gpg_error (fips_not_operational ()); |
||||
|
||||
+ if (fips_mode () && keylen < 14) |
||||
+ return GPG_ERR_INV_VALUE; |
||||
+ |
||||
return gpg_error (_gcry_mac_setkey (hd, key, keylen)); |
||||
} |
||||
|
||||
-- |
||||
2.37.1 |
||||
|
@ -0,0 +1,70 @@
@@ -0,0 +1,70 @@
|
||||
From ca2afc9fb64d9a9b2f8930ba505d9ab6c8a57667 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Thu, 12 May 2022 10:56:47 +0200 |
||||
Subject: [PATCH] cipher: Allow verification of small RSA signatures in FIPS |
||||
mode |
||||
|
||||
* cipher/rsa.c (rsa_check_keysize): Formatting. |
||||
(rsa_check_verify_keysize): New function. |
||||
(rsa_verify): Allow using smaller keys for verification. |
||||
-- |
||||
|
||||
GnuPG-bug-id: 5975 |
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
cipher/rsa.c | 26 ++++++++++++++++++++++++-- |
||||
1 file changed, 24 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/cipher/rsa.c b/cipher/rsa.c |
||||
index c6319b67..9f2b36e8 100644 |
||||
--- a/cipher/rsa.c |
||||
+++ b/cipher/rsa.c |
||||
@@ -352,13 +352,35 @@ generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e, |
||||
static gpg_err_code_t |
||||
rsa_check_keysize (unsigned int nbits) |
||||
{ |
||||
- if (fips_mode() && nbits < 2048) |
||||
+ if (fips_mode () && nbits < 2048) |
||||
return GPG_ERR_INV_VALUE; |
||||
|
||||
return GPG_ERR_NO_ERROR; |
||||
} |
||||
|
||||
|
||||
+/* Check the RSA key length is acceptable for signature verification |
||||
+ * |
||||
+ * FIPS allows signature verification with RSA keys of size |
||||
+ * 1024, 1280, 1536 and 1792 in legacy mode, but this is up to the |
||||
+ * calling application to decide if the signature is legacy and |
||||
+ * should be accepted. |
||||
+ */ |
||||
+static gpg_err_code_t |
||||
+rsa_check_verify_keysize (unsigned int nbits) |
||||
+{ |
||||
+ if (fips_mode ()) |
||||
+ { |
||||
+ if ((nbits >= 1024 && (nbits % 256) == 0) || nbits >= 2048) |
||||
+ return GPG_ERR_NO_ERROR; |
||||
+ |
||||
+ return GPG_ERR_INV_VALUE; |
||||
+ } |
||||
+ |
||||
+ return GPG_ERR_NO_ERROR; |
||||
+} |
||||
+ |
||||
+ |
||||
/**************** |
||||
* Generate a key pair with a key of size NBITS. |
||||
* USE_E = 0 let Libcgrypt decide what exponent to use. |
||||
@@ -1602,7 +1624,7 @@ rsa_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) |
||||
gcry_mpi_t result = NULL; |
||||
unsigned int nbits = rsa_get_nbits (keyparms); |
||||
|
||||
- rc = rsa_check_keysize (nbits); |
||||
+ rc = rsa_check_verify_keysize (nbits); |
||||
if (rc) |
||||
return rc; |
||||
|
||||
-- |
||||
2.37.1 |
||||
|
@ -0,0 +1,239 @@
@@ -0,0 +1,239 @@
|
||||
From d651e25be0bc0c11f4d3d7c72be8cfbbe82b3874 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 10 Sep 2021 18:39:00 +0200 |
||||
Subject: [PATCH] Allow building libgcrypt without Brainpool curves |
||||
|
||||
* README: Document possibility to build without brainpool curves |
||||
* cipher/ecc-curves.c: Conditionalize brainpool curves definitions |
||||
* configure.ac: Implement possibility to build without brainpool curves |
||||
* tests/curves.c: Skip brainpool curves if they are not built-in |
||||
* tests/keygrip.c: Skip brainpool curves if they are not built-in |
||||
|
||||
-- |
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
README | 3 +++ |
||||
cipher/ecc-curves.c | 4 ++++ |
||||
configure.ac | 13 +++++++++++++ |
||||
tests/curves.c | 46 ++++++++++++++++++++++++++++++--------------- |
||||
tests/keygrip.c | 2 ++ |
||||
5 files changed, 53 insertions(+), 15 deletions(-) |
||||
|
||||
diff --git a/README b/README |
||||
index 436b6cd4..1044109c 100644 |
||||
--- a/README |
||||
+++ b/README |
||||
@@ -127,6 +127,9 @@ |
||||
the list used with the current build the program |
||||
tests/version may be used. |
||||
|
||||
+ --disable-brainpool |
||||
+ Do not build in support for Brainpool curves. |
||||
+ |
||||
--disable-endian-check |
||||
Don't let configure test for the endianness but |
||||
try to use the OS provided macros at compile |
||||
diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c |
||||
index 7c86e12c..8fd95a9c 100644 |
||||
--- a/cipher/ecc-curves.c |
||||
+++ b/cipher/ecc-curves.c |
||||
@@ -77,6 +77,7 @@ static const struct |
||||
{ "NIST P-521", "1.3.132.0.35" }, |
||||
{ "NIST P-521", "nistp521" }, /* rfc5656. */ |
||||
|
||||
+#ifdef ENABLE_BRAINPOOL |
||||
{ "brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1" }, |
||||
{ "brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3" }, |
||||
{ "brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5" }, |
||||
@@ -84,6 +85,7 @@ static const struct |
||||
{ "brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9" }, |
||||
{ "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"}, |
||||
{ "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"}, |
||||
+#endif /* ENABLE_BRAINPOOL */ |
||||
|
||||
{ "GOST2001-test", "1.2.643.2.2.35.0" }, |
||||
{ "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" }, |
||||
@@ -297,6 +299,7 @@ static const ecc_domain_parms_t domain_parms[] = |
||||
1 |
||||
}, |
||||
|
||||
+#ifdef ENABLE_BRAINPOOL |
||||
{ "brainpoolP160r1", 160, 0, |
||||
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, |
||||
"0xe95e4a5f737059dc60dfc7ad95b3d8139515620f", |
||||
@@ -391,6 +394,7 @@ static const ecc_domain_parms_t domain_parms[] = |
||||
"b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892", |
||||
1 |
||||
}, |
||||
+#endif /* ENABLE_BRAINPOOL */ |
||||
{ |
||||
"GOST2001-test", 256, 0, |
||||
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, |
||||
diff --git a/configure.ac b/configure.ac |
||||
index 6efbf139..f4ac1887 100644 |
||||
--- a/configure.ac |
||||
+++ b/configure.ac |
||||
@@ -614,6 +614,14 @@ AC_ARG_WITH(fips-module-version, |
||||
AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version", |
||||
[Define FIPS module version for certification]) |
||||
|
||||
+# Implementation of the --disable-brainpool switch. |
||||
+AC_MSG_CHECKING([whether we want to disable the use of brainpool curves]) |
||||
+AC_ARG_ENABLE(brainpool, |
||||
+ AS_HELP_STRING([--disable-brainpool], |
||||
+ [Disable the brainpool curves]), |
||||
+ use_brainpool="$enableval",use_brainpool=yes) |
||||
+AC_MSG_RESULT($use_brainpool) |
||||
+ |
||||
# Implementation of the --disable-jent-support switch. |
||||
AC_MSG_CHECKING([whether jitter entropy support is requested]) |
||||
AC_ARG_ENABLE(jent-support, |
||||
@@ -2466,6 +2474,10 @@ if test x"$ppccryptosupport" = xyes ; then |
||||
AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1, |
||||
[Enable support for POWER 8 (PowerISA 2.07) crypto extension.]) |
||||
fi |
||||
+if test x"$use_brainpool" = xyes ; then |
||||
+ AC_DEFINE(ENABLE_BRAINPOOL, 1, |
||||
+ [Enable support for the brainpool curves.]) |
||||
+fi |
||||
if test x"$jentsupport" = xyes ; then |
||||
AC_DEFINE(ENABLE_JENT_SUPPORT, 1, |
||||
[Enable support for the jitter entropy collector.]) |
||||
@@ -3296,6 +3308,7 @@ GCRY_MSG_WRAP([Enabled digest algorithms:],[$enabled_digests]) |
||||
GCRY_MSG_WRAP([Enabled kdf algorithms: ],[$enabled_kdfs]) |
||||
GCRY_MSG_WRAP([Enabled pubkey algorithms:],[$enabled_pubkey_ciphers]) |
||||
GCRY_MSG_SHOW([Random number generator: ],[$random]) |
||||
+GCRY_MSG_SHOW([Enabled Brainpool curves: ],[$use_brainpool]) |
||||
GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport]) |
||||
GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities]) |
||||
GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version]) |
||||
diff --git a/tests/curves.c b/tests/curves.c |
||||
index 3c738171..8eb79565 100644 |
||||
--- a/tests/curves.c |
||||
+++ b/tests/curves.c |
||||
@@ -33,7 +33,11 @@ |
||||
#include "t-common.h" |
||||
|
||||
/* Number of curves defined in ../cipher/ecc-curves.c */ |
||||
-#define N_CURVES 27 |
||||
+#ifdef ENABLE_BRAINPOOL |
||||
+# define N_CURVES 27 |
||||
+#else |
||||
+# define N_CURVES 20 |
||||
+#endif |
||||
|
||||
/* A real world sample public key. */ |
||||
static char const sample_key_1[] = |
||||
@@ -52,6 +56,7 @@ static char const sample_key_1[] = |
||||
static char const sample_key_1_curve[] = "NIST P-256"; |
||||
static unsigned int sample_key_1_nbits = 256; |
||||
|
||||
+#ifdef ENABLE_BRAINPOOL |
||||
/* A made up sample public key. */ |
||||
static char const sample_key_2[] = |
||||
"(public-key\n" |
||||
@@ -68,6 +73,7 @@ static char const sample_key_2[] = |
||||
" ))"; |
||||
static char const sample_key_2_curve[] = "brainpoolP160r1"; |
||||
static unsigned int sample_key_2_nbits = 160; |
||||
+#endif /* ENABLE_BRAINPOOL */ |
||||
|
||||
static int in_fips_mode; |
||||
|
||||
@@ -113,6 +119,7 @@ check_matching (void) |
||||
|
||||
gcry_sexp_release (key); |
||||
|
||||
+#ifdef ENABLE_BRAINPOOL |
||||
if (!in_fips_mode) |
||||
{ |
||||
err = gcry_sexp_new (&key, sample_key_2, 0, 1); |
||||
@@ -130,6 +137,7 @@ check_matching (void) |
||||
|
||||
gcry_sexp_release (key); |
||||
} |
||||
+#endif /* ENABLE_BRAINPOOL */ |
||||
} |
||||
|
||||
#define TEST_ERROR_EXPECTED (1 << 0) |
||||
@@ -185,20 +193,26 @@ check_get_params (void) |
||||
{ GCRY_PK_ECC, "1.3.132.0.35" }, |
||||
{ GCRY_PK_ECC, "nistp521" }, |
||||
|
||||
- { GCRY_PK_ECC, "brainpoolP160r1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "brainpoolP192r1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "brainpoolP224r1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "brainpoolP256r1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "brainpoolP320r1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "brainpoolP384r1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "brainpoolP512r1", TEST_NOFIPS }, |
||||
- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS }, |
||||
+#ifdef ENABLE_BRAINPOOL |
||||
+# define BRAINPOOL_FLAGS TEST_NOFIPS |
||||
+#else |
||||
+# define BRAINPOOL_FLAGS TEST_ERROR_EXPECTED |
||||
+#endif /* ENABLE_BRAINPOOL */ |
||||
+ { GCRY_PK_ECC, "brainpoolP160r1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "brainpoolP192r1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "brainpoolP224r1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "brainpoolP256r1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "brainpoolP320r1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "brainpoolP384r1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "brainpoolP512r1", BRAINPOOL_FLAGS }, |
||||
+ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", BRAINPOOL_FLAGS }, |
||||
+#undef BRAINPOOL_ERROR_EXPECTED |
||||
|
||||
{ GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS }, |
||||
{ GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS }, |
||||
@@ -282,6 +296,7 @@ check_get_params (void) |
||||
|
||||
gcry_sexp_release (param); |
||||
|
||||
+#ifdef ENABLE_BRAINPOOL |
||||
if (!in_fips_mode) |
||||
{ |
||||
param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve); |
||||
@@ -297,6 +312,7 @@ check_get_params (void) |
||||
|
||||
gcry_sexp_release (param); |
||||
} |
||||
+#endif /* ENABLE_BRAINPOOL */ |
||||
|
||||
/* Some simple tests */ |
||||
for (idx=0; idx < DIM (tv); idx++) |
||||
diff --git a/tests/keygrip.c b/tests/keygrip.c |
||||
index 49bd71bc..fc4c17be 100644 |
||||
--- a/tests/keygrip.c |
||||
+++ b/tests/keygrip.c |
||||
@@ -149,6 +149,7 @@ static struct |
||||
" (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", |
||||
"\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" |
||||
}, |
||||
+#ifdef ENABLE_BRAINPOOL |
||||
{ |
||||
GCRY_PK_ECC, |
||||
"(public-key" |
||||
@@ -197,6 +198,7 @@ static struct |
||||
"\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F", |
||||
1 |
||||
}, |
||||
+#endif /*ENABLE_BRAINPOOL */ |
||||
{ /* Ed25519 standard */ |
||||
GCRY_PK_ECC, |
||||
"(public-key" |
||||
-- |
||||
2.34.1 |
||||
|
@ -0,0 +1,151 @@
@@ -0,0 +1,151 @@
|
||||
From 34d8fc576b3a06dd205f45327a971eb6771e808c Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Wed, 17 Aug 2022 09:01:44 +0200 |
||||
Subject: [PATCH 1/2] Disable RSA-OAEP padding in FIPS mode |
||||
|
||||
* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block OAEP padding |
||||
in FIPS mode for encryption |
||||
* cipher/rsa.c (rsa_decrypt): Block OAEP padding in FIPS mode for |
||||
decryption |
||||
--- |
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
cipher/pubkey-util.c | 5 ++++- |
||||
cipher/rsa.c | 3 ++- |
||||
2 files changed, 6 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c |
||||
index 4953caf3..244dd5d4 100644 |
||||
--- a/cipher/pubkey-util.c |
||||
+++ b/cipher/pubkey-util.c |
||||
@@ -1092,7 +1092,10 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi, |
||||
const void * value; |
||||
size_t valuelen; |
||||
|
||||
- if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen ) |
||||
+ /* The RSA OAEP encryption requires some more assurances in FIPS */ |
||||
+ if (fips_mode ()) |
||||
+ rc = GPG_ERR_INV_FLAG; |
||||
+ else if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen ) |
||||
rc = GPG_ERR_INV_OBJ; |
||||
else |
||||
{ |
||||
diff --git a/cipher/rsa.c b/cipher/rsa.c |
||||
index 96dba090..87f57b55 100644 |
||||
--- a/cipher/rsa.c |
||||
+++ b/cipher/rsa.c |
||||
@@ -1457,7 +1457,8 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) |
||||
rc = GPG_ERR_INV_DATA; |
||||
goto leave; |
||||
} |
||||
- if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1)) |
||||
+ if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1 || |
||||
+ ctx.encoding == PUBKEY_ENC_OAEP)) |
||||
{ |
||||
rc = GPG_ERR_INV_FLAG; |
||||
goto leave; |
||||
-- |
||||
2.37.1 |
||||
|
||||
|
||||
From c6d64e697c2748a49e875060aa753fc568c5f772 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Wed, 17 Aug 2022 10:31:19 +0200 |
||||
Subject: [PATCH 2/2] tests: Expect the OEAP tests to fail in FIPS mode |
||||
|
||||
* tests/basic.c (check_pubkey_crypt): Expect the OAEP padding encryption |
||||
to fail in FIPS mode |
||||
* tests/pkcs1v2.c (check_oaep): Expect the OAEP tests to fail in FIPS |
||||
mode |
||||
--- |
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
tests/basic.c | 14 +++++++++----- |
||||
tests/pkcs1v2.c | 13 +++++++++++++ |
||||
2 files changed, 22 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/tests/basic.c b/tests/basic.c |
||||
index 26980e15..b4102c9f 100644 |
||||
--- a/tests/basic.c |
||||
+++ b/tests/basic.c |
||||
@@ -16892,21 +16892,24 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
"(flags oaep)", |
||||
1, |
||||
0, |
||||
- 0 }, |
||||
+ 0, |
||||
+ FLAG_NOFIPS }, |
||||
{ GCRY_PK_RSA, |
||||
"(data\n (flags oaep)\n (hash-algo sha1)\n" |
||||
" (value #11223344556677889900AA#))\n", |
||||
"(flags oaep)(hash-algo sha1)", |
||||
1, |
||||
0, |
||||
- 0 }, |
||||
+ 0, |
||||
+ FLAG_NOFIPS }, |
||||
{ GCRY_PK_RSA, |
||||
"(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n" |
||||
" (value #11223344556677889900AA#))\n", |
||||
"(flags oaep)(hash-algo sha1)(label \"test\")", |
||||
1, |
||||
0, |
||||
- 0 }, |
||||
+ 0, |
||||
+ FLAG_NOFIPS }, |
||||
{ GCRY_PK_RSA, |
||||
"(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n" |
||||
" (value #11223344556677889900AA#)\n" |
||||
@@ -16914,7 +16917,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
"(flags oaep)(hash-algo sha1)(label \"test\")", |
||||
1, |
||||
0, |
||||
- 0 }, |
||||
+ 0, |
||||
+ FLAG_NOFIPS }, |
||||
{ 0, |
||||
"(data\n (flags )\n" " (value #11223344556677889900AA#))\n", |
||||
NULL, |
||||
@@ -16960,7 +16964,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
"(flags pkcs1)", |
||||
1, |
||||
0, |
||||
- GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL }, |
||||
+ GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL | FLAG_NOFIPS }, |
||||
{ 0, |
||||
"(data\n (flags pss)\n" |
||||
" (value #11223344556677889900AA#))\n", |
||||
diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c |
||||
index 6c7f3d81..2fd495d5 100644 |
||||
--- a/tests/pkcs1v2.c |
||||
+++ b/tests/pkcs1v2.c |
||||
@@ -186,11 +186,24 @@ check_oaep (void) |
||||
err = gcry_pk_encrypt (&ciph, plain, pub_key); |
||||
if (err) |
||||
{ |
||||
+ if (in_fips_mode) |
||||
+ { |
||||
+ gcry_sexp_release (plain); |
||||
+ plain = NULL; |
||||
+ continue; |
||||
+ } |
||||
show_sexp ("plain:\n", ciph); |
||||
fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err)); |
||||
} |
||||
else |
||||
{ |
||||
+ if (in_fips_mode) |
||||
+ { |
||||
+ fail ("The OAEP encryption unexpectedly worked in FIPS mode\n"); |
||||
+ gcry_sexp_release (plain); |
||||
+ plain = NULL; |
||||
+ continue; |
||||
+ } |
||||
if (extract_cmp_data (ciph, "a", tbl[tno].m[mno].encr, |
||||
tbl[tno].m[mno].desc)) |
||||
{ |
||||
-- |
||||
2.37.1 |
||||
|
@ -0,0 +1,219 @@
@@ -0,0 +1,219 @@
|
||||
From c7709f7b23848abf4ba65cb99cb2a9e9c7ebdefc Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 1 Apr 2022 18:29:08 +0200 |
||||
Subject: [PATCH 1/3] Do not allow PKCS #1.5 padding for encryption in FIPS |
||||
|
||||
* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block PKCS #1.5 |
||||
padding for encryption in FIPS mode |
||||
* cipher/rsa.c (rsa_decrypt): Block PKCS #1.5 decryption in FIPS mode |
||||
-- |
||||
|
||||
GnuPG-bug-id: 5918 |
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
cipher/pubkey-util.c | 5 ++++- |
||||
cipher/rsa.c | 5 +++++ |
||||
2 files changed, 9 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c |
||||
index 68defea6..4953caf3 100644 |
||||
--- a/cipher/pubkey-util.c |
||||
+++ b/cipher/pubkey-util.c |
||||
@@ -957,7 +957,10 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi, |
||||
void *random_override = NULL; |
||||
size_t random_override_len = 0; |
||||
|
||||
- if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen ) |
||||
+ /* The RSA PKCS#1.5 encryption is no longer supported by FIPS */ |
||||
+ if (fips_mode ()) |
||||
+ rc = GPG_ERR_INV_FLAG; |
||||
+ else if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen ) |
||||
rc = GPG_ERR_INV_OBJ; |
||||
else |
||||
{ |
||||
diff --git a/cipher/rsa.c b/cipher/rsa.c |
||||
index 771413b3..c6319b67 100644 |
||||
--- a/cipher/rsa.c |
||||
+++ b/cipher/rsa.c |
||||
@@ -1391,6 +1391,11 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) |
||||
rc = GPG_ERR_INV_DATA; |
||||
goto leave; |
||||
} |
||||
+ if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1)) |
||||
+ { |
||||
+ rc = GPG_ERR_INV_FLAG; |
||||
+ goto leave; |
||||
+ } |
||||
|
||||
/* Extract the key. */ |
||||
rc = sexp_extract_param (keyparms, NULL, "nedp?q?u?", |
||||
-- |
||||
2.34.1 |
||||
|
||||
|
||||
From 299e2f93415984919181e0ee651719bbf83bdd2f Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 1 Apr 2022 18:31:05 +0200 |
||||
Subject: [PATCH 2/3] tests: Replace custom bit with more generic flags |
||||
|
||||
* tests/basic.c (global): New flag FLAG_SPECIAL |
||||
(check_pubkey_crypt): Change to use bitfield flags |
||||
|
||||
-- |
||||
|
||||
GnuPG-bug-id: 5918 |
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
tests/basic.c | 19 ++++++++++--------- |
||||
1 file changed, 10 insertions(+), 9 deletions(-) |
||||
|
||||
diff --git a/tests/basic.c b/tests/basic.c |
||||
index a0ad33eb..1c6cb40b 100644 |
||||
--- a/tests/basic.c |
||||
+++ b/tests/basic.c |
||||
@@ -55,11 +55,12 @@ typedef struct test_spec_pubkey |
||||
} |
||||
test_spec_pubkey_t; |
||||
|
||||
-#define FLAG_CRYPT (1 << 0) |
||||
-#define FLAG_SIGN (1 << 1) |
||||
-#define FLAG_GRIP (1 << 2) |
||||
-#define FLAG_NOFIPS (1 << 3) |
||||
-#define FLAG_CFB8 (1 << 4) |
||||
+#define FLAG_CRYPT (1 << 0) |
||||
+#define FLAG_SIGN (1 << 1) |
||||
+#define FLAG_GRIP (1 << 2) |
||||
+#define FLAG_NOFIPS (1 << 3) |
||||
+#define FLAG_CFB8 (1 << 4) |
||||
+#define FLAG_SPECIAL (1 << 5) |
||||
|
||||
static int in_fips_mode; |
||||
|
||||
@@ -15558,7 +15559,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
int unpadded; |
||||
int encrypt_expected_rc; |
||||
int decrypt_expected_rc; |
||||
- int special; |
||||
+ int flags; |
||||
} datas[] = |
||||
{ |
||||
{ GCRY_PK_RSA, |
||||
@@ -15642,14 +15643,14 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
"(flags oaep)", |
||||
1, |
||||
0, |
||||
- GPG_ERR_ENCODING_PROBLEM, 1 }, |
||||
+ GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL }, |
||||
{ GCRY_PK_RSA, |
||||
"(data\n (flags oaep)\n" |
||||
" (value #11223344556677889900AA#))\n", |
||||
"(flags pkcs1)", |
||||
1, |
||||
0, |
||||
- GPG_ERR_ENCODING_PROBLEM, 1 }, |
||||
+ GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL }, |
||||
{ 0, |
||||
"(data\n (flags pss)\n" |
||||
" (value #11223344556677889900AA#))\n", |
||||
@@ -15725,7 +15726,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
ciph = list; |
||||
} |
||||
rc = gcry_pk_decrypt (&plain, ciph, skey); |
||||
- if (!rc && datas[dataidx].special == 1) |
||||
+ if (!rc && (datas[dataidx].flags & FLAG_SPECIAL)) |
||||
{ |
||||
/* It may happen that OAEP formatted data which is |
||||
decrypted as pkcs#1 data returns a valid pkcs#1 |
||||
-- |
||||
2.34.1 |
||||
|
||||
|
||||
From f736f3c70182d9c948f9105eb769c47c5578df35 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 1 Apr 2022 18:34:42 +0200 |
||||
Subject: [PATCH 3/3] tests: Expect the RSA PKCS #1.5 encryption to fail in |
||||
FIPS mode |
||||
|
||||
* tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to |
||||
fail in FIPS mode. Expect failure when wrong padding is selected |
||||
* tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to |
||||
fail in FIPS mode |
||||
-- |
||||
|
||||
GnuPG-bug-id: 5918 |
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
tests/basic.c | 11 +++++++---- |
||||
tests/pkcs1v2.c | 14 +++++++++++++- |
||||
2 files changed, 20 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/tests/basic.c b/tests/basic.c |
||||
index 1c6cb40b..85764591 100644 |
||||
--- a/tests/basic.c |
||||
+++ b/tests/basic.c |
||||
@@ -15568,14 +15568,16 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
NULL, |
||||
0, |
||||
0, |
||||
- 0 }, |
||||
+ 0, |
||||
+ FLAG_NOFIPS }, |
||||
{ GCRY_PK_RSA, |
||||
"(data\n (flags pkcs1)\n" |
||||
" (value #11223344556677889900AA#))\n", |
||||
"(flags pkcs1)", |
||||
1, |
||||
0, |
||||
- 0 }, |
||||
+ 0, |
||||
+ FLAG_NOFIPS }, |
||||
{ GCRY_PK_RSA, |
||||
"(data\n (flags oaep)\n" |
||||
" (value #11223344556677889900AA#))\n", |
||||
@@ -15677,7 +15679,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
die ("converting data failed: %s\n", gpg_strerror (rc)); |
||||
|
||||
rc = gcry_pk_encrypt (&ciph, data, pkey); |
||||
- if (in_fips_mode && (flags & FLAG_NOFIPS)) |
||||
+ if (in_fips_mode && ((flags & FLAG_NOFIPS) || |
||||
+ (datas[dataidx].flags & FLAG_NOFIPS))) |
||||
{ |
||||
if (!rc) |
||||
fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n"); |
||||
@@ -15726,7 +15729,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, |
||||
ciph = list; |
||||
} |
||||
rc = gcry_pk_decrypt (&plain, ciph, skey); |
||||
- if (!rc && (datas[dataidx].flags & FLAG_SPECIAL)) |
||||
+ if ((!rc || in_fips_mode) && (datas[dataidx].flags & FLAG_SPECIAL)) |
||||
{ |
||||
/* It may happen that OAEP formatted data which is |
||||
decrypted as pkcs#1 data returns a valid pkcs#1 |
||||
diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c |
||||
index f26e779b..6c7f3d81 100644 |
||||
--- a/tests/pkcs1v2.c |
||||
+++ b/tests/pkcs1v2.c |
||||
@@ -454,7 +454,19 @@ check_v15crypt (void) |
||||
gcry_free (seed); |
||||
|
||||
err = gcry_pk_encrypt (&ciph, plain, pub_key); |
||||
- if (err) |
||||
+ if (in_fips_mode) |
||||
+ { |
||||
+ if (!err) |
||||
+ { |
||||
+ fail ("gcry_pk_encrypt should have failed in FIPS mode:\n"); |
||||
+ } |
||||
+ gcry_sexp_release (plain); |
||||
+ plain = NULL; |
||||
+ gcry_sexp_release (ciph); |
||||
+ ciph = NULL; |
||||
+ continue; |
||||
+ } |
||||
+ else if (err) |
||||
{ |
||||
show_sexp ("plain:\n", ciph); |
||||
fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err)); |
||||
-- |
||||
2.34.1 |
||||
|
@ -0,0 +1,41 @@
@@ -0,0 +1,41 @@
|
||||
From 0a5e608b8b18d4f41e4d7434c6262bf11507f859 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Tue, 16 Aug 2022 15:30:43 +0200 |
||||
Subject: [PATCH] random: Use getrandom (GRND_RANDOM) in FIPS mode |
||||
|
||||
The SP800-90C (clarified in IG D.K.) requires the following when |
||||
different DRBGs are chained: |
||||
* the parent needs to be reseeded before generate operation |
||||
* the reseed & generate needs to be atomic |
||||
|
||||
In RHEL, this is addressed by change in the kernel, that will do this |
||||
automatically, when the getentropy () is called with GRND_RANDOM flag. |
||||
|
||||
* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use |
||||
GRND_RANDOM in FIPS Mode |
||||
--- |
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> |
||||
--- |
||||
random/rndgetentropy.c | 5 ++++- |
||||
1 file changed, 4 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/random/rndgetentropy.c b/random/rndgetentropy.c |
||||
index 7580873e..db4b09ed 100644 |
||||
--- a/random/rndgetentropy.c |
||||
+++ b/random/rndgetentropy.c |
||||
@@ -82,7 +82,10 @@ _gcry_rndgetentropy_gather_random (void (*add)(const void*, size_t, |
||||
{ |
||||
nbytes = length < sizeof (buffer)? length : sizeof (buffer); |
||||
_gcry_pre_syscall (); |
||||
- ret = getentropy (buffer, nbytes); |
||||
+ if (fips_mode ()) |
||||
+ ret = getrandom (buffer, nbytes, GRND_RANDOM); |
||||
+ else |
||||
+ ret = getentropy (buffer, nbytes); |
||||
_gcry_post_syscall (); |
||||
} |
||||
while (ret == -1 && errno == EINTR); |
||||
-- |
||||
2.37.1 |
||||
|
@ -0,0 +1,29 @@
@@ -0,0 +1,29 @@
|
||||
From 29bfb3ebbc63d7ed18b916c5c6946790fb3d15df Mon Sep 17 00:00:00 2001 |
||||
From: Jussi Kivilinna <jussi.kivilinna@iki.fi> |
||||
Date: Fri, 1 Apr 2022 09:49:20 +0300 |
||||
Subject: [PATCH] hwf-ppc: fix missing HWF_PPC_ARCH_3_10 in HW feature |
||||
|
||||
* src/hwf-ppc.c (ppc_features): Add HWF_PPC_ARCH_3_10. |
||||
-- |
||||
|
||||
GnuPG-bug-id: T5913 |
||||
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> |
||||
--- |
||||
src/hwf-ppc.c | 1 + |
||||
1 file changed, 1 insertion(+) |
||||
|
||||
diff --git a/src/hwf-ppc.c b/src/hwf-ppc.c |
||||
index 7801f8b0..11d14dc1 100644 |
||||
--- a/src/hwf-ppc.c |
||||
+++ b/src/hwf-ppc.c |
||||
@@ -103,6 +103,7 @@ static const struct feature_map_s ppc_features[] = |
||||
{ 0, PPC_FEATURE2_VEC_CRYPTO, HWF_PPC_VCRYPTO }, |
||||
#endif |
||||
{ 0, PPC_FEATURE2_ARCH_3_00, HWF_PPC_ARCH_3_00 }, |
||||
+ { 0, PPC_FEATURE2_ARCH_3_10, HWF_PPC_ARCH_3_10 }, |
||||
}; |
||||
#endif |
||||
|
||||
-- |
||||
2.34.1 |
||||
|
@ -0,0 +1,684 @@
@@ -0,0 +1,684 @@
|
||||
# This is taken from gnutls.spec |
||||
%define srpmhash() %{lua: |
||||
local files = rpm.expand("%_specdir/libgcrypt.spec") |
||||
for i, p in ipairs(patches) do |
||||
files = files.." "..p |
||||
end |
||||
for i, p in ipairs(sources) do |
||||
files = files.." "..p |
||||
end |
||||
local sha256sum = assert(io.popen("cat "..files.."| sha256sum")) |
||||
local hash = sha256sum:read("*a") |
||||
sha256sum:close() |
||||
print(string.sub(hash, 0, 16)) |
||||
} |
||||
|
||||
|
||||
Name: libgcrypt |
||||
Version: 1.10.0 |
||||
Release: 5%{?dist} |
||||
URL: https://www.gnupg.org/ |
||||
Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 |
||||
Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig |
||||
Source2: wk@g10code.com |
||||
Patch1: libgcrypt-1.10.0-disable-brainpool.patch |
||||
Patch2: libgcrypt-1.10.0-fips-disable-pkcs1.5.patch |
||||
Patch3: libgcrypt-1.10.0-ppc-hwf.patch |
||||
Patch4: libgcrypt-1.10.0-allow-small-RSA-verify.patch |
||||
Patch5: libgcrypt-1.10.0-allow-short-salt.patch |
||||
Patch6: libgcrypt-1.10.0-fips-getrandom.patch |
||||
Patch7: libgcrypt-1.10.0-fips-selftest.patch |
||||
Patch8: libgcrypt-1.10.0-fips-disable-oaep.patch |
||||
|
||||
%global gcrylibdir %{_libdir} |
||||
%global gcrysoname libgcrypt.so.20 |
||||
%global hmackey orboDeJITITejsirpADONivirpUkvarP |
||||
|
||||
# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction. |
||||
# Documentation and some utilities are GPLv2+ licensed. These files |
||||
# are in the devel subpackage. |
||||
License: LGPLv2+ |
||||
Summary: A general-purpose cryptography library |
||||
BuildRequires: gcc |
||||
BuildRequires: gawk, libgpg-error-devel >= 1.11, pkgconfig |
||||
# This is needed only when patching the .texi doc. |
||||
BuildRequires: texinfo |
||||
BuildRequires: autoconf, automake, libtool |
||||
BuildRequires: make |
||||
|
||||
%package devel |
||||
Summary: Development files for the %{name} package |
||||
License: LGPLv2+ and GPLv2+ |
||||
Requires: libgpg-error-devel |
||||
Requires: %{name}%{?_isa} = %{version}-%{release} |
||||
Requires: pkgconfig |
||||
|
||||
%description |
||||
Libgcrypt is a general purpose crypto library based on the code used |
||||
in GNU Privacy Guard. This is a development version. |
||||
|
||||
%description devel |
||||
Libgcrypt is a general purpose crypto library based on the code used |
||||
in GNU Privacy Guard. This package contains files needed to develop |
||||
applications using libgcrypt. |
||||
|
||||
%prep |
||||
%setup -q |
||||
%patch1 -p1 |
||||
%patch2 -p1 |
||||
%patch3 -p1 |
||||
%patch4 -p1 |
||||
%patch5 -p1 |
||||
%patch6 -p1 |
||||
%patch7 -p1 |
||||
%patch8 -p1 |
||||
|
||||
%build |
||||
# This package has a configure test which uses ASMs, but does not link the |
||||
# resultant .o files. As such the ASM test is always successful, even on |
||||
# architectures were the ASM is not valid when compiling with LTO. |
||||
# |
||||
# -ffat-lto-objects is sufficient to address this issue. It is the default |
||||
# for F33, but is expected to only be enabled for packages that need it in |
||||
# F34, so we use it here explicitly |
||||
%define _lto_cflags -flto=auto -ffat-lto-objects |
||||
|
||||
# should be all algorithms except SM3 and SM4 |
||||
export DIGESTS='crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2' |
||||
export CIPHERS='arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20' |
||||
|
||||
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release) |
||||
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" |
||||
|
||||
autoreconf -f |
||||
%configure --disable-static \ |
||||
%ifarch sparc64 |
||||
--disable-asm \ |
||||
%endif |
||||
--enable-noexecstack \ |
||||
--enable-hmac-binary-check=%{hmackey} \ |
||||
--disable-brainpool \ |
||||
--enable-digests="$DIGESTS" \ |
||||
--enable-ciphers="$CIPHERS" \ |
||||
--with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}" |
||||
sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool |
||||
%make_build |
||||
|
||||
%check |
||||
make check |
||||
# try in faked FIPS mode too |
||||
LIBGCRYPT_FORCE_FIPS_MODE=1 make check |
||||
|
||||
# Add generation of HMAC checksums of the final stripped binaries |
||||
%define libpath $RPM_BUILD_ROOT%{gcrylibdir}/%{gcrysoname}.?.? |
||||
%define __spec_install_post \ |
||||
%{?__debug_package:%{__debug_install_post}} \ |
||||
%{__arch_install_post} \ |
||||
%{__os_install_post} \ |
||||
dd if=/dev/zero of=%{libpath}.hmac bs=32 count=1 \ |
||||
objcopy --update-section .rodata1=%{libpath}.hmac %{libpath} %{libpath}.empty \ |
||||
src/hmac256 --binary %{hmackey} %{libpath}.empty > %{libpath}.hmac \ |
||||
objcopy --update-section .rodata1=%{libpath}.hmac %{libpath}.empty %{libpath}.new \ |
||||
mv -f %{libpath}.new %{libpath} \ |
||||
rm -f %{libpath}.hmac %{libpath}.empty |
||||
%{nil} |
||||
|
||||
%install |
||||
%make_install |
||||
|
||||
# Change /usr/lib64 back to /usr/lib. This saves us from having to patch the |
||||
# script to "know" that -L/usr/lib64 should be suppressed, and also removes |
||||
# a file conflict between 32- and 64-bit versions of this package. |
||||
# Also replace my_host with none. |
||||
sed -i -e 's,^libdir="/usr/lib.*"$,libdir="/usr/lib",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config |
||||
sed -i -e 's,^my_host=".*"$,my_host="none",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config |
||||
|
||||
rm -f ${RPM_BUILD_ROOT}/%{_infodir}/dir ${RPM_BUILD_ROOT}/%{_libdir}/*.la |
||||
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_libdir} |
||||
|
||||
%if "%{gcrylibdir}" != "%{_libdir}" |
||||
# Relocate the shared libraries to %{gcrylibdir}. |
||||
mkdir -p $RPM_BUILD_ROOT%{gcrylibdir} |
||||
for shlib in $RPM_BUILD_ROOT%{_libdir}/*.so* ; do |
||||
if test -L "$shlib" ; then |
||||
rm "$shlib" |
||||
else |
||||
mv "$shlib" $RPM_BUILD_ROOT%{gcrylibdir}/ |
||||
fi |
||||
done |
||||
|
||||
# Add soname symlink. |
||||
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/ |
||||
%endif |
||||
|
||||
# Overwrite development symlinks. |
||||
pushd $RPM_BUILD_ROOT/%{gcrylibdir} |
||||
for shlib in lib*.so.?? ; do |
||||
target=$RPM_BUILD_ROOT/%{_libdir}/`echo "$shlib" | sed -e 's,\.so.*,,g'`.so |
||||
%if "%{gcrylibdir}" != "%{_libdir}" |
||||
shlib=%{gcrylibdir}/$shlib |
||||
%endif |
||||
ln -sf $shlib $target |
||||
done |
||||
popd |
||||
|
||||
# Create /etc/gcrypt (hardwired, not dependent on the configure invocation) so |
||||
# that _someone_ owns it. |
||||
mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt |
||||
|
||||
%ldconfig_scriptlets |
||||
|
||||
%files |
||||
%dir /etc/gcrypt |
||||
%{gcrylibdir}/libgcrypt.so.*.* |
||||
%{gcrylibdir}/%{gcrysoname} |
||||
%license COPYING.LIB |
||||
%doc AUTHORS NEWS THANKS |
||||
|
||||
%files devel |
||||
%{_bindir}/%{name}-config |
||||
%{_bindir}/dumpsexp |
||||
%{_bindir}/hmac256 |
||||
%{_bindir}/mpicalc |
||||
%{_includedir}/* |
||||
%{_libdir}/*.so |
||||
%{_libdir}/pkgconfig/libgcrypt.pc |
||||
%{_datadir}/aclocal/* |
||||
%{_mandir}/man1/* |
||||
|
||||
%{_infodir}/gcrypt.info* |
||||
%license COPYING |
||||
|
||||
%changelog |
||||
* Wed Aug 17 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-5 |
||||
- Allow signature verification with smaller RSA keys (#2083846) |
||||
- Allow short salt for KDF (#2114870) |
||||
- Reseed the kernel DRBG by using GRND_RANDOM (#2118695) |
||||
- Address FIPS review comments around selftests (#2118695) |
||||
- Disable RSA-OAEP in FIPS mode (#2118695) |
||||
|
||||
* Fri May 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-4 |
||||
- Backport ppc hardware flags detection (#2051307) |
||||
- Disable PKCS#1.5 encryption in FIPS mode (#2061328) |
||||
|
||||
* Thu Mar 31 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-3 |
||||
- Use correct FIPS module name (#2067123) |
||||
|
||||
* Thu Feb 17 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-2 |
||||
- Systematic FIPS module name with other FIPS modules |
||||
|
||||
* Wed Feb 02 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-1 |
||||
- Final release (#2026636) |
||||
|
||||
* Thu Jan 27 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.3 |
||||
- Fix broken soname in the previous beta |
||||
|
||||
* Thu Jan 27 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.2 |
||||
- Provide compat soname symlink as the new release is backward compatible |
||||
|
||||
* Wed Jan 26 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.1 |
||||
- New upstream pre-release (#2026636) |
||||
- Upstream all patches |
||||
- Implement FIPS 140-3 support |
||||
|
||||
* Tue Oct 12 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-5 |
||||
- Allow HW optimizations in FIPS mode (#1990059) |
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.3-4 |
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags |
||||
Related: rhbz#1991688 |
||||
|
||||
* Tue Jun 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-3 |
||||
- Fix for CVE-2021-33560 (#1970098) |
||||
|
||||
* Wed Apr 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-2 |
||||
- Restore the CET protection (#1954049) |
||||
|
||||
* Tue Apr 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-1 |
||||
- New upstream release (#1951325) |
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.2-4 |
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 |
||||
|
||||
* Thu Apr 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-3 |
||||
- Fix issues reported by coverity |
||||
|
||||
* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-2 |
||||
- Fix OCB tag creation on s390x (failing gnupg2 tests) |
||||
|
||||
* Wed Feb 17 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-1 |
||||
- New upstream release (#1929630) |
||||
|
||||
* Fri Jan 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.1-1 |
||||
- New upstream release (#1922156, #1922097) |
||||
|
||||
* Wed Jan 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.0-1 |
||||
- New upstream release (#1917878) |
||||
|
||||
* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 1.8.7-1 |
||||
- new upstream release (#1891123) |
||||
|
||||
* Fri Aug 21 2020 Jeff Law <law@redhat.com> - 1.8.6-4 |
||||
- Re-enable LTO |
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.6-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild |
||||
|
||||
* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-2 |
||||
- Use make macros |
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro |
||||
|
||||
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.6-1 |
||||
- new upstream version 1.8.6 |
||||
|
||||
* Wed Jul 1 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-7 |
||||
- use the hmac256 tool to calculate the library hmac |
||||
|
||||
* Tue Jun 30 2020 Jeff Law <law@redhat.com> |
||||
- Disable LTO |
||||
|
||||
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-6 |
||||
- Fix regression - missing -ldl linkage |
||||
|
||||
* Wed Apr 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-5 |
||||
- AES performance improvements backported from master branch |
||||
|
||||
* Mon Apr 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-4 |
||||
- FIPS selftest is run directly from the constructor |
||||
- FIPS module is implicit with kernel FIPS flag |
||||
|
||||
* Thu Jan 30 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-3 |
||||
- fix the build on ARMv7 |
||||
|
||||
* Thu Jan 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-2 |
||||
- Intel CET support by H. J. Lu |
||||
|
||||
* Tue Sep 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.5-1 |
||||
- new upstream version 1.8.5 |
||||
- add CMAC selftest for FIPS POST |
||||
- add continuous FIPS entropy test |
||||
- disable non-approved FIPS hashes in the enforced FIPS mode |
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-4 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild |
||||
|
||||
* Tue Feb 12 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.4-3 |
||||
- fix the build tests to pass in the FIPS mode |
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild |
||||
|
||||
* Tue Nov 20 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.4-1 |
||||
- new upstream version 1.8.4 |
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild |
||||
|
||||
* Thu Jul 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-2 |
||||
- make only_urandom a default in non-presence of configuration file |
||||
- run the full FIPS selftests only when the library is called from |
||||
application |
||||
|
||||
* Thu Jun 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-1 |
||||
- new upstream version 1.8.3 |
||||
|
||||
* Tue Feb 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.2-2 |
||||
- fix behavior when getrandom syscall is not present (#1542453) |
||||
|
||||
* Thu Dec 21 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.2-1 |
||||
- new upstream version 1.8.2 |
||||
|
||||
* Tue Dec 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-3 |
||||
- do not try to access() /dev/urandom either if getrandom() works |
||||
|
||||
* Mon Dec 4 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-2 |
||||
- do not try to open /dev/urandom if getrandom() works (#1380866) |
||||
|
||||
* Tue Sep 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-1 |
||||
- new upstream version 1.8.1 |
||||
|
||||
* Wed Aug 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.0-1 |
||||
- new upstream version 1.8.0 |
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild |
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild |
||||
|
||||
* Thu Jun 29 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.8-1 |
||||
- new upstream version 1.7.8 |
||||
|
||||
* Fri Jun 2 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.7-1 |
||||
- new upstream version 1.7.7 |
||||
- GOST is now enabled |
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.6-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild |
||||
|
||||
* Mon Jan 30 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.6-1 |
||||
- new upstream version 1.7.6 |
||||
|
||||
* Fri Dec 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.5-1 |
||||
- new upstream version 1.7.5 |
||||
|
||||
* Wed Nov 23 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.3-1 |
||||
- new upstream version 1.7.3 |
||||
|
||||
* Wed Aug 17 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.6-1 |
||||
- new upstream version with important security fix (CVE-2016-6316) |
||||
|
||||
* Thu Jul 21 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.5-1 |
||||
- new upstream version fixing low impact issue CVE-2015-7511 |
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild |
||||
|
||||
* Wed Sep 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.4-1 |
||||
- new upstream version |
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.3-5 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild |
||||
|
||||
* Fri Apr 3 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-4 |
||||
- deinitialize the RNG after the selftest is run |
||||
|
||||
* Tue Mar 24 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-3 |
||||
- touch only urandom in the selftest and when /dev/random is |
||||
unavailable for example by SELinux confinement |
||||
- fix the RSA selftest key (p q swap) (#1204517) |
||||
|
||||
* Fri Mar 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-2 |
||||
- do not use strict aliasing for bufhelp functions (#1201219) |
||||
|
||||
* Fri Mar 6 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-1 |
||||
- new upstream version |
||||
|
||||
* Wed Feb 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-4 |
||||
- do not initialize secure memory during the selftest (#1195850) |
||||
|
||||
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.6.2-3 |
||||
- Rebuilt for Fedora 23 Change |
||||
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code |
||||
|
||||
* Wed Jan 14 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-2 |
||||
- fix buildability of programs using gcrypt.h with -ansi (#1182200) |
||||
|
||||
* Mon Dec 8 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.2-1 |
||||
- new upstream version |
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-7 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild |
||||
|
||||
* Thu Jul 17 2014 Tom Callaway <spot@fedoraproject.org> - 1.6.1-6 |
||||
- fix license handling |
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-5 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild |
||||
|
||||
* Tue May 20 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-4 |
||||
- Re-enable below algos, apply patch from upstream list to make |
||||
that code -fPIC friendly. (rhbz#1069792) |
||||
|
||||
* Mon May 19 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-3 |
||||
- Disable rijndael, cast5, camellia ARM assembly, as it's non-PIC as |
||||
presently written, which results in .text relocations in the shared |
||||
library. (rhbz#1069792) |
||||
|
||||
* Thu Apr 24 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-2 |
||||
- drop the temporary compat shared library version |
||||
- fix the soname version in -use-fipscheck.patch |
||||
|
||||
* Fri Feb 28 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-1 |
||||
- new upstream version breaking ABI compatibility |
||||
- this release temporarily includes old compatibility .so |
||||
|
||||
* Tue Jan 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.5.3-3 |
||||
- add back the nistp521r1 EC curve |
||||
- fix a bug in the Whirlpool hash implementation |
||||
- speed up the PBKDF2 computation |
||||
|
||||
* Sun Oct 20 2013 Tom Callaway <spot@fedoraproject.org> - 1.5.3-2 |
||||
- add cleared ECC support |
||||
|
||||
* Fri Jul 26 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.3-1 |
||||
- new upstream version fixing cache side-channel attack on RSA private keys |
||||
|
||||
* Thu Jun 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-3 |
||||
- silence false error detected by valgrind (#968288) |
||||
|
||||
* Thu Apr 25 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-2 |
||||
- silence strict aliasing warning in Rijndael |
||||
- apply UsrMove |
||||
- spec file cleanups |
||||
|
||||
* Fri Apr 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-1 |
||||
- new upstream version |
||||
|
||||
* Wed Mar 20 2013 Tomas Mraz <tmraz@redhat.com> 1.5.1-1 |
||||
- new upstream version |
||||
|
||||
* Tue Mar 5 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-11 |
||||
- use poll() instead of select() when gathering randomness (#913773) |
||||
|
||||
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-10 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild |
||||
|
||||
* Thu Jan 3 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-9 |
||||
- allow empty passphrase in PBKDF2 needed for cryptsetup (=891266) |
||||
|
||||
* Mon Dec 3 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-8 |
||||
- fix multilib conflict in libgcrypt-config |
||||
- fix minor memory leaks and other bugs found by Coverity scan |
||||
|
||||
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-6 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild |
||||
|
||||
* Thu Apr 5 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-5 |
||||
- Correctly rebuild the info documentation |
||||
|
||||
* Wed Apr 4 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-4 |
||||
- Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command |
||||
|
||||
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild |
||||
|
||||
* Mon Aug 15 2011 Kalev Lember <kalevlember@gmail.com> 1.5.0-2 |
||||
- Rebuilt for rpm bug #728707 |
||||
|
||||
* Thu Jul 21 2011 Tomas Mraz <tmraz@redhat.com> 1.5.0-1 |
||||
- new upstream version |
||||
|
||||
* Mon Jun 20 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-4 |
||||
- Always xor seed from /dev/urandom over /etc/gcrypt/rngseed |
||||
|
||||
* Mon May 30 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-3 |
||||
- Make the FIPS-186-3 DSA implementation CAVS testable |
||||
- add configurable source of RNG seed /etc/gcrypt/rngseed |
||||
in the FIPS mode (#700388) |
||||
|
||||
* Fri Feb 11 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-1 |
||||
- new upstream version with minor changes |
||||
|
||||
* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-7 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
||||
|
||||
* Fri Feb 4 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-6 |
||||
- fix a bug in the fips-186-3 dsa parameter generation code |
||||
|
||||
* Tue Feb 1 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-5 |
||||
- use /dev/urandom for seeding in the FIPS mode |
||||
- make the tests to pass in the FIPS mode also fixing |
||||
the FIPS-186-3 DSA keygen |
||||
|
||||
* Sun Feb 14 2010 Rex Dieter <rdieter@fedoraproject.org> 1.4.5-4 |
||||
- FTBFS libgcrypt-1.4.5-3.fc13: ImplicitDSOLinking (#564973) |
||||
|
||||
* Wed Feb 3 2010 Tomas Mraz <tmraz@redhat.com> 1.4.5-3 |
||||
- drop the S390 build workaround as it is no longer needed |
||||
- additional spec file cleanups for merge review (#226008) |
||||
|
||||
* Mon Dec 21 2009 Tomas Mraz <tmraz@redhat.com> 1.4.5-1 |
||||
- workaround for build on S390 (#548825) |
||||
- spec file cleanups |
||||
- upgrade to new minor upstream release |
||||
|
||||
* Tue Aug 11 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-8 |
||||
- fix warning when installed with --excludedocs (#515961) |
||||
|
||||
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-7 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild |
||||
|
||||
* Thu Jun 18 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-6 |
||||
- and now really apply the padlock patch |
||||
|
||||
* Wed Jun 17 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-5 |
||||
- fix VIA padlock RNG inline assembly call (#505724) |
||||
|
||||
* Thu Mar 5 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-4 |
||||
- with the integrity verification check the library needs to link to libdl |
||||
(#488702) |
||||
|
||||
* Tue Mar 3 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-3 |
||||
- add hmac FIPS integrity verification check |
||||
|
||||
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
||||
|
||||
* Fri Jan 30 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-1 |
||||
- update to 1.4.4 |
||||
- do not abort when the fips mode kernel flag is inaccessible |
||||
due to permissions (#470219) |
||||
- hobble the library to drop the ECC support |
||||
|
||||
* Mon Oct 20 2008 Dennis Gilmore <dennis@ausil.us> 1.4.3-2 |
||||
- disable asm on sparc64 |
||||
|
||||
* Thu Sep 18 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.3-1 |
||||
- update to 1.4.3 |
||||
- own /etc/gcrypt |
||||
|
||||
* Mon Sep 15 2008 Nalin Dahyabhai <nalin@redhat.com> |
||||
- invoke make with %%{?_smp_mflags} to build faster on multi-processor |
||||
systems (Steve Grubb) |
||||
|
||||
* Mon Sep 8 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1 |
||||
- update to 1.4.2 |
||||
|
||||
* Tue Apr 29 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-1 |
||||
- update to 1.4.1 |
||||
- bump libgpgerror-devel requirement to 1.4, matching the requirement enforced |
||||
by the configure script |
||||
|
||||
* Thu Apr 3 2008 Joe Orton <jorton@redhat.com> 1.4.0-3 |
||||
- add patch from upstream to fix severe performance regression |
||||
in entropy gathering |
||||
|
||||
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.4.0-2 |
||||
- Autorebuild for GCC 4.3 |
||||
|
||||
* Mon Dec 10 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.4.0-1 |
||||
- update to 1.4.0 |
||||
|
||||
* Tue Oct 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-6 |
||||
- use ldconfig to build the soname symlink for packaging along with the |
||||
shared library (#334731) |
||||
|
||||
* Wed Aug 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-5 |
||||
- add missing gawk buildrequirement |
||||
- switch from explicitly specifying the /dev/random RNG to just verifying |
||||
that the non-LGPL ones were disabled by the configure script |
||||
|
||||
* Thu Aug 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-4 |
||||
- clarify license |
||||
- force use of the linux /dev/random RNG, to avoid accidentally falling back |
||||
to others which would affect the license of the resulting library |
||||
|
||||
* Mon Jul 30 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-3 |
||||
- disable static libraries (part of #249815) |
||||
|
||||
* Fri Jul 27 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-2 |
||||
- move libgcrypt shared library to /%%{_lib} (#249815) |
||||
|
||||
* Tue Feb 6 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-1 |
||||
- update to 1.2.4 |
||||
|
||||
* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-2 |
||||
- make use of install-info more failsafe (Ville Skyttä, #223705) |
||||
|
||||
* Fri Sep 1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-1 |
||||
- update to 1.2.3 |
||||
|
||||
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-3.1 |
||||
- rebuild |
||||
|
||||
* Mon Jun 05 2006 Jesse Keating <jkeating@redhat.com> 1.2.2-3 |
||||
- Added missing buildreq pkgconfig |
||||
|
||||
* Tue May 16 2006 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-2 |
||||
- remove file conflicts in libgcrypt-config by making the 64-bit version |
||||
think the libraries are in /usr/lib (which is wrong, but which it also |
||||
prunes from the suggest --libs output, so no harm done, hopefully) |
||||
|
||||
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2.1 |
||||
- bump again for double-long bug on ppc(64) |
||||
|
||||
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2 |
||||
- rebuilt for new gcc4.1 snapshot and glibc changes |
||||
|
||||
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com> |
||||
- rebuilt |
||||
|
||||
* Wed Oct 5 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-1 |
||||
- update to 1.2.2 |
||||
|
||||
* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.1-1 |
||||
- update to 1.2.1 |
||||
|
||||
* Fri Jul 30 2004 Florian La Roche <Florian.LaRoche@redhat.de> |
||||
- another try to package the symlink |
||||
|
||||
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com> |
||||
- rebuilt |
||||
|
||||
* Sun May 2 2004 Bill Nottingham <notting@redhat.com> - 1.2.0-1 |
||||
- update to official 1.2.0 |
||||
|
||||
* Fri Apr 16 2004 Bill Nottingham <notting@redhat.com> - 1.1.94-1 |
||||
- update to 1.1.94 |
||||
|
||||
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> |
||||
- rebuilt |
||||
|
||||
* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de> |
||||
- add symlinks to shared libs at compile time |
||||
|
||||
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> |
||||
- rebuilt |
||||
|
||||
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com> |
||||
- rebuilt |
||||
|
||||
* Thu Mar 20 2003 Jeff Johnson <jbj@redhat.com> 1.1.12-1 |
||||
- upgrade to 1.1.12 (beta). |
||||
|
||||
* Fri Jun 21 2002 Tim Powers <timp@redhat.com> |
||||
- automated rebuild |
||||
|
||||
* Sun May 26 2002 Tim Powers <timp@redhat.com> |
||||
- automated rebuild |
||||
|
||||
* Tue May 21 2002 Jeff Johnson <jbj@redhat.com> |
||||
- update to 1.1.7 |
||||
- change license to LGPL. |
||||
- include splint annotations patch. |
||||
- install info pages. |
||||
|
||||
* Tue Apr 2 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.6-1 |
||||
- update to 1.1.6 |
||||
|
||||
* Thu Jan 10 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.5-1 |
||||
- fix the Source tag so that it's a real URL |
||||
|
||||
* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com> |
||||
- initial package |
Loading…
Reference in new issue