diff --git a/SOURCES/libgcrypt-1.5.3-fips-reqs.patch b/SOURCES/libgcrypt-1.5.3-fips-reqs.patch
index c4de13d..a32ab36 100644
--- a/SOURCES/libgcrypt-1.5.3-fips-reqs.patch
+++ b/SOURCES/libgcrypt-1.5.3-fips-reqs.patch
@@ -182,30 +182,30 @@ diff -up libgcrypt-1.5.3/cipher/rsa.c.fips-reqs libgcrypt-1.5.3/cipher/rsa.c -" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e" -" ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)))"; -/* A sample 1024 bit RSA key used for the selftests (public only). */ -+" (d #36273db1f91bdba7a0417f1223ac232999d53a7b606741076353b4d2e758" -+" 950ac705f34eb2b412d470dc4f8506d3ddd863273e673121243904bc06a4" -+" ccce2b7afe7badde116ea3a5e604530ea34e2db48f31bfca7525520285de" -+" 3db27243b2898a9a3441263f9a67bea4967b0e75baa693d5b8d8b857f24b" -+" 0f1481d1574ef6454ca63bd070cad39d55de2205e78e284dee11cfb66776" -+" 09d3e33c13f99934107bec8138f0b6349c9b506f0b91814d8994047bf03c" -+" f4b1b200488d5a8f889ec5ab3a9e443f54e7d96e47aaa1bd404631f9f034" -+" b604e12b5b7386dd3a921b71c73f32e5c3c2aba17ebfa452a0b06890d120" -+" 1279e9d7c940baf219c7a50092860d01#)" -+" (p #00fc5c6e16ce1f037bcdf7b372b28f1672b856aef7cd67d84e7d07afd543" -+" 26c335be438f4e2f1c434e6bd2b2ec526d97522bcc5c3a6bf414c674da66" -+" 381c7a3f842fe3f95ab865694606a33779b2a15b58ed5ea75f8c6566bbd1" -+" 2436e637a73d49778a8c34d86929f34d5822b05124b640a886590ab7ba5c" -+" 97da57e836da7a9cad#)" -+" (q #00ccbe7b096906ee45bf884738a8f817e5b6ba6755e3e8058bb8e253d68e" ++" (d #03b1e24a94e50ab21f8619701ec97679be2cf8f733c9331d9e2974dba721" ++" 27e5def480290e78a769f96b19d28397a284868fb614ca9b1fb3a0d7efed" ++" df41451204ce71aceba659f6ed15964ebb317712364e1cfaf2fded77d658" ++" 8561acc49c97c2d7efe75f1534b35bd4f6561e1f468b45590db34553d4d0" ++" c2cb4d806b74e1b2c52740462538865d9792b0aefbbf7b9827f4b3badcb3" ++" 5adab638266a2d2fb8422a7a19142e08848e56af77a66c39b2afafa2e15b" ++" 1a7e4ed1f2c7ed350678c0465d86472af97371b13ef5058662f835ef9087" ++" f6cca8281bbf1b6b155c737b33d9e443350df85e7cc3b507231fb839f41f" ++" 02c654b29017f35d69007c70e13ba0e5#)" ++" (p #00ccbe7b096906ee45bf884738a8f817e5b6ba6755e3e8058bb8e253d68e" +" ef2ce74f4af74e268d850b3fecc31cd4ebec6ac8722a257dfda67796f01e" +" 
cd2857f83730756bbdd47b0c87c56c8740a5bb272c78c9745a545b0b306f" +" 444afa71e4216166f9ee65de7c04d7fda9155b7fe27aba698672a6068d9b" +" 9055609e4c5da9b655#)" -+" (u #00afdecbdc5268ea7b1bff7284db7f6757dae3165fd80691ed2bbe8e54a1" -+" 6f7ff950aad059e9695903d93e59ff206ee1470bd2b099ca4e83426a7684" -+" 75a1ecafd3092fec0f008d78fe773174ec6fbff85384f3a91c2e4b1f59f1" -+" 1f2000fee86569f6cab5de338087bc615b90570de4aeb1a9125abbe3834d" -+" 5a69716c0a5fa20603#)))"; ++" (q #00fc5c6e16ce1f037bcdf7b372b28f1672b856aef7cd67d84e7d07afd543" ++" 26c335be438f4e2f1c434e6bd2b2ec526d97522bcc5c3a6bf414c674da66" ++" 381c7a3f842fe3f95ab865694606a33779b2a15b58ed5ea75f8c6566bbd1" ++" 2436e637a73d49778a8c34d86929f34d5822b05124b640a886590ab7ba5c" ++" 97da57e836da7a9cad#)" ++" (u #2396c191175e0a83d2dc7b69b2591d3358523f18c709501cb9a1bb4ca238" ++" 404c9a8efe9c9092d0719f899950911f348b745311114a70e2f730d88c80" ++" e1cc9ff163171a7d67294ccb4e747be03e9e2ff4678fecb95c001e7ea27b" ++" 92c96f4ce40ef94863cd50225dbfb69d01336af450be86984fca3f3afacf" ++" 0740c4aaadaebebf#)))"; +/* A sample 2048 bit RSA key used for the selftests (public only). */ static const char sample_public_key[] = "(public-key" diff --git a/SOURCES/libgcrypt-1.5.3-rsa-fips-keygen.patch b/SOURCES/libgcrypt-1.5.3-rsa-fips-keygen.patch index 9d0f001..3d074d7 100644 --- a/SOURCES/libgcrypt-1.5.3-rsa-fips-keygen.patch +++ b/SOURCES/libgcrypt-1.5.3-rsa-fips-keygen.patch @@ -186,15 +186,15 @@ diff -up libgcrypt-1.5.3/cipher/rsa.c.fips-keygen libgcrypt-1.5.3/cipher/rsa.c + if (testparms) goto err; + goto qloop; + } -+ if (mpi_cmp (p, q) < 0) ++ if (mpi_cmp (p, q) > 0) + { + pqswitch = 1; -+ mpi_sub (diff, q, p); ++ mpi_sub (diff, p, q); + } + else + { + pqswitch = 0; -+ mpi_sub (diff, p, q); ++ mpi_sub (diff, q, p); + } + if (mpi_cmp (diff, mindiff) < 0) + { diff --git a/SOURCES/libgcrypt-1.5.3-urandom-only.patch b/SOURCES/libgcrypt-1.5.3-urandom-only.patch new file mode 100644 index 0000000..6ced5fb --- /dev/null 
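Review bot: The new `d`, `p`, `q` and `u` values of the selftest secret key are pasted in without a comment stating the invariant they now satisfy, so a later regeneration of the key can reintroduce the same ordering mistake. Judging by the leading bytes, the new `p` (`00ccbe...`) is smaller than the new `q` (`00fc5c...`), and `d` and `u` were replaced as well. I would add above the key something like `/* Selftest-only key; p < q and u = p^-1 mod q. Re-check with gcry_pk_testkey() after any regeneration. */`. The key's declaration starts outside this hunk, so the placement of the comment needs checking against the full file.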
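Review bot: The `pqswitch` branch in the fips-keygen hunk has the meaning of its flag flipped by this change, and nothing at the site says which ordering the rest of the function relies on. As written, `pqswitch = 1` now marks `p > q`, and `diff` is the absolute difference in both arms; when `p == q` the `else` arm yields zero, which presumably fails the `mpi_cmp (diff, mindiff) < 0` check that follows. A one-line comment such as `/* pqswitch is set when p > q; diff is always |p - q| */` would make that explicit. The code that consumes `pqswitch` is outside this hunk, so it is worth confirming there that the swap it triggers leaves `p < q` in the returned key, ideally with a keygen test that asserts it.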
+++ b/SOURCES/libgcrypt-1.5.3-urandom-only.patch @@ -0,0 +1,38 @@ +diff -up libgcrypt-1.5.3/random/random-csprng.c.urandom-only libgcrypt-1.5.3/random/random-csprng.c +--- libgcrypt-1.5.3/random/random-csprng.c.urandom-only 2013-07-25 11:10:04.000000000 +0200 ++++ libgcrypt-1.5.3/random/random-csprng.c 2015-04-10 10:31:39.797534903 +0200 +@@ -855,7 +855,7 @@ _gcry_rngcsprng_update_seed_file (void) + if ( !allow_seed_file_update ) + { + unlock_pool (); +- log_info(_("note: random_seed file not updated\n")); ++ /* log_info(_("note: random_seed file not updated\n")); */ + return; + } + +@@ -1120,8 +1120,7 @@ getfnc_gather_random (void))(void (*)(co + enum random_origins, size_t, int); + + #if USE_RNDLINUX +- if ( !access (NAME_OF_DEV_RANDOM, R_OK) +- && !access (NAME_OF_DEV_URANDOM, R_OK)) ++ if (!access (NAME_OF_DEV_URANDOM, R_OK)) + { + fnc = _gcry_rndlinux_gather_random; + return fnc; +diff -up libgcrypt-1.5.3/random/rndlinux.c.urandom-only libgcrypt-1.5.3/random/rndlinux.c +--- libgcrypt-1.5.3/random/rndlinux.c.urandom-only 2014-12-12 16:51:56.000000000 +0100 ++++ libgcrypt-1.5.3/random/rndlinux.c 2015-04-10 10:34:13.615111926 +0200 +@@ -132,7 +132,11 @@ _gcry_rndlinux_gather_random (void (*add + if (level >= 2) + { + if( fd_random == -1 ) +- fd_random = open_device ( NAME_OF_DEV_RANDOM, 1 ); ++ /* We try to open /dev/random first but in case the open fails ++ we gracefully retry with /dev/urandom. */ ++ fd_random = open_device ( NAME_OF_DEV_RANDOM, 0 ); ++ if (fd_random == -1) ++ fd_random = open_device ( NAME_OF_DEV_URANDOM, 1 ); + fd = fd_random; + } + else if (level != -1) diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec index 61176a7..dd219a2 100644 --- a/SPECS/libgcrypt.spec +++ b/SPECS/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.5.3 -Release: 12%{?dist} +Release: 12%{?dist}.1 URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC 
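Review bot: The fallback added to `_gcry_rndlinux_gather_random` moves `level >= 2` requests from `/dev/random` to `/dev/urandom` without leaving any trace. Because the descriptor is stored in `fd_random`, the downgrade appears to persist for the rest of the process. A caller asking for the strongest level cannot tell which device served it, which matters on kernels where `/dev/urandom` can be read before the pool is seeded. I would log the fallback once inside the second `if`, e.g. `log_info ("/dev/random unavailable, using /dev/urandom\n");`. I would also brace both `if` bodies, since the comment sitting between `if( fd_random == -1 )` and its statement makes the second `if` easy to misread as nested. The function body continues outside the hunk, and the meaning of the second `open_device` argument is not visible here.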
@@ -45,6 +45,8 @@ Patch20: libgcrypt-1.5.3-rsa-fips-keygen.patch Patch21: libgcrypt-1.5.3-fips-cfgrandom.patch # update the selftests for new FIPS requirements Patch22: libgcrypt-1.5.3-fips-reqs.patch +# use only urandom if /dev/random cannot be opened +Patch24: libgcrypt-1.5.3-urandom-only.patch %define gcrylibdir %{_libdir} @@ -96,6 +98,7 @@ applications using libgcrypt. %patch20 -p1 -b .fips-keygen %patch21 -p1 -b .cfgrandom %patch22 -p1 -b .fips-reqs +%patch24 -p1 -b .urandom-only %build %configure --disable-static \ @@ -197,6 +200,11 @@ exit 0 %doc COPYING %changelog +* Fri Apr 10 2015 Tomáš Mráz 1.5.3-12.1 +- touch only urandom in the selftest and when /dev/random is + unavailable for example by SELinux confinement +- fix the RSA selftest key (p q swap) + * Wed Jan 14 2015 Tomáš Mráz 1.5.3-12 - use macros instead of inline functions in the public header