From 9fe250b05505efabf40d1b2c37985a782fb16a8c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 21 2020 16:24:32 +0000 Subject: import libgcrypt-1.8.3-4.el8 --- diff --git a/SOURCES/libgcrypt-1.8.3-fips-enttest.patch b/SOURCES/libgcrypt-1.8.3-fips-enttest.patch index 278fa1e..b6b09ba 100644 --- a/SOURCES/libgcrypt-1.8.3-fips-enttest.patch +++ b/SOURCES/libgcrypt-1.8.3-fips-enttest.patch @@ -1,16 +1,37 @@ diff -up libgcrypt-1.8.3/random/random-drbg.c.fips-enttest libgcrypt-1.8.3/random/random-drbg.c --- libgcrypt-1.8.3/random/random-drbg.c.fips-enttest 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/random/random-drbg.c 2019-06-03 13:19:44.035516400 +0200 -@@ -610,6 +610,8 @@ drbg_get_entropy (drbg_state_t drbg, uns ++++ libgcrypt-1.8.3/random/random-drbg.c 2019-06-24 10:04:23.219547141 +0200 +@@ -317,6 +317,7 @@ struct drbg_state_s + unsigned char *ctr_null; /* CTR mode zero buffer */ + int seeded:1; /* DRBG fully seeded? */ + int pr:1; /* Prediction resistance enabled? */ ++ int ent_primed:1; /* Previous entropy data primed? */ + /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the + * process which did the initialization so that we can detect a fork. + * The volatile modifier is required so that the compiler does not +@@ -324,6 +325,7 @@ struct drbg_state_s + pid_t seed_init_pid; + const struct drbg_state_ops_s *d_ops; + const struct drbg_core_s *core; ++ unsigned char ent_hash[64]; /* Hash of previous entropy data */ + struct drbg_test_data_s *test_data; + }; + +@@ -610,11 +612,13 @@ drbg_get_entropy (drbg_state_t drbg, uns size_t len) { int rc = 0; -+ static unsigned char oldhash[64] = { 0 }; + unsigned char newhash[64]; /* Perform testing as defined in 11.3.2 */ if (drbg->test_data && drbg->test_data->fail_seed_source) -@@ -634,6 +636,17 @@ drbg_get_entropy (drbg_state_t drbg, uns + return -1; + ++redo: + read_cb_buffer = buffer; + read_cb_size = len; + read_cb_len = 0; +@@ -634,6 +638,27 @@ drbg_get_entropy (drbg_state_t drbg, uns #else rc = -1; #endif @@ -20,11 +41,73 @@ diff -up libgcrypt-1.8.3/random/random-drbg.c.fips-enttest libgcrypt-1.8.3/rando + */ + _gcry_md_hash_buffer (GCRY_MD_SHA512, newhash, buffer, len); + -+ if (memcmp (newhash, oldhash, sizeof (oldhash)) == 0) -+ return -1; /* continous entropy test failed */ ++ if (!drbg->ent_primed) ++ { ++ memcpy (drbg->ent_hash, newhash, sizeof (drbg->ent_hash)); ++ drbg->ent_primed = 1; ++ goto redo; ++ } + -+ memcpy (oldhash, newhash, sizeof (oldhash)); ++ if (memcmp (newhash, drbg->ent_hash, sizeof (drbg->ent_hash)) == 0) ++ { ++ fips_signal_error ("Entropy source failed the continuous test"); ++ return -1; /* continuous entropy test failed */ ++ } ++ ++ memcpy (drbg->ent_hash, newhash, sizeof (drbg->ent_hash)); + return rc; } +@@ -1341,26 +1366,38 @@ drbg_seed (drbg_state_t drbg, drbg_strin + } + else + { ++ int nonce = 0; + /* Gather entropy equal to the security strength of the DRBG. + * With a derivation function, a nonce is required in addition + * to the entropy. A nonce must be at least 1/2 of the security + * strength of the DRBG in size. Thus, entropy * nonce is 3/2 + * of the strength. The consideration of a nonce is only +- * applicable during initial seeding. */ ++ * applicable during initial seeding. ++ * To avoid pulling different length of data from entropy ++ * source, we use 2 * strength for initial seeding. */ + entropylen = drbg_sec_strength (drbg->core->flags); + if (!entropylen) + return GPG_ERR_GENERAL; + if (0 == reseed) +- /* make sure we round up strength/2 in +- * case it is not divisible by 2 */ +- entropylen = ((entropylen + 1) / 2) * 3; ++ { ++ nonce = 1; ++ } + dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen)); +- entropy = xcalloc_secure (1, entropylen); ++ entropy = xcalloc_secure (nonce + 1, entropylen); + if (!entropy) + return GPG_ERR_ENOMEM; + ret = drbg_get_entropy (drbg, entropy, entropylen); + if (ret) + goto out; ++ if (nonce) ++ { ++ ret = drbg_get_entropy (drbg, entropy + entropylen, entropylen); ++ if (ret) ++ goto out; ++ /* make sure we round up strength/2 in ++ * case it is not divisible by 2 */ ++ entropylen = 2 * entropylen; ++ } + drbg_string_fill (&data1, entropy, entropylen); + } + +@@ -1597,6 +1634,7 @@ drbg_instantiate (drbg_state_t drbg, + drbg->core = &drbg_cores[coreref]; + drbg->pr = pr; + drbg->seeded = 0; ++ drbg->ent_primed = 0; + if (drbg->core->flags & DRBG_HMAC) + drbg->d_ops = &drbg_hmac_ops; + else if (drbg->core->flags & DRBG_HASH_MASK) diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec index ab0a651..7eaf176 100644 --- a/SPECS/libgcrypt.spec +++ b/SPECS/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.8.3 -Release: 3%{?dist} +Release: 4%{?dist} URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC @@ -200,6 +200,9 @@ exit 0 %license COPYING %changelog +* Mon Jun 24 2019 Tomáš Mráz 1.8.3-4 +- improve the continuous FIPS entropy test + * Mon Jun 3 2019 Tomáš Mráz 1.8.3-3 - add CMAC selftest for FIPS POST - add continuous FIPS entropy test