[libgcrypt] new upstream version
Tomáš Mráz
tmraz at fedoraproject.org
Thu Jul 21 13:58:16 UTC 2011
commit b5054585fee31a6c0a42cd6e42fca02e747d53f7
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Thu Jul 21 15:57:57 2011 +0200
new upstream version
.gitignore | 1 +
libgcrypt-1.4.5-ImplicitDSOLinking.patch | 24 -----
libgcrypt-1.4.5-urandom.patch | 33 ------
...6-cavs.patch => libgcrypt-1.5.0-fips-cavs.patch | 109 ++++++++++----------
...m.patch => libgcrypt-1.5.0-fips-cfgrandom.patch | 43 +++++---
libgcrypt-1.5.0-noecc.patch | 12 ++
....4.5-tests.patch => libgcrypt-1.5.0-tests.patch | 73 +++++++------
...ck.patch => libgcrypt-1.5.0-use-fipscheck.patch | 25 +++--
libgcrypt.spec | 27 +++---
sources | 2 +-
10 files changed, 157 insertions(+), 192 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 3259611..2daa2a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
libgcrypt-1.4.5-hobbled.tar.bz2
/libgcrypt-1.4.6-hobbled.tar.bz2
+/libgcrypt-1.5.0-hobbled.tar.bz2
diff --git a/libgcrypt-1.4.6-cavs.patch b/libgcrypt-1.5.0-fips-cavs.patch
similarity index 95%
rename from libgcrypt-1.4.6-cavs.patch
rename to libgcrypt-1.5.0-fips-cavs.patch
index b23129b..ac999f9 100644
--- a/libgcrypt-1.4.6-cavs.patch
+++ b/libgcrypt-1.5.0-fips-cavs.patch
@@ -1,7 +1,7 @@
-diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
---- libgcrypt-1.4.6/cipher/dsa.c.cavs 2011-05-26 22:03:17.000000000 +0200
-+++ libgcrypt-1.4.6/cipher/dsa.c 2011-05-26 22:03:18.000000000 +0200
-@@ -467,7 +467,6 @@ generate_fips186 (DSA_secret_key *sk, un
+diff -up libgcrypt-1.5.0/cipher/dsa.c.cavs libgcrypt-1.5.0/cipher/dsa.c
+--- libgcrypt-1.5.0/cipher/dsa.c.cavs 2011-07-21 14:56:35.000000000 +0200
++++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-21 14:58:06.000000000 +0200
+@@ -479,7 +479,6 @@ generate_fips186 (DSA_secret_key *sk, un
initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1,
&initial_seed.seedlen);
}
@@ -9,8 +9,8 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
if (use_fips186_2)
ec = _gcry_generate_fips186_2_prime (nbits, qbits,
initial_seed.seed,
-@@ -475,13 +474,22 @@ generate_fips186 (DSA_secret_key *sk, un
- &prime_q, &prime_p,
+@@ -487,13 +486,22 @@ generate_fips186 (DSA_secret_key *sk, un
+ &prime_q, &prime_p,
r_counter,
r_seed, r_seedlen);
- else
@@ -33,7 +33,7 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
gcry_sexp_release (initial_seed.sexp);
if (ec)
goto leave;
-@@ -772,13 +780,12 @@ dsa_generate_ext (int algo, unsigned int
+@@ -784,13 +792,12 @@ dsa_generate_ext (int algo, unsigned int
gcry_sexp_release (l1);
gcry_sexp_release (domainsexp);
@@ -49,9 +49,9 @@ diff -up libgcrypt-1.4.6/cipher/dsa.c.cavs libgcrypt-1.4.6/cipher/dsa.c
return GPG_ERR_MISSING_VALUE;
}
-diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_driver.pl
---- libgcrypt-1.4.6/tests/cavs_driver.pl.cavs 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.6/tests/cavs_driver.pl 2011-06-20 20:00:13.000000000 +0200
+diff -up libgcrypt-1.5.0/tests/cavs_driver.pl.cavs libgcrypt-1.5.0/tests/cavs_driver.pl
+--- libgcrypt-1.5.0/tests/cavs_driver.pl.cavs 2011-02-04 20:18:20.000000000 +0100
++++ libgcrypt-1.5.0/tests/cavs_driver.pl 2011-07-21 15:01:47.000000000 +0200
@@ -1,9 +1,11 @@
#!/usr/bin/env perl
#
@@ -153,11 +153,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
# generate a new DSA key with the following properties:
# PEM format
--# $1 keyfile name
+-# $1 keyfile name
-# return: file created, hash with keys of P, Q, G in hex format
+# $1: modulus size
+# $2: q size
-+# $3 keyfile name
++# $3 keyfile name
+# return: file created with key, string with values of P, Q, G in hex format
my $gen_dsakey;
@@ -165,7 +165,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
+# PEM format
+# $1: P in hex form
+# $2: Q in hex form
-+# $3: G in hex form
++# $3: G in hex form
+# return: string with values of X, Y in hex format
+my $gen_dsakey_domain;
+
@@ -173,7 +173,7 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
# $1: data to be signed in hex form
# $2: Key file in PEM format with the private key
@@ -500,17 +560,32 @@ sub libgcrypt_hmac($$$$) {
- return pipe_through_program($msg, $program);
+ return pipe_through_program($msg, $program);
}
-sub libgcrypt_dsa_pqggen($) {
@@ -313,11 +313,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
- $out .= "H = $H\n\n";
+ $out .= "domain_parameter_seed = $Seed\n";
+ $out .= "counter = $c\n\n";
-+ }
-+
-+ return $out;
-+}
-+
+ }
+
+ return $out;
+ }
+
+# DSA GGen test
+# $1 modulus size
+# $2 q size
@@ -436,11 +436,11 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
+ }
+ else {
+ $out .= "Result = F\n\n";
- }
-
- return $out;
- }
-
++ }
++
++ return $out;
++}
++
+# DSA Keypair test
+# $1 modulus size
+# $2 q size
@@ -725,9 +725,9 @@ diff -up libgcrypt-1.4.6/tests/cavs_driver.pl.cavs libgcrypt-1.4.6/tests/cavs_dr
$dsa_sign = \&libgcrypt_dsa_sign;
$dsa_verify = \&libgcrypt_dsa_verify;
$dsa_genpubkey = \&libgcrypt_dsa_genpubkey;
-diff -up libgcrypt-1.4.6/tests/cavs_tests.sh.cavs libgcrypt-1.4.6/tests/cavs_tests.sh
---- libgcrypt-1.4.6/tests/cavs_tests.sh.cavs 2011-05-26 21:02:02.000000000 +0200
-+++ libgcrypt-1.4.6/tests/cavs_tests.sh 2011-05-26 22:20:20.000000000 +0200
+diff -up libgcrypt-1.5.0/tests/cavs_tests.sh.cavs libgcrypt-1.5.0/tests/cavs_tests.sh
+--- libgcrypt-1.5.0/tests/cavs_tests.sh.cavs 2011-02-04 20:18:20.000000000 +0100
++++ libgcrypt-1.5.0/tests/cavs_tests.sh 2011-07-21 15:02:16.000000000 +0200
@@ -55,7 +55,7 @@ function run_one_test () {
[ -d "$respdir" ] || mkdir "$respdir"
[ -f "$rspfile" ] && rm "$rspfile"
@@ -735,12 +735,12 @@ diff -up libgcrypt-1.4.6/tests/cavs_tests.sh.cavs libgcrypt-1.4.6/tests/cavs_tes
- if echo "$reqfile" | grep '/DSA/req/' >/dev/null 2>/dev/null; then
+ if echo "$reqfile" | grep '/DSA.\?/req/' >/dev/null 2>/dev/null; then
dflag="-D"
- fi
-
-diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
---- libgcrypt-1.4.6/tests/fipsdrv.c.cavs 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.6/tests/fipsdrv.c 2011-05-27 18:03:11.000000000 +0200
-@@ -893,9 +893,12 @@ print_mpi_line (gcry_mpi_t a, int no_lz)
+ fi
+
+diff -up libgcrypt-1.5.0/tests/fipsdrv.c.cavs libgcrypt-1.5.0/tests/fipsdrv.c
+--- libgcrypt-1.5.0/tests/fipsdrv.c.cavs 2011-02-04 20:18:20.000000000 +0100
++++ libgcrypt-1.5.0/tests/fipsdrv.c 2011-07-21 15:06:44.000000000 +0200
+@@ -893,6 +893,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz)
die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err));
p = buf;
@@ -749,11 +749,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ p = buf;
if (no_lz && p[0] == '0' && p[1] == '0' && p[2])
p += 2;
--
-+
- printf ("%s\n", p);
- if (ferror (stdout))
- writerr++;
+
@@ -1675,14 +1678,14 @@ run_rsa_verify (const void *data, size_t
/* Generate a DSA key of size KEYSIZE and return the complete
S-expression. */
@@ -764,7 +760,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
gpg_error_t err;
gcry_sexp_t keyspec, key;
- err = gcry_sexp_build (&keyspec, NULL,
+ err = gcry_sexp_build (&keyspec, NULL,
- "(genkey (dsa (nbits %d)(use-fips186-2)))",
- keysize);
+ "(genkey (dsa (nbits %d)(qbits %d)(use-fips186)))",
@@ -795,10 +791,16 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
if (err)
die ("gcry_sexp_build failed for DSA key generation: %s\n",
gpg_strerror (err));
-@@ -1726,13 +1730,44 @@ dsa_gen_with_seed (int keysize, const vo
- return key;
- }
-
+@@ -1720,6 +1724,37 @@ dsa_gen_with_seed (int keysize, const vo
+ err = gcry_pk_genkey (&key, keyspec);
+ if (err)
+ die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err));
++
++ gcry_sexp_release (keyspec);
++
++ return key;
++}
++
+/* Generate a DSA key with specified domain parameters and return the complete
+ S-expression. */
+static gcry_sexp_t
@@ -812,7 +814,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ die ("gcry_sexp_build failed for domain spec: %s\n",
+ gpg_strerror (err));
+
-+ err = gcry_sexp_build (&keyspec, NULL,
++ err = gcry_sexp_build (&keyspec, NULL,
+ "(genkey"
+ " (dsa"
+ " (use-fips186)"
@@ -824,18 +826,13 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ err = gcry_pk_genkey (&key, keyspec);
+ if (err)
+ die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err));
-+
-+ gcry_sexp_release (keyspec);
-+
-+ return key;
-+}
-+
- /* Print the domain parameter as well as the derive information. KEY
- is the complete key as returned by dsa_gen. We print to stdout
+ gcry_sexp_release (keyspec);
+
+@@ -1732,7 +1767,7 @@ dsa_gen_with_seed (int keysize, const vo
with one parameter per line in hex format using this order: p, q,
g, seed, counter, h. */
- static void
+ static void
-print_dsa_domain_parameters (gcry_sexp_t key)
+print_dsa_domain_parameters (gcry_sexp_t key, int print_misc)
{
@@ -1127,7 +1124,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
{
- int keysize;
+ int keysize, qsize;
-
+
keysize = keysize_string? atoi (keysize_string) : 0;
if (keysize < 1024 || keysize > 3072)
die ("invalid keysize specified; needs to be 1024 .. 3072\n");
@@ -1140,7 +1137,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
+ else if (!strcmp (mode_string, "dsa-g-gen"))
+ {
+ int keysize, qsize;
-+
++
+ keysize = keysize_string? atoi (keysize_string) : 0;
+ if (keysize < 1024 || keysize > 3072)
+ die ("invalid keysize specified; needs to be 1024 .. 3072\n");
@@ -1161,7 +1158,7 @@ diff -up libgcrypt-1.4.6/tests/fipsdrv.c.cavs libgcrypt-1.4.6/tests/fipsdrv.c
{
- int keysize;
+ int keysize, qsize;
-
+
keysize = keysize_string? atoi (keysize_string) : 0;
if (keysize < 1024 || keysize > 3072)
die ("invalid keysize specified; needs to be 1024 .. 3072\n");
diff --git a/libgcrypt-1.4.6-fips-cfgrandom.patch b/libgcrypt-1.5.0-fips-cfgrandom.patch
similarity index 72%
rename from libgcrypt-1.4.6-fips-cfgrandom.patch
rename to libgcrypt-1.5.0-fips-cfgrandom.patch
index 574d6a0..1384c25 100644
--- a/libgcrypt-1.4.6-fips-cfgrandom.patch
+++ b/libgcrypt-1.5.0-fips-cfgrandom.patch
@@ -1,14 +1,14 @@
-diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/random-fips.c
---- libgcrypt-1.4.6/random/random-fips.c.cfgrandom 2011-06-20 21:13:38.000000000 +0200
-+++ libgcrypt-1.4.6/random/random-fips.c 2011-06-20 21:32:47.000000000 +0200
+diff -up libgcrypt-1.5.0/random/random-fips.c.cfgrandom libgcrypt-1.5.0/random/random-fips.c
+--- libgcrypt-1.5.0/random/random-fips.c.cfgrandom 2011-07-21 14:50:34.000000000 +0200
++++ libgcrypt-1.5.0/random/random-fips.c 2011-07-21 14:50:34.000000000 +0200
@@ -27,10 +27,10 @@
There are 3 random context which map to the different levels of
random quality:
- Generator Seed and Key Kernel entropy (init/reseed)
- ------------------------------------------------------------
-- GCRY_VERY_STRONG_RANDOM /dev/urandom 256/128 bits
-- GCRY_STRONG_RANDOM /dev/urandom 256/128 bits
+- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
+- GCRY_STRONG_RANDOM /dev/random 256/128 bits
+ Generator Seed and Key Kernel entropy (init/reseed)
+ ---------------------------------------------------------------------------------------
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
@@ -16,11 +16,12 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r
gcry_create_nonce GCRY_STRONG_RANDOM n/a
All random generators return their data in 128 bit blocks. If the
-@@ -40,7 +40,10 @@
+@@ -40,8 +40,10 @@
(SEED_TTL) output blocks; the re-seeding is disabled in test mode.
The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
-- keyed and seeded from the /dev/urandom device.
+- keyed and seeded from the /dev/random device. Thus these
+- generators may block until the kernel has collected enough entropy.
+ keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed
+ if the device or symlink to device exists xored with the data
+ from the /dev/urandom device. This allows the system administrator
@@ -28,7 +29,7 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r
The gcry_create_nonce generator is keyed and seeded from the
GCRY_STRONG_RANDOM generator. It may also block if the
-@@ -559,6 +562,10 @@ get_entropy (size_t nbytes)
+@@ -560,9 +562,13 @@ get_entropy (size_t nbytes)
entropy_collect_buffer_len = 0;
#if USE_RNDLINUX
@@ -38,11 +39,15 @@ diff -up libgcrypt-1.4.6/random/random-fips.c.cfgrandom libgcrypt-1.4.6/random/r
+ entropy_collect_buffer_len = 0;
rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
X931_AES_KEYLEN,
- GCRY_STRONG_RANDOM);
-diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndlinux.c
---- libgcrypt-1.4.6/random/rndlinux.c.cfgrandom 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.6/random/rndlinux.c 2011-06-20 21:34:09.000000000 +0200
-@@ -35,7 +35,9 @@
+- GCRY_VERY_STRONG_RANDOM);
++ GCRY_STRONG_RANDOM);
+ #elif USE_RNDW32
+ do
+ {
+diff -up libgcrypt-1.5.0/random/rndlinux.c.cfgrandom libgcrypt-1.5.0/random/rndlinux.c
+--- libgcrypt-1.5.0/random/rndlinux.c.cfgrandom 2011-02-04 20:16:03.000000000 +0100
++++ libgcrypt-1.5.0/random/rndlinux.c 2011-07-21 14:50:34.000000000 +0200
+@@ -36,7 +36,9 @@
#include "g10lib.h"
#include "rand-internal.h"
@@ -53,7 +58,7 @@ diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndl
static int
-@@ -56,13 +58,17 @@ set_cloexec_flag (int fd)
+@@ -57,13 +59,17 @@ set_cloexec_flag (int fd)
* Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)).
*/
static int
@@ -73,21 +78,23 @@ diff -up libgcrypt-1.4.6/random/rndlinux.c.cfgrandom libgcrypt-1.4.6/random/rndl
if (set_cloexec_flag (fd))
log_error ("error setting FD_CLOEXEC on fd %d: %s\n",
-@@ -91,11 +97,13 @@ _gcry_rndlinux_gather_random (void (*add
+@@ -92,6 +98,7 @@ _gcry_rndlinux_gather_random (void (*add
{
static int fd_urandom = -1;
static int fd_random = -1;
+ static int fd_configured = -1;
int fd;
int n;
- int warn=0;
byte buffer[768];
- size_t n_hw;
+@@ -100,6 +107,7 @@ _gcry_rndlinux_gather_random (void (*add
+ size_t last_so_far = 0;
+ int any_need_entropy = 0;
+ int delay;
+ size_t orig_length = length;
/* First read from a hardware source. However let it account only
for up to 50% of the requested bytes. */
-@@ -106,16 +114,26 @@ _gcry_rndlinux_gather_random (void (*add
+@@ -110,16 +118,26 @@ _gcry_rndlinux_gather_random (void (*add
length -= n_hw;
/* Open the requested device. */
diff --git a/libgcrypt-1.5.0-noecc.patch b/libgcrypt-1.5.0-noecc.patch
new file mode 100644
index 0000000..7905c71
--- /dev/null
+++ b/libgcrypt-1.5.0-noecc.patch
@@ -0,0 +1,12 @@
+diff -up libgcrypt-1.5.0/tests/Makefile.noecc libgcrypt-1.5.0/tests/Makefile
+--- libgcrypt-1.5.0/tests/Makefile.in.noecc 2011-07-21 15:34:33.000000000 +0200
++++ libgcrypt-1.5.0/tests/Makefile.in 2011-07-21 15:39:35.000000000 +0200
+@@ -57,7 +57,7 @@ TESTS = version$(EXEEXT) t-mpi-bit$(EXEE
+ ac-data$(EXEEXT) basic$(EXEEXT) mpitests$(EXEEXT) \
+ tsexp$(EXEEXT) keygen$(EXEEXT) pubkey$(EXEEXT) hmac$(EXEEXT) \
+ keygrip$(EXEEXT) fips186-dsa$(EXEEXT) aeswrap$(EXEEXT) \
+- curves$(EXEEXT) t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \
++ t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \
+ $(am__EXEEXT_1) benchmark$(EXEEXT)
+
+ # random.c uses fork() thus a test for W32 does not make any sense.
diff --git a/libgcrypt-1.4.5-tests.patch b/libgcrypt-1.5.0-tests.patch
similarity index 77%
rename from libgcrypt-1.4.5-tests.patch
rename to libgcrypt-1.5.0-tests.patch
index d2f0256..277438f 100644
--- a/libgcrypt-1.4.5-tests.patch
+++ b/libgcrypt-1.5.0-tests.patch
@@ -1,20 +1,23 @@
-diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c
---- libgcrypt-1.4.5/cipher/dsa.c.tests 2009-08-21 10:18:30.000000000 +0200
-+++ libgcrypt-1.4.5/cipher/dsa.c 2011-02-04 09:06:02.000000000 +0100
-@@ -468,21 +468,20 @@ generate_fips186 (DSA_secret_key *sk, un
+diff -up libgcrypt-1.5.0/cipher/dsa.c.tests libgcrypt-1.5.0/cipher/dsa.c
+--- libgcrypt-1.5.0/cipher/dsa.c.tests 2011-06-13 12:24:46.000000000 +0200
++++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-20 16:44:51.000000000 +0200
+@@ -479,22 +479,21 @@ generate_fips186 (DSA_secret_key *sk, un
+ initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1,
&initial_seed.seedlen);
}
-
+-
- /* Fixme: Enable 186-3 after it has been approved and after fixing
- the generation function. */
- /* if (use_fips186_2) */
- (void)use_fips186_2;
-- ec = _gcry_generate_fips186_2_prime (nbits, qbits,
+- ec = _gcry_generate_fips186_2_prime (nbits, qbits,
+- initial_seed.seed,
++
+ if (use_fips186_2)
+ ec = _gcry_generate_fips186_2_prime (nbits, qbits,
- initial_seed.seed,
++ initial_seed.seed,
initial_seed.seedlen,
- &prime_q, &prime_p,
+ &prime_q, &prime_p,
r_counter,
r_seed, r_seedlen);
- /* else */
@@ -32,9 +35,9 @@ diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c
gcry_sexp_release (initial_seed.sexp);
if (ec)
goto leave;
-diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen.c
---- libgcrypt-1.4.5/cipher/primegen.c.tests 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/cipher/primegen.c 2011-02-04 09:06:34.000000000 +0100
+diff -up libgcrypt-1.5.0/cipher/primegen.c.tests libgcrypt-1.5.0/cipher/primegen.c
+--- libgcrypt-1.5.0/cipher/primegen.c.tests 2011-03-28 14:19:52.000000000 +0200
++++ libgcrypt-1.5.0/cipher/primegen.c 2011-07-21 14:36:03.000000000 +0200
@@ -1647,7 +1647,7 @@ _gcry_generate_fips186_3_prime (unsigned
gpg_err_code_t ec;
unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */
@@ -47,7 +50,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
@@ -1737,7 +1737,7 @@ _gcry_generate_fips186_3_prime (unsigned
}
gcry_mpi_release (prime_q); prime_q = NULL;
- ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG,
+ ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG,
- value_u, sizeof value_u, NULL));
+ value_u, qbits/8, NULL));
if (ec)
@@ -59,7 +62,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
}
- gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen);
+ gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen);
-
+
gcry_mpi_release (tmpval); tmpval = NULL;
ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG,
- digest, sizeof digest, NULL));
@@ -81,21 +84,21 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
if (r_q)
{
*r_q = prime_q;
-diff -up libgcrypt-1.4.5/cipher/rsa.c.tests libgcrypt-1.4.5/cipher/rsa.c
---- libgcrypt-1.4.5/cipher/rsa.c.tests 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/cipher/rsa.c 2011-02-04 09:06:02.000000000 +0100
+diff -up libgcrypt-1.5.0/cipher/rsa.c.tests libgcrypt-1.5.0/cipher/rsa.c
+--- libgcrypt-1.5.0/cipher/rsa.c.tests 2011-06-10 10:53:41.000000000 +0200
++++ libgcrypt-1.5.0/cipher/rsa.c 2011-07-21 14:36:59.000000000 +0200
@@ -388,7 +388,7 @@ generate_x931 (RSA_secret_key *sk, unsig
*swapped = 0;
- if (e_value == 1) /* Alias for a secure value. */
+ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */
- e_value = 65537;
+ e_value = 65537;
/* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */
-diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/random-fips.c
---- libgcrypt-1.4.5/random/random-fips.c.tests 2011-02-04 09:06:02.000000000 +0100
-+++ libgcrypt-1.4.5/random/random-fips.c 2011-02-04 09:06:02.000000000 +0100
+diff -up libgcrypt-1.5.0/random/random-fips.c.tests libgcrypt-1.5.0/random/random-fips.c
+--- libgcrypt-1.5.0/random/random-fips.c.tests 2011-07-20 16:40:59.000000000 +0200
++++ libgcrypt-1.5.0/random/random-fips.c 2011-07-20 16:40:59.000000000 +0200
@@ -691,6 +691,7 @@ get_random (void *buffer, size_t length,
check_guards (rng_ctx);
@@ -123,9 +126,9 @@ diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/rando
}
if (x931_aes_driver (buffer, length, rng_ctx))
-diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c
---- libgcrypt-1.4.5/tests/ac.c.tests 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/ac.c 2011-02-04 09:06:02.000000000 +0100
+diff -up libgcrypt-1.5.0/tests/ac.c.tests libgcrypt-1.5.0/tests/ac.c
+--- libgcrypt-1.5.0/tests/ac.c.tests 2011-02-04 20:18:20.000000000 +0100
++++ libgcrypt-1.5.0/tests/ac.c 2011-07-20 16:40:59.000000000 +0200
@@ -150,6 +150,9 @@ main (int argc, char **argv)
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
@@ -136,9 +139,9 @@ diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c
if (debug)
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
/* No valuable keys are create, so we can speed up our RNG. */
-diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c
---- libgcrypt-1.4.5/tests/ac-data.c.tests 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/ac-data.c 2011-02-04 09:06:02.000000000 +0100
+diff -up libgcrypt-1.5.0/tests/ac-data.c.tests libgcrypt-1.5.0/tests/ac-data.c
+--- libgcrypt-1.5.0/tests/ac-data.c.tests 2011-02-04 20:18:20.000000000 +0100
++++ libgcrypt-1.5.0/tests/ac-data.c 2011-07-20 16:40:59.000000000 +0200
@@ -198,6 +198,9 @@ main (int argc, char **argv)
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
@@ -149,9 +152,9 @@ diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c
if (debug)
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
-diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schemes.c
---- libgcrypt-1.4.5/tests/ac-schemes.c.tests 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/ac-schemes.c 2011-02-04 09:06:02.000000000 +0100
+diff -up libgcrypt-1.5.0/tests/ac-schemes.c.tests libgcrypt-1.5.0/tests/ac-schemes.c
+--- libgcrypt-1.5.0/tests/ac-schemes.c.tests 2011-02-04 20:18:20.000000000 +0100
++++ libgcrypt-1.5.0/tests/ac-schemes.c 2011-07-20 16:40:59.000000000 +0200
@@ -338,6 +338,9 @@ main (int argc, char **argv)
if (! gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
@@ -162,16 +165,16 @@ diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schem
if (debug)
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
-diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
---- libgcrypt-1.4.5/tests/keygen.c.tests 2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/keygen.c 2011-02-04 09:06:02.000000000 +0100
+diff -up libgcrypt-1.5.0/tests/keygen.c.tests libgcrypt-1.5.0/tests/keygen.c
+--- libgcrypt-1.5.0/tests/keygen.c.tests 2011-02-04 20:18:20.000000000 +0100
++++ libgcrypt-1.5.0/tests/keygen.c 2011-07-21 14:39:03.000000000 +0200
@@ -148,12 +148,12 @@ check_rsa_keys (void)
}
if (verbose)
- fprintf (stderr, "creating 1536 bit DSA key\n");
+ fprintf (stderr, "creating 2048 bit DSA key\n");
- rc = gcry_sexp_new (&keyparm,
+ rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (dsa\n"
- " (nbits 4:1536)\n"
@@ -187,7 +190,7 @@ diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
if (verbose)
- fprintf (stderr, "creating 512 bit RSA key with e=257\n");
+ fprintf (stderr, "creating 1024 bit RSA key with e=257\n");
- rc = gcry_sexp_new (&keyparm,
+ rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (rsa\n"
- " (nbits 3:512)\n"
@@ -201,7 +204,7 @@ diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
if (verbose)
- fprintf (stderr, "creating 512 bit RSA key with default e\n");
+ fprintf (stderr, "creating 1024 bit RSA key with default secure e\n");
- rc = gcry_sexp_new (&keyparm,
+ rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (rsa\n"
- " (nbits 3:512)\n"
diff --git a/libgcrypt-1.4.4-use-fipscheck.patch b/libgcrypt-1.5.0-use-fipscheck.patch
similarity index 77%
rename from libgcrypt-1.4.4-use-fipscheck.patch
rename to libgcrypt-1.5.0-use-fipscheck.patch
index d6f45b2..1cef010 100644
--- a/libgcrypt-1.4.4-use-fipscheck.patch
+++ b/libgcrypt-1.5.0-use-fipscheck.patch
@@ -1,6 +1,6 @@
-diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
---- libgcrypt-1.4.4/src/fips.c.use-fipscheck 2009-03-03 21:09:27.000000000 +0100
-+++ libgcrypt-1.4.4/src/fips.c 2009-03-05 11:20:48.000000000 +0100
+diff -up libgcrypt-1.5.0/src/fips.c.use-fipscheck libgcrypt-1.5.0/src/fips.c
+--- libgcrypt-1.5.0/src/fips.c.use-fipscheck 2011-02-04 20:17:33.000000000 +0100
++++ libgcrypt-1.5.0/src/fips.c 2011-07-20 16:17:21.000000000 +0200
@@ -570,23 +570,48 @@ run_random_selftests (void)
return !!err;
}
@@ -42,9 +42,10 @@ diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
int dlen;
char *fname = NULL;
- const char key[] = "What am I, a doctor or a moonshuttle conductor?";
-+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
-
+-
- if (!dladdr ("gcry_check_version", &info))
++ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
++
+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
err = gpg_error_from_syserror ();
else
@@ -72,15 +73,15 @@ diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
p = strrchr (fname, '/');
if (p)
p++;
-diff -up libgcrypt-1.4.4/src/Makefile.in.use-fipscheck libgcrypt-1.4.4/src/Makefile.in
---- libgcrypt-1.4.4/src/Makefile.in.use-fipscheck 2009-01-22 19:16:51.000000000 +0100
-+++ libgcrypt-1.4.4/src/Makefile.in 2009-03-05 11:31:57.000000000 +0100
-@@ -337,7 +337,7 @@ libgcrypt_la_LIBADD = \
+diff -up libgcrypt-1.5.0/src/Makefile.in.use-fipscheck libgcrypt-1.5.0/src/Makefile.in
+--- libgcrypt-1.5.0/src/Makefile.in.use-fipscheck 2011-06-29 10:58:01.000000000 +0200
++++ libgcrypt-1.5.0/src/Makefile.in 2011-07-20 16:19:33.000000000 +0200
+@@ -375,7 +375,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
../cipher/libcipher.la \
../random/librandom.la \
../mpi/libmpi.la \
-- @LTLIBOBJS@ @GPG_ERROR_LIBS@
-+ @LTLIBOBJS@ @GPG_ERROR_LIBS@ -ldl
+- ../compat/libcompat.la $(GPG_ERROR_LIBS)
++ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl
dumpsexp_SOURCES = dumpsexp.c
- dumpsexp_LDADD =
+ dumpsexp_CFLAGS = $(arch_gpg_error_cflags)
diff --git a/libgcrypt.spec b/libgcrypt.spec
index b430412..5fdee9d 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,6 +1,6 @@
Name: libgcrypt
-Version: 1.4.6
-Release: 4%{?dist}
+Version: 1.5.0
+Release: 1%{?dist}
URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.bz2
# The original libgcrypt sources now contain potentially patented ECC
@@ -10,18 +10,17 @@ Source0: libgcrypt-%{version}-hobbled.tar.bz2
#Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
Source2: wk at g10code.com
Source3: hobble-libgcrypt
+# do not run the ecc curves test
+Patch1: libgcrypt-1.5.0-noecc.patch
# make FIPS hmac compatible with fipscheck - non upstreamable
-Patch2: libgcrypt-1.4.4-use-fipscheck.patch
-# fix ImplicitDSOLinking (missing -lgpg-error linkage in tests/), upstreamable
-Patch3: libgcrypt-1.4.5-ImplicitDSOLinking.patch
-# use /dev/urandom in the FIPS mode
-Patch4: libgcrypt-1.4.5-urandom.patch
+Patch2: libgcrypt-1.5.0-use-fipscheck.patch
# fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen
-Patch5: libgcrypt-1.4.5-tests.patch
-# add configurable source of RNG seed in the FIPS mode
-Patch6: libgcrypt-1.4.6-fips-cfgrandom.patch
+Patch5: libgcrypt-1.5.0-tests.patch
+# add configurable source of RNG seed and seed by default
+# from /dev/urandom in the FIPS mode
+Patch6: libgcrypt-1.5.0-fips-cfgrandom.patch
# make the FIPS-186-3 DSA CAVS testable
-Patch7: libgcrypt-1.4.6-cavs.patch
+Patch7: libgcrypt-1.5.0-fips-cavs.patch
# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
# Documentation and some utilities are GPLv2+ licensed. These files
@@ -54,9 +53,8 @@ applications using libgcrypt.
%prep
%setup -q
%{SOURCE3}
+%patch1 -p1 -b .noecc
%patch2 -p1 -b .use-fipscheck
-%patch3 -p1 -b .ImplicitDSOLinking
-%patch4 -p1 -b .urandom
%patch5 -p1 -b .tests
%patch6 -p1 -b .cfgrandom
%patch7 -p1 -b .cavs
@@ -171,6 +169,9 @@ exit 0
%doc COPYING
%changelog
+* Thu Jul 21 2011 Tomas Mraz <tmraz at redhat.com> 1.5.0-1
+- new upstream version
+
* Mon Jun 20 2011 Tomas Mraz <tmraz at redhat.com> 1.4.6-4
- Always xor seed from /dev/urandom over /etc/gcrypt/rngseed
diff --git a/sources b/sources
index be4fd16..28984ca 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f89395ced1cec0107d49524f5bf432f9 libgcrypt-1.4.6-hobbled.tar.bz2
+35a73c1f2616ad904108ed8645c82f4c libgcrypt-1.5.0-hobbled.tar.bz2
More information about the scm-commits
mailing list