PR#9: enable brainpool curves by default - rpms/libgcrypt

rpms / libgcrypt

#9 enable brainpool curves by default

Merged a year ago by jjelen. Opened a year ago by tmz.

rpms/ tmz/libgcrypt rawhide into rawhide

fix sporadic failures generating RSA keys in FIPS mode

Todd Zullinger • a year ago

96a092b

enable brainpool curves by default

Todd Zullinger • a year ago

9e608ad

0001-cipher-Change-the-bounds-for-RSA-key-generation-roun.patch

file added

+55

		`@@ -0,0 +1,55 @@`
		`+ From cd30ed3c0d715aa0c58a32a29cfb1476163a5b94 Mon Sep 17 00:00:00 2001`
		`+ From: NIIBE Yutaka <gniibe@fsij.org>`
		`+ Date: Wed, 20 Apr 2022 15:09:41 +0900`
		`+ Subject: [PATCH] cipher: Change the bounds for RSA key generation round.`
		`+`
		`+ * cipher/rsa.c (generate_fips): Use 10 for p, 20 for q.`
		`+`
		`+ --`
		`+`
		`+ Constants from FIPS 186-5-draft.`
		`+`
		`+ GnuPG-bug-id: 5919`
		`+ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>`
		`+ ---`
		`+ cipher/rsa.c \| 8 ++++----`
		`+ 1 file changed, 4 insertions(+), 4 deletions(-)`
		`+`
		`+ diff --git a/cipher/rsa.c b/cipher/rsa.c`
		`+ index 486a34f0..771413b3 100644`
		`+ --- a/cipher/rsa.c`
		`+ +++ b/cipher/rsa.c`
		`+ @@ -476,7 +476,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,`
		`+`
		`+ retry:`
		`+ /* generate p and q */`
		`+ - for (i = 0; i < 5 * pbits; i++)`
		`+ + for (i = 0; i < 10 * pbits; i++)`
		`+ {`
		`+ ploop:`
		`+ if (!testparms)`
		`+ @@ -506,10 +506,10 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,`
		`+ else if (testparms)`
		`+ goto err;`
		`+ }`
		`+ - if (i >= 5 * pbits)`
		`+ + if (i >= 10 * pbits)`
		`+ goto err;`
		`+`
		`+ - for (i = 0; i < 5 * pbits; i++)`
		`+ + for (i = 0; i < 20 * pbits; i++)`
		`+ {`
		`+ qloop:`
		`+ if (!testparms)`
		`+ @@ -555,7 +555,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,`
		`+ else if (testparms)`
		`+ goto err;`
		`+ }`
		`+ - if (i >= 5 * pbits)`
		`+ + if (i >= 20 * pbits)`
		`+ goto err;`
		`+`
		`+ if (testparms)`
		`+ --`
		`+ 2.38.1`
		`+`

libgcrypt-1.10.0-disable-brainpool.patch

file removed

-314

		`@@ -1,314 +0,0 @@`
		`- From f778433dd29fe07aa1791a0137f6f14febcce607 Mon Sep 17 00:00:00 2001`
		`- From: Jakub Jelen <jjelen@redhat.com>`
		`- Date: Fri, 10 Sep 2021 18:39:00 +0200`
		`- Subject: [PATCH] Allow building libgcrypt without Brainpool curves`
		`-`
		`- * README: Document possibility to build without brainpool curves`
		`- * cipher/ecc-curves.c: Conditionalize brainpool curves definitions`
		`- * configure.ac: Implement possibility to build without brainpool curves`
		`- * tests/curves.c: Skip brainpool curves if they are not built-in`
		`- * tests/keygrip.c: Skip brainpool curves if they are not built-in`
		`- * tests/bench-slope.c: Skip brainpoll curves in they are not built-in`
		`-`
		`- --`
		`-`
		`- Signed-off-by: Jakub Jelen <jjelen@redhat.com>`
		`- ---`
		`- README \| 3 +++`
		`- cipher/ecc-curves.c \| 4 ++++`
		`- configure.ac \| 13 +++++++++++++`
		`- tests/bench-slope.c \| 12 ++++++++++++`
		`- tests/curves.c \| 46 ++++++++++++++++++++++++++++++---------------`
		`- tests/keygrip.c \| 2 ++`
		`- 6 files changed, 65 insertions(+), 15 deletions(-)`
		`-`
		`- diff --git a/README b/README`
		`- index 4d7697dd..b290d01e 100644`
		`- --- a/README`
		`- +++ b/README`
		`- @@ -121,6 +121,9 @@`
		`- the list used with the current build the program`
		`- tests/version may be used.`
		`-`
		`- + --disable-brainpool`
		`- + Do not build in support for Brainpool curves.`
		`- +`
		`- --disable-endian-check`
		`- Don't let configure test for the endianness but`
		`- try to use the OS provided macros at compile`
		`- diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c`
		`- index 7c86e12c..8fd95a9c 100644`
		`- --- a/cipher/ecc-curves.c`
		`- +++ b/cipher/ecc-curves.c`
		`- @@ -77,6 +77,7 @@ static const struct`
		`- { "NIST P-521", "1.3.132.0.35" },`
		`- { "NIST P-521", "nistp521" }, /* rfc5656. */`
		`-`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- { "brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1" },`
		`- { "brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3" },`
		`- { "brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5" },`
		`- @@ -84,6 +85,7 @@ static const struct`
		`- { "brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9" },`
		`- { "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"},`
		`- { "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"},`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`-`
		`- { "GOST2001-test", "1.2.643.2.2.35.0" },`
		`- { "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" },`
		`- @@ -297,6 +299,7 @@ static const ecc_domain_parms_t domain_parms[] =`
		`- 1`
		`- },`
		`-`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- { "brainpoolP160r1", 160, 0,`
		`- MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,`
		`- "0xe95e4a5f737059dc60dfc7ad95b3d8139515620f",`
		`- @@ -391,6 +394,7 @@ static const ecc_domain_parms_t domain_parms[] =`
		`- "b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892",`
		`- 1`
		`- },`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- {`
		`- "GOST2001-test", 256, 0,`
		`- MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,`
		`- diff --git a/configure.ac b/configure.ac`
		`- index 0e67baf9..a63f7360 100644`
		`- --- a/configure.ac`
		`- +++ b/configure.ac`
		`- @@ -595,6 +595,14 @@ AC_ARG_WITH(fips-module-version,`
		`- AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",`
		`- [Define FIPS module version for certification])`
		`-`
		`- +# Implementation of the --disable-brainpool switch.`
		`- +AC_MSG_CHECKING([whether brainpool curves support is requested])`
		`- +AC_ARG_ENABLE(brainpool,`
		`- + AS_HELP_STRING([--disable-brainpool],`
		`- + [Disable the brainpool curves]),`
		`- + use_brainpool="$enableval",use_brainpool=yes)`
		`- +AC_MSG_RESULT($use_brainpool)`
		`- +`
		`- # Implementation of the --disable-jent-support switch.`
		`- AC_MSG_CHECKING([whether jitter entropy support is requested])`
		`- AC_ARG_ENABLE(jent-support,`
		`- @@ -2459,6 +2467,10 @@ if test x"$ppccryptosupport" = xyes ; then`
		`- AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1,`
		`- [Enable support for POWER 8 (PowerISA 2.07) crypto extension.])`
		`- fi`
		`- +if test x"$use_brainpool" = xyes ; then`
		`- + AC_DEFINE(ENABLE_BRAINPOOL, 1,`
		`- + [Enable support for the brainpool curves.])`
		`- +fi`
		`- if test x"$jentsupport" = xyes ; then`
		`- AC_DEFINE(ENABLE_JENT_SUPPORT, 1,`
		`- [Enable support for the jitter entropy collector.])`
		`- @@ -3294,6 +3306,7 @@ GCRY_MSG_WRAP([Enabled digest algorithms:],[$enabled_digests])`
		`- GCRY_MSG_WRAP([Enabled kdf algorithms: ],[$enabled_kdfs])`
		`- GCRY_MSG_WRAP([Enabled pubkey algorithms:],[$enabled_pubkey_ciphers])`
		`- GCRY_MSG_SHOW([Random number generator: ],[$random])`
		`- +GCRY_MSG_SHOW([Enabled Brainpool curves: ],[$use_brainpool])`
		`- GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])`
		`- GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])`
		`- GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version])`
		`- diff --git a/tests/bench-slope.c b/tests/bench-slope.c`
		`- index 5c49ac25..1b5941af 100644`
		`- --- a/tests/bench-slope.c`
		`- +++ b/tests/bench-slope.c`
		`- @@ -2316,7 +2316,9 @@ enum bench_ecc_algo`
		`- ECC_ALGO_NIST_P384,`
		`- ECC_ALGO_NIST_P521,`
		`- ECC_ALGO_SECP256K1,`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- ECC_ALGO_BRAINP256R1,`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- __MAX_ECC_ALGO`
		`- };`
		`-`
		`- @@ -2366,7 +2368,9 @@ ecc_algo_fips_allowed (int algo)`
		`- case ECC_ALGO_NIST_P521:`
		`- return 1;`
		`- case ECC_ALGO_SECP256K1:`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- case ECC_ALGO_BRAINP256R1:`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- case ECC_ALGO_ED25519:`
		`- case ECC_ALGO_ED448:`
		`- case ECC_ALGO_X25519:`
		`- @@ -2402,8 +2406,10 @@ ecc_algo_name (int algo)`
		`- return "NIST-P521";`
		`- case ECC_ALGO_SECP256K1:`
		`- return "secp256k1";`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- case ECC_ALGO_BRAINP256R1:`
		`- return "brainpoolP256r1";`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- default:`
		`- return NULL;`
		`- }`
		`- @@ -2434,8 +2440,10 @@ ecc_algo_curve (int algo)`
		`- return "NIST P-521";`
		`- case ECC_ALGO_SECP256K1:`
		`- return "secp256k1";`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- case ECC_ALGO_BRAINP256R1:`
		`- return "brainpoolP256r1";`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- default:`
		`- return NULL;`
		`- }`
		`- @@ -2466,8 +2474,10 @@ ecc_nbits (int algo)`
		`- return 521;`
		`- case ECC_ALGO_SECP256K1:`
		`- return 256;`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- case ECC_ALGO_BRAINP256R1:`
		`- return 256;`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- default:`
		`- return 0;`
		`- }`
		`- @@ -2665,6 +2675,7 @@ bench_ecc_init (struct bench_obj *obj)`
		`- err = gcry_sexp_build (&hd->data, NULL,`
		`- "(data (flags raw) (value %m))", x);`
		`- break;`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- case ECC_ALGO_BRAINP256R1:`
		`- err = gcry_sexp_build (&hd->key_spec, NULL,`
		`- "(genkey (ECDSA (curve brainpoolP256r1)))");`
		`- @@ -2673,6 +2684,7 @@ bench_ecc_init (struct bench_obj *obj)`
		`- err = gcry_sexp_build (&hd->data, NULL,`
		`- "(data (flags raw) (value %m))", x);`
		`- break;`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- }`
		`-`
		`- gcry_mpi_release (x);`
		`- diff --git a/tests/curves.c b/tests/curves.c`
		`- index 3c738171..8eb79565 100644`
		`- --- a/tests/curves.c`
		`- +++ b/tests/curves.c`
		`- @@ -33,7 +33,11 @@`
		`- #include "t-common.h"`
		`-`
		`- /* Number of curves defined in ../cipher/ecc-curves.c */`
		`- -#define N_CURVES 27`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- +# define N_CURVES 27`
		`- +#else`
		`- +# define N_CURVES 20`
		`- +#endif`
		`-`
		`- /* A real world sample public key. */`
		`- static char const sample_key_1[] =`
		`- @@ -52,6 +56,7 @@ static char const sample_key_1[] =`
		`- static char const sample_key_1_curve[] = "NIST P-256";`
		`- static unsigned int sample_key_1_nbits = 256;`
		`-`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- /* A made up sample public key. */`
		`- static char const sample_key_2[] =`
		`- "(public-key\n"`
		`- @@ -68,6 +73,7 @@ static char const sample_key_2[] =`
		`- " ))";`
		`- static char const sample_key_2_curve[] = "brainpoolP160r1";`
		`- static unsigned int sample_key_2_nbits = 160;`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`-`
		`- static int in_fips_mode;`
		`-`
		`- @@ -113,6 +119,7 @@ check_matching (void)`
		`-`
		`- gcry_sexp_release (key);`
		`-`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- if (!in_fips_mode)`
		`- {`
		`- err = gcry_sexp_new (&key, sample_key_2, 0, 1);`
		`- @@ -130,6 +137,7 @@ check_matching (void)`
		`-`
		`- gcry_sexp_release (key);`
		`- }`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- }`
		`-`
		`- #define TEST_ERROR_EXPECTED (1 << 0)`
		`- @@ -185,20 +193,26 @@ check_get_params (void)`
		`- { GCRY_PK_ECC, "1.3.132.0.35" },`
		`- { GCRY_PK_ECC, "nistp521" },`
		`-`
		`- - { GCRY_PK_ECC, "brainpoolP160r1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "brainpoolP192r1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "brainpoolP224r1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "brainpoolP256r1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "brainpoolP320r1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "brainpoolP384r1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "brainpoolP512r1", TEST_NOFIPS },`
		`- - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS },`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- +# define BRAINPOOL_FLAGS TEST_NOFIPS`
		`- +#else`
		`- +# define BRAINPOOL_FLAGS TEST_ERROR_EXPECTED`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`- + { GCRY_PK_ECC, "brainpoolP160r1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "brainpoolP192r1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "brainpoolP224r1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "brainpoolP256r1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "brainpoolP320r1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "brainpoolP384r1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "brainpoolP512r1", BRAINPOOL_FLAGS },`
		`- + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", BRAINPOOL_FLAGS },`
		`- +#undef BRAINPOOL_ERROR_EXPECTED`
		`-`
		`- { GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS },`
		`- { GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS },`
		`- @@ -282,6 +296,7 @@ check_get_params (void)`
		`-`
		`- gcry_sexp_release (param);`
		`-`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- if (!in_fips_mode)`
		`- {`
		`- param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve);`
		`- @@ -297,6 +312,7 @@ check_get_params (void)`
		`-`
		`- gcry_sexp_release (param);`
		`- }`
		`- +#endif /* ENABLE_BRAINPOOL */`
		`-`
		`- /* Some simple tests */`
		`- for (idx=0; idx < DIM (tv); idx++)`
		`- diff --git a/tests/keygrip.c b/tests/keygrip.c`
		`- index 49bd71bc..fc4c17be 100644`
		`- --- a/tests/keygrip.c`
		`- +++ b/tests/keygrip.c`
		`- @@ -149,6 +149,7 @@ static struct`
		`- " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))",`
		`- "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6"`
		`- },`
		`- +#ifdef ENABLE_BRAINPOOL`
		`- {`
		`- GCRY_PK_ECC,`
		`- "(public-key"`
		`- @@ -197,6 +198,7 @@ static struct`
		`- "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",`
		`- 1`
		`- },`
		`- +#endif /ENABLE_BRAINPOOL /`
		`- { /* Ed25519 standard */`
		`- GCRY_PK_ECC,`
		`- "(public-key"`
		`- --`
		`- 2.34.1`
		`-`

libgcrypt.spec

file modified

+10 -8

		`@@ -13,20 +13,19 @@`
		`print(string.sub(hash, 0, 16))`
		`}`

		`- # disable brainpool curves by default`
		`- %bcond_with brainpool`
		`-`
		`Name: libgcrypt`
		`Version: 1.10.1`
		`- Release: 4%{?dist}`
		`+ Release: 5%{?dist}`
		`URL: https://www.gnupg.org/`
		`Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2`
		`Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig`
		`Source2: wk@g10code.com`
		`- # brainpool curves are still not allowed to be shipped in Fedora`
		`- Patch1: libgcrypt-1.10.0-disable-brainpool.patch`
		`# Pass the annobin flags to the libgcrypt.so (#2016349)`
		`- Patch2: libgcrypt-1.10.1-annobin.patch`
		`+ Patch1: libgcrypt-1.10.1-annobin.patch`
		`+ # https://dev.gnupg.org/T5919`
		`+ # tests occasionally fail with "error generating RSA key: Number is not prime"`
		`+ # https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=cd30ed3c0`
		`+ Patch2: 0001-cipher-Change-the-bounds-for-RSA-key-generation-roun.patch`

		`%global gcrylibdir %{_libdir}`
		`%global gcrysoname libgcrypt.so.20`
		`@@ -89,7 +88,6 @@`
		`%endif`
		`--enable-noexecstack \`
		`--enable-hmac-binary-check=%{hmackey} \`
		`- %{!?with_brainpool:--disable-brainpool} \`
		`--enable-digests="$DIGESTS" \`
		`--enable-ciphers="$CIPHERS" \`
		`--with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"`
		`@@ -182,6 +180,10 @@`
		`%license COPYING`

		`%changelog`
		`+ * Tue Nov 08 2022 Todd Zullinger <tmz@pobox.com> - 1.10.1-5`
		`+ - enable brainpool by default (#1413618)`
		`+ - fix sporadic failures generating RSA keys in FIPS mode`
		`+`
		`* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild`

tmz commented a year ago

Thanks to the Fedora Legal team, we are now able to include Brainpool
ECC in Fedora. Matthew Miller notified the Fedora Legal list.

References:
https://bugzilla.redhat.com/1413618
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/752Z34MTHB6B4XRUW2TTAPEIUUK4O2LA/

zuul commented a year ago

Build succeeded.

check-for-arches : SUCCESS in 57s
rpm-scratch-build : SUCCESS in 10m 46s
rpm-scratch-build-s390x : SUCCESS in 10m 48s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 14m 38s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 13m 46s (non-voting)
rpm-scratch-build-aarch64 : FAILURE in 11m 00s (non-voting)
rpm-linter : FAILURE in 2m 27s (non-voting)
rpm-rpminspect : SUCCESS in 4m 18s (non-voting)
check-for-sti-tests : SUCCESS in 21s
check-for-fmf-tests : SUCCESS in 19s
rpm-install-test : SUCCESS in 1m 57s
rpm-tmt-test : SKIPPED
rpm-sti-test : SUCCESS in 13m 00s

tmz commented a year ago

This may be known, but a scratch build I ran prior to submitting this failed on i686. In faked FIPS mode the benchmark check failed with:

RSA 1024 bit    [skipped in fips mode]
RSA 2048 bit    benchmark: creating 2048 bit RSA key failed: Number is not prime
FAIL: benchmark

It succeeded in a subsequent manual scratch build as well as the automated zuul builds above. I figured I would mention it in case it's not expected to ever fail or if it's rare and having another example helps.

jjelen commented a year ago

Yeah, this is know issue fixed with the following upstream commit:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=cd30ed3c0d715aa0c58a32a29cfb1476163a5b94
I will pull it as a separate backport (or you can include it here).

Can you in the meantime update the commit message to contain the references to the bug and the mailing list so it will not get lost when the commit will be merged?

tmz commented a year ago

Oh, good to know the make check issue in FIPS mode is fixed upstream.

Do you mean the brainpool bug report (rhbz#1413618) and legal mailing list references? If so, those should be in the commit message already:

enable brainpool curves by default

Thanks to the Fedora Legal team, we are now able to include Brainpool
ECC in Fedora.  Matthew Miller notified the Fedora Legal list.

References:
https://bugzilla.redhat.com/1413618
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/752Z34MTHB6B4XRUW2TTAPEIUUK4O2LA/

I did think that Pagure showed an expander when there was more to the commit message, but I must be thinking of other git forges.

1 new commit added