diff --git a/gcr-3.92.0.tar.xz b/gcr-3.92.0.tar.xz deleted file mode 100644 index 0ba30564196ad8813778ea8ff52bf76486883a1a..0000000000000000000000000000000000000000 Binary files a/gcr-3.92.0.tar.xz and /dev/null differ diff --git a/gcr-4.3.0-fips.patch b/gcr-4.3.0-fips.patch new file mode 100644 index 0000000000000000000000000000000000000000..931c8ad3bcdfaa23629611cf68d34965b998784a --- /dev/null +++ b/gcr-4.3.0-fips.patch @@ -0,0 +1,379 @@ +From c2a7f26ecf8caec125146f4f3f186bbf9b4a8acf Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Jul 2024 23:58:39 +0900 +Subject: [PATCH 1/5] build: Add egg-fips module + +This adds a new egg-fips module, which provides access to the system +FIPS mode, so we can conditionalize used algorithms based on that. + +Signed-off-by: Daiki Ueno +--- + egg/egg-fips-gnutls.c | 36 ++++++++++++++++++++++++++++++++++++ + egg/egg-fips-libgcrypt.c | 33 +++++++++++++++++++++++++++++++++ + egg/egg-fips.h | 31 +++++++++++++++++++++++++++++++ + egg/meson.build | 2 ++ + 4 files changed, 102 insertions(+) + create mode 100644 egg/egg-fips-gnutls.c + create mode 100644 egg/egg-fips-libgcrypt.c + create mode 100644 egg/egg-fips.h + +diff --git a/egg/egg-fips-gnutls.c b/egg/egg-fips-gnutls.c +new file mode 100644 +index 00000000..c10ba312 +--- /dev/null ++++ b/egg/egg-fips-gnutls.c +@@ -0,0 +1,36 @@ ++/* ++ * gcr ++ * ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU Lesser General Public License as ++ * published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this program; if not, see . ++ */ ++ ++#include "config.h" ++ ++#include "egg-fips.h" ++ ++#include ++ ++EggFipsMode ++egg_fips_get_mode (void) ++{ ++ return gnutls_fips140_mode_enabled (); ++} ++ ++void ++egg_fips_set_mode (EggFipsMode mode) ++{ ++ gnutls_fips140_set_mode (mode, GNUTLS_FIPS140_SET_MODE_THREAD); ++} +diff --git a/egg/egg-fips-libgcrypt.c b/egg/egg-fips-libgcrypt.c +new file mode 100644 +index 00000000..ce43e9cb +--- /dev/null ++++ b/egg/egg-fips-libgcrypt.c +@@ -0,0 +1,33 @@ ++/* ++ * gcr ++ * ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU Lesser General Public License as ++ * published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this program; if not, see . ++ */ ++ ++#include "config.h" ++#include "egg-fips.h" ++ ++EggFipsMode ++egg_fips_get_mode (void) ++{ ++ return EGG_FIPS_MODE_DISABLED; ++} ++ ++void ++egg_fips_set_mode (EggFipsMode mode) ++{ ++ (void)mode; ++} +diff --git a/egg/egg-fips.h b/egg/egg-fips.h +new file mode 100644 +index 00000000..b1e9175e +--- /dev/null ++++ b/egg/egg-fips.h +@@ -0,0 +1,31 @@ ++/* ++ * gcr ++ * ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU Lesser General Public License as ++ * published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this program; if not, see . ++ */ ++ ++#ifndef EGG_FIPS_H_ ++#define EGG_FIPS_H_ ++ ++typedef enum { ++ EGG_FIPS_MODE_DISABLED = 0, ++ /* Other values are specific to each backend */ ++} EggFipsMode; ++ ++EggFipsMode egg_fips_get_mode (void); ++void egg_fips_set_mode (EggFipsMode mode); ++ ++#endif /* EGG_FIPS_H_ */ +diff --git a/egg/meson.build b/egg/meson.build +index 4dc166e8..e2ad4d51 100644 +--- a/egg/meson.build ++++ b/egg/meson.build +@@ -23,6 +23,7 @@ if with_gcrypt + libegg_sources += [ + 'egg-crypto-libgcrypt.c', + 'egg-dh-libgcrypt.c', ++ 'egg-fips-libgcrypt.c', + 'egg-hkdf-libgcrypt.c', + 'egg-libgcrypt.c', + 'egg-openssl.c', +@@ -32,6 +33,7 @@ elif with_gnutls + libegg_sources += [ + 'egg-crypto-gnutls.c', + 'egg-dh-gnutls.c', ++ 'egg-fips-gnutls.c', + 'egg-hkdf-gnutls.c', + ] + endif +-- +GitLab + + +From d9819c2b2198a7834c4c53ecde0413265aee079b Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 17 Jul 2024 00:00:44 +0900 +Subject: [PATCH 2/5] gcr: Skip non-compliant parser tests under FIPS + +Signed-off-by: Daiki Ueno +--- + gcr/test-parser.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/gcr/test-parser.c b/gcr/test-parser.c +index 90a8d10c..161a08d0 100644 +--- a/gcr/test-parser.c ++++ b/gcr/test-parser.c +@@ -23,6 +23,7 @@ + #include "config.h" + + #include "egg/egg-error.h" ++#include "egg/egg-fips.h" + #include "egg/egg-secure-memory.h" + #include "egg/egg-testing.h" + +@@ -334,6 +335,7 @@ main (int argc, char **argv) + gchar *lower; + gchar *test; + int ret; ++ EggFipsMode fips_mode; + + g_test_init (&argc, &argv, NULL); + g_set_prgname ("test-parser"); +@@ -342,6 +344,8 @@ main (int argc, char **argv) + dir = g_dir_open (SRCDIR "/gcr/fixtures", 0, &error); + g_assert_no_error (error); + ++ fips_mode = egg_fips_get_mode (); ++ + for (;;) { + filename = g_dir_read_name (dir); + if (!filename) +@@ -349,6 +353,23 @@ main (int argc, char **argv) + if (filename[0] == '.') + continue; + ++ if (fips_mode && ++ (g_str_equal (filename, "der-key-PBE-MD5-DES.p8") || ++ g_str_equal (filename, "der-key-PBE-SHA1-3DES.p8") || ++ g_str_equal (filename, "der-key-PBE-SHA1-DES.p8") || ++ g_str_equal (filename, "der-key-PBE-SHA1-RC2-40.p8") || ++ g_str_equal (filename, "der-key-PBE-SHA1-RC4-128.p8") || ++ g_str_equal (filename, "der-key-encrypted-pkcs5.p8") || ++ g_str_equal (filename, "der-key-v2-des.p8") || ++ g_str_equal (filename, "der-key-v2-des3.p8") || ++ g_str_equal (filename, "email.p12") || ++ g_str_equal (filename, "pem-pkcs8.key") || ++ g_str_equal (filename, "pem-rsa-enc.key") || ++ g_str_equal (filename, "personal.p12") || ++ g_str_equal (filename, "unclient.p12") || ++ g_str_equal (filename, "usr0052-firefox.p12"))) ++ continue; ++ + #ifdef WITH_GNUTLS + #if GNUTLS_VERSION_NUMBER < 0x030805 + /* Not yet supported in GnuTLS */ +-- +GitLab + + +From 41818b8cf054c9d33e295e30dec18d638f8ccc79 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 17 Jul 2024 00:01:55 +0900 +Subject: [PATCH 3/5] gcr: Tolerate non-approved DH parameter usage in FIPS + mode + +The GcrSecretExchange protocol uses a weak Diffie-Hellman parameters +which are not approved by FIPS. While this is not ideal, the protocol +is not designed as a general protection mechanism of data in transit, +but just as a safety net against when the dbus-daemon (or dbus-broker) +crashes and dumps a core, and thus bumping the protocol to use a +larger DH group would be overkill. + +This patch temporarily disables the FIPS check around the GnuTLS DH +API calls to avoid errors. + +Signed-off-by: Daiki Ueno +--- + gcr/gcr-secret-exchange.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/gcr/gcr-secret-exchange.c b/gcr/gcr-secret-exchange.c +index 7c83ac13..943b2afe 100644 +--- a/gcr/gcr-secret-exchange.c ++++ b/gcr/gcr-secret-exchange.c +@@ -23,6 +23,7 @@ + + #include "egg/egg-crypto.h" + #include "egg/egg-dh.h" ++#include "egg/egg-fips.h" + #include "egg/egg-hkdf.h" + + #include "egg/egg-padding.h" +@@ -597,6 +598,7 @@ gcr_secret_exchange_default_generate_exchange_key (GcrSecretExchange *exchange, + { + GcrSecretExchangeDefault *data = exchange->pv->default_exchange; + GBytes *buffer; ++ EggFipsMode fips_mode; + + g_debug ("generating public key"); + +@@ -615,9 +617,14 @@ gcr_secret_exchange_default_generate_exchange_key (GcrSecretExchange *exchange, + egg_dh_privkey_free (data->priv); + data->priv = NULL; + ++ fips_mode = egg_fips_get_mode (); ++ egg_fips_set_mode (EGG_FIPS_MODE_DISABLED); + if (!egg_dh_gen_pair (data->params, 0, +- &data->pub, &data->priv)) ++ &data->pub, &data->priv)) { ++ egg_fips_set_mode (fips_mode); + g_return_val_if_reached (FALSE); ++ } ++ egg_fips_set_mode (fips_mode); + + buffer = egg_dh_pubkey_export (data->pub); + g_return_val_if_fail (buffer != NULL, FALSE); +@@ -634,6 +641,7 @@ gcr_secret_exchange_default_derive_transport_key (GcrSecretExchange *exchange, + GBytes *buffer; + egg_dh_pubkey *peer_pubkey; + GBytes *ikm; ++ EggFipsMode fips_mode; + + g_debug ("deriving transport key"); + +@@ -644,7 +652,10 @@ gcr_secret_exchange_default_derive_transport_key (GcrSecretExchange *exchange, + g_bytes_unref (buffer); + + /* Build up a key we can use */ ++ fips_mode = egg_fips_get_mode (); ++ egg_fips_set_mode (EGG_FIPS_MODE_DISABLED); + ikm = egg_dh_gen_secret (peer_pubkey, data->priv, data->params); ++ egg_fips_set_mode (fips_mode); + g_return_val_if_fail (ikm != NULL, FALSE); + egg_dh_pubkey_free (peer_pubkey); + +-- +GitLab + + +From a1c2fc89a787e23d1dc023298023dc620e318dba Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 17 Jul 2024 09:51:31 +0900 +Subject: [PATCH 4/5] .gitlab-ci.yml: Call meson setup with -Dcrypto option + +Signed-off-by: Daiki Ueno +--- + .gitlab-ci.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml +index 7dc97393..49162969 100644 +--- a/.gitlab-ci.yml ++++ b/.gitlab-ci.yml +@@ -23,7 +23,7 @@ fedora:Werror: + - dnf upgrade -y --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f69ecb0511 + - dnf builddep -y gcr + script: +- - meson setup _build -Dwerror=true -Dc_args=-Wno-error=deprecated-declarations -Dgtk_doc=false ++ - meson setup _build -Dwerror=true -Dc_args=-Wno-error=deprecated-declarations -Dgtk_doc=false -Dcrypto=$CRYPTO + - meson compile -C _build + - dbus-run-session -- meson test -C _build + artifacts: +@@ -49,7 +49,7 @@ fedora:asan: + - dnf upgrade -y --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f69ecb0511 + - dnf builddep -y gcr + script: +- - meson setup _build -Db_sanitize=address -Dgtk_doc=false ++ - meson setup _build -Db_sanitize=address -Dgtk_doc=false -Dcrypto=$CRYPTO + - export G_SLICE=always-malloc G_DEBUG=gc-friendly ASAN_OPTIONS=abort_on_error=1:fast_unwind_on_malloc=0 + - dbus-run-session -- meson test -C _build + allow_failure: true +@@ -74,7 +74,7 @@ fedora:ubsan: + - dnf upgrade -y --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f69ecb0511 + - dnf builddep -y gcr + script: +- - meson setup _build -Db_sanitize=undefined -Dgtk_doc=false ++ - meson setup _build -Db_sanitize=undefined -Dgtk_doc=false -Dcrypto=$CRYPTO + - dbus-run-session -- meson test -C _build + artifacts: + name: "gcr-ubsan-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}" +-- +GitLab + + +From e4f4bd8024642b3c1b0f932abc6bba2bd19be80f Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 17 Jul 2024 10:15:57 +0900 +Subject: [PATCH 5/5] .gitlab-ci.yml: Exercise -Dcrypto=gnutls build in FIPS + mode + +Signed-off-by: Daiki Ueno +--- + .gitlab-ci.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml +index 49162969..d1112e5e 100644 +--- a/.gitlab-ci.yml ++++ b/.gitlab-ci.yml +@@ -10,6 +10,7 @@ variables: + matrix: + - CRYPTO: libgcrypt + - CRYPTO: gnutls ++ GNUTLS_FORCE_FIPS_MODE: [0, 1] + + fedora:Werror: + image: fedora:latest +-- +GitLab + diff --git a/gcr-4.3.0.tar.xz b/gcr-4.3.0.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..4fde15a23341cd6530a50192507de18ada7b8caf Binary files /dev/null and b/gcr-4.3.0.tar.xz differ diff --git a/gcr.spec b/gcr.spec index 36cd7115a1d54fddbebf81f03710a982772b70ac..2219634e9d97c826eadd045d3a8120de317f5d58 100644 --- a/gcr.spec +++ b/gcr.spec @@ -1,28 +1,30 @@ -%define anolis_release 2 +%define anolis_release 1 %ifarch %{valgrind_arches} %global has_valgrind 1 %endif Name: gcr -Version: 3.92.0 +Version: 4.3.0 Release: %{anolis_release}%{dist} Summary: A library for bits of crypto UI and parsing License: LGPLv2+ URL: https://wiki.gnome.org/Projects/CryptoGlue -Source0: https://download.gnome.org/sources/%{name}/3.92/%{name}-%{version}.tar.xz +Source0: https://download.gnome.org/sources/%{name}/4.3/%{name}-%{version}.tar.xz + +Patch0: gcr-4.3.0-fips.patch BuildRequires: gettext -BuildRequires: gi-docgen -BuildRequires: meson >= 0.52 -BuildRequires: pkgconfig(gio-unix-2.0) >= 2.44 +BuildRequires: meson +BuildRequires: pkgconfig(gi-docgen) +BuildRequires: pkgconfig(gio-unix-2.0) +BuildRequires: pkgconfig(gnutls) BuildRequires: pkgconfig(gobject-introspection-1.0) BuildRequires: pkgconfig(gtk4) -BuildRequires: pkgconfig(libgcrypt) >= 1 BuildRequires: pkgconfig(libsecret-1) BuildRequires: pkgconfig(libsystemd) -BuildRequires: pkgconfig(p11-kit-1) >= 0.19.0 +BuildRequires: pkgconfig(p11-kit-1) BuildRequires: pkgconfig(systemd) BuildRequires: systemd-rpm-macros BuildRequires: vala @@ -34,7 +36,8 @@ BuildRequires: /usr/bin/ssh-add BuildRequires: /usr/bin/ssh-agent BuildRequires: /usr/bin/xsltproc -Requires: %{name}-base = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} +Requires: /usr/bin/gpg2 Requires: /usr/bin/ssh-add Requires: /usr/bin/ssh-agent @@ -81,7 +84,6 @@ The gcr-devel package includes the header files for the gcr library. %meson %meson_build - %install %meson_install %find_lang gcr-4 @@ -107,21 +109,16 @@ The gcr-devel package includes the header files for the gcr library. %{_userunitdir}/gcr-ssh-agent.service %{_userunitdir}/gcr-ssh-agent.socket -%files doc -%doc NEWS README.md - %files libs -f gcr-4.lang %license COPYING -%dir %{abidir} %dir %{_libdir}/girepository-1.0 -%{_libdir}/girepository-1.0/Gck-2.typelib -%{_libdir}/girepository-1.0/Gcr-4.typelib -%{_libdir}/libgck-2.so.0.0.0 -%{_libdir}/libgck-2.so.1.92.0 +%dir %{abidir} %{abidir}/libgck-2.dump -%{_libdir}/libgcr-4.so.0.0.0 -%{_libdir}/libgcr-4.so.3.92.0 %{abidir}/libgcr-4.dump +%{_libdir}/girepository-1.0/Gck-2.typelib +%{_libdir}/girepository-1.0/Gcr-4.typelib +%{_libdir}/libgck-2.so.2* +%{_libdir}/libgcr-4.so.4* %files devel %{_includedir}/gck-2/ @@ -143,6 +140,9 @@ The gcr-devel package includes the header files for the gcr library. %doc %{_datadir}/doc/gcr-4/ %changelog +* Fri Jul 25 2025 tomcruiseqi - 4.3.0-1 +- Update to 4.3.0 to be compatible with gnome-online-accounts 3.52.3.1 + * Wed May 21 2025 zhoujiajia111 - 3.92.0-2 - Rebuild for remove inappropriate build dependencies.