diff --git a/libgcrypt-1.6.1-use-fipscheck.patch b/libgcrypt-1.6.1-use-fipscheck.patch index bdf924c..0f15509 100644 --- a/libgcrypt-1.6.1-use-fipscheck.patch +++ b/libgcrypt-1.6.1-use-fipscheck.patch @@ -47,7 +47,7 @@ Index: libgcrypt-1.6.1/src/fips.c - if (!dladdr ("gcry_check_version", &info)) + const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; + -+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath))) ++ if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath))) err = gpg_error_from_syserror (); else { diff --git a/libgcrypt-fix-rng.patch b/libgcrypt-fix-rng.patch new file mode 100644 index 0000000..0d7d3a6 --- /dev/null +++ b/libgcrypt-fix-rng.patch @@ -0,0 +1,24 @@ +Index: libgcrypt-1.6.1/random/random.c +=================================================================== +--- libgcrypt-1.6.1.orig/random/random.c ++++ libgcrypt-1.6.1/random/random.c +@@ -440,6 +440,9 @@ _gcry_create_nonce (void *buffer, size_t + size_t n; + int err; + ++ /* Make sure we are initialized. */ ++ _gcry_random_initialize (1); ++ + /* First check whether we shall use the FIPS nonce generator. This + is only done in FIPS mode, in all other modes, we use our own + nonce generator which is seeded by the RNG actual in use. */ +@@ -455,9 +458,6 @@ _gcry_create_nonce (void *buffer, size_t + FIPS mode (not that this means it is also used if the FIPS RNG + has been selected but we are not in fips mode). */ + +- /* Make sure we are initialized. */ +- _gcry_random_initialize (1); +- + /* Acquire the nonce buffer lock. */ + err = ath_mutex_lock (&nonce_buffer_lock); + if (err) diff --git a/libgcrypt-init-at-elf-load-fips.patch b/libgcrypt-init-at-elf-load-fips.patch new file mode 100644 index 0000000..bda8c42 --- /dev/null +++ b/libgcrypt-init-at-elf-load-fips.patch @@ -0,0 +1,13 @@ +Index: libgcrypt-1.6.1/src/global.c +=================================================================== +--- libgcrypt-1.6.1.orig/src/global.c ++++ libgcrypt-1.6.1/src/global.c +@@ -76,7 +76,7 @@ static gpg_err_code_t external_lock_test + likely to be called at startup. The suggested way for an + application to make sure that this has been called is by using + gcry_check_version. */ +-static void ++static void __attribute__((constructor)) + global_init (void) + { + gcry_error_t err = 0; diff --git a/libgcrypt.changes b/libgcrypt.changes index ad706c9..3e19de1 100644 --- a/libgcrypt.changes +++ b/libgcrypt.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon May 26 12:05:17 UTC 2014 - meissner@suse.com + +- libgcrypt-fix-rng.patch: make drbg work again in FIPS mode. +- libgcrypt-1.6.1-use-fipscheck.patch: library to test is libgcrypt.so.20 + and not libgcrypt.so.11 +- libgcrypt-init-at-elf-load-fips.patch: initialize globally on ELF + DSO loading to meet FIPS requirements. + ------------------------------------------------------------------- Tue May 13 10:47:51 UTC 2014 - vcizek@suse.com diff --git a/libgcrypt.spec b/libgcrypt.spec index 535fb18..1f5e8a5 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -56,6 +56,8 @@ Patch24: 0004-Invoke-DRBG-from-common-libgcrypt-RNG-code.patch Patch25: 0005-Function-definitions-for-gcry_control-callbacks.patch Patch26: 0006-DRBG-specific-gcry_control-requests.patch Patch27: 0007-User-interface-to-DRBG.patch +Patch28: libgcrypt-fix-rng.patch +Patch29: libgcrypt-init-at-elf-load-fips.patch BuildRequires: automake >= 1.11 BuildRequires: libgpg-error-devel >= 1.11 BuildRequires: libtool @@ -136,6 +138,8 @@ understanding of applied cryptography is required to use Libgcrypt. %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 +%patch29 -p1 %endif %patch13 -p1 %patch14 -p1