pool/libgcrypt
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 712076 from home:jsikes:branches:devel:libraries:c_c++

Browse Source 
This fixes bsc#1133808. Hope it doesn't break anything else. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/712076
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=128
This commit is contained in:
Pedro Monreal Gonzalez 2019-06-27 15:31:10 +00:00 committed by Git OBS Bridge
parent 02d04cf4ae
commit d57c784f09
4 changed files with 27 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch → libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
View File

@ -1,28 +1,32 @@
Index: libgcrypt-1.8.4/src/global.c Index: libgcrypt-1.8.4/src/global.c
=================================================================== ===================================================================
--- libgcrypt-1.8.4.orig/src/global.c 2019-03-25 16:58:45.880313488 +0100 --- libgcrypt-1.8.4.orig/src/global.c
+++ libgcrypt-1.8.4/src/global.c 2019-03-25 16:58:45.896313582 +0100 +++ libgcrypt-1.8.4/src/global.c
@@ -144,11 +144,6 @@ global_init (void) @@ -141,27 +141,10 @@ global_init (void)
BUG ();
} }
-
-#ifndef FIPS_MODULE_PATH -#ifndef FIPS_MODULE_PATH
-#define FIPS_MODULE_PATH "/etc/system-fips" -#define FIPS_MODULE_PATH "/etc/system-fips"
-#endif -#endif
- -
void __attribute__ ((constructor)) _gcry_global_constructor (void) void __attribute__ ((constructor)) _gcry_global_constructor (void)
{ {
int rv; - int rv;
@@ -156,11 +151,6 @@ void __attribute__ ((constructor)) _gcry -
/* We always need the FSM lock to be functional. */ /* We always need the FSM lock to be functional. */
_gcry_initialize_fsm_lock (); _gcry_initialize_fsm_lock ();
-
- rv = access (FIPS_MODULE_PATH, F_OK); - rv = access (FIPS_MODULE_PATH, F_OK);
- if (rv < 0 && errno != ENOENT) - if (rv < 0 && errno != ENOENT)
- rv = 0; - rv = 0;
- -
- if (!rv) - if (!rv)
{ - {
/* We run the integrity check at this point. The remaining - /* We run the integrity check at this point. The remaining
selftests are run before use of the library by application. */ - selftests are run before use of the library by application. */
- _gcry_fips_run_selftests (0);
- }
}
/* This function is called by the macro fips_is_operational and makes

17
libgcrypt-fips_run_selftest_at_constructor.patch
View File

@ -1,17 +0,0 @@
Index: libgcrypt-1.6.1/src/global.c
===================================================================
--- libgcrypt-1.6.1.orig/src/global.c 2014-09-21 11:41:09.242948783 +0200
+++ libgcrypt-1.6.1/src/global.c 2014-09-21 11:54:49.567586644 +0200
@@ -124,7 +124,11 @@ global_init (void)
err = _gcry_mpi_init ();
if (err)
goto fail;
-
+ if (fips_mode()) {
+ err = _gcry_fips_run_selftests (0);
+ if (err)
+ goto fail;
+ }
return;
fail:

11
libgcrypt.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed Jun 26 06:52:54 UTC 2019 - Jason Sikes <jsikes@suse.de>
- Fixed redundant fips tests in some situations causing sudo to stop
working when pam-kwallet is installed. bsc#1133808
* Added libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
* Removed libgcrypt-fips_run_selftest_at_constructor.patch
because it was obsoleted by libgcrypt-1.8.3-fips-ctor.patch
* Removed libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
because it was obsoleted by libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jun 21 16:53:07 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> Fri Jun 21 16:53:07 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>

4
libgcrypt.spec
View File

@ -50,14 +50,11 @@ Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch
Patch28: libgcrypt-fix-rng.patch Patch28: libgcrypt-fix-rng.patch
#PATCH-FIX-SUSE add FIPS CAVS test app for DRBG #PATCH-FIX-SUSE add FIPS CAVS test app for DRBG
Patch30: drbg_test.patch Patch30: drbg_test.patch
#PATCH-FIX-SUSE run FIPS self-test from constructor
Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-sign
Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
#PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify #PATCH-FIX-UPSTREAM bsc#1064455 fipsdrv patch to enable --algo for dsa-verify
Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
Patch39: libgcrypt-1.8.3-fips-ctor.patch Patch39: libgcrypt-1.8.3-fips-ctor.patch
Patch40: libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch
Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch
Patch43: libgcrypt-1.8.4-use_xfree.patch Patch43: libgcrypt-1.8.4-use_xfree.patch
@ -68,6 +65,7 @@ Patch45: libgcrypt-1.8.4-getrandom.patch
Patch46: libgcrypt-CVE-2019-12904-GCM-Prefetch.patch Patch46: libgcrypt-CVE-2019-12904-GCM-Prefetch.patch
Patch47: libgcrypt-CVE-2019-12904-GCM.patch Patch47: libgcrypt-CVE-2019-12904-GCM.patch
Patch48: libgcrypt-CVE-2019-12904-AES.patch Patch48: libgcrypt-CVE-2019-12904-AES.patch
Patch49: libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch
BuildRequires: automake >= 1.14 BuildRequires: automake >= 1.14
BuildRequires: fipscheck BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.25 BuildRequires: libgpg-error-devel >= 1.25