Accepting request 235418 from home:msmeissn:branches:devel:libraries:c_c++

- libgcrypt-fix-rng.patch: make drbg work again in FIPS mode. - libgcrypt-1.6.1-use-fipscheck.patch: library to test is libgcrypt.so.20 and not libgcrypt.so.11 - libgcrypt-init-at-elf-load-fips.patch: initialize globally on ELF DSO loading to meet FIPS requirements. OBS-URL: https://build.opensuse.org/request/show/235418 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=57
2014-05-27 18:06:59 +00:00 · 2014-05-27 18:06:59 +00:00 · 31afb2af23
commit 31afb2af23
parent df3dfc3e0f
5 changed files with 51 additions and 1 deletions
--- a/libgcrypt-1.6.1-use-fipscheck.patch
+++ b/libgcrypt-1.6.1-use-fipscheck.patch
@ -47,7 +47,7 @@ Index: libgcrypt-1.6.1/src/fips.c
 -  if (!dladdr ("gcry_check_version", &info))
 +  const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
 +  
-+  if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
+  if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))
     err = gpg_error_from_syserror ();
   else
     {
--- a/libgcrypt-fix-rng.patch
+++ b/libgcrypt-fix-rng.patch
@ -0,0 +1,24 @@
+Index: libgcrypt-1.6.1/random/random.c
+===================================================================
+--- libgcrypt-1.6.1.orig/random/random.c
+++ libgcrypt-1.6.1/random/random.c
+@@ -440,6 +440,9 @@ _gcry_create_nonce (void *buffer, size_t
+   size_t n;
+   int err;
+ 
+  /* Make sure we are initialized. */
+  _gcry_random_initialize (1);
+
+   /* First check whether we shall use the FIPS nonce generator.  This
+      is only done in FIPS mode, in all other modes, we use our own
+      nonce generator which is seeded by the RNG actual in use.  */
+@@ -455,9 +458,6 @@ _gcry_create_nonce (void *buffer, size_t
+      FIPS mode (not that this means it is also used if the FIPS RNG
+      has been selected but we are not in fips mode).  */
+ 
+-  /* Make sure we are initialized. */
+-  _gcry_random_initialize (1);
+-
+   /* Acquire the nonce buffer lock. */
+   err = ath_mutex_lock (&nonce_buffer_lock);
+   if (err)
--- a/libgcrypt-init-at-elf-load-fips.patch
+++ b/libgcrypt-init-at-elf-load-fips.patch
@ -0,0 +1,13 @@
+Index: libgcrypt-1.6.1/src/global.c
+===================================================================
+--- libgcrypt-1.6.1.orig/src/global.c
+++ libgcrypt-1.6.1/src/global.c
+@@ -76,7 +76,7 @@ static gpg_err_code_t external_lock_test
+    likely to be called at startup.  The suggested way for an
+    application to make sure that this has been called is by using
+    gcry_check_version. */
+-static void
+static void __attribute__((constructor))
+ global_init (void)
+ {
+   gcry_error_t err = 0;
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon May 26 12:05:17 UTC 2014 - meissner@suse.com
+
+- libgcrypt-fix-rng.patch: make drbg work again in FIPS mode.
+- libgcrypt-1.6.1-use-fipscheck.patch: library to test is libgcrypt.so.20
+  and not libgcrypt.so.11
+- libgcrypt-init-at-elf-load-fips.patch: initialize globally on ELF 
+  DSO loading to meet FIPS requirements.
+
 -------------------------------------------------------------------
 Tue May 13 10:47:51 UTC 2014 - vcizek@suse.com

--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -56,6 +56,8 @@ Patch24:        0004-Invoke-DRBG-from-common-libgcrypt-RNG-code.patch
 Patch25:        0005-Function-definitions-for-gcry_control-callbacks.patch
 Patch26:        0006-DRBG-specific-gcry_control-requests.patch
 Patch27:        0007-User-interface-to-DRBG.patch
+Patch28:        libgcrypt-fix-rng.patch
+Patch29:        libgcrypt-init-at-elf-load-fips.patch
 BuildRequires:  automake >= 1.11
 BuildRequires:  libgpg-error-devel >= 1.11
 BuildRequires:  libtool
@ -136,6 +138,8 @@ understanding of applied cryptography is required to use Libgcrypt.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1
 %endif
 %patch13 -p1
 %patch14 -p1