diff --git a/libgcrypt-1.8.4-getrandom.patch b/libgcrypt-1.8.4-getrandom.patch new file mode 100644 index 0000000..4810974 --- /dev/null +++ b/libgcrypt-1.8.4-getrandom.patch @@ -0,0 +1,103 @@ +Index: libgcrypt-1.8.4/random/random-csprng.c +=================================================================== +--- libgcrypt-1.8.4.orig/random/random-csprng.c ++++ libgcrypt-1.8.4/random/random-csprng.c +@@ -55,6 +55,10 @@ + #ifdef __MINGW32__ + #include + #endif ++#if defined(__linux__) && defined(HAVE_SYSCALL) ++# include ++# include ++#endif + #include "g10lib.h" + #include "random.h" + #include "rand-internal.h" +@@ -1116,6 +1120,22 @@ getfnc_gather_random (void))(void (*)(co + enum random_origins, size_t, int); + + #if USE_RNDLINUX ++#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) ++ long ret; ++ char buffer[1]; ++ ++ _gcry_pre_syscall (); ++ ret = syscall (__NR_getrandom, ++ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK); ++ _gcry_post_syscall (); ++ if (ret != -1 || errno != ENOSYS) ++ { ++ fnc = _gcry_rndlinux_gather_random; ++ return fnc; ++ } ++ else ++ /* The syscall is not supported - fallback to /dev/urandom. */ ++#endif + if ( !access (NAME_OF_DEV_RANDOM, R_OK) + && !access (NAME_OF_DEV_URANDOM, R_OK)) + { +Index: libgcrypt-1.8.4/random/random.c +=================================================================== +--- libgcrypt-1.8.4.orig/random/random.c ++++ libgcrypt-1.8.4/random/random.c +@@ -110,8 +110,8 @@ _gcry_random_read_conf (void) + unsigned int result = 0; + + fp = fopen (fname, "r"); +- if (!fp) +- return result; ++ if (!fp) /* We make only_urandom the default. */ ++ return RANDOM_CONF_ONLY_URANDOM; + + for (;;) + { +Index: libgcrypt-1.8.4/random/rndlinux.c +=================================================================== +--- libgcrypt-1.8.4.orig/random/rndlinux.c ++++ libgcrypt-1.8.4/random/rndlinux.c +@@ -34,6 +34,7 @@ + #include + #if defined(__linux__) && defined(HAVE_SYSCALL) + # include ++# include + #endif + + #include "types.h" +@@ -248,6 +249,18 @@ _gcry_rndlinux_gather_random (void (*add + { + if (fd_urandom == -1) + { ++#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) ++ long ret; ++ ++ _gcry_pre_syscall (); ++ ret = syscall (__NR_getrandom, ++ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK); ++ _gcry_post_syscall (); ++ if (ret > -1 || errno == EAGAIN || errno == EINTR) ++ fd_urandom = -2; ++ else ++ /* The syscall is not supported - fallback to /dev/urandom. */ ++#endif + fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1); + ever_opened |= 2; + } +@@ -275,6 +288,7 @@ _gcry_rndlinux_gather_random (void (*add + * syscall and not a new device and thus we are not able to use + * select(2) to have a timeout. */ + #if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) ++ if (fd == -2) + { + long ret; + size_t nbytes; +@@ -290,9 +304,7 @@ _gcry_rndlinux_gather_random (void (*add + _gcry_post_syscall (); + } + while (ret == -1 && errno == EINTR); +- if (ret == -1 && errno == ENOSYS) +- ; /* The syscall is not supported - fallback to pulling from fd. */ +- else ++ if (1) + { /* The syscall is supported. Some sanity checks. */ + if (ret == -1) + log_fatal ("unexpected error from getrandom: %s\n", diff --git a/libgcrypt-init-at-elf-load-fips.patch b/libgcrypt-init-at-elf-load-fips.patch deleted file mode 100644 index bda8c42..0000000 --- a/libgcrypt-init-at-elf-load-fips.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: libgcrypt-1.6.1/src/global.c -=================================================================== ---- libgcrypt-1.6.1.orig/src/global.c -+++ libgcrypt-1.6.1/src/global.c -@@ -76,7 +76,7 @@ static gpg_err_code_t external_lock_test - likely to be called at startup. The suggested way for an - application to make sure that this has been called is by using - gcry_check_version. */ --static void -+static void __attribute__((constructor)) - global_init (void) - { - gcry_error_t err = 0; diff --git a/libgcrypt.changes b/libgcrypt.changes index 38719ba..6767de4 100644 --- a/libgcrypt.changes +++ b/libgcrypt.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Apr 26 06:47:45 UTC 2019 - Jason Sikes + +- do not try to open /dev/urandom if getrandom() works + * Added libgcrypt-1.8.4-getrandom.patch +- Drop libgcrypt-init-at-elf-load-fips.patch obsoleted + by libgcrypt-1.8.3-fips-ctor.patch + ------------------------------------------------------------------- Tue Apr 23 12:38:40 UTC 2019 - Jason Sikes diff --git a/libgcrypt.spec b/libgcrypt.spec index f0f4c2e..7306197 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -48,7 +48,6 @@ Patch13: libgcrypt-1.6.1-fips-cavs.patch #PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch Patch28: libgcrypt-fix-rng.patch -Patch29: libgcrypt-init-at-elf-load-fips.patch #PATCH-FIX-SUSE add FIPS CAVS test app for DRBG Patch30: drbg_test.patch #PATCH-FIX-SUSE run FIPS self-test from constructor @@ -63,6 +62,7 @@ Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch Patch43: libgcrypt-1.8.4-use_xfree.patch Patch44: libgcrypt-1.8.4-allow_FSM_same_state.patch +Patch45: libgcrypt-1.8.4-getrandom.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.25