Accepting request 698242 from home:jsikes:branches:devel:libraries:c_c++

Hopefully this fixes bsc#1131369. Hopefully.

OBS-URL: https://build.opensuse.org/request/show/698242
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=125

libgcrypt-1.8.4-getrandom.patch

@@ -0,0 +1,103 @@
+Index: libgcrypt-1.8.4/random/random-csprng.c
+===================================================================
+--- libgcrypt-1.8.4.orig/random/random-csprng.c
++++ libgcrypt-1.8.4/random/random-csprng.c
+@@ -55,6 +55,10 @@
+ #ifdef __MINGW32__
+ #include <process.h>
+ #endif
++#if defined(__linux__) && defined(HAVE_SYSCALL)
++# include <sys/syscall.h>
++# include <linux/random.h>
++#endif
+ #include "g10lib.h"
+ #include "random.h"
+ #include "rand-internal.h"
+@@ -1116,6 +1120,22 @@ getfnc_gather_random (void))(void (*)(co
+              enum random_origins, size_t, int);
+ 
+ #if USE_RNDLINUX
++#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
++  long ret;
++  char buffer[1];
++
++  _gcry_pre_syscall ();
++  ret = syscall (__NR_getrandom,
++                 (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
++  _gcry_post_syscall ();
++  if (ret != -1 || errno != ENOSYS)
++    {
++      fnc = _gcry_rndlinux_gather_random;
++      return fnc;
++    }
++  else
++          /* The syscall is not supported - fallback to /dev/urandom. */
++#endif
+   if ( !access (NAME_OF_DEV_RANDOM, R_OK)
+        && !access (NAME_OF_DEV_URANDOM, R_OK))
+     {
+Index: libgcrypt-1.8.4/random/random.c
+===================================================================
+--- libgcrypt-1.8.4.orig/random/random.c
++++ libgcrypt-1.8.4/random/random.c
+@@ -110,8 +110,8 @@ _gcry_random_read_conf (void)
+   unsigned int result = 0;
+ 
+   fp = fopen (fname, "r");
+-  if (!fp)
+-    return result;
++  if (!fp) /* We make only_urandom the default. */
++    return RANDOM_CONF_ONLY_URANDOM;
+ 
+   for (;;)
+     {
+Index: libgcrypt-1.8.4/random/rndlinux.c
+===================================================================
+--- libgcrypt-1.8.4.orig/random/rndlinux.c
++++ libgcrypt-1.8.4/random/rndlinux.c
+@@ -34,6 +34,7 @@
+ #include <fcntl.h>
+ #if defined(__linux__) && defined(HAVE_SYSCALL)
+ # include <sys/syscall.h>
++# include <linux/random.h>
+ #endif
+ 
+ #include "types.h"
+@@ -248,6 +249,18 @@ _gcry_rndlinux_gather_random (void (*add
+     {
+       if (fd_urandom == -1)
+         {
++#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
++          long ret;
++
++          _gcry_pre_syscall ();
++          ret = syscall (__NR_getrandom,
++                         (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK);
++          _gcry_post_syscall ();
++          if (ret > -1 || errno == EAGAIN || errno == EINTR)
++            fd_urandom = -2;
++	  else
++            /* The syscall is not supported - fallback to /dev/urandom. */
++#endif
+           fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
+           ever_opened |= 2;
+         }
+@@ -275,6 +288,7 @@ _gcry_rndlinux_gather_random (void (*add
+        * syscall and not a new device and thus we are not able to use
+        * select(2) to have a timeout. */
+ #if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
++      if (fd == -2)
+         {
+           long ret;
+           size_t nbytes;
+@@ -290,9 +304,7 @@ _gcry_rndlinux_gather_random (void (*add
+               _gcry_post_syscall ();
+             }
+           while (ret == -1 && errno == EINTR);
+-          if (ret == -1 && errno == ENOSYS)
+-            ; /* The syscall is not supported - fallback to pulling from fd.  */
+-          else
++          if (1)
+             { /* The syscall is supported.  Some sanity checks.  */
+               if (ret == -1)
+                 log_fatal ("unexpected error from getrandom: %s\n",

libgcrypt-init-at-elf-load-fips.patch

@@ -1,13 +0,0 @@
-Index: libgcrypt-1.6.1/src/global.c
-===================================================================
---- libgcrypt-1.6.1.orig/src/global.c
-+++ libgcrypt-1.6.1/src/global.c
-@@ -76,7 +76,7 @@ static gpg_err_code_t external_lock_test
-    likely to be called at startup.  The suggested way for an
-    application to make sure that this has been called is by using
-    gcry_check_version. */
--static void
-+static void __attribute__((constructor))
- global_init (void)
- {
-   gcry_error_t err = 0;

libgcrypt.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Apr 26 06:47:45 UTC 2019 - Jason Sikes <jsikes@suse.de>
+
+- do not try to open /dev/urandom if getrandom() works
+  * Added libgcrypt-1.8.4-getrandom.patch
+- Drop libgcrypt-init-at-elf-load-fips.patch obsoleted
+  by libgcrypt-1.8.3-fips-ctor.patch
+
 -------------------------------------------------------------------
 Tue Apr 23 12:38:40 UTC 2019 - Jason Sikes <jsikes@suse.de>
 

libgcrypt.spec

@@ -48,7 +48,6 @@ Patch13:        libgcrypt-1.6.1-fips-cavs.patch
 #PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
 Patch14:        libgcrypt-1.6.1-fips-cfgrandom.patch
 Patch28:        libgcrypt-fix-rng.patch
-Patch29:        libgcrypt-init-at-elf-load-fips.patch
 #PATCH-FIX-SUSE add FIPS CAVS test app for DRBG
 Patch30:        drbg_test.patch
 #PATCH-FIX-SUSE run FIPS self-test from constructor
@@ -63,6 +62,7 @@ Patch41:        libgcrypt-binary_integrity_in_non-FIPS.patch
 Patch42:        libgcrypt-fips_rsa_no_enforced_mode.patch
 Patch43:        libgcrypt-1.8.4-use_xfree.patch
 Patch44:        libgcrypt-1.8.4-allow_FSM_same_state.patch
+Patch45:        libgcrypt-1.8.4-getrandom.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.25