
Accepting request 235587 from devel:libraries:c_c++

- libgcrypt-fix-rng.patch: make drbg work again in FIPS mode.
- libgcrypt-1.6.1-use-fipscheck.patch: library to test is libgcrypt.so.20
  and not libgcrypt.so.11
- libgcrypt-init-at-elf-load-fips.patch: initialize globally on ELF 
  DSO loading to meet FIPS requirements. (forwarded request 235418 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/235587
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libgcrypt?expand=0&rev=48
Stephan Kulow 2014-06-01 16:54:43 +00:00 committed by Git OBS Bridge
commit dbc6021874
5 changed files with 51 additions and 1 deletions


@ -47,7 +47,7 @@ Index: libgcrypt-1.6.1/src/fips.c
- if (!dladdr ("gcry_check_version", &info))
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))
err = gpg_error_from_syserror ();
else
{
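Review bot: The soname `libgcrypt.so.20` is still a string literal in the `get_library_path` call, so the FIPS integrity check will look for the wrong or a missing file again on the next soname bump, which is the failure this commit corrects for `.so.11`. Consider deriving the name from a build-time value instead of hard-coding it, or at least add a comment above the call such as `/* Must match the installed soname; update together with the library version info. */`. It is also worth confirming that a failed lookup makes the self-test fail closed in FIPS mode; the handling after `else {` is outside the visible hunk.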

24
libgcrypt-fix-rng.patch Normal file

@ -0,0 +1,24 @@
Index: libgcrypt-1.6.1/random/random.c
===================================================================
--- libgcrypt-1.6.1.orig/random/random.c
+++ libgcrypt-1.6.1/random/random.c
@@ -440,6 +440,9 @@ _gcry_create_nonce (void *buffer, size_t
size_t n;
int err;
+ /* Make sure we are initialized. */
+ _gcry_random_initialize (1);
+
/* First check whether we shall use the FIPS nonce generator. This
is only done in FIPS mode, in all other modes, we use our own
nonce generator which is seeded by the RNG actual in use. */
@@ -455,9 +458,6 @@ _gcry_create_nonce (void *buffer, size_t
FIPS mode (not that this means it is also used if the FIPS RNG
has been selected but we are not in fips mode). */
- /* Make sure we are initialized. */
- _gcry_random_initialize (1);
-
/* Acquire the nonce buffer lock. */
err = ath_mutex_lock (&nonce_buffer_lock);
if (err)
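Review bot: The moved comment `/* Make sure we are initialized. */` does not record why the call now has to sit above the FIPS nonce-generator check, so a later cleanup could move it back and reintroduce the breakage. Judging from the changelog entry ("make drbg work again in FIPS mode"), the FIPS branch previously ran before `_gcry_random_initialize (1)`; I would state that in the comment, e.g. `/* Initialize before the FIPS branch below; the DRBG nonce path needs the RNG set up too. */`. The patch file also carries no header describing the symptom or its upstream status, which makes it harder to audit when the package is rebased. The body of `_gcry_create_nonce` continues outside both hunks.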


@ -0,0 +1,13 @@
Index: libgcrypt-1.6.1/src/global.c
===================================================================
--- libgcrypt-1.6.1.orig/src/global.c
+++ libgcrypt-1.6.1/src/global.c
@@ -76,7 +76,7 @@ static gpg_err_code_t external_lock_test
likely to be called at startup. The suggested way for an
application to make sure that this has been called is by using
gcry_check_version. */
-static void
+static void __attribute__((constructor))
global_init (void)
{
gcry_error_t err = 0;
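Review bot: `__attribute__((constructor))` is added to `global_init` unconditionally, so initialization now runs at DSO load in every process that links the library, before the application can make any pre-initialization `gcry_control` calls and regardless of whether FIPS mode is active. `global_init` returns void, so a failure at load time cannot be reported to a caller; how `err` is handled lies outside the hunk and should be checked to fail closed in FIPS mode. The existing comment above the function still names `gcry_check_version` as the way to trigger initialization; I would extend it with something like `/* Also run as an ELF constructor so FIPS initialization happens at load time; must stay safe to call again from gcry_check_version. */`. The attribute is a GCC/Clang extension with no compiler guard, which is acceptable only if this package is never built with another compiler.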


@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon May 26 12:05:17 UTC 2014 - meissner@suse.com
- libgcrypt-fix-rng.patch: make drbg work again in FIPS mode.
- libgcrypt-1.6.1-use-fipscheck.patch: library to test is libgcrypt.so.20
and not libgcrypt.so.11
- libgcrypt-init-at-elf-load-fips.patch: initialize globally on ELF
DSO loading to meet FIPS requirements.
-------------------------------------------------------------------
Tue May 13 10:47:51 UTC 2014 - vcizek@suse.com


@ -56,6 +56,8 @@ Patch24: 0004-Invoke-DRBG-from-common-libgcrypt-RNG-code.patch
Patch25: 0005-Function-definitions-for-gcry_control-callbacks.patch
Patch26: 0006-DRBG-specific-gcry_control-requests.patch
Patch27: 0007-User-interface-to-DRBG.patch
Patch28: libgcrypt-fix-rng.patch
Patch29: libgcrypt-init-at-elf-load-fips.patch
BuildRequires: automake >= 1.11
BuildRequires: libgpg-error-devel >= 1.11
BuildRequires: libtool
@ -136,6 +138,8 @@ understanding of applied cryptography is required to use Libgcrypt.
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%endif
%patch13 -p1
%patch14 -p1