tmraz pushed to libgcrypt (f21). "deinitialize the RNG after the selftest is run"

Fri Apr 3 14:47:46 UTC 2015

>From ab1d80feb687c3d5c5e22d38fca5f3d957f92b6c Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri, 3 Apr 2015 16:47:34 +0200
Subject: deinitialize the RNG after the selftest is run

diff --git a/libgcrypt-1.6.2-fips-ctor.patch b/libgcrypt-1.6.2-fips-ctor.patch
index c53847d..fe3ec60 100644
--- a/libgcrypt-1.6.2-fips-ctor.patch
+++ b/libgcrypt-1.6.2-fips-ctor.patch
@@ -16,7 +16,7 @@ diff -up libgcrypt-1.6.2/cipher/md.c.fips-ctor libgcrypt-1.6.2/cipher/md.c
 diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
 --- libgcrypt-1.6.2/src/global.c.fips-ctor	2015-02-25 13:57:21.174704842 +0100
 +++ libgcrypt-1.6.2/src/global.c	2015-02-25 14:03:07.066864208 +0100
-@@ -132,6 +132,34 @@ global_init (void)
+@@ -132,6 +132,36 @@ global_init (void)
  }
  
  
@@ -44,6 +44,8 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
 +      if (fips_mode ())
 +         _gcry_random_initialize (1);
 +      _gcry_fips_run_selftests (0);
++      if (!fips_mode())
++         _gcry_random_close_fds ();
 +      no_secure_memory = no_secmem_save;
 +    }
 +}
@@ -51,7 +53,7 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
  /* This function is called by the macro fips_is_operational and makes
     sure that the minimal initialization has been done.  This is far
     from a perfect solution and hides problems with an improper
-@@ -542,8 +570,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+@@ -542,8 +572,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
  
      case GCRYCTL_FIPS_MODE_P:
        if (fips_mode ()
@@ -61,7 +63,7 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
  	rc = GPG_ERR_GENERAL; /* Used as TRUE value */
        break;
  
-@@ -635,7 +662,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+@@ -635,7 +664,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
        break;
  
      case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 18985c6..5224730 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.6.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 URL: http://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
@@ -208,6 +208,9 @@ exit 0
 %license COPYING
 
 %changelog
+* Fri Apr  3 2015 Tomáš Mráz <tmraz at redhat.com> 1.6.3-4
+- deinitialize the RNG after the selftest is run
+
 * Tue Mar 24 2015 Tomáš Mráz <tmraz at redhat.com> 1.6.3-3
 - touch only urandom in the selftest and when /dev/random is
   unavailable for example by SELinux confinement
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/libgcrypt.git/commit/?h=f21&id=ab1d80feb687c3d5c5e22d38fca5f3d957f92b6c
