tmraz pushed to libgcrypt (f22). "deinitialize the RNG after the selftest is run"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri Apr 3 15:09:29 UTC 2015
>From ab1d80feb687c3d5c5e22d38fca5f3d957f92b6c Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri, 3 Apr 2015 16:47:34 +0200
Subject: deinitialize the RNG after the selftest is run
diff --git a/libgcrypt-1.6.2-fips-ctor.patch b/libgcrypt-1.6.2-fips-ctor.patch
index c53847d..fe3ec60 100644
--- a/libgcrypt-1.6.2-fips-ctor.patch
+++ b/libgcrypt-1.6.2-fips-ctor.patch
@@ -16,7 +16,7 @@ diff -up libgcrypt-1.6.2/cipher/md.c.fips-ctor libgcrypt-1.6.2/cipher/md.c
diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
--- libgcrypt-1.6.2/src/global.c.fips-ctor 2015-02-25 13:57:21.174704842 +0100
+++ libgcrypt-1.6.2/src/global.c 2015-02-25 14:03:07.066864208 +0100
-@@ -132,6 +132,34 @@ global_init (void)
+@@ -132,6 +132,36 @@ global_init (void)
}
@@ -44,6 +44,8 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
+ if (fips_mode ())
+ _gcry_random_initialize (1);
+ _gcry_fips_run_selftests (0);
++ if (!fips_mode())
++ _gcry_random_close_fds ();
+ no_secure_memory = no_secmem_save;
+ }
+}
@@ -51,7 +53,7 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
/* This function is called by the macro fips_is_operational and makes
sure that the minimal initialization has been done. This is far
from a perfect solution and hides problems with an improper
-@@ -542,8 +570,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+@@ -542,8 +572,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
case GCRYCTL_FIPS_MODE_P:
if (fips_mode ()
@@ -61,7 +63,7 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c
rc = GPG_ERR_GENERAL; /* Used as TRUE value */
break;
-@@ -635,7 +662,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+@@ -635,7 +664,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
break;
case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 18985c6..5224730 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,6 +1,6 @@
Name: libgcrypt
Version: 1.6.3
-Release: 3%{?dist}
+Release: 4%{?dist}
URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.xz
# The original libgcrypt sources now contain potentially patented ECC
@@ -208,6 +208,9 @@ exit 0
%license COPYING
%changelog
+* Fri Apr 3 2015 Tomáš Mráz <tmraz at redhat.com> 1.6.3-4
+- deinitialize the RNG after the selftest is run
+
* Tue Mar 24 2015 Tomáš Mráz <tmraz at redhat.com> 1.6.3-3
- touch only urandom in the selftest and when /dev/random is
unavailable for example by SELinux confinement
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/libgcrypt.git/commit/?h=f22&id=ab1d80feb687c3d5c5e22d38fca5f3d957f92b6c
More information about the scm-commits
mailing list