- fix a bug in the fips-186-3 dsa parameter generation code

libgcrypt-1.4.5-tests.patch

@@ -1,6 +1,6 @@
 diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c
 --- libgcrypt-1.4.5/cipher/dsa.c.tests	2009-08-21 10:18:30.000000000 +0200
-+++ libgcrypt-1.4.5/cipher/dsa.c	2011-02-01 18:04:56.000000000 +0100
++++ libgcrypt-1.4.5/cipher/dsa.c	2011-02-04 09:06:02.000000000 +0100
 @@ -468,21 +468,20 @@ generate_fips186 (DSA_secret_key *sk, un
                                                      &initial_seed.seedlen);
          }
@@ -34,7 +34,7 @@ diff -up libgcrypt-1.4.5/cipher/dsa.c.tests libgcrypt-1.4.5/cipher/dsa.c
          goto leave;
 diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen.c
 --- libgcrypt-1.4.5/cipher/primegen.c.tests	2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/cipher/primegen.c	2011-02-01 18:00:53.000000000 +0100
++++ libgcrypt-1.4.5/cipher/primegen.c	2011-02-04 09:06:34.000000000 +0100
 @@ -1647,7 +1647,7 @@ _gcry_generate_fips186_3_prime (unsigned
    gpg_err_code_t ec;
    unsigned char seed_help_buffer[256/8];  /* Used to hold a generated SEED. */
@@ -53,7 +53,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
        if (ec)
          goto leave;
        mpi_set_highbit (prime_q, qbits-1 );
-@@ -1782,7 +1782,7 @@ _gcry_generate_fips186_3_prime (unsigned
+@@ -1782,11 +1782,11 @@ _gcry_generate_fips186_3_prime (unsigned
                if (seed_plus[i])
                  break;
              }
@@ -62,6 +62,11 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
            
            gcry_mpi_release (tmpval); tmpval = NULL;
            ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG,
+-                                            digest, sizeof digest, NULL));
++                                            digest, qbits/8, NULL));
+           if (ec)
+             goto leave;
+           if (value_j == value_n)
 @@ -1822,11 +1822,11 @@ _gcry_generate_fips186_3_prime (unsigned
      }
  
@@ -78,7 +83,7 @@ diff -up libgcrypt-1.4.5/cipher/primegen.c.tests libgcrypt-1.4.5/cipher/primegen
        *r_q = prime_q;
 diff -up libgcrypt-1.4.5/cipher/rsa.c.tests libgcrypt-1.4.5/cipher/rsa.c
 --- libgcrypt-1.4.5/cipher/rsa.c.tests	2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/cipher/rsa.c	2011-02-01 18:40:26.000000000 +0100
++++ libgcrypt-1.4.5/cipher/rsa.c	2011-02-04 09:06:02.000000000 +0100
 @@ -388,7 +388,7 @@ generate_x931 (RSA_secret_key *sk, unsig
  
    *swapped = 0;
@@ -89,8 +94,8 @@ diff -up libgcrypt-1.4.5/cipher/rsa.c.tests libgcrypt-1.4.5/cipher/rsa.c
  
    /* Point 1 of section 4.1:  k = 1024 + 256s with S >= 0  */
 diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/random-fips.c
---- libgcrypt-1.4.5/random/random-fips.c.tests	2011-02-01 12:31:00.000000000 +0100
-+++ libgcrypt-1.4.5/random/random-fips.c	2011-02-01 12:31:00.000000000 +0100
+--- libgcrypt-1.4.5/random/random-fips.c.tests	2011-02-04 09:06:02.000000000 +0100
++++ libgcrypt-1.4.5/random/random-fips.c	2011-02-04 09:06:02.000000000 +0100
 @@ -691,6 +691,7 @@ get_random (void *buffer, size_t length,
  
    check_guards (rng_ctx);
@@ -120,7 +125,7 @@ diff -up libgcrypt-1.4.5/random/random-fips.c.tests libgcrypt-1.4.5/random/rando
    if (x931_aes_driver (buffer, length, rng_ctx))
 diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c
 --- libgcrypt-1.4.5/tests/ac.c.tests	2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/ac.c	2011-02-01 12:49:14.000000000 +0100
++++ libgcrypt-1.4.5/tests/ac.c	2011-02-04 09:06:02.000000000 +0100
 @@ -150,6 +150,9 @@ main (int argc, char **argv)
    if (!gcry_check_version (GCRYPT_VERSION))
      die ("version mismatch\n");
@@ -133,7 +138,7 @@ diff -up libgcrypt-1.4.5/tests/ac.c.tests libgcrypt-1.4.5/tests/ac.c
    /* No valuable keys are create, so we can speed up our RNG. */
 diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c
 --- libgcrypt-1.4.5/tests/ac-data.c.tests	2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/ac-data.c	2011-02-01 12:49:54.000000000 +0100
++++ libgcrypt-1.4.5/tests/ac-data.c	2011-02-04 09:06:02.000000000 +0100
 @@ -198,6 +198,9 @@ main (int argc, char **argv)
    if (!gcry_check_version (GCRYPT_VERSION))
      die ("version mismatch\n");
@@ -146,7 +151,7 @@ diff -up libgcrypt-1.4.5/tests/ac-data.c.tests libgcrypt-1.4.5/tests/ac-data.c
  
 diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schemes.c
 --- libgcrypt-1.4.5/tests/ac-schemes.c.tests	2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/ac-schemes.c	2011-02-01 12:49:41.000000000 +0100
++++ libgcrypt-1.4.5/tests/ac-schemes.c	2011-02-04 09:06:02.000000000 +0100
 @@ -338,6 +338,9 @@ main (int argc, char **argv)
    if (! gcry_check_version (GCRYPT_VERSION))
      die ("version mismatch\n");
@@ -159,7 +164,7 @@ diff -up libgcrypt-1.4.5/tests/ac-schemes.c.tests libgcrypt-1.4.5/tests/ac-schem
  
 diff -up libgcrypt-1.4.5/tests/keygen.c.tests libgcrypt-1.4.5/tests/keygen.c
 --- libgcrypt-1.4.5/tests/keygen.c.tests	2009-04-02 11:25:34.000000000 +0200
-+++ libgcrypt-1.4.5/tests/keygen.c	2011-02-01 18:19:56.000000000 +0100
++++ libgcrypt-1.4.5/tests/keygen.c	2011-02-04 09:06:02.000000000 +0100
 @@ -148,12 +148,12 @@ check_rsa_keys (void)
      }
  

libgcrypt.spec

@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.4.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: http://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.bz2
 # The original libgcrypt sources now contain potentially patented ECC
@@ -165,6 +165,9 @@ exit 0
 %doc COPYING
 
 %changelog
+* Thu Feb  4 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-6
+- fix a bug in the fips-186-3 dsa parameter generation code
+
 * Tue Feb  1 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-5
 - use /dev/urandom for seeding in the FIPS mode
 - make the tests to pass in the FIPS mode also fixing