diff --git a/libgcrypt-1.6.2-fips-ctor.patch b/libgcrypt-1.6.2-fips-ctor.patch index c53847d..fe3ec60 100644 --- a/libgcrypt-1.6.2-fips-ctor.patch +++ b/libgcrypt-1.6.2-fips-ctor.patch @@ -16,7 +16,7 @@ diff -up libgcrypt-1.6.2/cipher/md.c.fips-ctor libgcrypt-1.6.2/cipher/md.c diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c --- libgcrypt-1.6.2/src/global.c.fips-ctor 2015-02-25 13:57:21.174704842 +0100 +++ libgcrypt-1.6.2/src/global.c 2015-02-25 14:03:07.066864208 +0100 -@@ -132,6 +132,34 @@ global_init (void) +@@ -132,6 +132,36 @@ global_init (void) } @@ -44,6 +44,8 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c + if (fips_mode ()) + _gcry_random_initialize (1); + _gcry_fips_run_selftests (0); ++ if (!fips_mode()) ++ _gcry_random_close_fds (); + no_secure_memory = no_secmem_save; + } +} @@ -51,7 +53,7 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c /* This function is called by the macro fips_is_operational and makes sure that the minimal initialization has been done. This is far from a perfect solution and hides problems with an improper -@@ -542,8 +570,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, +@@ -542,8 +572,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, case GCRYCTL_FIPS_MODE_P: if (fips_mode () @@ -61,7 +63,7 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c rc = GPG_ERR_GENERAL; /* Used as TRUE value */ break; -@@ -635,7 +662,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, +@@ -635,7 +664,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, break; case GCRYCTL_SET_ENFORCED_FIPS_FLAG: diff --git a/libgcrypt.spec b/libgcrypt.spec index 18985c6..5224730 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.6.3 -Release: 3%{?dist} +Release: 4%{?dist} URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC @@ -208,6 +208,9 @@ exit 0 %license COPYING %changelog +* Fri Apr 3 2015 Tomáš Mráz 1.6.3-4 +- deinitialize the RNG after the selftest is run + * Tue Mar 24 2015 Tomáš Mráz 1.6.3-3 - touch only urandom in the selftest and when /dev/random is unavailable for example by SELinux confinement