From d9dbf8b32529ce52309379cbb174b955a2bd269c Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 26 Sep 2022 13:50:35 +0200 Subject: [PATCH] Fix FIPS Keygen that non-deterministically fails Related: rhbz#2130275 --- libgcrypt-1.10.0-fips-keygen.patch | 55 ++++++++++++++++++++++++++++++ libgcrypt.spec | 3 ++ 2 files changed, 58 insertions(+) create mode 100644 libgcrypt-1.10.0-fips-keygen.patch
diff --git a/libgcrypt-1.10.0-fips-keygen.patch b/libgcrypt-1.10.0-fips-keygen.patch
new file mode 100644
index 0000000..6df1429
--- /dev/null
+++ b/libgcrypt-1.10.0-fips-keygen.patch
@@ -0,0 +1,55 @@
+From cd30ed3c0d715aa0c58a32a29cfb1476163a5b94 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka
+Date: Wed, 20 Apr 2022 15:09:41 +0900
+Subject: [PATCH] cipher: Change the bounds for RSA key generation round.
+
+* cipher/rsa.c (generate_fips): Use 10 for p, 20 for q.
+
+--
+
+Constants from FIPS 186-5-draft.
+
+GnuPG-bug-id: 5919
+Signed-off-by: NIIBE Yutaka
+---
+ cipher/rsa.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 486a34f0..771413b3 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -476,7 +476,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+
+ retry:
+ /* generate p and q */
+- for (i = 0; i < 5 * pbits; i++)
++ for (i = 0; i < 10 * pbits; i++)
+ {
+ ploop:
+ if (!testparms)
+@@ -506,10 +506,10 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+ else if (testparms)
+ goto err;
+ }
+- if (i >= 5 * pbits)
++ if (i >= 10 * pbits)
+ goto err;
+
+- for (i = 0; i < 5 * pbits; i++)
++ for (i = 0; i < 20 * pbits; i++)
+ {
+ qloop:
+ if (!testparms)
+@@ -555,7 +555,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+ else if (testparms)
+ goto err;
+ }
+- if (i >= 5 * pbits)
++ if (i >= 20 * pbits)
+ goto err;
+
+ if (testparms)
+--
+2.37.3
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 0d827d9..b6ba953 100644
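Review bot: The new retry limits in the carried cipher/rsa.c change are bare literals, each written twice (`10 * pbits` in the p loop header and again in `if (i >= 10 * pbits)`, `20 * pbits` likewise for q), and only the patch description says they come from the FIPS 186-5 draft. A comment above each loop, such as `/* Candidate limit for p per the FIPS 186-5 draft; must match the check after the loop. */`, would keep that provenance in the code and make a future mismatch between a loop bound and its post-loop check easier to catch. Assuming the loops exit early on success, such a mismatch would either reject a prime found late or let an exhausted loop continue without one. The larger limits make a spurious failure less likely rather than impossible, so the `goto err` path stays a reachable outcome that callers must handle. generate_fips begins and ends outside these hunks, so the loop bodies are only partly visible here.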
--- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -33,6 +33,8 @@ Patch7: libgcrypt-1.10.0-fips-selftest.patch Patch8: libgcrypt-1.10.0-fips-disable-oaep.patch # https://dev.gnupg.org/T6217 Patch9: libgcrypt-1.10.0-sha3-large.patch +# https://dev.gnupg.org/T5919 +Patch10: libgcrypt-1.10.0-fips-keygen.patch %global gcrylibdir %{_libdir} %global gcrysoname libgcrypt.so.20 @@ -77,6 +79,7 @@ applications using libgcrypt. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build # This package has a configure test which uses ASMs, but does not link the