diff --git a/libgcrypt-1.6.2-fips-ctor.patch b/libgcrypt-1.6.2-fips-ctor.patch index 3934669..a1b5501 100644 --- a/libgcrypt-1.6.2-fips-ctor.patch +++ b/libgcrypt-1.6.2-fips-ctor.patch @@ -1,6 +1,6 @@ diff -up libgcrypt-1.6.2/cipher/md.c.fips-ctor libgcrypt-1.6.2/cipher/md.c --- libgcrypt-1.6.2/cipher/md.c.fips-ctor 2014-08-21 14:50:39.000000000 +0200 -+++ libgcrypt-1.6.2/cipher/md.c 2014-12-08 16:45:01.095256244 +0100 ++++ libgcrypt-1.6.2/cipher/md.c 2015-02-25 13:57:21.175704866 +0100 @@ -413,11 +413,8 @@ md_enable (gcry_md_hd_t hd, int algorith if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) @@ -14,9 +14,9 @@ diff -up libgcrypt-1.6.2/cipher/md.c.fips-ctor libgcrypt-1.6.2/cipher/md.c } } diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c ---- libgcrypt-1.6.2/src/global.c.fips-ctor 2014-12-08 16:45:01.094256222 +0100 -+++ libgcrypt-1.6.2/src/global.c 2014-12-08 16:46:29.182248403 +0100 -@@ -132,6 +132,28 @@ global_init (void) +--- libgcrypt-1.6.2/src/global.c.fips-ctor 2015-02-25 13:57:21.174704842 +0100 ++++ libgcrypt-1.6.2/src/global.c 2015-02-25 14:03:07.066864208 +0100 +@@ -132,6 +132,34 @@ global_init (void) } @@ -34,18 +34,36 @@ diff -up libgcrypt-1.6.2/src/global.c.fips-ctor libgcrypt-1.6.2/src/global.c + + if (!rv) + { ++ int no_secmem_save; ++ ++ /* it should be always 0 at this point but let's keep on the safe side */ ++ no_secmem_save = no_secure_memory; ++ no_secure_memory = 1; + /* force selftests */ + global_init (); + if (fips_mode ()) + _gcry_random_initialize (1); + _gcry_fips_run_selftests (0); ++ no_secure_memory = no_secmem_save; + } +} + /* This function is called by the macro fips_is_operational and makes sure that the minimal initialization has been done. This is far from a perfect solution and hides problems with an improper -@@ -635,7 +657,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, +@@ -542,9 +570,8 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, + + case GCRYCTL_FIPS_MODE_P: + if (fips_mode () +- && !_gcry_is_fips_mode_inactive () +- && !no_secure_memory) +- rc = GPG_ERR_GENERAL; /* Used as TRUE value */ ++ && !_gcry_is_fips_mode_inactive ()) ++ err = GPG_ERR_GENERAL; /* Used as TRUE value */ + break; + + case GCRYCTL_FORCE_FIPS_MODE: +@@ -635,7 +662,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, break; case GCRYCTL_SET_ENFORCED_FIPS_FLAG: diff --git a/libgcrypt-1.6.2-fips-test.patch b/libgcrypt-1.6.2-fips-test.patch index 9c0a64c..b21d4a1 100644 --- a/libgcrypt-1.6.2-fips-test.patch +++ b/libgcrypt-1.6.2-fips-test.patch @@ -1,16 +1,3 @@ -diff -up libgcrypt-1.6.2/src/global.c.fips-test libgcrypt-1.6.2/src/global.c ---- libgcrypt-1.6.2/src/global.c.fips-test 2014-12-08 16:54:07.766619659 +0100 -+++ libgcrypt-1.6.2/src/global.c 2014-12-08 16:55:18.555220601 +0100 -@@ -564,8 +564,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, - - case GCRYCTL_FIPS_MODE_P: - if (fips_mode () -- && !_gcry_is_fips_mode_inactive () -- && !no_secure_memory) -+ && !_gcry_is_fips_mode_inactive ()) - rc = GPG_ERR_GENERAL; /* Used as TRUE value */ - break; - diff -up libgcrypt-1.6.2/tests/basic.c.fips-test libgcrypt-1.6.2/tests/basic.c --- libgcrypt-1.6.2/tests/basic.c.fips-test 2014-08-21 14:50:39.000000000 +0200 +++ libgcrypt-1.6.2/tests/basic.c 2014-12-08 16:54:07.767619682 +0100 diff --git a/libgcrypt.spec b/libgcrypt.spec index 3d0d4c3..1a71b93 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.6.2 -Release: 3%{?dist} +Release: 4%{?dist} URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC @@ -201,6 +201,9 @@ exit 0 %license COPYING %changelog +* Wed Feb 25 2015 Tomáš Mráz 1.6.2-4 +- do not initialize secure memory during the selftest (#1195850) + * Sat Feb 21 2015 Till Maas - 1.6.2-3 - Rebuilt for Fedora 23 Change https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code