commit libgcrypt for openSUSE:Factory
Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2014-04-05 16:50:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgcrypt"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2014-02-08 10:34:20.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new/libgcrypt.changes 2014-04-05 16:50:16.000000000 +0200
@@ -1,0 +2,20 @@
+Thu Apr 3 12:04:46 UTC 2014 - tchvatal@suse.com
+
+- Cleanup with spec-cleaner to sort out.
+- Really apply ppc64 patch as it was ommited probably by mistake.
+
+-------------------------------------------------------------------
+Thu Mar 27 14:57:22 UTC 2014 - meissner@suse.com
+
+- FIPS changes (from Fedora):
+ - replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by
+ libgcrypt-1.6.1-fips-cfgrandom.patch
+ - libgcrypt-fixed-sizet.patch: fixed an int type for -flto
+ - libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary
+ - libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests
+- use fipscheck only after 13.1
+- libgcrypt-fips-allow-legacy.patch: attempt to allow some
+ legacy algorithms for gpg2 usage even in FIPS mode.
+ (currently not applied)
+
+-------------------------------------------------------------------
Old:
----
libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
New:
----
libgcrypt-1.6.1-fips-cavs.patch
libgcrypt-1.6.1-fips-cfgrandom.patch
libgcrypt-1.6.1-use-fipscheck.patch
libgcrypt-fips-allow-legacy.patch
libgcrypt-fixed-sizet.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libgcrypt.spec ++++++
--- /var/tmp/diff_new_pack.Pmu06I/_old 2014-04-05 16:50:17.000000000 +0200
+++ /var/tmp/diff_new_pack.Pmu06I/_new 2014-04-05 16:50:17.000000000 +0200
@@ -18,17 +18,15 @@
 %define build_hmac256 1
 %define separate_hmac256_binary 0
-
 %define libsoname %{name}20
 %define sosuffix 20.0.1
-
 Name: libgcrypt
-Url: http://directory.fsf.org/wiki/Libgcrypt
 Version: 1.6.1
 Release: 0
 Summary: The GNU Crypto Library
 License: GPL-2.0+ and LGPL-2.1+ and GPL-3.0+
 Group: Development/Libraries/C and C++
+Url: http://directory.fsf.org/wiki/Libgcrypt
 Source: ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
 Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
 Source2: baselibs.conf
@@ -41,16 +39,23 @@
 #PATCH-FIX-UPSTREAM: bnc#701267, explicitly link with $(DL_LIBS)
 #was: libgcrypt-1.5.0-as-needed.patch
 Patch5: libgcrypt-unresolved-dladdr.patch
-#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
-Patch6: libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
 #PATCH-FIX-SUSE: N/A
 Patch7: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
 #PATCH-FIX-UPSTREAM: internal functions are supposed to be used inside libgcrypt, mvyskocil@suse.com
 Patch8: libgcrypt-1.6.0-use-intenal-functions.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
+Patch10: libgcrypt-fips-allow-legacy.patch
+Patch11: libgcrypt-fixed-sizet.patch
+Patch12: libgcrypt-1.6.1-use-fipscheck.patch
+Patch13: libgcrypt-1.6.1-fips-cavs.patch
+#PATCH-FIX-SUSE: bnc#724841, fix a random device opening routine
+Patch14: libgcrypt-1.6.1-fips-cfgrandom.patch
 BuildRequires: automake >= 1.11
 BuildRequires: libgpg-error-devel >= 1.11
 BuildRequires: libtool
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+%if 0%{?suse_version} > 1310
+BuildRequires: fipscheck
+%endif
 # not for base packages to avoid huge cycles
 #BuildRequires: gpg-offline
@@ -76,7 +81,7 @@
 Requires: %{libsoname} = %{version}
 Requires: glibc-devel
 Requires: libgpg-error-devel >= 1.8
-PreReq: %install_info_prereq
+Requires(post): %{install_info_prereq}
 %description devel
 Libgcrypt is a general purpose library of cryptographic building
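Review bot: Patch10 through Patch13 are declared without the PATCH-FIX tag that every other patch in this list carries, so a reader cannot tell from the spec which of the new patches are distribution-local and which are meant for upstream; Patch10 in particular is the allow-legacy patch the changelog says is intentionally not applied, and that should be stated next to its declaration. Suggested line above Patch10: `#PATCH-FIX-SUSE: relax FIPS algorithm filtering for legacy gpg2 data; declared but intentionally not applied`, with a one-line tag in the same form on each of Patch11, Patch12 and Patch13. Moving the `bnc#724841` comment from the removed Patch6 to Patch14 is fine, since the new patch replaces the old one for the same bug.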
@@ -93,9 +98,9 @@
 Summary: The GNU Crypto Library
 License: GPL-2.0+ and LGPL-2.1+
 Group: Development/Libraries/C and C++
-Requires: %{libsoname} = %version
+Requires: %{libsoname} = %{version}
 Requires: libgpg-error-devel
-PreReq: %install_info_prereq
+Requires(post): %{install_info_prereq}
 %description hmac256
 Libgcrypt is a general purpose library of cryptographic building
@@ -106,26 +111,32 @@
 %endif # #if separate_hmac256_binary
 %prep
-%setup -q -n %{name}-%{version}
+%setup -q
 %patch0 -p1
 %patch1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1
 %patch7 -p1
 %patch8 -p1
+#%patch10 -p1
+%patch11 -p1
+%if 0%{?suse_version} > 1310
+%patch12 -p1
+%endif
+%patch13 -p1
+%patch14 -p1
 %build
 echo building with build_hmac256 set to %{build_hmac256}
 %{?suse_update_config}
 autoreconf -fi
-export CFLAGS="%optflags $(getconf LFS_CFLAGS)"
+export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
 %configure --with-pic \
 --enable-noexecstack \
 --disable-static \
 --enable-m-guard \
-%ifarch %sparc
+%ifarch %{sparc}
 --disable-asm \
 %endif
 --enable-hmac-binary-check \
@@ -140,6 +151,12 @@
 #
 # this shows up earlier because otherwise the %expand of
 # the macro is too late.
+%if 0%{?suse_version} > 1310
+%{expand:%%global __os_install_post {%__os_install_post
+ fipshmac %{buildroot}/%{_bindir}/hmac256
+ fipshmac %{buildroot}/%{_libdir}/*.so.??
+}}
+%else
 %{expand:%%global __os_install_post {%__os_install_post
 %{buildroot}/%{_bindir}/hmac256 "What am I, a doctor or a moonshuttle conductor?" \
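Review bot: `#%patch10 -p1` is not a reliable way to keep the allow-legacy patch unapplied: rpmbuild expands macros in the prep section before the shell sees the leading `#`, and `%patch` can expand to more than one shell line, so part of the expansion can still run even though the line looks commented out. Use `#%%patch10 -p1` (the doubled percent defeats expansion) or drop the line and keep the intent in a plain comment without a percent sign. This matters here because that patch removes the FIPS algorithm filtering, which the changelog says is deliberately not shipped; a build that silently applied it would weaken FIPS mode without any trace in the spec.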
@@ -148,15 +165,19 @@
 < %{buildroot}/%{_libdir}/libgcrypt.so.%{sosuffix} > %{buildroot}/%{_libdir}/.libgcrypt.so.20.hmac
 }}
 %endif
+%endif
 %check
+%if 0%{?suse_version} > 1310
+fipshmac src/.libs/libgcrypt.so.??
+%endif
 # Nice idea. however this uses /dev/random, which hangs
 # on hardware without random feeds.
 # so lets not run it inside OBS
 # make check
 %install
-make DESTDIR=$RPM_BUILD_ROOT install
+make DESTDIR=%{buildroot} install %{?_smp_mflags}
 rm %{buildroot}%{_libdir}/%{name}.la
++++++ libgcrypt-1.6.1-fips-cavs.patch ++++++
++++ 1123 lines (skipped)
++++++ libgcrypt-1.6.1-fips-cfgrandom.patch ++++++
Index: libgcrypt-1.6.1/random/random-fips.c
===================================================================
--- libgcrypt-1.6.1.orig/random/random-fips.c
+++ libgcrypt-1.6.1/random/random-fips.c
@@ -27,10 +27,10 @@
 There are 3 random context which map to the different levels of
 random quality:
- Generator Seed and Key Kernel entropy (init/reseed)
- ------------------------------------------------------------
- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits
- GCRY_STRONG_RANDOM /dev/random 256/128 bits
+ Generator Seed and Key Kernel entropy (init/reseed)
+ ---------------------------------------------------------------------------------------
+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits
 gcry_create_nonce GCRY_STRONG_RANDOM n/a
 All random generators return their data in 128 bit blocks. If the
@@ -40,8 +40,10 @@
 (SEED_TTL) output blocks; the re-seeding is disabled in test mode.
 The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
- keyed and seeded from the /dev/random device. Thus these
- generators may block until the kernel has collected enough entropy.
+ keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed
+ if the device or symlink to device exists xored with the data
+ from the /dev/urandom device. This allows the system administrator
+ to always seed the RNGs from /dev/random if it is required.
 The gcry_create_nonce generator is keyed and seeded from the
 GCRY_STRONG_RANDOM generator. It may also block if the
@@ -560,9 +562,13 @@ get_entropy (size_t nbytes)
 entropy_collect_buffer_len = 0;
 #if USE_RNDLINUX
+ _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
+ X931_AES_KEYLEN,
+ -1);
+ entropy_collect_buffer_len = 0;
 rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0,
 X931_AES_KEYLEN,
- GCRY_VERY_STRONG_RANDOM);
+ GCRY_STRONG_RANDOM);
 #elif USE_RNDW32
 do
 {
Index: libgcrypt-1.6.1/random/rndlinux.c
===================================================================
--- libgcrypt-1.6.1.orig/random/rndlinux.c
+++ libgcrypt-1.6.1/random/rndlinux.c
@@ -36,7 +36,9 @@
 #include "g10lib.h"
 #include "rand-internal.h"
-static int open_device (const char *name, int retry);
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
+
+static int open_device (const char *name, int retry, int fatal);
 static int
@@ -59,7 +61,7 @@ set_cloexec_flag (int fd)
 * a fatal error but retries until it is able to reopen the device. */
 static int
-open_device (const char *name, int retry)
+open_device (const char *name, int retry, int fatal)
 {
 int fd;
@@ -67,6 +69,8 @@ open_device (const char *name, int retry
 _gcry_random_progress ("open_dev_random", 'X', 1, 0);
 again:
 fd = open (name, O_RDONLY);
+ if (fd == -1 && !fatal)
+ return fd;
 if (fd == -1 && retry)
 {
 struct timeval tv;
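Review bot: In `get_entropy` the return value of the new `_gcry_rndlinux_gather_random (..., -1)` call is discarded, so when `/etc/gcrypt/rngseed` does not exist the generator key and seed come from `/dev/urandom` alone — the level of the second call was also lowered from `GCRY_VERY_STRONG_RANDOM` to `GCRY_STRONG_RANDOM` — which on an early-boot or entropy-starved system is weaker than the blocking `/dev/random` seeding it replaces. That appears to be the intent (the administrator opts back in by pointing the seed file at /dev/random), but it should be said at the call site, e.g. `/* Optional administrator seed file: a missing file is not an error and leaves only the /dev/urandom contribution below. */`. The XOR combination promised by the header comment depends on `entropy_collect_cb` xor-ing into the buffer rather than assigning, which is not visible in this hunk; confirm it, since resetting `entropy_collect_buffer_len` to 0 would otherwise make the second call overwrite the seed-file bytes.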
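Review bot: The new `fatal` argument changes the contract of `open_device` — a failed `open()` now returns -1 instead of logging and retrying — but the header comment whose tail is visible in the previous hunk ("... a fatal error but retries until it is able to reopen the device.") was not updated. Add a sentence such as `If FATAL is zero a failed open() returns -1 at once and neither logs nor retries; RETRY is then ignored.` The early return sits before the retry branch, so `retry` has no effect whenever `fatal` is zero; the only caller visible on this page passes both as 0, but the interaction is worth stating for the next one.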
@@ -111,6 +115,7 @@ _gcry_rndlinux_gather_random (void (*add
 {
 static int fd_urandom = -1;
 static int fd_random = -1;
+ static int fd_configured = -1;
 static unsigned char ever_opened;
 int fd;
 int n;
@@ -134,6 +139,11 @@ _gcry_rndlinux_gather_random (void (*add
 close (fd_urandom);
 fd_urandom = -1;
 }
+ if (fd_configured != -1)
+ {
+ close (fd_configured);
+ fd_configured = -1;
+ }
 return 0;
 }
@@ -153,20 +163,30 @@ _gcry_rndlinux_gather_random (void (*add
 that we always require the device to be existent but want a more
 graceful behaviour if the rarely needed close operation has been
 used and the device needs to be re-opened later. */
+
+ if (level == -1)
+ {
+ if (fd_configured == -1)
+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0 );
+ fd = fd_configured;
+ if (fd == -1)
+ return -1;
+ }
+
 if (level >= 2)
 {
 if (fd_random == -1)
 {
- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1));
+ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
 ever_opened |= 1;
 }
 fd = fd_random;
 }
- else
+ else if (level != -1)
 {
 if (fd_urandom == -1)
 {
- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
+ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
 ever_opened |= 2;
 }
 fd = fd_urandom;
++++++ libgcrypt-1.6.1-use-fipscheck.patch ++++++
Index: libgcrypt-1.6.1/src/fips.c
===================================================================
--- libgcrypt-1.6.1.orig/src/fips.c
+++ libgcrypt-1.6.1/src/fips.c
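Review bot: `fd_configured` is opened once and cached in a static across calls, so if `/etc/gcrypt/rngseed` is a regular file rather than the character device the comment assumes, every call after the first reads from wherever the previous read stopped and eventually gets 0 bytes at EOF; what the read loop further down (outside this hunk) does with a zero-length read is not visible here, so confirm it cannot spin or silently contribute nothing. Consider `fstat()`-ing the descriptor after `open_device` and rejecting anything that is not `S_ISCHR`, or at least documenting the device-only requirement beside `NAME_OF_CFG_RNGSEED`. A short comment on the new branch would also help readers who know only levels 0-2: `/* level -1: optional administrator-configured seed source; absence is reported as -1 rather than treated as fatal. */`. The enclosing `_gcry_rndlinux_gather_random` starts and ends outside the hunk.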
@@ -589,23 +589,48 @@ run_random_selftests (void)
 return !!err;
 }
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
+
+ sym = dlsym(dl, symbolname);
+
+ if (sym != NULL && dladdr(sym, &info)) {
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
 /* Run an integrity check on the binary. Returns 0 on success. */
 static int
 check_binary_integrity (void)
 {
 #ifdef ENABLE_HMAC_BINARY_CHECK
 gpg_error_t err;
- Dl_info info;
+ char libpath[4096];
 unsigned char digest[32];
 int dlen;
 char *fname = NULL;
- const char key[] = "What am I, a doctor or a moonshuttle conductor?";
-
- if (!dladdr ("gcry_check_version", &info))
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
 err = gpg_error_from_syserror ();
 else
 {
- dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname,
+ dlen = _gcry_hmac256_file (digest, sizeof digest, libpath,
 key, strlen (key));
 if (dlen < 0)
 err = gpg_error_from_syserror ();
@@ -613,7 +638,7 @@ check_binary_integrity (void)
 err = gpg_error (GPG_ERR_INTERNAL);
 else
 {
- fname = _gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 );
+ fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
 if (!fname)
 err = gpg_error_from_syserror ();
 else
@@ -622,7 +647,7 @@ check_binary_integrity (void)
 char *p;
 /* Prefix the basename with a dot. */
- strcpy (fname, info.dli_fname);
+ strcpy (fname, libpath);
 p = strrchr (fname, '/');
 if (p)
 p++;
Index: libgcrypt-1.6.1/src/Makefile.in
===================================================================
--- libgcrypt-1.6.1.orig/src/Makefile.in
+++ libgcrypt-1.6.1/src/Makefile.in
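Review bot: `get_library_path ("libgcrypt.so.11", ...)` hard-codes the 1.5.x soname, while this package builds 1.6.1 with `%define libsoname %{name}20` / `sosuffix 20.0.1` and installs `.libgcrypt.so.20.hmac` (spec hunks above), so the `dlopen` either fails — the integrity check then errors and FIPS mode cannot be entered — or, if an old libgcrypt.so.11 happens to be installed, the HMAC is verified against the wrong file. The original `dladdr` on an address inside the running library found the object actually executing; resolving by soname can also pick a different copy under `LD_LIBRARY_PATH`. At minimum the literal must match the built soname, `if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))`, and ideally it is generated from the build system rather than typed. A comment on `dlclose(dl)` noting that the path was already copied out of `info` would save the next reader a lifetime check.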
@@ -449,7 +449,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \
 ../cipher/libcipher.la \
 ../random/librandom.la \
 ../mpi/libmpi.la \
- ../compat/libcompat.la $(GPG_ERROR_LIBS)
+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl
 dumpsexp_SOURCES = dumpsexp.c
 dumpsexp_CFLAGS = $(arch_gpg_error_cflags)
++++++ libgcrypt-fips-allow-legacy.patch ++++++
diff -urNp libgcrypt-1.5.3.orig/cipher/cipher.c libgcrypt-1.5.3/cipher/cipher.c
--- libgcrypt-1.5.3.orig/cipher/cipher.c 2013-08-14 02:41:07.967316255 +0200
+++ libgcrypt-1.5.3/cipher/cipher.c 2013-08-14 03:11:19.403611811 +0200
@@ -293,6 +293,15 @@ dummy_decrypt_stream (void *c,
 BUG();
 }
+/* Re-Register default cipher listing */
+void
+cipher_reregister_default(void)
+{
+ ath_mutex_lock (&ciphers_registered_lock);
+ default_ciphers_registered = 0;
+ ath_mutex_unlock (&ciphers_registered_lock);
+}
+
 /* Internal function. Register all the ciphers included in
 CIPHER_TABLE. Note, that this function gets only used by the macro
@@ -316,7 +325,8 @@ cipher_register_default (void)
 if (! cipher_table[i].cipher->stdecrypt)
 cipher_table[i].cipher->stdecrypt = dummy_decrypt_stream;
- if ( fips_mode () && !cipher_table[i].fips_allowed )
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode () && !cipher_table[i].fips_allowed )
 continue;
 err = _gcry_module_add (&ciphers_registered,
diff -urNp libgcrypt-1.5.3.orig/cipher/md.c libgcrypt-1.5.3/cipher/md.c
--- libgcrypt-1.5.3.orig/cipher/md.c 2013-08-14 02:41:07.968316245 +0200
+++ libgcrypt-1.5.3/cipher/md.c 2013-08-14 03:20:04.269937326 +0200
@@ -168,7 +168,14 @@ static void md_start_debug ( gcry_md_hd_
 static void md_stop_debug ( gcry_md_hd_t a );
-
+/* Re-Register default digest listing */
+void
+digest_reregister_default(void)
+{
+ ath_mutex_lock (&digests_registered_lock);
+ default_digests_registered = 0;
+ ath_mutex_unlock (&digests_registered_lock);
+}
 /* Internal function. Register all the ciphers included in
 CIPHER_TABLE. Returns zero on success or an error code. */
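Review bot: `-ldl` is added to `src/Makefile.in` only, but the spec's build section runs `autoreconf -fi` (visible in the spec hunk above), which regenerates `Makefile.in` from `Makefile.am` and is likely to discard this edit; the same change belongs in `src/Makefile.am`, where Patch5 already adds `$(DL_LIBS)` according to its description, which may make this hunk redundant. The new `dlopen`/`dlsym`/`dlclose` calls in fips.c are what need the library, so verify the link still succeeds after autoreconf on a toolchain that uses `--as-needed`, which the older as-needed patch mentioned in the spec suggests is the case here.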
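Review bot: `cipher_reregister_default` only clears `default_ciphers_registered`; nothing in this hunk removes modules already on `ciphers_registered`, so after FIPS mode is re-activated the non-approved ciphers registered during the legacy window presumably remain usable unless the registration path (outside the hunk) deduplicates or rebuilds the list — confirm, because otherwise re-activation only changes a flag. The same applies to `digest_reregister_default` in the md.c hunk here and `pk_reregister_default` in the pubkey.c hunk below. Separately, the patch is written against `libgcrypt-1.5.3` paths while the package is 1.6.1 (consistent with the changelog's "currently not applied"); the `ath_mutex`/`_gcry_module_add` registration layer it relies on should be checked against the 1.6 sources before it is ever enabled, and that caveat belongs in the comment above each helper, e.g. `/* Re-Register default cipher listing: resets the registration flag only; callers must ensure the registered list is rebuilt. */`.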
@@ -180,7 +187,8 @@ md_register_default (void)
 for (i = 0; !err && digest_table[i].digest; i++)
 {
- if ( fips_mode ())
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode ())
 {
 if (!digest_table[i].fips_allowed)
 continue;
diff -urNp libgcrypt-1.5.3.orig/cipher/pubkey.c libgcrypt-1.5.3/cipher/pubkey.c
--- libgcrypt-1.5.3.orig/cipher/pubkey.c 2013-08-14 02:41:07.969316234 +0200
+++ libgcrypt-1.5.3/cipher/pubkey.c 2013-08-14 03:22:07.227878253 +0200
@@ -192,6 +192,15 @@ dummy_get_nbits (int algorithm, gcry_mpi
 return 0;
 }
+/* Re-Register default digest listing */
+void
+pk_reregister_default(void)
+{
+ ath_mutex_lock (&pubkeys_registered_lock);
+ default_pubkeys_registered = 0;
+ ath_mutex_unlock (&pubkeys_registered_lock);
+}
+
 /* Internal function. Register all the pubkeys included in
 PUBKEY_TABLE. Returns zero on success or an error code. */
 static void
@@ -202,6 +211,10 @@ pk_register_default (void)
 for (i = 0; (! err) && pubkey_table[i].pubkey; i++)
 {
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode () && !pubkey_table[i].fips_allowed )
+ continue;
+
 #define pubkey_use_dummy(func) \
 if (! pubkey_table[i].pubkey->func) \
 pubkey_table[i].pubkey->func = dummy_##func;
diff -urNp libgcrypt-1.5.3.orig/doc/gcrypt.texi libgcrypt-1.5.3/doc/gcrypt.texi
--- libgcrypt-1.5.3.orig/doc/gcrypt.texi 2013-08-14 02:41:07.908316872 +0200
+++ libgcrypt-1.5.3/doc/gcrypt.texi 2013-08-14 03:43:51.808257657 +0200
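Review bot: The comment above `pk_reregister_default` in the pubkey.c hunk reads `/* Re-Register default digest listing */`, copied from md.c; it should read `/* Re-Register default pubkey listing */`. The body is otherwise the cipher/digest helper with the pubkey lock and flag substituted, so the comment is the only line that still names the wrong table.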
@@ -844,6 +844,25 @@ This option may be used to disabale a ce
 behaves as if this feature has not been detected. Note that the
 detection code might be run if the feature has been disabled. This
 command must be used at initialization time; i.e. before calling
+
+@item GCRYCTL_INACTIVATE_FIPS_FLAG; Arguments: const char *log
+Suspend FIPS mode which implies that all ciphers are again allowed to be used.
+Still, all operations around the FIPS 140-2 mode, such as the finite
+state model enforcement are still enforced. The idea of this mode
+is to allow the caller to implement legacy operations, such as
+decryption or signature verification of data that is already present
+using non-approved ciphers. After the legacy operation is completed,
+GCRYCTL_REACTIVATE_FIPS_FLAG should be invoked to limit the ciphers
+again. The argument allows the caller to provide a string that is logged.
+
+@item GCRYCTL_REACTIVATE_FIPS_FLAG; Arguments: const char *log
+Re-activate FIPS mode by limiting the allowed cipher listing to the
+approved ciphers. This call should be called immediately after the
+legacy operations that are made possible with
+@code{GCRYCTL_INACTIVATE_FIPS_FLAG} are completed. FIPS 140-2 self
+tests are invoked. The argument allows the caller to provide a
+string that is logged.
+
 @code{gcry_check_version}.
 @end table
Binärdateien libgcrypt-1.5.3.orig/doc/.gcrypt.texi.swp und libgcrypt-1.5.3/doc/.gcrypt.texi.swp sind verschieden.
diff -urNp libgcrypt-1.5.3.orig/src/fips.c libgcrypt-1.5.3/src/fips.c
--- libgcrypt-1.5.3.orig/src/fips.c 2013-08-14 02:41:07.943316506 +0200
+++ libgcrypt-1.5.3/src/fips.c 2013-08-14 03:33:47.600705208 +0200
@@ -307,6 +307,10 @@ _gcry_inactivate_fips_mode (const char *
 {
 inactive_fips_mode = 1;
 unlock_fsm ();
+ /* enforce reloading of cipher list to allow use of all ciphers */
+ cipher_reregister_default();
+ digest_reregister_default();
+ pk_reregister_default();
 #ifdef HAVE_SYSLOG
 syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
 "%s - FIPS mode inactivated", text);
@@ -316,6 +320,33 @@ _gcry_inactivate_fips_mode (const char *
 unlock_fsm ();
 }
+void
+_gcry_reactivate_fips_mode (const char *text)
+{
+ gcry_assert (_gcry_fips_mode ());
+
+ lock_fsm ();
+ if (inactive_fips_mode)
+ {
+ inactive_fips_mode = 0;
+ unlock_fsm ();
+ /* execute self test as there have been non-approved ciphers allowed
+ * to execute */
+ _gcry_fips_run_selftests(0);
+ /* enforce reloading of cipher list to only use FIPS ciphers */
+ cipher_reregister_default();
+ digest_reregister_default();
+ pk_reregister_default();
+#ifdef HAVE_SYSLOG
+ syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
+ "%s - FIPS mode activated", text);
+#endif /*HAVE_SYSLOG*/
+ }
+ else
+ unlock_fsm ();
+
+}
+
 /* Return the FIPS mode inactive flag. If it is true the FIPS mode is
 not anymore active. */
diff -urNp libgcrypt-1.5.3.orig/src/g10lib.h libgcrypt-1.5.3/src/g10lib.h
--- libgcrypt-1.5.3.orig/src/g10lib.h 2013-08-14 02:41:07.941316527 +0200
+++ libgcrypt-1.5.3/src/g10lib.h 2013-08-14 03:25:29.836347533 +0200
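Review bot: In `_gcry_reactivate_fips_mode` the self-tests run before the three `*_reregister_default()` calls, so they execute against the algorithm tables as populated during the legacy window rather than the restricted set the caller is returning to; moving `cipher_reregister_default(); digest_reregister_default(); pk_reregister_default();` ahead of `_gcry_fips_run_selftests(0);` matches what the comment says the step is for. The outcome of `_gcry_fips_run_selftests` is not examined here and whether it drives the FSM into the error state on its own is outside the hunk, so confirm that a failing self-test cannot leave `inactive_fips_mode` cleared with approved-only mode merely logged as "activated". The stray blank line before the closing brace and the mixed `foo()` / `foo ()` call spacing differ from the GNU style of the surrounding code.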
@@ -329,8 +329,11 @@ int _gcry_enforced_fips_mode (void);
 void _gcry_set_enforced_fips_mode (void);
 void _gcry_inactivate_fips_mode (const char *text);
+void _gcry_reactivate_fips_mode (const char *text);
 int _gcry_is_fips_mode_inactive (void);
-
+void cipher_reregister_default(void);
+void digest_reregister_default(void);
+void pk_reregister_default(void);
 void _gcry_fips_signal_error (const char *srcfile,
 int srcline,
diff -urNp libgcrypt-1.5.3.orig/src/gcrypt.h libgcrypt-1.5.3/src/gcrypt.h
--- libgcrypt-1.5.3.orig/src/gcrypt.h.in 2013-08-14 02:41:07.942316516 +0200
+++ libgcrypt-1.5.3/src/gcrypt.h.in 2013-08-14 02:58:13.304374921 +0200
@@ -423,7 +423,9 @@ enum gcry_ctl_cmds
 GCRYCTL_SELFTEST = 57,
 /* Note: 58 .. 62 are used internally. */
 GCRYCTL_DISABLE_HWF = 63,
- GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64
+ GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64,
+ GCRYCTL_INACTIVATE_FIPS_FLAG = 65,
+ GCRYCTL_REACTIVATE_FIPS_FLAG = 66
 };
 /* Perform various operations defined by CMD. */
diff -urNp libgcrypt-1.5.3.orig/src/global.c libgcrypt-1.5.3/src/global.c
--- libgcrypt-1.5.3.orig/src/global.c 2013-08-14 02:41:07.943316506 +0200
+++ libgcrypt-1.5.3/src/global.c 2013-08-15 23:40:34.233497710 +0200
@@ -609,6 +609,16 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
 err = GPG_ERR_GENERAL;
 break;
+ case GCRYCTL_INACTIVATE_FIPS_FLAG:
+ log_info ("FIPS mode enabled but allow all approved and non-approved ciphers\n");
+ _gcry_inactivate_fips_mode (va_arg (arg_ptr, const char *));
+ break;
+
+ case GCRYCTL_REACTIVATE_FIPS_FLAG:
+ log_info ("FIPS mode enabled and limit ciphers to approved ciphers\n");
+ _gcry_reactivate_fips_mode (va_arg (arg_ptr, const char *));
+ break;
+
 default:
 err = GPG_ERR_INV_OP;
 }
++++++ libgcrypt-fixed-sizet.patch ++++++
Index: libgcrypt-1.6.1/random/rndlinux.c
===================================================================
--- libgcrypt-1.6.1.orig/random/rndlinux.c
+++ libgcrypt-1.6.1/random/rndlinux.c
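Review bot: `GCRYCTL_INACTIVATE_FIPS_FLAG = 65` and `GCRYCTL_REACTIVATE_FIPS_FLAG = 66` are appended to the public `enum gcry_ctl_cmds` of a 1.5.3 header while the package builds 1.6.1; upstream keeps assigning `GCRYCTL_*` numbers after 64 in that series, so these values may collide with upstream commands once the patch is rebased and applications compiled against either header would silently invoke the wrong control — pick values coordinated with upstream or at least mark them `/* distribution-private, not coordinated with upstream numbering */`. In the g10lib.h hunk the new `cipher_reregister_default`, `digest_reregister_default` and `pk_reregister_default` declarations lack the `_gcry_` prefix that every neighbouring internal symbol carries (`_gcry_reactivate_fips_mode`, `_gcry_is_fips_mode_inactive`), which is the convention that marks internal symbols; rename them to keep it. In the global.c hunk the two `log_info` calls fire on every invocation; a comment stating that this is intended audit output, not debug noise, would stop someone removing them.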
@@ -261,7 +261,7 @@ _gcry_rndlinux_gather_random (void (*add
 do
 {
- int nbytes = length < sizeof(buffer)? length : sizeof(buffer);
+ size_t nbytes = length < sizeof(buffer)? length : sizeof(buffer);
 n = read(fd, buffer, nbytes );
 if( n >= 0 && n > nbytes )
 {
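Review bot: Making `nbytes` a `size_t` turns `n > nbytes` into a signed/unsigned comparison (`n` is declared `int` in the cfgrandom patch's hunk of the same function above); it is correct only because of the preceding `n >= 0 &&`, and `-Wsign-compare` will still flag it. Spell the dependency out, `if( n >= 0 && (size_t)n > nbytes )`, or give `n` the `ssize_t` that `read()` returns — that declaration is outside this hunk. The enclosing `_gcry_rndlinux_gather_random` continues past the hunk.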