From 9fe250b05505efabf40d1b2c37985a782fb16a8c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 21 2020 16:24:32 +0000
Subject: import libgcrypt-1.8.3-4.el8


---

diff --git a/SOURCES/libgcrypt-1.8.3-fips-enttest.patch b/SOURCES/libgcrypt-1.8.3-fips-enttest.patch
index 278fa1e..b6b09ba 100644
--- a/SOURCES/libgcrypt-1.8.3-fips-enttest.patch
+++ b/SOURCES/libgcrypt-1.8.3-fips-enttest.patch
@@ -1,16 +1,37 @@
 diff -up libgcrypt-1.8.3/random/random-drbg.c.fips-enttest libgcrypt-1.8.3/random/random-drbg.c
 --- libgcrypt-1.8.3/random/random-drbg.c.fips-enttest	2017-11-23 19:16:58.000000000 +0100
-+++ libgcrypt-1.8.3/random/random-drbg.c	2019-06-03 13:19:44.035516400 +0200
-@@ -610,6 +610,8 @@ drbg_get_entropy (drbg_state_t drbg, uns
++++ libgcrypt-1.8.3/random/random-drbg.c	2019-06-24 10:04:23.219547141 +0200
+@@ -317,6 +317,7 @@ struct drbg_state_s
+   unsigned char *ctr_null;	/* CTR mode zero buffer */
+   int seeded:1;			/* DRBG fully seeded? */
+   int pr:1;			/* Prediction resistance enabled? */
++  int ent_primed:1;             /* Previous entropy data primed? */
+   /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the
+    * process which did the initialization so that we can detect a fork.
+    * The volatile modifier is required so that the compiler does not
+@@ -324,6 +325,7 @@ struct drbg_state_s
+   pid_t seed_init_pid;
+   const struct drbg_state_ops_s *d_ops;
+   const struct drbg_core_s *core;
++  unsigned char ent_hash[64];	/* Hash of previous entropy data */
+   struct drbg_test_data_s *test_data;
+ };
+ 
+@@ -610,11 +612,13 @@ drbg_get_entropy (drbg_state_t drbg, uns
  		       size_t len)
  {
    int rc = 0;
-+  static unsigned char oldhash[64] = { 0 };
 +  unsigned char newhash[64];
  
    /* Perform testing as defined in 11.3.2 */
    if (drbg->test_data && drbg->test_data->fail_seed_source)
-@@ -634,6 +636,17 @@ drbg_get_entropy (drbg_state_t drbg, uns
+     return -1;
+ 
++redo:
+   read_cb_buffer = buffer;
+   read_cb_size = len;
+   read_cb_len = 0;
+@@ -634,6 +638,27 @@ drbg_get_entropy (drbg_state_t drbg, uns
  #else
    rc = -1;
  #endif
@@ -20,11 +41,73 @@ diff -up libgcrypt-1.8.3/random/random-drbg.c.fips-enttest libgcrypt-1.8.3/rando
 +   */
 +  _gcry_md_hash_buffer (GCRY_MD_SHA512, newhash, buffer, len);
 +
-+  if (memcmp (newhash, oldhash, sizeof (oldhash)) == 0)
-+    return -1;  /* continous entropy test failed */
++  if (!drbg->ent_primed)
++    {
++      memcpy (drbg->ent_hash, newhash, sizeof (drbg->ent_hash));
++      drbg->ent_primed = 1;
++      goto redo;
++    }
 +
-+  memcpy (oldhash, newhash, sizeof (oldhash));
++  if (memcmp (newhash, drbg->ent_hash, sizeof (drbg->ent_hash)) == 0)
++    {
++      fips_signal_error ("Entropy source failed the continuous test");
++      return -1;  /* continuous entropy test failed */
++    }
++
++  memcpy (drbg->ent_hash, newhash, sizeof (drbg->ent_hash));
 +
    return rc;
  }
  
+@@ -1341,26 +1366,38 @@ drbg_seed (drbg_state_t drbg, drbg_strin
+     }
+   else
+     {
++      int nonce = 0;
+       /* Gather entropy equal to the security strength of the DRBG.
+        * With a derivation function, a nonce is required in addition
+        * to the entropy. A nonce must be at least 1/2 of the security
+        * strength of the DRBG in size. Thus, entropy * nonce is 3/2
+        * of the strength. The consideration of a nonce is only
+-       * applicable during initial seeding. */
++       * applicable during initial seeding.
++       * To avoid pulling different length of data from entropy
++       * source, we use 2 * strength for initial seeding. */
+       entropylen = drbg_sec_strength (drbg->core->flags);
+       if (!entropylen)
+ 	return GPG_ERR_GENERAL;
+       if (0 == reseed)
+-	/* make sure we round up strength/2 in
+-	 * case it is not divisible by 2 */
+-	entropylen = ((entropylen + 1) / 2) * 3;
++        {
++	  nonce = 1;
++        }
+       dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen));
+-      entropy = xcalloc_secure (1, entropylen);
++      entropy = xcalloc_secure (nonce + 1, entropylen);
+       if (!entropy)
+ 	return GPG_ERR_ENOMEM;
+       ret = drbg_get_entropy (drbg, entropy, entropylen);
+       if (ret)
+ 	goto out;
++      if (nonce)
++        {
++          ret = drbg_get_entropy (drbg, entropy + entropylen, entropylen);
++          if (ret)
++	    goto out;
++	  /* make sure we round up strength/2 in
++	   * case it is not divisible by 2 */
++ 	  entropylen = 2 * entropylen;
++        }
+       drbg_string_fill (&data1, entropy, entropylen);
+     }
+ 
+@@ -1597,6 +1634,7 @@ drbg_instantiate (drbg_state_t drbg,
+   drbg->core = &drbg_cores[coreref];
+   drbg->pr = pr;
+   drbg->seeded = 0;
++  drbg->ent_primed = 0;
+   if (drbg->core->flags & DRBG_HMAC)
+     drbg->d_ops = &drbg_hmac_ops;
+   else if (drbg->core->flags & DRBG_HASH_MASK)
diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec
index ab0a651..7eaf176 100644
--- a/SPECS/libgcrypt.spec
+++ b/SPECS/libgcrypt.spec
@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.8.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 URL: http://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
@@ -200,6 +200,9 @@ exit 0
 %license COPYING
 
 %changelog
+* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.3-4
+- improve the continuous FIPS entropy test
+
 * Mon Jun  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.3-3
 - add CMAC selftest for FIPS POST
 - add continuous FIPS entropy test