diff --git a/SOURCES/libgcrypt-1.9.3-fips-hwfeatures.patch b/SOURCES/libgcrypt-1.9.3-fips-hwfeatures.patch
new file mode 100644
index 0000000..305d949
--- /dev/null
+++ b/SOURCES/libgcrypt-1.9.3-fips-hwfeatures.patch
@@ -0,0 +1,13 @@
+diff -up libgcrypt-1.8.5/src/hwfeatures.c.hw-fips libgcrypt-1.8.5/src/hwfeatures.c
+--- libgcrypt-1.8.5/src/hwfeatures.c.hw-fips 2021-06-25 11:55:55.843819137 +0200
++++ libgcrypt-1.8.5/src/hwfeatures.c 2021-06-25 11:56:00.925895390 +0200
+@@ -205,9 +205,6 @@ _gcry_detect_hw_features (void)
+ {
+ hw_features = 0;
+
+- if (fips_mode ())
+- return; /* Hardware support is not to be evaluated. */
+-
+ parse_hwf_deny_file ();
+
+ #if defined (HAVE_CPU_ARCH_X86)
diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec
index 18ad37b..a4bf452 100644
--- a/SPECS/libgcrypt.spec
+++ b/SPECS/libgcrypt.spec
@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.9.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
@@ -50,6 +50,9 @@ Patch28: libgcrypt-1.8.5-intel-cet.patch
 Patch30: libgcrypt-1.8.5-fips-module.patch
 # Fix for CVE-2021-33560
 Patch31: libgcrypt-1.9.3-CVE-2021-33560.patch
+# We can use HW optimizations in FIPS (#1990059)
+Patch32: libgcrypt-1.9.3-fips-hwfeatures.patch
+
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -100,6 +103,7 @@ applications using libgcrypt.
 %patch28 -p1 -b .intel-cet
 %patch30 -p1 -b .fips-module
 %patch31 -p1 -b .CVE-2021-33560
+%patch32 -p1 -b .hw-fips
 cp %{SOURCE4} cipher/
 cp %{SOURCE5} %{SOURCE6} %{SOURCE8} tests/
@@ -209,6 +213,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
 %license COPYING
 %changelog
+* Tue Oct 12 2021 Jakub Jelen - 1.9.3-5
+- Allow HW optimizations in FIPS mode (#1990059)
+
 * Mon Aug 09 2021 Mohan Boddu - 1.9.3-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
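Review bot: In the hunk that adds libgcrypt-1.9.3-fips-hwfeatures.patch, removing the `if (fips_mode ()) return;` guard from `_gcry_detect_hw_features` makes `parse_hwf_deny_file ()` and the architecture-specific detection after it run in FIPS mode, yet the patch file has no description header recording why that is acceptable. I would add a few header lines to the patch giving the rationale and upstream status, and leave a comment where the guard was, e.g. `/* Hardware features are evaluated in FIPS mode as well (#1990059). */`. Whether the module's self-tests exercise the accelerated implementations that detection now selects is not visible in this diff and is worth confirming before shipping, as is the fact that a deny file (inferred from the function name) now influences a FIPS-mode process. The patch's internal headers name `libgcrypt-1.8.5/` while the file is versioned 1.9.3; `-p1` hides the mismatch, but regenerating against the 1.9.3 tree would be cleaner. The function body continues past the end of the nested hunk.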