#! /bin/sh /usr/share/dpatch/dpatch-run
## 20-mlockall-failure-non-fatal.dpatch by  <james.westby@canonical.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Changes in pam mean that seccure isn't allowed to lock all of
## DP: the memory that it wants. This patch makes that non-fatal, and
## DP: tells libgcrypt to initialize secure memory instead of disabling
## DP: it as seccure provides its own. This patch is a stop-gap from
## DP: the upstream developer, who is working on a better fix.
## DP: (Closes: #489835)

@DPATCH@
diff -urNad seccure-0.3~/seccure.c seccure-0.3/seccure.c
--- seccure-0.3~/seccure.c	2006-08-16 21:13:57.000000000 +0100
+++ seccure-0.3/seccure.c	2008-09-16 14:40:53.000000000 +0100
@@ -90,6 +90,18 @@
 #endif
 }
 
+void warning(const char *msg)
+{
+  beep_on_terminal(stderr);
+  fprintf(stderr, "WARNING: %s.\n", msg);
+}
+
+void warning_errno(const char *msg, int err)
+{
+  beep_on_terminal(stderr);
+  fprintf(stderr, "WARNING: %s: %s.\n", msg, strerror(err));
+}
+
 void fatal(const char *msg)
 {
   beep_on_terminal(stderr);
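Review bot: `warning()` and `warning_errno()` carry no comment saying that, unlike the `fatal()` family they are modelled on, they return to the caller. Because the first use of them (the second hunk) is on a security-relevant path, a one-line header such as `/* Report a non-fatal problem on stderr and return; the caller continues in a degraded state. */` above each would make that contract explicit. The body of `fatal()` continues outside this hunk, so whether it exits is inferred from its name and from how it is used.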
@@ -1061,13 +1073,12 @@
 
 #if ! NOMEMLOCK
   if (mlockall(MCL_CURRENT | MCL_FUTURE) < 0)
-    fatal_errno("Cannot obtain memory lock", errno);
+    warning_errno("Cannot obtain memory lock", errno);
 #endif
 
-  /* As we already have locked all memory we don't need gcrypt's mlocking */
-  err = gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
+  err = gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
   if (gcry_err_code(err))
-    fatal_gcrypt("Cannot disable gcrypt's secure memory", err);
+    fatal_gcrypt("Cannot initialize gcrypt's secure memory", err);
 
   if (getuid() != geteuid())
     seteuid(getuid());
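Review bot: When `mlockall()` fails, the process now carries on with only gcrypt's 16384-byte secure pool locked, so any secret seccure keeps in its own buffers (passphrase input, derived keys) is no longer protected from being paged to swap. Whether such buffers exist is not visible in this hunk and should be checked against the rest of seccure.c. The warning text should state the consequence rather than only the cause, e.g. `warning_errno("Cannot obtain memory lock, secrets may be written to swap", errno);`. The removed comment also leaves the `gcry_control` call unexplained; something like `/* mlockall() may have failed, so let gcrypt lock its own 16 KiB secure pool */` would record why `GCRYCTL_INIT_SECMEM` and the literal 16384 are there. The enclosing function starts and ends outside the hunk.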
