gentleknife / rpms / libgcrypt

Forked from rpms/libgcrypt 4 years ago
Clone
Blob Blame History Raw
diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c
--- libgcrypt-1.8.5/src/fips.c.fips-module	2020-04-20 19:07:45.924919645 +0200
+++ libgcrypt-1.8.5/src/fips.c	2020-04-20 19:10:33.690722470 +0200
@@ -35,10 +35,6 @@
 #include "hmac256.h"
 
 
-/* The name of the file used to force libgcrypt into fips mode. */
-#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled"
-
-
 /* The states of the finite state machine used in fips mode.  */
 enum module_states
   {
@@ -122,54 +118,6 @@ _gcry_initialize_fips_mode (int force)
       goto leave;
     }
 
-  /* For testing the system it is useful to override the system
-     provided detection of the FIPS mode and force FIPS mode using a
-     file.  The filename is hardwired so that there won't be any
-     confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
-     actually used.  The file itself may be empty.  */
-  if ( !access (FIPS_FORCE_FILE, F_OK) )
-    {
-      gcry_assert (!no_fips_mode_required);
-      goto leave;
-    }
-
-  /* Checking based on /proc file properties.  */
-  {
-    static const char procfname[] = "/proc/sys/crypto/fips_enabled";
-    FILE *fp;
-    int saved_errno;
-
-    fp = fopen (procfname, "r");
-    if (fp)
-      {
-        char line[256];
-
-        if (fgets (line, sizeof line, fp) && atoi (line))
-          {
-            /* System is in fips mode.  */
-            fclose (fp);
-            gcry_assert (!no_fips_mode_required);
-            goto leave;
-          }
-        fclose (fp);
-      }
-    else if ((saved_errno = errno) != ENOENT
-             && saved_errno != EACCES
-             && !access ("/proc/version", F_OK) )
-      {
-        /* Problem reading the fips file despite that we have the proc
-           file system.  We better stop right away. */
-        log_info ("FATAL: error reading `%s' in libgcrypt: %s\n",
-                  procfname, strerror (saved_errno));
-#ifdef HAVE_SYSLOG
-        syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
-                "reading `%s' failed: %s - abort",
-                procfname, strerror (saved_errno));
-#endif /*HAVE_SYSLOG*/
-        abort ();
-      }
-  }
-
   /* Fips not not requested, set flag.  */
   no_fips_mode_required = 1;
 
diff -up libgcrypt-1.8.5/src/g10lib.h.fips-module libgcrypt-1.8.5/src/g10lib.h
--- libgcrypt-1.8.5/src/g10lib.h.fips-module	2020-04-20 19:07:45.918919759 +0200
+++ libgcrypt-1.8.5/src/g10lib.h	2020-04-20 19:11:05.003125740 +0200
@@ -422,6 +422,9 @@ gpg_err_code_t _gcry_sexp_vextract_param
 
 /*-- fips.c --*/
 
+/* The name of the file used to force libgcrypt into fips mode. */
+#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled"
+
 void _gcry_initialize_fips_mode (int force);
 
 int _gcry_fips_mode (void);
diff -up libgcrypt-1.8.5/src/global.c.fips-module libgcrypt-1.8.5/src/global.c
--- libgcrypt-1.8.5/src/global.c.fips-module	2020-04-20 19:07:45.919919741 +0200
+++ libgcrypt-1.8.5/src/global.c	2020-04-20 19:07:45.950919149 +0200
@@ -160,6 +160,53 @@ void __attribute__ ((constructor)) _gcry
   rv = access (FIPS_MODULE_PATH, F_OK);
   if (rv < 0 && errno != ENOENT)
     rv = 0;
+ 
+  /* For testing the system it is useful to override the system
+     provided detection of the FIPS mode and force FIPS mode using a
+     file.  The filename is hardwired so that there won't be any
+     confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
+     actually used.  The file itself may be empty.  */
+  if ( !access (FIPS_FORCE_FILE, F_OK) )
+    {
+      rv = 0;
+      force_fips_mode = 1;
+    }
+
+  /* Checking based on /proc file properties.  */
+  {
+    static const char procfname[] = "/proc/sys/crypto/fips_enabled";
+    FILE *fp;
+    int saved_errno;
+
+    fp = fopen (procfname, "r");
+    if (fp)
+      {
+        char line[256];
+
+        if (fgets (line, sizeof line, fp) && atoi (line))
+          {
+            /* System is in fips mode.  */
+            rv = 0;
+            force_fips_mode = 1;
+          }
+        fclose (fp);
+      }
+    else if ((saved_errno = errno) != ENOENT
+             && saved_errno != EACCES
+             && !access ("/proc/version", F_OK) )
+      {
+        /* Problem reading the fips file despite that we have the proc
+           file system.  We better stop right away. */
+        log_info ("FATAL: error reading `%s' in libgcrypt: %s\n",
+                  procfname, strerror (saved_errno));
+#ifdef HAVE_SYSLOG
+        syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
+                "reading `%s' failed: %s - abort",
+                procfname, strerror (saved_errno));
+#endif /*HAVE_SYSLOG*/
+        abort ();
+      }
+  }
 
   if (!rv)
     {