Blame SOURCES/libgcrypt-1.8.5-fips-module.patch

diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c
--- libgcrypt-1.8.5/src/fips.c.fips-module	2020-04-20 19:07:45.924919645 +0200
+++ libgcrypt-1.8.5/src/fips.c	2020-04-20 19:10:33.690722470 +0200
@@ -35,10 +35,6 @@
 #include "hmac256.h"
 
 
-/* The name of the file used to force libgcrypt into fips mode. */
-#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled"
-
-
 /* The states of the finite state machine used in fips mode.  */
 enum module_states
   {
@@ -122,54 +118,6 @@ _gcry_initialize_fips_mode (int force)
       goto leave;
     }
 
-  /* For testing the system it is useful to override the system
-     provided detection of the FIPS mode and force FIPS mode using a
-     file.  The filename is hardwired so that there won't be any
-     confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
-     actually used.  The file itself may be empty.  */
-  if ( !access (FIPS_FORCE_FILE, F_OK) )
-    {
-      gcry_assert (!no_fips_mode_required);
-      goto leave;
-    }
-
-  /* Checking based on /proc file properties.  */
-  {
-    static const char procfname[] = "/proc/sys/crypto/fips_enabled";
-    FILE *fp;
-    int saved_errno;
-
-    fp = fopen (procfname, "r");
-    if (fp)
-      {
-        char line[256];
-
-        if (fgets (line, sizeof line, fp) && atoi (line))
-          {
-            /* System is in fips mode.  */
-            fclose (fp);
-            gcry_assert (!no_fips_mode_required);
-            goto leave;
-          }
-        fclose (fp);
-      }
-    else if ((saved_errno = errno) != ENOENT
-             && saved_errno != EACCES
-             && !access ("/proc/version", F_OK) )
-      {
-        /* Problem reading the fips file despite that we have the proc
-           file system.  We better stop right away. */
-        log_info ("FATAL: error reading `%s' in libgcrypt: %s\n",
-                  procfname, strerror (saved_errno));
-#ifdef HAVE_SYSLOG
-        syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
-                "reading `%s' failed: %s - abort",
-                procfname, strerror (saved_errno));
-#endif /*HAVE_SYSLOG*/
-        abort ();
-      }
-  }
-
   /* Fips not not requested, set flag.  */
   no_fips_mode_required = 1;
 
diff -up libgcrypt-1.8.5/src/g10lib.h.fips-module libgcrypt-1.8.5/src/g10lib.h
--- libgcrypt-1.8.5/src/g10lib.h.fips-module	2020-04-20 19:07:45.918919759 +0200
+++ libgcrypt-1.8.5/src/g10lib.h	2020-04-20 19:11:05.003125740 +0200
@@ -422,6 +422,9 @@ gpg_err_code_t _gcry_sexp_vextract_param
 
 /*-- fips.c --*/
 
+/* The name of the file used to force libgcrypt into fips mode. */
+#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled"
+
 void _gcry_initialize_fips_mode (int force);
 
 int _gcry_fips_mode (void);
diff -up libgcrypt-1.8.5/src/global.c.fips-module libgcrypt-1.8.5/src/global.c
--- libgcrypt-1.8.5/src/global.c.fips-module	2020-04-20 19:07:45.919919741 +0200
+++ libgcrypt-1.8.5/src/global.c	2020-04-20 19:07:45.950919149 +0200
@@ -160,6 +160,53 @@ void __attribute__ ((constructor)) _gcry
   rv = access (FIPS_MODULE_PATH, F_OK);
   if (rv < 0 && errno != ENOENT)
     rv = 0;
+ 
+  /* For testing the system it is useful to override the system
+     provided detection of the FIPS mode and force FIPS mode using a
+     file.  The filename is hardwired so that there won't be any
+     confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
+     actually used.  The file itself may be empty.  */
+  if ( !access (FIPS_FORCE_FILE, F_OK) )
+    {
+      rv = 0;
+      force_fips_mode = 1;
+    }
+
+  /* Checking based on /proc file properties.  */
+  {
+    static const char procfname[] = "/proc/sys/crypto/fips_enabled";
+    FILE *fp;
+    int saved_errno;
+
+    fp = fopen (procfname, "r");
+    if (fp)
+      {
+        char line[256];
+
+        if (fgets (line, sizeof line, fp) && atoi (line))
+          {
+            /* System is in fips mode.  */
+            rv = 0;
+            force_fips_mode = 1;
+          }
+        fclose (fp);
+      }
+    else if ((saved_errno = errno) != ENOENT
+             && saved_errno != EACCES
+             && !access ("/proc/version", F_OK) )
+      {
+        /* Problem reading the fips file despite that we have the proc
+           file system.  We better stop right away. */
+        log_info ("FATAL: error reading `%s' in libgcrypt: %s\n",
+                  procfname, strerror (saved_errno));
+#ifdef HAVE_SYSLOG
+        syslog (LOG_USER|LOG_ERR, "Libgcrypt error: "
+                "reading `%s' failed: %s - abort",
+                procfname, strerror (saved_errno));
+#endif /*HAVE_SYSLOG*/
+        abort ();
+      }
+  }
 
   if (!rv)
     {
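Review bot: The `abort ()` on the fopen-failure branch now executes inside what the hunk header shows is a `__attribute__ ((constructor))` function, so a process that merely links libgcrypt and cannot read `/proc/sys/crypto/fips_enabled` (errno other than ENOENT/EACCES, with `/proc/version` present) dies at load time, before `main()`, rather than at `_gcry_initialize_fips_mode` as in the removed fips.c code; that seems intended but is undocumented, so a comment such as `/* NOTE: runs at library load: an unreadable fips_enabled with /proc present aborts the process before main(). */` above the block would help. The added line right after `rv = 0;` is a `+` followed only by a stray space; drop the trailing whitespace. `atoi (line)` maps any malformed content to 0 (non-FIPS) silently; `strtol` with an end-pointer check would make a garbled value visible, though the risk is low because the file is kernel-provided. The enclosing constructor begins before this hunk and continues past the `if (!rv)` at its end.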