diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c --- libgcrypt-1.8.5/src/fips.c.fips-module 2020-04-20 19:07:45.924919645 +0200 +++ libgcrypt-1.8.5/src/fips.c 2020-04-20 19:10:33.690722470 +0200 @@ -35,10 +35,6 @@ #include "hmac256.h" -/* The name of the file used to force libgcrypt into fips mode. */ -#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled" - - /* The states of the finite state machine used in fips mode. */ enum module_states { @@ -122,54 +118,6 @@ _gcry_initialize_fips_mode (int force) goto leave; } - /* For testing the system it is useful to override the system - provided detection of the FIPS mode and force FIPS mode using a - file. The filename is hardwired so that there won't be any - confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is - actually used. The file itself may be empty. */ - if ( !access (FIPS_FORCE_FILE, F_OK) ) - { - gcry_assert (!_gcry_no_fips_mode_required); - goto leave; - } - - /* Checking based on /proc file properties. */ - { - static const char procfname[] = "/proc/sys/crypto/fips_enabled"; - FILE *fp; - int saved_errno; - - fp = fopen (procfname, "r"); - if (fp) - { - char line[256]; - - if (fgets (line, sizeof line, fp) && atoi (line)) - { - /* System is in fips mode. */ - fclose (fp); - gcry_assert (!_gcry_no_fips_mode_required); - goto leave; - } - fclose (fp); - } - else if ((saved_errno = errno) != ENOENT - && saved_errno != EACCES - && !access ("/proc/version", F_OK) ) - { - /* Problem reading the fips file despite that we have the proc - file system. We better stop right away. */ - log_info ("FATAL: error reading `%s' in libgcrypt: %s\n", - procfname, strerror (saved_errno)); -#ifdef HAVE_SYSLOG - syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " - "reading `%s' failed: %s - abort", - procfname, strerror (saved_errno)); -#endif /*HAVE_SYSLOG*/ - abort (); - } - } - /* Fips not not requested, set flag. */ _gcry_no_fips_mode_required = 1; diff -up libgcrypt-1.8.5/src/g10lib.h.fips-module libgcrypt-1.8.5/src/g10lib.h --- libgcrypt-1.8.5/src/g10lib.h.fips-module 2020-04-20 19:07:45.918919759 +0200 +++ libgcrypt-1.8.5/src/g10lib.h 2020-04-20 19:11:05.003125740 +0200 @@ -422,6 +422,9 @@ gpg_err_code_t _gcry_sexp_vextract_param /*-- fips.c --*/ +/* The name of the file used to force libgcrypt into fips mode. */ +#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled" + extern int _gcry_no_fips_mode_required; void _gcry_initialize_fips_mode (int force); diff -up libgcrypt-1.8.5/src/global.c.fips-module libgcrypt-1.8.5/src/global.c --- libgcrypt-1.8.5/src/global.c.fips-module 2020-04-20 19:07:45.919919741 +0200 +++ libgcrypt-1.8.5/src/global.c 2020-04-20 19:07:45.950919149 +0200 @@ -160,6 +160,53 @@ void __attribute__ ((constructor)) _gcry rv = access (FIPS_MODULE_PATH, F_OK); if (rv < 0 && errno != ENOENT) rv = 0; + + /* For testing the system it is useful to override the system + provided detection of the FIPS mode and force FIPS mode using a + file. The filename is hardwired so that there won't be any + confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is + actually used. The file itself may be empty. */ + if ( !access (FIPS_FORCE_FILE, F_OK) ) + { + rv = 0; + force_fips_mode = 1; + } + + /* Checking based on /proc file properties. */ + { + static const char procfname[] = "/proc/sys/crypto/fips_enabled"; + FILE *fp; + int saved_errno; + + fp = fopen (procfname, "r"); + if (fp) + { + char line[256]; + + if (fgets (line, sizeof line, fp) && atoi (line)) + { + /* System is in fips mode. */ + rv = 0; + force_fips_mode = 1; + } + fclose (fp); + } + else if ((saved_errno = errno) != ENOENT + && saved_errno != EACCES + && !access ("/proc/version", F_OK) ) + { + /* Problem reading the fips file despite that we have the proc + file system. We better stop right away. */ + log_info ("FATAL: error reading `%s' in libgcrypt: %s\n", + procfname, strerror (saved_errno)); +#ifdef HAVE_SYSLOG + syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " + "reading `%s' failed: %s - abort", + procfname, strerror (saved_errno)); +#endif /*HAVE_SYSLOG*/ + abort (); + } + } if (!rv) {