3
0
forked from pool/libgcrypt
libgcrypt/libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff

28 lines
907 B
Diff
Raw Normal View History

From: draht@suse.com
Subject: LIBGCRYPT_FORCE_FIPS_MODE env
environ LIBGCRYPT_FORCE_FIPS_MODE forces FIPS mode of libgcrypt
Index: libgcrypt-1.5.2/src/fips.c
===================================================================
--- libgcrypt-1.5.2.orig/src/fips.c
+++ libgcrypt-1.5.2/src/fips.c
@@ -123,6 +123,17 @@ _gcry_initialize_fips_mode (int force)
goto leave;
}
+ /* for convenience, so that a process can run fips-enabled, but
+ not necessarily all of them, enable FIPS mode via environment
+ variable LIBGCRYPT_FORCE_FIPS_MODE. */
+
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
+ {
Accepting request 868925 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 1.9.1 * *Fix exploitable bug* in hash functions introduced with 1.9.0. [bsc#1181632, CVE-2021-3345] * Return an error if a negative MPI is used with sexp scan functions. * Check for operational FIPS in the random and KDF functions. * Fix compile error on ARMv7 with NEON disabled. * Fix self-test in KDF module. * Improve assembler checks for better LTO support. * Fix 32-bit cross build on x86. * Fix non-NEON ARM assembly implementation for SHA512. * Fix build problems with the cipher_bulk_ops_t typedef. * Fix Ed25519 private key handling for preceding ZEROs. * Fix overflow in modular inverse implementation. * Fix register access for AVX/AVX2 implementations of Blake2. * Add optimized cipher and hash functions for s390x/zSeries. * Use hardware bit counting functionx when available. * Update DSA functions to match FIPS 186-3. * New self-tests for CMACs and KDFs. * Add bulk cipher functions for OFB and GCM modes. - Update libgpg-error required version - Use the suffix variable correctly in get_hmac_path() - Rebase libgcrypt-fips_selftest_trigger_file.patch - Add the global config file /etc/gcrypt/random.conf * This file can be used to globally change parameters of the random generator with the options: only-urandom and disable-jent. - Update to 1.9.0: OBS-URL: https://build.opensuse.org/request/show/868925 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=142
2021-02-03 13:44:42 +01:00
+ gcry_assert (!_gcry_no_fips_mode_required);
+ goto leave;
+ }
+
+
/* For testing the system it is useful to override the system
provided detection of the FIPS mode and force FIPS mode using a
file. The filename is hardwired so that there won't be any