diff --git a/libgcrypt-binary_integrity_in_non-FIPS.patch b/libgcrypt-binary_integrity_in_non-FIPS.patch deleted file mode 100644 index 00b3a06..0000000 --- a/libgcrypt-binary_integrity_in_non-FIPS.patch +++ /dev/null @@ -1,96 +0,0 @@ -Index: libgcrypt-1.8.2/src/fips.c -=================================================================== ---- libgcrypt-1.8.2.orig/src/fips.c 2019-03-27 13:15:14.190987624 +0100 -+++ libgcrypt-1.8.2/src/fips.c 2019-03-27 13:18:07.047986428 +0100 -@@ -115,6 +115,50 @@ _gcry_initialize_fsm_lock (void) - abort (); - } - } -+ -+/* Checks whether the library will enter the FIPS mode. -+ Uses the same logic as _gcry_initialize_fips_mode */ -+static int -+will_enter_fips (void) -+{ -+ /* for convenience, so that a process can run fips-enabled, but -+ not necessarily all of them, enable FIPS mode via environment -+ variable LIBGCRYPT_FORCE_FIPS_MODE. */ -+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL) -+ return 1; -+ -+ /* For testing the system it is useful to override the system -+ provided detection of the FIPS mode and force FIPS mode using a -+ file. The filename is hardwired so that there won't be any -+ confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is -+ actually used. The file itself may be empty. */ -+ if ( !access (FIPS_FORCE_FILE, F_OK) ) -+ return 1; -+ -+ /* Checking based on /proc file properties. */ -+ { -+ static const char procfname[] = "/proc/sys/crypto/fips_enabled"; -+ FILE *fp; -+ -+ fp = fopen (procfname, "r"); -+ if (fp) -+ { -+ char line[256]; -+ -+ if (fgets (line, sizeof line, fp) && atoi (line)) -+ { -+ /* System is in fips mode. */ -+ fclose (fp); -+ return 1; -+ } -+ fclose (fp); -+ } -+ } -+ -+ return 0; -+} -+ -+ - - /* Check whether the OS is in FIPS mode and record that in a module - local variable. If FORCE is passed as true, fips mode will be -@@ -631,10 +675,10 @@ get_library_path(const char *libname, co - - /* Run an integrity check on the binary. Returns 0 on success. */ - static int --check_binary_integrity (void) -+check_binary_integrity () - { - #ifdef ENABLE_HMAC_BINARY_CHECK -- gpg_error_t err; -+ gpg_error_t err = 0; - char libpath[4096]; - unsigned char digest[32]; - int dlen; -@@ -675,7 +719,14 @@ check_binary_integrity (void) - /* Open the file. */ - fp = fopen (fname, "r"); - if (!fp) -- err = gpg_error_from_syserror (); -+ { -+ /* Missing checksum is a problem only in FIPS mode. -+ As the integrity check was moved to the POWERON state, -+ we no longer can rely on fips_mode(). Because at the point, -+ the library is not yet initialized. */ -+ if (will_enter_fips() || errno != ENOENT) -+ err = gpg_error_from_syserror (); -+ } - else - { - /* A buffer of 64 bytes plus one for a LF and one to -@@ -743,9 +794,8 @@ _gcry_fips_run_selftests (int extended) - we return and finish the remaining selftests before - real use of the library. It will be in the POWERON - state meanwhile. */ -- if (in_poweron) -- if (check_binary_integrity ()) -- goto leave; -+ if (check_binary_integrity ()) -+ goto leave; - - if (in_poweron) - return 0; diff --git a/libgcrypt.changes b/libgcrypt.changes index 66e341f..b36fdae 100644 --- a/libgcrypt.changes +++ b/libgcrypt.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Apr 5 21:56:00 UTC 2019 - Jason Sikes + +- removed libgcrypt-binary_integrity_in_non-FIPS.patch since it was breaking + libotr. bsc#1131183 + ------------------------------------------------------------------- Tue Mar 26 16:30:23 UTC 2019 - Vítězslav Čížek diff --git a/libgcrypt.spec b/libgcrypt.spec index 81ed1ee..ca988db 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -59,7 +59,6 @@ Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch Patch39: libgcrypt-1.8.3-fips-ctor.patch Patch40: libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch -Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck