testing/libgcrypt
SHA256
3
0
Fork 0
forked from pool/libgcrypt
Code Pull Requests Activity

Accepting request 692407 from home:jsikes:branches:devel:libraries:c_c++

Browse Source 
Fixed a little oops. Enjoy.

OBS-URL: https://build.opensuse.org/request/show/692407
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=123
This commit is contained in:
Tomáš Chvátal 2019-04-09 06:12:53 +00:00 committed by Git OBS Bridge
parent 9563eb9685
commit 9521655df0
3 changed files with 6 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
libgcrypt-binary_integrity_in_non-FIPS.patch
View File

@ -1,96 +0,0 @@
Index: libgcrypt-1.8.2/src/fips.c
===================================================================
--- libgcrypt-1.8.2.orig/src/fips.c 2019-03-27 13:15:14.190987624 +0100
+++ libgcrypt-1.8.2/src/fips.c 2019-03-27 13:18:07.047986428 +0100
@@ -115,6 +115,50 @@ _gcry_initialize_fsm_lock (void)
abort ();
}
}
+
+/* Checks whether the library will enter the FIPS mode.
+ Uses the same logic as _gcry_initialize_fips_mode */
+static int
+will_enter_fips (void)
+{
+ /* for convenience, so that a process can run fips-enabled, but
+ not necessarily all of them, enable FIPS mode via environment
+ variable LIBGCRYPT_FORCE_FIPS_MODE. */
+ if (getenv("LIBGCRYPT_FORCE_FIPS_MODE") != NULL)
+ return 1;
+
+ /* For testing the system it is useful to override the system
+ provided detection of the FIPS mode and force FIPS mode using a
+ file. The filename is hardwired so that there won't be any
+ confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is
+ actually used. The file itself may be empty. */
+ if ( !access (FIPS_FORCE_FILE, F_OK) )
+ return 1;
+
+ /* Checking based on /proc file properties. */
+ {
+ static const char procfname[] = "/proc/sys/crypto/fips_enabled";
+ FILE *fp;
+
+ fp = fopen (procfname, "r");
+ if (fp)
+ {
+ char line[256];
+
+ if (fgets (line, sizeof line, fp) && atoi (line))
+ {
+ /* System is in fips mode. */
+ fclose (fp);
+ return 1;
+ }
+ fclose (fp);
+ }
+ }
+
+ return 0;
+}
+
+
/* Check whether the OS is in FIPS mode and record that in a module
local variable. If FORCE is passed as true, fips mode will be
@@ -631,10 +675,10 @@ get_library_path(const char *libname, co
/* Run an integrity check on the binary. Returns 0 on success. */
static int
-check_binary_integrity (void)
+check_binary_integrity ()
{
#ifdef ENABLE_HMAC_BINARY_CHECK
- gpg_error_t err;
+ gpg_error_t err = 0;
char libpath[4096];
unsigned char digest[32];
int dlen;
@@ -675,7 +719,14 @@ check_binary_integrity (void)
/* Open the file. */
fp = fopen (fname, "r");
if (!fp)
- err = gpg_error_from_syserror ();
+ {
+ /* Missing checksum is a problem only in FIPS mode.
+ As the integrity check was moved to the POWERON state,
+ we no longer can rely on fips_mode(). Because at the point,
+ the library is not yet initialized. */
+ if (will_enter_fips() || errno != ENOENT)
+ err = gpg_error_from_syserror ();
+ }
else
{
/* A buffer of 64 bytes plus one for a LF and one to
@@ -743,9 +794,8 @@ _gcry_fips_run_selftests (int extended)
we return and finish the remaining selftests before
real use of the library. It will be in the POWERON
state meanwhile. */
- if (in_poweron)
- if (check_binary_integrity ())
- goto leave;
+ if (check_binary_integrity ())
+ goto leave;
if (in_poweron)
return 0;

6
libgcrypt.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Apr 5 21:56:00 UTC 2019 - Jason Sikes <jsikes@suse.de>
- removed libgcrypt-binary_integrity_in_non-FIPS.patch since it was breaking
libotr. bsc#1131183
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 26 16:30:23 UTC 2019 - Vítězslav Čížek <vcizek@suse.com> Tue Mar 26 16:30:23 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>

1
libgcrypt.spec
View File

@ -59,7 +59,6 @@ Patch35: libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch Patch36: libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
Patch39: libgcrypt-1.8.3-fips-ctor.patch Patch39: libgcrypt-1.8.3-fips-ctor.patch
Patch40: libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch Patch40: libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
Patch41: libgcrypt-binary_integrity_in_non-FIPS.patch
Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch Patch42: libgcrypt-fips_rsa_no_enforced_mode.patch
BuildRequires: automake >= 1.14 BuildRequires: automake >= 1.14
BuildRequires: fipscheck BuildRequires: fipscheck