diff -ur gnutls-3.3.8.orig/lib/fips.c gnutls-3.3.8/lib/fips.c
--- gnutls-3.3.8.orig/lib/fips.c	2014-09-04 21:05:54.000000000 +0200
+++ gnutls-3.3.8/lib/fips.c	2014-11-18 09:46:47.376148426 +0100
@@ -37,6 +37,8 @@
 #define FIPS_KERNEL_FILE "/proc/sys/crypto/fips_enabled"
 #define FIPS_SYSTEM_FILE "/etc/system-fips"
 
+static int _fips_mode = -1;
+
 /* Returns:
  * 0 - FIPS mode disabled
  * 1 - FIPS mode enabled and enforced
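Review bot: The new file-scope `_fips_mode` carries no comment, although it is now shared mutable state that more than one function writes (the lookup below and the zombie reset added later in this patch), and its `-1` sentinel is documented nowhere. I would add above the definition: `/* Cached FIPS mode: -1 = not yet determined, otherwise one of the 0/1/2 values documented below; may be moved from 2 to 0 by _gnutls_fips_mode_reset_zombie(). */`. Note also that strictly per C11 7.1.3 a file-scope identifier beginning with an underscore is reserved to the implementation; the project already uses the `_gnutls_` prefix everywhere, so this is a convention matter, but the old name `fips_mode` would have been fine too since `static` already keeps it private.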
@@ -46,21 +48,20 @@
 {
 unsigned f1p = 0, f2p;
 FILE* fd;
-static int fips_mode = -1;
 const char *p;
 
-	if (fips_mode != -1)
-		return fips_mode;
+	if (_fips_mode != -1)
+		return _fips_mode;
 
 	p = getenv("GNUTLS_FORCE_FIPS_MODE");
 	if (p) {
 		if (p[0] == '1')
-			fips_mode = 1;
+			_fips_mode = 1;
 		else if (p[0] == '2')
-			fips_mode = 2;
+			_fips_mode = 2;
 		else
-			fips_mode = 0;
-		return fips_mode;
+			_fips_mode = 0;
+		return _fips_mode;
 	}
 
 	fd = fopen(FIPS_KERNEL_FILE, "r");
@@ -76,20 +77,29 @@
 
 	if (f1p != 0 && f2p != 0) {
 		_gnutls_debug_log("FIPS140-2 mode enabled\n");
-		fips_mode = 1;
-		return fips_mode;
+		_fips_mode = 1;
+		return _fips_mode;
 	}
 
 	if (f2p != 0) {
 		/* a funny state where self tests are performed
 		 * and ignored */
 		_gnutls_debug_log("FIPS140-2 ZOMBIE mode enabled\n");
-		fips_mode = 2;
-		return fips_mode;
+		_fips_mode = 2;
+		return _fips_mode;
 	}
 
-	fips_mode = 0;
-	return fips_mode;
+	_fips_mode = 0;
+	return _fips_mode;
+}
+
+/* This _fips_mode == 2 is a strange mode where checks are being
+ * performed, but its output is ignored. */
+void _gnutls_fips_mode_reset_zombie(void)
+{
+	if (_fips_mode == 2) {
+		_fips_mode = 0;
+	}
 }
 
 #define GNUTLS_LIBRARY_NAME "libgnutls.so.28"
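Review bot: `_gnutls_fips_mode_reset_zombie()` changes the cached mode from 2 to 0 silently, whereas every other transition in this file is reported through `_gnutls_debug_log()` ("FIPS140-2 mode enabled", "FIPS140-2 ZOMBIE mode enabled"); once reset, a later `_gnutls_fips_mode_enabled()` call returns 0 and nothing in the log records that self-tests were run and then discarded. I would add inside the `if`: `_gnutls_debug_log("FIPS140-2 ZOMBIE mode: self tests done, continuing as non-FIPS\n");`. The header comment describes what mode 2 is rather than what the function does; I would make it say that the function is intended to be called once the self-tests have completed, and that it is a no-op in modes 0 and 1. Since `_fips_mode` is a plain `int` written here and in the lookup function without synchronization, I assume this is only ever called during single-threaded library initialization — worth stating in that comment so the assumption is visible.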
@@ -367,6 +377,9 @@
 		goto error;
 	}
 	
+	if (_fips_mode == 2)
+		_fips_mode = 0;
+
 	return 0;
 
 error:
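Review bot: The two added lines before `return 0;` re-implement the zombie reset that this same patch introduces as `_gnutls_fips_mode_reset_zombie()`, so the "2 becomes 0" rule now lives in two places and any later change to it (a log line, an extra condition) has to be made twice. I would replace `if (_fips_mode == 2) _fips_mode = 0;` with `_gnutls_fips_mode_reset_zombie();`. The enclosing function starts outside the hunk; from the `return 0` / `error:` shape it looks like one of the self-check routines, but I cannot confirm that from what is visible, and if it is, a short comment saying why the mode is reset on the success path here as well as in the global init would help the next reader.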
Only in gnutls-3.3.8/lib: fips.c.orig
diff -ur gnutls-3.3.8.orig/lib/fips.h gnutls-3.3.8/lib/fips.h
--- gnutls-3.3.8.orig/lib/fips.h	2014-09-04 21:05:54.000000000 +0200
+++ gnutls-3.3.8/lib/fips.h	2014-11-18 09:46:47.377148445 +0100
@@ -55,6 +55,7 @@
 
 int _gnutls_fips_perform_self_checks1(void);
 int _gnutls_fips_perform_self_checks2(void);
+void _gnutls_fips_mode_reset_zombie(void);
 
 #ifdef ENABLE_FIPS140
 unsigned _gnutls_fips_mode_enabled(void);
diff -ur gnutls-3.3.8.orig/lib/gnutls_global.c gnutls-3.3.8/lib/gnutls_global.c
--- gnutls-3.3.8.orig/lib/gnutls_global.c	2014-09-04 21:05:54.000000000 +0200
+++ gnutls-3.3.8/lib/gnutls_global.c	2014-11-18 09:46:47.377148445 +0100
@@ -326,6 +326,7 @@
 				goto out;
 			}
 		}
+		_gnutls_fips_mode_reset_zombie();
 	}
 #endif
 	_gnutls_switch_lib_state(LIB_STATE_OPERATIONAL);
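Review bot: The new `_gnutls_fips_mode_reset_zombie()` call is reached only on the path that does not take the `goto out` above, and it has no comment explaining that from this point on `_gnutls_fips_mode_enabled()` returns 0, so any code later in this function or in its callees can no longer distinguish "zombie mode, self-tests ran" from "FIPS never requested". That appears to be the intent, but it deserves a line such as `/* zombie mode (2): self tests ran and their result is ignored; behave as non-FIPS from here on */`. The closing braces above suggest the `goto out` is nested under an inner condition, so a zombie-mode self-test failure presumably falls through to this reset too; if so, it would be good to say so in the same comment, since after the reset nothing records that a self-test failed. The enclosing function starts and ends outside this hunk.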
Only in gnutls-3.3.8/lib: gnutls_global.c.orig