Overview

File aide-disable-gcrypt-MD5-in-fips-mode.patch of Package aide.22016

From 59c376c3f0f5d7546192c32ee847181ebc5add4e Mon Sep 17 00:00:00 2001
From: Ali Abdallah <aabdallah@suse.de>
Date: Mon, 8 Nov 2021 09:28:58 +0100
Subject: [PATCH] Enable gcrypt MD5 hashsum only if not in fips mode

Add check for fips mode, and enable gcrypt MD5 hashsum only if it is not
active. Otherwise, md5_init in gcrypt cipher/md5.c will fatally abort with

"Every time you use MD5 god kills a kitten. How many more have to die?"
---
 doc/aide.conf.5 |  2 +-
 src/aide.c      | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/doc/aide.conf.5 b/doc/aide.conf.5
index 240f4c6..124ea58 100644
--- a/doc/aide.conf.5
+++ b/doc/aide.conf.5
@@ -415,7 +415,7 @@ Input is read from filedescriptor \fBnumber\fR or output is written to
 .IP "I:	ignore changed filename"
 .IP "ANF:	allow new files
 .IP "ARF:	allow removed files
-.IP "md5:	md5 checksum"
+.IP "md5: MD5 checksum (not in \fIlibgcrypt\fR FIPS mode)"
 .IP "sha1: sha1 checksum"
 .IP "sha256: sha256 checksum"
 .IP "sha512: sha512 checksum"
diff --git a/src/aide.c b/src/aide.c
index c8f0af4..ca8f2d4 100644
--- a/src/aide.c
+++ b/src/aide.c
@@ -30,6 +30,7 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <time.h>
+#include <syslog.h>
 
 #if HAVE_UNISTD_H
 #include <unistd.h>
@@ -267,6 +268,7 @@ static void setdefaults_before_config()
   url_t* u=NULL;
   char* s=(char*)malloc(sizeof(char)*MAXHOSTNAMELEN+1);
   DB_ATTR_TYPE X;
+  DB_ATTR_TYPE GROUP_R_HASHES=0LLU;
 
   /*
     Set up the hostname
@@ -349,7 +351,12 @@ static void setdefaults_before_config()
 
   conf->db_attrs = 0;
 #if defined(WITH_MHASH) || defined(WITH_GCRYPT)
-  conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512;
+  if (!gcry_fips_mode_active())
+    conf->db_attrs |= DB_MD5;
+  else {
+    syslog(LOG_NOTICE, "libgcrypt is running in FIPS mode, MD5 hash is not available");
+  }
+  conf->db_attrs |= DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512;
 #ifdef WITH_MHASH
   conf->db_attrs |= DB_GOST;
 #ifdef HAVE_MHASH_WHIRLPOOL
@@ -404,7 +411,10 @@ static void setdefaults_before_config()
   do_groupdef("c",DB_CTIME);
   do_groupdef("a",DB_ATIME);
 #if defined(WITH_MHASH) || defined(WITH_GCRYPT)
-  do_groupdef("md5",DB_MD5);
+  if (!gcry_fips_mode_active()) {
+    do_groupdef("md5",DB_MD5);
+    GROUP_R_HASHES = DB_MD5;
+  }
   do_groupdef("tiger",DB_TIGER);
   do_groupdef("haval",DB_HAVAL);
   do_groupdef("crc32",DB_CRC32);
@@ -452,7 +462,7 @@ static void setdefaults_before_config()
   do_groupdef("R",DB_PERM|DB_FTYPE|DB_INODE|DB_LNKCOUNT|DB_UID|DB_GID|DB_SIZE|
           DB_LINKNAME|DB_MTIME|DB_CTIME
 #if defined(WITH_MHASH) || defined(WITH_GCRYPT)
-          |DB_MD5
+          |GROUP_R_HASHES
 #endif
           |X);
 
-- 
2.26.2
openSUSE Build Service is sponsored by
Places