File gnutls-fips_mode_enabled.patch of Package gnutls.18748
Index: gnutls-3.6.7/lib/fips.c
===================================================================
--- gnutls-3.6.7.orig/lib/fips.c 2020-04-07 11:11:54.490109339 +0200
+++ gnutls-3.6.7/lib/fips.c 2020-04-21 14:54:51.262199739 +0200
@@ -38,7 +38,6 @@ unsigned int _gnutls_lib_state = LIB_STA
#include <dlfcn.h>
#define FIPS_KERNEL_FILE "/proc/sys/crypto/fips_enabled"
-#define FIPS_SYSTEM_FILE "/etc/system-fips"
/* We provide a per-thread FIPS-mode so that an application
* can use gnutls_fips140_set_mode() to override a specific
@@ -53,7 +52,7 @@ static int _skip_integrity_checks = 0;
*/
unsigned _gnutls_fips_mode_enabled(void)
{
- unsigned f1p = 0, f2p;
+ unsigned f1p = 0;
FILE* fd;
const char *p;
unsigned ret;
@@ -80,7 +79,7 @@ unsigned _gnutls_fips_mode_enabled(void)
p = secure_getenv("GNUTLS_FORCE_FIPS_MODE");
if (p) {
if (p[0] == '1')
- ret = 1;
+ ret = GNUTLS_FIPS140_STRICT;
else if (p[0] == '2')
ret = GNUTLS_FIPS140_SELFTESTS;
else if (p[0] == '3')
@@ -102,22 +101,12 @@ unsigned _gnutls_fips_mode_enabled(void)
else f1p = 0;
}
- f2p = !access(FIPS_SYSTEM_FILE, F_OK);
-
- if (f1p != 0 && f2p != 0) {
+ if (f1p != 0) {
_gnutls_debug_log("FIPS140-2 mode enabled\n");
ret = GNUTLS_FIPS140_STRICT;
goto exit;
}
- if (f2p != 0) {
- /* a funny state where self tests are performed
- * and ignored */
- _gnutls_debug_log("FIPS140-2 ZOMBIE mode enabled\n");
- ret = GNUTLS_FIPS140_SELFTESTS;
- goto exit;
- }
-
ret = GNUTLS_FIPS140_DISABLED;
goto exit;