do not dump core if hash algorithm not available in the FIPS mode

2014-05-07 16:53:53 +02:00 · 2014-05-07 16:53:53 +02:00 · db860fa735
commit db860fa735
parent 03c4b85686
2 changed files with 41 additions and 1 deletions
--- a/gnupg-2.0.19-fips-algo.patch
+++ b/gnupg-2.0.19-fips-algo.patch
@ -39,3 +39,40 @@ diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c
       }
     if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
 	/* This is a kludge to work around a bug in pgp2.  It does only
+@@ -2157,24 +2159,30 @@ proc_tree( CTX c, KBNODE node )
+ 	else if( !c->any.data ) {
+ 	    /* detached signature */
+ 	    free_md_filter_context( &c->mfx );
+-            if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0))
+-              BUG ();
+            if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) {
+               log_error("Digest algorithm not available probably due to FIPS mode.\n");
+               return;
+	    }
+ 
+ 	    if( !opt.pgp2_workarounds )
+ 		;
+ 	    else if( sig->digest_algo == DIGEST_ALGO_MD5
+ 		     && is_RSA( sig->pubkey_algo ) ) {
+ 		/* enable a workaround for a pgp2 bug */
+-                if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0))
+-                  BUG ();
+                if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) {
+                   log_error("Digest algorithm not available probably due to FIPS mode.\n");
+                   return;
+	        }
+ 	    }
+ 	    else if( sig->digest_algo == DIGEST_ALGO_SHA1
+ 		     && sig->pubkey_algo == PUBKEY_ALGO_DSA
+ 		     && sig->sig_class == 0x01 ) {
+ 		/* enable the workaround also for pgp5 when the detached
+ 		 * signature has been created in textmode */
+-              if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 ))
+-                BUG ();
+              if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) {
+                 log_error("Digest algorithm not available.\n");
+                 return;
+	      }
+ 	    }
+ #if 0 /* workaround disabled */
+ 	    /* Here we have another hack to work around a pgp 2 bug
--- a/gnupg2.spec
+++ b/gnupg2.spec
@ -1,7 +1,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.0.22
-Release: 2%{?dist}
+Release: 3%{?dist}

 License: GPLv3+
 Group:   Applications/System
@ -193,6 +193,9 @@ fi


 %changelog
+* Wed May  7 2014 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-3
+- do not dump core if hash algorithm not available in the FIPS mode
+
 * Tue Mar  4 2014 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-2
 - rebuilt against new libgcrypt