[gnupg2] do not dump core if hash algorithm not available in the FIPS mode

Tomáš Mráz tmraz at fedoraproject.org
Wed May 7 14:53:33 UTC 2014 

commit db860fa735af16b9b1bb19b7d382c20005ca1096
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Wed May 7 16:53:53 2014 +0200

    do not dump core if hash algorithm not available in the FIPS mode

 gnupg-2.0.19-fips-algo.patch |   37 +++++++++++++++++++++++++++++++++++++
 gnupg2.spec                  |    5 ++++-
 2 files changed, 41 insertions(+), 1 deletions(-)
---
diff --git a/gnupg-2.0.19-fips-algo.patch b/gnupg-2.0.19-fips-algo.patch
index 4eaea75..f7b4ae9 100644
--- a/gnupg-2.0.19-fips-algo.patch
+++ b/gnupg-2.0.19-fips-algo.patch
@@ -39,3 +39,40 @@ diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c
        }
      if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
  	/* This is a kludge to work around a bug in pgp2.  It does only
+@@ -2157,24 +2159,30 @@ proc_tree( CTX c, KBNODE node )
+ 	else if( !c->any.data ) {
+ 	    /* detached signature */
+ 	    free_md_filter_context( &c->mfx );
+-            if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0))
+-              BUG ();
++            if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) {
++               log_error("Digest algorithm not available probably due to FIPS mode.\n");
++               return;
++	    }
+ 
+ 	    if( !opt.pgp2_workarounds )
+ 		;
+ 	    else if( sig->digest_algo == DIGEST_ALGO_MD5
+ 		     && is_RSA( sig->pubkey_algo ) ) {
+ 		/* enable a workaround for a pgp2 bug */
+-                if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0))
+-                  BUG ();
++                if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) {
++                   log_error("Digest algorithm not available probably due to FIPS mode.\n");
++                   return;
++	        }
+ 	    }
+ 	    else if( sig->digest_algo == DIGEST_ALGO_SHA1
+ 		     && sig->pubkey_algo == PUBKEY_ALGO_DSA
+ 		     && sig->sig_class == 0x01 ) {
+ 		/* enable the workaround also for pgp5 when the detached
+ 		 * signature has been created in textmode */
+-              if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 ))
+-                BUG ();
++              if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) {
++                 log_error("Digest algorithm not available.\n");
++                 return;
++	      }
+ 	    }
+ #if 0 /* workaround disabled */
+ 	    /* Here we have another hack to work around a pgp 2 bug
diff --git a/gnupg2.spec b/gnupg2.spec
index 88d86a8..9cad929 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -1,7 +1,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.0.22
-Release: 2%{?dist}
+Release: 3%{?dist}
 
 License: GPLv3+
 Group:   Applications/System
@@ -193,6 +193,9 @@ fi
 
 
 %changelog
+* Wed May  7 2014 Tomáš Mráz <tmraz at redhat.com> - 2.0.22-3
+- do not dump core if hash algorithm not available in the FIPS mode
+
 * Tue Mar  4 2014 Tomáš Mráz <tmraz at redhat.com> - 2.0.22-2
 - rebuilt against new libgcrypt

More information about the scm-commits mailing list