Pull Request (patch libgcrypt)

Antonio Harres tom.mharres at gmail.com
Fri Aug 21 00:57:51 CEST 2020


Hello, I will be as descriptive as possible about the issue here:
In order to probe if fips_mode is enabled in the operating system,
libgcrypt will try to fopen "/proc/sys/crypto/fips_enabled". Now, according
to libgcrypt documentation, this file may not exist...
If it doesn't, then libgcrypt falls back to "/etc/gcrypt/fips_enabled"; it
will again try to fopen it.
This procedure is described here:
https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html
The key point here is that the relevant portion of code is using fopen to
probe for the existence of the file. This may return all sorts of errors,
but commonly it's ENOENT, which is then returned into any code that is
initializing libgcrypt. But I'm getting errno at something that is not an
error, rather, a configuration detail: the fact that the file doesn't exist
just means that libgcrypt should disable fips mode internally.
While describing the problem here, I understood a flaw in my patch; allow
me to send a new patch that will ignore errno only in case it's ENOENT.

On Wed, Aug 19, 2020 at 14:29, Werner Koch <wk at gnupg.org> wrote:

> Hi!
>
> > I was coding with libcurl and decided to debug my code with a
> > watchpoint on errno, to my unpleasant surprise, I found that libgcrypt
> > was returning error, despite that I was doing everything okay and
> > libgcrypt wasn't really having a decent reason to return error.
>
> Can you please describe the problem you are trying to address?
>
> May I assume that you are under the impression that Libgcrypt may not
> change ERRNO while you call an arbitrary function of it?  That is not
> the case.  Maybe you should take another path to debugging than
> watchpointing ERRNO.
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
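
Added example, not part of the original messages and not libgcrypt's code: a C version of the flag-file probe discussed in this thread that treats ENOENT as "flag not set" and restores the caller's errno, while any other fopen failure stays visible. The function names and the missing-path string are hypothetical; callers should still read errno only after a function has reported failure.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helpers for illustration; not libgcrypt's code. */
/* 1 = non-zero number, 0 = zero or empty, -1 = read error (errno set). */
int parse_flag(FILE *fp)
{
    char line[32];
    if (!fgets(line, sizeof line, fp))
        return ferror(fp) ? -1 : 0;
    return strtol(line, NULL, 10) != 0;
}

/* A missing file means "not enabled" and leaves the caller's errno
   untouched; any other failure returns -1 with errno describing it. */
int probe_fips_flag(const char *path)
{
    int saved = errno;
    FILE *fp = fopen(path, "r");
    if (!fp) {
        if (errno != ENOENT)
            return -1;
        errno = saved;
        return 0;
    }
    int enabled = parse_flag(fp);
    int read_errno = errno;
    fclose(fp);
    errno = enabled < 0 ? read_errno : saved;
    return enabled;
}

/* Constructed check: errno a caller sees after probing a missing path. */
int errno_after_missing_probe(void)
{
    errno = 0;
    return probe_fips_flag("/no-such-dir-example/fips_enabled") == 0 ? errno : -1;
}

int main(void)
{
    /* Path from the post; the result depends on the host. */
    printf("fips flag: %d\n", probe_fips_flag("/proc/sys/crypto/fips_enabled"));
    printf("errno after missing-file probe: %d\n", errno_after_missing_probe());
    return 0;
}
```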