<div dir="ltr"><pre>diff --git a/src/fips.c b/src/fips.c
index 1ac7f477..c28efaef 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -138,8 +138,17 @@ _gcry_initialize_fips_mode (int force)
static const char procfname[] = "/proc/sys/crypto/fips_enabled";
FILE *fp;
int saved_errno;
-
+ saved_errno = errno;
+ /* since procfname may not exist and that's okay, we should ignore
+ if fopen sets errno to ENOENT (no such file) */
fp = fopen (procfname, "r");
+ /* if file doesn't exist, which is a condition described here:
+ <a href="https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html">https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html</a> */
+ if (errno == ENOENT)
+ {
+ /* restore errno's value before fopen call */
+ errno = saved_errno;
+ }
if (fp)
{
char line[256];
@@ -178,6 +187,7 @@ _gcry_initialize_fips_mode (int force)
{
/* Yes, we are in FIPS mode. */
FILE *fp;
+ int saved_errno;
/* Intitialize the lock to protect the FSM. */
err = gpgrt_lock_init (&fsm_lock);
@@ -197,9 +207,16 @@ _gcry_initialize_fips_mode (int force)
}
+ saved_errno = errno;
/* If the FIPS force files exists, is readable and has a number
!= 0 on its first line, we enable the enforced fips mode. */
fp = fopen (FIPS_FORCE_FILE, "r");
+ if (errno == ENOENT)
+ {
+ /* since FIPS_FORCE_FILE may not exist, we ignore if fopen
+ returns ENOENT (file not found) */
+ errno = saved_errno;
+ }
if (fp)
{
char line[256];
</pre></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em qui., 20 de ago. de 2020 às 19:57, Antonio Harres <<a href="mailto:tom.mharres@gmail.com">tom.mharres@gmail.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div>Hello, I will be as descriptive as possible about the issue here:<br></div>In order to probe if fips_mode is enabled in the operating system, libgcrypt will try to fopen "/proc/sys/crypto/fips_enabled", now according to libgcrypt documentation, this file may not exist...<br></div>If it doesn't, then libgcrypt fallsback to "/etc/gcrypt/fips_enabled", it will again try to fopen it.<br></div><div>This procedure is described here: <a href="https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html" target="_blank">https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html</a><br></div><div>The key point here is that the relevant portion of code is using fopen to probe for the existence of the file, this may return all sorts of errors, but commonly it's ENOENT. which is then returned into any code that is initializing libgcrypt. But, I'm getting errno at something that is not an error, rather, a configuration detail, the fact that the file doesn't exist just means that libgcrypt should disable fips mode internally.<br></div><div>While describing the problem here, I understood a flaw in my patch, allow me to send a new patch that will ignore errno only in case it's ENOENT.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em qua., 19 de ago. de 2020 às 14:29, Werner Koch <<a href="mailto:wk@gnupg.org" target="_blank">wk@gnupg.org</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi!<br>
<br>
> I was coding with libcurl and decided to debug my code with a<br>
> watchpoint on errno, to my unpleasent surprise, I found that libgcrypt<br>
> was returning error, despite that I was doing everything okay and<br>
> libgcrypt wasn't really having a decent reason to return error.<br>
<br>
Can you please describe the problem you are trying to address?<br>
<br>
May I assume that you are under the impression that Libgcrypt may not<br>
change ERRNO while you call an arbitrary function of it? That is not<br>
the case. Maybe you should take another path to debuggng that<br>
watchpointing ERRNO.<br>
<br>
<br>
Shalom-Salam,<br>
<br>
Werner<br>
<br>
-- <br>
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.<br>
</blockquote></div>
</blockquote></div>