Bug#1014517: apt - Fails in FIPS mode in libgcrypt

Sun, 28 May 2023 13:45:14 -0700 

So I see in the changes to libgcrypt since bullseye that there have
been some changes in the initialization on systems where FIPS is
enabled.

The attached patch has "works for me" status, and I feel that it is the
correct way to continue to have apt function as expected on a FIPS
enabled system.

I added a GCRYCTL_NO_FIPS_MODE setting in maybeInit() in
apt-pkg/contrib/hashes.cc
And, since the value of the enum GCRYCTL_NO_FIPS_MODE appeared just
before the release of libgcrypt 1.10.0, I added that version dependency
to the debian/control file.

Control: tag -1 patch

-Maitland

enc:
0001-Do-not-fail-on-systems-running-in-FIPSmode.patch


From 4df25d8781f56036e921792fdd48abd5f2084d98 Mon Sep 17 00:00:00 2001
From: "A. Maitland Bottoms" <[email protected]>
Date: Sun, 28 May 2023 15:12:36 -0400
Subject: [PATCH] Do not fail on systems running in FIPSmode.

Initialize using gcrypt's GCRYCTL_NO_FIPS_MODE, available since
gcrypt version 1.10.0, otherwise apt aborts on FIPS enabled systems.
---
 apt-pkg/contrib/hashes.cc | 3 +++
 debian/changelog          | 6 ++++++
 debian/control            | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc
index 313b1d37d..80b9bbf3f 100644
--- a/apt-pkg/contrib/hashes.cc
+++ b/apt-pkg/contrib/hashes.cc
@@ -330,6 +330,9 @@ public:
 	    exit(2);
 	 }
 
+	 // It is OK for apt to use MD5.
+	 gcry_control(GCRYCTL_NO_FIPS_MODE, 0);
+
 	 gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
       }
    }
diff --git a/debian/changelog b/debian/changelog
index 5961148d2..e279ad0d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apt (2.6.2) unstable; urgency=medium
+
+  * Do not fail on systems running in FIPSmode. (Closes: #1014517)
+
+ -- A. Maitland Bottoms <[email protected]>  Sun, 28 May 2023 11:28:37 -0400
+
 apt (2.6.1) unstable; urgency=medium
 
   * Restore adduser dependency for bookworm.
diff --git a/debian/control b/debian/control
index 58c6be15e..6f3ceb81e 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,7 @@ Build-Depends: cmake (>= 3.4),
                libbz2-dev,
                libdb-dev,
                libgnutls28-dev (>= 3.4.6),
-               libgcrypt20-dev,
+               libgcrypt20-dev (>=1.10.0),
                liblz4-dev (>= 0.0~r126),
                liblzma-dev,
                libseccomp-dev (>= 2.4.2) [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x hppa powerpc powerpcspe ppc64 x32],
-- 
2.39.2

Reply via email to