Bug#1014517: apt - Fails in FIPS mode in libgcrypt

2023-05-28 Thread A. Maitland Bottoms
So I see in the changes to libgcrypt since bullseye that there have
been some changes in the initialization on systems where FIPS is
enabled.

The attached patch has "works for me" status, and I feel that it is the
correct way to continue to have apt function as expected on a FIPS
enabled system.

I added a GCRYCTL_NO_FIPS_MODE setting in maybeInit() in
apt-pkg/contrib/hashes.cc. And, since the value of the enum
GCRYCTL_NO_FIPS_MODE appeared just before the release of libgcrypt 1.10.0,
I added that version dependency to the debian/control file.

Control: tag -1 patch

-Maitland

enc:
0001-Do-not-fail-on-systems-running-in-FIPSmode.patch

From 4df25d8781f56036e921792fdd48abd5f2084d98 Mon Sep 17 00:00:00 2001
From: "A. Maitland Bottoms" 
Date: Sun, 28 May 2023 15:12:36 -0400
Subject: [PATCH] Do not fail on systems running in FIPSmode.

Initialize using gcrypt's GCRYCTL_NO_FIPS_MODE, available since
gcrypt version 1.10.0, otherwise apt aborts on FIPS enabled systems.
---
 apt-pkg/contrib/hashes.cc | 3 +++
 debian/changelog  | 6 ++
 debian/control| 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc
index 313b1d37d..80b9bbf3f 100644
--- a/apt-pkg/contrib/hashes.cc
+++ b/apt-pkg/contrib/hashes.cc
@@ -330,6 +330,9 @@ public:
 	exit(2);
 	 }
 
+	 // It is OK for apt to use MD5.
+	 gcry_control(GCRYCTL_NO_FIPS_MODE, 0);
+
 	 gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
   }
}
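Review bot: the gcry_control(GCRYCTL_NO_FIPS_MODE, 0) call added just before GCRYCTL_INITIALIZATION_FINISHED discards its return value. gcry_control returns a gcry_error_t, and if the request is rejected (issued too late, or not honoured by the installed library) libgcrypt simply stays in FIPS mode and the next HexDigest() on an MD5 context aborts exactly as in the original report. Check the result, e.g. `gcry_error_t err = gcry_control(GCRYCTL_NO_FIPS_MODE, 0);`, and on failure fall back to the reporter's suggestion of testing gcry_fips_mode_active() and not requesting MD5 at all. The comment "It is OK for apt to use MD5." should also say why: the backtrace shows the failing caller is debListParser::Description_md5(), which derives the Description-md5 lookup key rather than verifying a download, so the hash is not used for integrity.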
diff --git a/debian/changelog b/debian/changelog
index 5961148d2..e279ad0d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apt (2.6.2) unstable; urgency=medium
+
+  * Do not fail on systems running in FIPSmode. (Closes: #1014517)
+
+ -- A. Maitland Bottoms   Sun, 28 May 2023 11:28:37 -0400
+
 apt (2.6.1) unstable; urgency=medium
 
   * Restore adduser dependency for bookworm.
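Review bot: the new 2.6.2 entry records only the FIPS fix, but the same patch raises the libgcrypt20-dev build dependency to >= 1.10.0; add a second bullet for that, since it is what stops the package from building against an older libgcrypt and is what a backporter needs to know. For a patch submitted to the BTS the version and "unstable" target also pre-empt the maintainer's release; the usual placeholder is the UNRELEASED distribution, leaving the version bump to whoever uploads.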
diff --git a/debian/control b/debian/control
index 58c6be15e..6f3ceb81e 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,7 @@ Build-Depends: cmake (>= 3.4),
libbz2-dev,
libdb-dev,
libgnutls28-dev (>= 3.4.6),
-   libgcrypt20-dev,
+   libgcrypt20-dev (>=1.10.0),
liblz4-dev (>= 0.0~r126),
liblzma-dev,
libseccomp-dev (>= 2.4.2) [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x hppa powerpc powerpcspe ppc64 x32],
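Review bot: `libgcrypt20-dev (>=1.10.0)` omits the space after `>=` that every other versioned entry in this Build-Depends list uses (`libgnutls28-dev (>= 3.4.6)`, `libseccomp-dev (>= 2.4.2)`); write `libgcrypt20-dev (>= 1.10.0)`. Note also that GCRYCTL_NO_FIPS_MODE is an enum value, not an exported symbol, so this build-dependency bump does not propagate into the binary package's runtime dependency on libgcrypt20: a binary built here but run against an older libgcrypt gets an error return from gcry_control for the unknown request and apt is back to aborting. If that matters for backports, add a matching versioned Depends on libgcrypt20 or check the gcry_control result in hashes.cc.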
-- 
2.39.2



Bug#1014517: apt - Fails in FIPS mode in libgcrypt

2022-07-07 Thread Bastian Blank
Package: apt
Version: 2.5.1
Severity: normal

"apt update" fails if the system runs in FIPS mode:

| # apt update
| Hit:2 http://deb.debian.org/debian-debug sid InRelease
| fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
| 
| Fatal error: requested algo not in md context
| Aborted

The backtrace is:

| #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
| #1  0xf78a630c in __GI_abort () at abort.c:79
| #2  0xf75ce110 in _gcry_fatal_error (rc=rc@entry=5, 
text=text@entry=0xf765cb80 "requested algo not in md context") at 
../../src/misc.c:97
| #3  0xf75e65b0 in md_read (algo=, a=, 
a=) at ../../cipher/md.c:1095
| #4  0xf7e435ac in HexDigest (hd=, algo=) at ./apt-pkg/contrib/hashes.cc:429
| #5  0xf7e44a18 in Hashes::GetHashString 
(this=this@entry=0xe6d8, hash=hash@entry=Hashes::MD5SUM) at 
./apt-pkg/contrib/hashes.cc:457
| #6  0xf7e5bfd4 in debListParser::Description_md5 
(this=0xaad9cf10) at ./apt-pkg/deb/deblistparser.cc:295
| #7  0xf7ecc020 in pkgCacheGenerator::MergeListVersion 
(this=this@entry=0xaab31470, List=..., Pkg=..., Version=..., 
OutVer=@0xe8c8: 0x0) at ./apt-pkg/pkgcachegen.cc:490
| #8  0xf7ecdb0c in pkgCacheGenerator::MergeList 
(this=this@entry=0xaab31470, List=..., OutVer=, 
OutVer@entry=0x0) at ./apt-pkg/pkgcachegen.cc:286
| #9  0xf7eb030c in pkgDebianIndexFile::Merge (this=, 
Gen=..., Prog=) at ./apt-pkg/indexfile.cc:348
| #10 0xf7ec8ef4 in operator() 
(__closure=__closure@entry=0xebc0, I=0xaab0a340) at 
./apt-pkg/pkgcachegen.cc:1557
| #11 0xf7ecedb4 in 
std::for_each<__gnu_cxx::__normal_iterator >, BuildCache(pkgCacheGenerator&, OpProgress*, 
map_filesize_t&, map_filesize_t, const pkgSourceList*, FileIterator, 
FileIterator):: > (__f=..., __last=0x0, 
__first=0xaab0a340) at /usr/include/c++/11/bits/stl_algo.h:3820
| #12 BuildCache (Gen=..., Progress=, 
Progress@entry=0xf280, CurrentSize=@0xecf0: 100043188, 
TotalSize=, TotalSize@entry=100043188, 
| List=List@entry=0x0, Start=..., End=...) at ./apt-pkg/pkgcachegen.cc:1586
| #13 0xf7ed0994 in pkgCacheGenerator::MakeStatusCache (List=..., 
Progress=Progress@entry=0xf280, OutMap=OutMap@entry=0xef18, 
OutCache=OutCache@entry=0xef20)
| at /usr/include/c++/11/bits/stl_iterator.h:1026
| #14 0xf7e0b2dc in pkgCacheFile::BuildCaches (this=0xf0c0, 
Progress=0xf280, WithLock=) at ./apt-pkg/cachefile.cc:127
| #15 0xf7f9e6fc in DoUpdate(CommandLine&) () from 
/lib/aarch64-linux-gnu/libapt-private.so.0.0
| #16 0xf7e27d20 in CommandLine::DispatchArg (this=0xf448, 
Map=, NoMatch=true) at ./apt-pkg/contrib/cmndline.cc:369
| #17 0xf7f633f4 in DispatchCommandLine(CommandLine&, 
std::vector > 
const&) ()
|from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #18 0x1898 in ?? ()
| #19 0xf78a6614 in __libc_start_main (main=0x17c0, argc=2, 
argv=0xf5d8, init=, fini=, 
rtld_fini=, 
| stack_end=) at ../csu/libc-start.c:332
| #20 0x19b8 in ?? ()

In FIPS mode MD5 is not allowed, so every usage results in a fatal error.

One workaround would be: check for FIPS mode with gcry_fips_mode_active and
don't try to use it then.

Bastian

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information
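An added example, written for this page and not apt's code nor either poster's: the Description-md5 derivation that the backtrace above ends in, carried out in Python with the two FIPS-handling options the thread discusses side by side (the patch's "declare this MD5 use non-security" opt-out and the reporter's "detect FIPS mode and skip MD5" workaround). It assumes the field body is hashed the way apt's Description_md5() does it, i.e. the raw Description field including its continuation lines, followed by one newline (my reading of apt's source, which this page shows only in the backtrace); that `/proc/sys/crypto/fips_enabled` is the kernel flag libgcrypt consults at initialization; and that hashlib's `usedforsecurity=False` is Python's counterpart to GCRYCTL_NO_FIPS_MODE. The Packages stanza is constructed.

```python
import hashlib

# Constructed Packages stanza, not taken from any real archive.
PACKAGES_STANZA = """\
Package: example-tool
Version: 1.2-3
Architecture: amd64
Description: Example command-line tool
 This is a constructed long description used only to illustrate
 how the Description-md5 lookup key is derived.
"""


def parse_stanza(text):
    """Minimal deb822 stanza parser.  Continuation lines keep their leading
    space and are joined with '\\n', which is the field body that gets hashed
    (assumed to match apt's tag-section parser)."""
    fields = {}
    key = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key] += "\n" + line
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Linux reports the kernel FIPS flag here; it reads '1' when enabled.
    A missing file (non-Linux, or a container without /proc) means not enabled."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def description_md5(fields, policy="declare-non-security", fips_active=None):
    """Return the Description-md5 key for a parsed stanza, or "" if none.

    policy "declare-non-security": compute MD5 but tell the hash library the
      use is not security-relevant (hashlib's usedforsecurity=False, the
      Python analogue of the patch's GCRYCTL_NO_FIPS_MODE).
    policy "skip-in-fips": the reporter's alternative; when FIPS mode is
      active do not compute MD5 at all and return "", which a caller treats
      exactly like a stanza that carries no Description-md5.
    fips_active=None means "ask the kernel"; pass True/False to force it.
    """
    if policy not in ("declare-non-security", "skip-in-fips"):
        raise ValueError("unknown policy %r" % policy)
    explicit = fields.get("Description-md5", "")
    if explicit:
        return explicit          # an explicit field wins over recomputation
    desc = fields.get("Description", "")
    if not desc:
        return ""
    if fips_active is None:
        fips_active = kernel_fips_enabled()
    if policy == "skip-in-fips" and fips_active:
        return ""
    data = (desc + "\n").encode("utf-8")   # field body plus trailing newline
    try:
        digest = hashlib.md5(data, usedforsecurity=False)
    except ValueError:
        # A strict FIPS build that refuses MD5 even when declared non-security:
        # degrade to "no key" instead of aborting the whole run.
        return ""
    return digest.hexdigest()


if __name__ == "__main__":
    parsed = parse_stanza(PACKAGES_STANZA)
    print("kernel FIPS mode:", kernel_fips_enabled())
    print("Description-md5:", description_md5(parsed) or "(unavailable)")
```

The point of the two policies is the failure mode that the report shows: with libgcrypt the MD5 request itself is fatal under FIPS, so the decision has to be made before the hash context is opened, either by declaring the use non-security at initialization (the patch) or by never asking for MD5 once FIPS mode is detected (the reporter's suggestion). Returning "" rather than raising keeps the degraded case identical to a stanza that simply lacks the field.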