author | Jakub Jelen <jjelen@redhat.com> | 2023-03-06 15:57:40 +0100 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2023-03-14 13:47:27 +0900 |
commit | 0b2b30c0c42fa2fea646a83a1f21a99f7a902853 (patch) | |
tree | 4c0009942effd371a29e3f3fa4e3ee09ffc782ba | |
parent | fcb9ec67a11763ca10fa1b64166c206da95eb006 (diff) | |
download | libgcrypt-0b2b30c0c42fa2fea646a83a1f21a99f7a902853.tar.gz |
fips: Explicitly allow only some PK flags.
* src/fips.c (_gcry_fips_indicator_pk_flags): New function for explicit
FIPS indicator for public key algorithm flags.
* src/g10lib.h (_gcry_fips_indicator_pk_flags): New.
* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS): New.
* src/global.c (_gcry_vcontrol): Handle the new option.
* doc/gcrypt.texi: Document new options.
--
Cherry-picked master commit of:
4c1c8a707f9652dbfad8f8b531d8b84556f655f1
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-rw-r--r-- | doc/gcrypt.texi | 6 | ||||
-rw-r--r-- | src/fips.c | 15 | ||||
-rw-r--r-- | src/g10lib.h | 1 | ||||
-rw-r--r-- | src/gcrypt.h.in | 3 | ||||
-rw-r--r-- | src/global.c | 7 |
5 files changed, 31 insertions, 1 deletions
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index 828d58a2..3b40af8a 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -997,6 +997,12 @@ Check if the given message digest algorithm is approved under the current FIPS 140-3 certification. If the algorithm is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char * + +Check if the given public key operation flag is approved under the current +FIPS 140-3 certification. If the flag is approved, this function returns +@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + @end table @end deftypefun @@ -454,6 +454,21 @@ _gcry_fips_indicator_function (va_list arg_ptr) } +int +_gcry_fips_indicator_pk_flags (va_list arg_ptr) +{ + const char *flag = va_arg (arg_ptr, const char *); + + if (strcmp (flag, "param") == 0 || + strcmp (flag, "raw") == 0 || + strcmp (flag, "no-blinding") == 0 || + strcmp (flag, "pss") == 0) + return GPG_ERR_NO_ERROR; + + return GPG_ERR_NOT_SUPPORTED; +} + + /* This is a test on whether the library is in the error or operational state. */ int diff --git a/src/g10lib.h b/src/g10lib.h index 490caf2e..a7aee80d 100644 --- a/src/g10lib.h +++ b/src/g10lib.h @@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list arg_ptr); int _gcry_fips_indicator_md (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr); int _gcry_fips_indicator_function (va_list arg_ptr); +int _gcry_fips_indicator_pk_flags (va_list arg_ptr); int _gcry_fips_is_operational (void); diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index 8a002a2e..255c5ab1 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in 
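Review bot: In `_gcry_fips_indicator_pk_flags` (the src/fips.c hunk), `flag` goes straight from `va_arg` into `strcmp`, so a NULL argument to this control command is dereferenced inside the library instead of being rejected. Because the argument is a caller-supplied string, I would add a guard before the comparisons, `if (!flag) return GPG_ERR_INV_ARG;`, or return `GPG_ERR_NOT_SUPPORTED` there if the indicator should only ever give the two documented answers. The function also has no header comment; something like `/* FIPS service indicator for a single pk flag name; any name not listed here is reported as not approved. */` would record that the list is an allow-list and that the match is exact on one NUL-terminated flag name.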
@@ -333,7 +333,8 @@ enum gcry_ctl_cmds GCRYCTL_NO_FIPS_MODE = 83, GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84, GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, - GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86 + GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, + GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87 }; /* Perform various operations defined by CMD. */ diff --git a/src/global.c b/src/global.c index 7c5caa14..873789cc 100644 --- a/src/global.c +++ b/src/global.c @@ -818,6 +818,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) rc = _gcry_fips_indicator_function (arg_ptr); break; + case GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS: + /* Get FIPS Service Indicator for a public key operation flags. + * Returns GPG_ERR_NO_ERROR if the flag is allowed to be used or + * GPG_ERR_NOT_SUPPORTED otherwise */ + rc = _gcry_fips_indicator_pk_flags (arg_ptr); + break; + case PRIV_CTL_INIT_EXTRNG_TEST: /* Init external random test. */ rc = GPG_ERR_NOT_SUPPORTED; break; |
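Review bot: The comment on the new `GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS` case in `_gcry_vcontrol` does not say what the argument is, while the called function compares it against single flag names, so a string holding several flags would presumably come back as not supported. I would word the first sentence as `/* Get FIPS Service Indicator for a single public key operation flag, passed as a const char * flag name.` and keep the existing sentence on the return values. A caller checking an operation that uses several flags then knows to query each flag separately and to treat any non-zero result as not approved. The body of `_gcry_vcontrol` starts and ends outside this hunk.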