author | Tobias Heider <tobias.heider@canonical.com> | 2023-02-16 03:20:48 +0100 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2023-03-08 10:23:01 +0900 |
commit | a51f0e66842ae989cd3966e5ef5eb1f62a3576b1 (patch) | |
tree | 93a59fa0db8efb08270f0e21e85707f6ade432d5 | |
parent | 397ff085749e5b47095827d19561332a67007c02 (diff) | |
fips: Add explicit indicators for md and mac algorithms.
* src/fips.c (_gcry_fips_indicator_mac): New function indicating
non-approved mac algorithms.
(_gcry_fips_indicator_md): new functions indicating non-approved
message digest algorithms.
* src/g10lib.h (_gcry_fips_indicator_mac): New function.
(_gcry_fips_indicator_md): Ditto.
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols,
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
GCRYCTL_FIPS_SERVICE_INDICATOR_MD.
* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.
--
Cherry-pick master commit of:
c88672a327f6774a66d75a35f25266eec99b16f4
GnuPG-bug-id: 6376
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
-rw-r--r-- | src/fips.c | 51 | ||||
-rw-r--r-- | src/g10lib.h | 2 | ||||
-rw-r--r-- | src/gcrypt.h.in | 4 | ||||
-rw-r--r-- | src/global.c | 14 |
4 files changed, 70 insertions, 1 deletions
@@ -377,6 +377,57 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
 }
 
 int
+_gcry_fips_indicator_mac (va_list arg_ptr)
+{
+ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+
+ switch (alg)
+ {
+ case GCRY_MAC_CMAC_AES:
+ case GCRY_MAC_HMAC_SHA1:
+ case GCRY_MAC_HMAC_SHA224:
+ case GCRY_MAC_HMAC_SHA256:
+ case GCRY_MAC_HMAC_SHA384:
+ case GCRY_MAC_HMAC_SHA512:
+ case GCRY_MAC_HMAC_SHA512_224:
+ case GCRY_MAC_HMAC_SHA512_256:
+ case GCRY_MAC_HMAC_SHA3_224:
+ case GCRY_MAC_HMAC_SHA3_256:
+ case GCRY_MAC_HMAC_SHA3_384:
+ case GCRY_MAC_HMAC_SHA3_512:
+ return GPG_ERR_NO_ERROR;
+ default:
+ return GPG_ERR_NOT_SUPPORTED;
+ }
+}
+
+int
+_gcry_fips_indicator_md (va_list arg_ptr)
+{
+ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
+
+ switch (alg)
+ {
+ case GCRY_MD_SHA1:
+ case GCRY_MD_SHA224:
+ case GCRY_MD_SHA256:
+ case GCRY_MD_SHA384:
+ case GCRY_MD_SHA512:
+ case GCRY_MD_SHA512_224:
+ case GCRY_MD_SHA512_256:
+ case GCRY_MD_SHA3_224:
+ case GCRY_MD_SHA3_256:
+ case GCRY_MD_SHA3_384:
+ case GCRY_MD_SHA3_512:
+ case GCRY_MD_SHAKE128:
+ case GCRY_MD_SHAKE256:
+ return GPG_ERR_NO_ERROR;
+ default:
+ return GPG_ERR_NOT_SUPPORTED;
+ }
+}
+
+int
 _gcry_fips_indicator_kdf (va_list arg_ptr)
 {
 enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
diff --git a/src/g10lib.h b/src/g10lib.h
index 645ec7d3..490caf2e 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -456,6 +456,8 @@ void _gcry_fips_signal_error (const char *srcfile,
 #endif
 
 int _gcry_fips_indicator_cipher (va_list arg_ptr);
+int _gcry_fips_indicator_mac (va_list arg_ptr);
+int _gcry_fips_indicator_md (va_list arg_ptr);
 int _gcry_fips_indicator_kdf (va_list arg_ptr);
 int _gcry_fips_indicator_function (va_list arg_ptr);
 
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index ddb99ef9..8a002a2e 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
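Review bot: Both new indicators in src/fips.c decide from the algorithm identifier alone, so `GPG_ERR_NO_ERROR` from `_gcry_fips_indicator_mac` or `_gcry_fips_indicator_md` says nothing about parameters that also affect approval, such as the HMAC key length or what a SHA-1 digest is used for. Neither function carries a comment, and a caller could read the result as a verdict on the whole operation; whether key-length limits are enforced elsewhere in the library is not visible in this hunk. I would add above each function something like `/* Service indicator by algorithm id only: GPG_ERR_NO_ERROR if ALG is on the approved list, GPG_ERR_NOT_SUPPORTED otherwise; parameters such as key length are not considered. */`. Separately, `va_arg (arg_ptr, enum gcry_mac_algos)` relies on the enum being int-compatible after default argument promotion, as the existing `_gcry_fips_indicator_kdf` context line also does; reading an `int` and converting it would not depend on how the compiler sizes the enum.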
@@ -331,7 +331,9 @@ enum gcry_ctl_cmds
 GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
 GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
 GCRYCTL_NO_FIPS_MODE = 83,
- GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84
+ GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86
 };
 
 /* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index 5087c819..7c5caa14 100644
--- a/src/global.c
+++ b/src/global.c
@@ -791,6 +791,20 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
 rc = _gcry_fips_indicator_cipher (arg_ptr);
 break;
 
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+ /* Get FIPS Service Indicator for a given message authentication code.
+ * Returns GPG_ERR_NO_ERROR if algorithm is allowed or
+ * GPG_ERR_NOT_SUPPORTED otherwise */
+ rc = _gcry_fips_indicator_mac (arg_ptr);
+ break;
+
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MD:
+ /* Get FIPS Service Indicator for a given message digest. Returns
+ * GPG_ERR_NO_ERROR if algorithm is allowed or GPG_ERR_NOT_SUPPORTED
+ * otherwise */
+ rc = _gcry_fips_indicator_md (arg_ptr);
+ break;
+
 case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
 /* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
 * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */ |
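Review bot: `GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85` and `GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86` become part of the public `enum gcry_ctl_cmds`, but the diffstat lists only four files under src/, so the reference manual gets no entry for them in this commit. An application that probes these codes against a library build that lacks them gets whatever the dispatcher returns for an unknown command, which is not shown here and may be hard to tell apart from a non-approved answer; the documentation should state which release introduces the codes. Since this is a cherry-pick, the numeric values also need to match the master branch so that the branches stay ABI-compatible; presumably they do, but that cannot be confirmed from this page.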
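Review bot: The comments on the two new cases in src/global.c give the return values but not the argument, and `_gcry_vcontrol` receives it through a `va_list`, so nothing checks at compile time that the caller passed the right kind of identifier. I would extend them to name it, e.g. `/* Argument: one enum gcry_mac_algos value. */` for the MAC case and `/* Argument: one enum gcry_md_algos value. */` for the digest case. "Allowed" in both comments would also read more precisely as "FIPS-approved", since the indicator reports approval status rather than availability. The switch in `_gcry_vcontrol` starts and ends outside this hunk.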