authorNIIBE Yutaka <gniibe@fsij.org>2022-01-04 13:58:55 +0900
committerNIIBE Yutaka <gniibe@fsij.org>2022-01-04 14:05:26 +0900
commit034e4402dade7a4bcc239913b78c702c5c6f0dbb (patch)
tree27fb91885efe6f769886ab4b94b988f9cee1a71b
parentc49ff1f46436ed071b93816112a0d0393f84d5d7 (diff)
fips: Use flags.fips to check algo availability.
* cipher/cipher.c (check_cipher_algo): Check ->flags.fips. (_gcry_cipher_open_internal, _gcry_cipher_selftest): Likewise. (_gcry_cipher_init): Don't modify ->flags.disabled. * cipher/mac.c (_gcry_mac_init): Don't modify ->flags.disabled. (check_mac_algo): Check ->flags.fips. (mac_open, _gcry_mac_selftest): Likewise. * cipher/md.c (check_digest_algo): Check ->flags.fips. (md_enable, _gcry_md_hash_buffer): Likewise. (_gcry_md_hash_buffers_extract, _gcry_md_selftest): Likewise. (_gcry_md_init): Don't modify ->flags.disabled. -- GnuPG-bug-id: 5747 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-rw-r--r--cipher/cipher.c22
-rw-r--r--cipher/mac.c30
-rw-r--r--cipher/md.c33
3 files changed, 34 insertions, 51 deletions
diff --git a/cipher/cipher.c b/cipher/cipher.c
index 5516cfec..4890777d 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -412,7 +412,7 @@ check_cipher_algo (int algorithm)
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algorithm);
- if (spec && !spec->flags.disabled)
+ if (spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()))
return 0;
return GPG_ERR_CIPHER_ALGO;
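Review bot: The FIPS gate `(spec->flags.fips || !fips_mode ())` is now written out by hand at every availability check, starting with check_cipher_algo here and repeated in _gcry_cipher_open_internal, _gcry_cipher_selftest and the corresponding mac.c and md.c hunks. Because the init functions no longer set flags.disabled for non-approved algorithms, any entry point that still tests only flags.disabled would admit a non-FIPS algorithm in FIPS mode; none is visible in these hunks, but the files are larger than what is shown. A single per-file predicate would make a missed site harder to introduce, for example `static int cipher_algo_usable (const gcry_cipher_spec_t *spec) { return spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()); }`, with a comment stating that flags.disabled alone no longer encodes FIPS policy. check_cipher_algo starts and ends outside this hunk.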
@@ -509,6 +509,8 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
err = GPG_ERR_CIPHER_ALGO;
else if (spec->flags.disabled)
err = GPG_ERR_CIPHER_ALGO;
+ else if (!spec->flags.fips && fips_mode ())
+ err = GPG_ERR_CIPHER_ALGO;
else
err = 0;
@@ -1864,17 +1866,6 @@ _gcry_cipher_get_algo_blklen (int algo)
gcry_err_code_t
_gcry_cipher_init (void)
{
- if (fips_mode())
- {
- /* disable algorithms that are disallowed in fips */
- int idx;
- gcry_cipher_spec_t *spec;
-
- for (idx = 0; (spec = cipher_list[idx]); idx++)
- if (!spec->flags.fips)
- spec->flags.disabled = 1;
- }
-
return 0;
}
@@ -1888,14 +1879,17 @@ _gcry_cipher_selftest (int algo, int extended, selftest_report_func_t report)
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algo);
- if (spec && !spec->flags.disabled && spec->selftest)
+ if (spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())
+ && spec->selftest)
ec = spec->selftest (algo, extended, report);
else
{
ec = GPG_ERR_CIPHER_ALGO;
if (report)
report ("cipher", algo, "module",
- (spec && !spec->flags.disabled)?
+ spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())?
"no selftest available" :
spec? "algorithm disabled" : "algorithm not found");
}
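Review bot: In the else branch, an algorithm rejected only because it is not FIPS-approved is reported as "algorithm disabled", the same text used for an explicitly disabled algorithm, so a selftest log cannot distinguish policy rejection from configuration. The three-part condition is also evaluated twice, once in the `if` and again in the `report` ternary, and the ternary has lost the enclosing parentheses the old line had. Computing it once, e.g. `int usable = spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ());`, keeps both uses in step and makes the ternary readable again. The same applies to the _gcry_mac_selftest and _gcry_md_selftest hunks; the function body continues past the end of this hunk.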
diff --git a/cipher/mac.c b/cipher/mac.c
index a19728a5..9851b81c 100644
--- a/cipher/mac.c
+++ b/cipher/mac.c
@@ -382,27 +382,16 @@ static gcry_mac_spec_t * const mac_list_algo501[] =
gcry_err_code_t
_gcry_mac_init (void)
{
- if (fips_mode())
- {
- /* disable algorithms that are disallowed in fips */
- int idx;
- gcry_mac_spec_t *spec;
-
- for (idx = 0; (spec = mac_list[idx]); idx++)
- if (!spec->flags.fips)
- spec->flags.disabled = 1;
- }
-
return 0;
}
/* Return the spec structure for the MAC algorithm ALGO. For an
unknown algorithm NULL is returned. */
-static gcry_mac_spec_t *
+static const gcry_mac_spec_t *
spec_from_algo (int algo)
{
- gcry_mac_spec_t *spec = NULL;
+ const gcry_mac_spec_t *spec = NULL;
if (algo >= 101 && algo < 101 + DIM(mac_list_algo101))
spec = mac_list_algo101[algo - 101];
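Review bot: spec_from_algo now returns `const gcry_mac_spec_t *`, but the lookup tables it reads still appear to be declared `gcry_mac_spec_t * const` (see mac_list_algo501 in the hunk header), so only the table slots are const and the spec objects they point to stay writable through any other path. If nothing else in the file writes through these pointers (not visible here), declaring the tables as `static const gcry_mac_spec_t * const` would extend the const-ness to the tables themselves instead of stopping at this accessor. A short comment on spec_from_algo stating that specs are read-only after this change, and that FIPS availability is decided at call time from flags.fips, would record the new invariant. spec_from_algo's body continues outside the hunk.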
@@ -478,10 +467,10 @@ _gcry_mac_algo_name (int algorithm)
static gcry_err_code_t
check_mac_algo (int algorithm)
{
- gcry_mac_spec_t *spec;
+ const gcry_mac_spec_t *spec;
spec = spec_from_algo (algorithm);
- if (spec && !spec->flags.disabled)
+ if (spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()))
return 0;
return GPG_ERR_MAC_ALGO;
@@ -503,6 +492,8 @@ mac_open (gcry_mac_hd_t * hd, int algo, int secure, gcry_ctx_t ctx)
return GPG_ERR_MAC_ALGO;
else if (spec->flags.disabled)
return GPG_ERR_MAC_ALGO;
+ else if (!spec->flags.fips && fips_mode ())
+ return GPG_ERR_MAC_ALGO;
else if (!spec->ops)
return GPG_ERR_MAC_ALGO;
else if (!spec->ops->open || !spec->ops->write || !spec->ops->setkey ||
@@ -788,17 +779,20 @@ gpg_error_t
_gcry_mac_selftest (int algo, int extended, selftest_report_func_t report)
{
gcry_err_code_t ec;
- gcry_mac_spec_t *spec;
+ const gcry_mac_spec_t *spec;
spec = spec_from_algo (algo);
- if (spec && !spec->flags.disabled && spec->ops && spec->ops->selftest)
+ if (spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())
+ && spec->ops && spec->ops->selftest)
ec = spec->ops->selftest (algo, extended, report);
else
{
ec = GPG_ERR_MAC_ALGO;
if (report)
report ("mac", algo, "module",
- spec && !spec->flags.disabled?
+ spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())?
"no selftest available" :
spec? "algorithm disabled" :
"algorithm not found");
diff --git a/cipher/md.c b/cipher/md.c
index 524d6858..68f5ffdf 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -429,10 +429,10 @@ _gcry_md_algo_name (int algorithm)
static gcry_err_code_t
check_digest_algo (int algorithm)
{
- gcry_md_spec_t *spec;
+ const gcry_md_spec_t *spec;
spec = spec_from_algo (algorithm);
- if (spec && !spec->flags.disabled)
+ if (spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()))
return 0;
return GPG_ERR_DIGEST_ALGO;
@@ -563,10 +563,13 @@ md_enable (gcry_md_hd_t hd, int algorithm)
err = GPG_ERR_DIGEST_ALGO;
}
- /* Any non-FIPS algorithm should go this way */
if (!err && spec->flags.disabled)
err = GPG_ERR_DIGEST_ALGO;
+ /* Any non-FIPS algorithm should go this way */
+ if (!err && !spec->flags.fips && fips_mode ())
+ err = GPG_ERR_DIGEST_ALGO;
+
if (!err && h->flags.hmac && spec->read == NULL)
{
/* Expandable output function cannot act as part of HMAC. */
@@ -1197,7 +1200,7 @@ _gcry_md_hash_buffer (int algo, void *digest,
iov.off = 0;
iov.len = length;
- if (spec->flags.disabled)
+ if (spec->flags.disabled || (!spec->flags.fips && fips_mode ()))
log_bug ("gcry_md_hash_buffer failed for algo %d: %s",
algo, gpg_strerror (gcry_error (GPG_ERR_DIGEST_ALGO)));
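Review bot: A non-FIPS algorithm requested in FIPS mode reaches `log_bug` here, whereas _gcry_md_hash_buffers_extract in the next hunk returns GPG_ERR_DIGEST_ALGO for the same condition. As far as I know log_bug does not return in this code base, so a caller-supplied algorithm id ends the process instead of producing an error. This outcome appears to predate the commit, since init used to set flags.disabled, but the new explicit condition is a good place to document it, e.g. `/* Policy violation rather than an internal error: a non-FIPS ALGO in FIPS mode stops here because this function has no way to report failure. */`. The function's signature and the rest of its body lie outside the hunk, so the lack of an error return is inferred and should be confirmed.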
@@ -1270,7 +1273,7 @@ _gcry_md_hash_buffers_extract (int algo, unsigned int flags, void *digest,
if (!hmac && spec->hash_buffers)
{
- if (spec->flags.disabled)
+ if (spec->flags.disabled || (!spec->flags.fips && fips_mode ()))
return GPG_ERR_DIGEST_ALGO;
spec->hash_buffers (digest, digestlen, iov, iovcnt);
@@ -1576,17 +1579,6 @@ _gcry_md_info (gcry_md_hd_t h, int cmd, void *buffer, size_t *nbytes)
gcry_err_code_t
_gcry_md_init (void)
{
- if (fips_mode())
- {
- /* disable algorithms that are disallowed in fips */
- int idx;
- gcry_md_spec_t *spec;
-
- for (idx = 0; (spec = digest_list[idx]); idx++)
- if (!spec->flags.fips)
- spec->flags.disabled = 1;
- }
-
return 0;
}
@@ -1621,10 +1613,12 @@ gpg_error_t
_gcry_md_selftest (int algo, int extended, selftest_report_func_t report)
{
gcry_err_code_t ec = 0;
- gcry_md_spec_t *spec;
+ const gcry_md_spec_t *spec;
spec = spec_from_algo (algo);
- if (spec && !spec->flags.disabled && spec->selftest)
+ if (spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())
+ && spec->selftest)
ec = spec->selftest (algo, extended, report);
else
{
@@ -1632,7 +1626,8 @@ _gcry_md_selftest (int algo, int extended, selftest_report_func_t report)
/* */ : GPG_ERR_NOT_IMPLEMENTED;
if (report)
report ("digest", algo, "module",
- (spec && !spec->flags.disabled)?
+ spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())?
"no selftest available" :
spec? "algorithm disabled" : "algorithm not found");
}
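Review bot: The error code for this else branch comes from an `ec = …` expression whose head lies between the two _gcry_md_selftest hunks and is not shown; only its `: GPG_ERR_NOT_IMPLEMENTED` tail is visible at the top of this hunk. If that expression still tests only `!spec->flags.disabled`, the returned code and the report text could disagree for a non-FIPS algorithm in FIPS mode, since the report ternary now includes `(spec->flags.fips || !fips_mode ())`. It would be worth confirming that both use the same predicate, ideally by sharing one local computed before the `if`.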