diff options
author | NIIBE Yutaka <gniibe@fsij.org> | 2023-03-24 13:12:56 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2023-03-24 14:05:30 +0900 |
commit | f6f345fe89b0a61408bbc72058ab42ac6e6a7577 (patch) | |
tree | 765df80cb7a891aa6333abc4527e87e6ff01066c | |
parent | f815ae113a2a914b0d20f0eb36d91c0351d5a797 (diff) | |
download | libgcrypt-f6f345fe89b0a61408bbc72058ab42ac6e6a7577.tar.gz |
fips: More elaborate way of getting FIPS pk flags indicators.
* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed string
in the S-expression.
* doc/gcrypt.texi: Add document for the FIPS service indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.
--
GnuPG-bug-id: 6417
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-rw-r--r-- | doc/gcrypt.texi | 42 | ||||
-rw-r--r-- | src/fips.c | 41 |
2 files changed, 76 insertions, 7 deletions
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index 3b40af8a..dd55600d 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -999,9 +999,45 @@ FIPS 140-3 certification. If the algorithm is approved, this function returns @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char * -Check if the given public key operation flag is approved under the current -FIPS 140-3 certification. If the flag is approved, this function returns -@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +Check if the given public key operation flag or s-expression object name is +approved under the current FIPS 140-3 certification. If the flag is +approved, this function returns @code{GPG_ERR_NO_ERROR}. + +Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + +For compound s-expression objects, if the object name is allowed, the user +is responsible to check also the internal members. For example: + +@example + gcry_sexp_t s_sig = NULL; + gcry_md_hd_t hd = NULL; + gcry_sexp_t s_sk = NULL; + const char *data_tmpl = "(data(flags pss)(hash %s %b)(salt-length 1:0))"; + + if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_md_open") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, GCRY_MD_SHA512) && + err = gcry_md_open (&hd, GCRY_MD_SHA512, 0)) + @{ + printf ("gcry_md_open failed: %s", gpg_strerror (err)); + return; + @} + gcry_md_write (hd, buffer, buflen); + + /* initialize the key in s_sk */ + + if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_pk_hash_sign") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "data") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "flags") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "pss") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "hash") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "salt-length") + err = gcry_pk_hash_sign (&s_sig, data_tmpl, s_sk, hd, NULL)) + @{ + printf ("gcry_pk_hash_sign failed: %s", gpg_strerror (err)); + return; + @} + /* ok */ +@end example @end table @@ -456,16 +456,49 @@ _gcry_fips_indicator_function (va_list arg_ptr) return GPG_ERR_NO_ERROR; } +/* Note: the array should be sorted. */ +static const char *valid_string_in_sexp[] = { + "curve", + "d", + "data", + "e", + "ecdsa", + "flags", + "genkey", + "hash", + "n", + "nbits", + "pkcs1", + "private-key", + "pss", + "public-key", + "q", + "r", + "raw", + "rsa", + "rsa-use-e", + "s", + "salt-length", + "sig-val", + "value" +}; + +static int +compare_string (const void *v1, const void *v2) +{ + const char * const *p_str1 = v1; + const char * const *p_str2 = v2; + + return strcmp (*p_str1, *p_str2); +} int _gcry_fips_indicator_pk_flags (va_list arg_ptr) { const char *flag = va_arg (arg_ptr, const char *); - if (strcmp (flag, "param") == 0 || - strcmp (flag, "raw") == 0 || - strcmp (flag, "no-blinding") == 0 || - strcmp (flag, "pss") == 0) + if (bsearch (&flag, valid_string_in_sexp, DIM (valid_string_in_sexp), + sizeof (char *), compare_string)) return GPG_ERR_NO_ERROR; return GPG_ERR_NOT_SUPPORTED; |