diff options
author | Jakub Jelen <jjelen@redhat.com> | 2022-08-08 13:50:15 +0200 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-08-23 15:38:17 +0900 |
commit | 05a9c9d1ba1db6c1cd160fba979e9ddf4700a0c0 (patch) | |
tree | af994d0363771bf53953c82cba087ee8b9ed7eb7 | |
parent | 1fc7bfc351ba1d7fa31c0c62a24ad78e9e1cfd5b (diff) | |
download | libgcrypt-05a9c9d1ba1db6c1cd160fba979e9ddf4700a0c0.tar.gz |
fips: Add function-name based FIPS indicator.
* doc/gcrypt.texi: Document the new function-based fips indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
* src/fips.c (_gcry_fips_indicator_function): New function indicating
non-approved functions.
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbol
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
* src/global.c (_gcry_vcontrol): Handle new FIPS indicator.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-rw-r--r-- | doc/gcrypt.texi | 7 | ||||
-rw-r--r-- | src/fips.c | 12 | ||||
-rw-r--r-- | src/g10lib.h | 1 | ||||
-rw-r--r-- | src/gcrypt.h.in | 3 | ||||
-rw-r--r-- | src/global.c | 7 |
5 files changed, 29 insertions, 1 deletions
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index f2c1cc94..b608dba2 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -995,6 +995,13 @@ certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char * + +Check if the given function is approved under the current FIPS 140-3 +certification. If the function is approved, this function returns +@code{GPG_ERR_NO_ERROR} (other restrictions might still apply). +Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + @end table @end deftypefun @@ -390,6 +390,18 @@ _gcry_fips_indicator_kdf (va_list arg_ptr) } } +int +_gcry_fips_indicator_function (va_list arg_ptr) +{ + const char *function = va_arg (arg_ptr, const char *); + + if (strcmp (function, "gcry_sign") == 0 || + strcmp (function, "gcry_verify") == 0) + return GPG_ERR_NOT_SUPPORTED; + + return GPG_ERR_NO_ERROR; +} + /* This is a test on whether the library is in the error or operational state. */ diff --git a/src/g10lib.h b/src/g10lib.h index 8ba0a5c2..eff6295f 100644 --- a/src/g10lib.h +++ b/src/g10lib.h @@ -468,6 +468,7 @@ void _gcry_fips_signal_error (const char *srcfile, int _gcry_fips_indicator_cipher (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr); +int _gcry_fips_indicator_function (va_list arg_ptr); int _gcry_fips_is_operational (void); diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index 299261db..d6a1d516 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -329,7 +329,8 @@ enum gcry_ctl_cmds GCRYCTL_SET_DECRYPTION_TAG = 80, GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81, GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82, - GCRYCTL_NO_FIPS_MODE = 83 + GCRYCTL_NO_FIPS_MODE = 83, + GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84 }; /* Perform various operations defined by CMD. */ diff --git a/src/global.c b/src/global.c index 258ea4d1..debf6194 100644 --- a/src/global.c +++ b/src/global.c @@ -797,6 +797,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) rc = _gcry_fips_indicator_kdf (arg_ptr); break; + case GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION: + /* Get FIPS Service Indicator for a given function from the API. + * Returns GPG_ERR_NO_ERROR if the function is allowed or + * GPG_ERR_NOT_SUPPORTED otherwise */ + rc = _gcry_fips_indicator_function (arg_ptr); + break; + case PRIV_CTL_INIT_EXTRNG_TEST: /* Init external random test. */ rc = GPG_ERR_NOT_SUPPORTED; break; |