author | NIIBE Yutaka <gniibe@fsij.org> | 2022-01-04 13:58:55 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-01-04 14:05:26 +0900 |
commit | 034e4402dade7a4bcc239913b78c702c5c6f0dbb (patch) | |
tree | 27fb91885efe6f769886ab4b94b988f9cee1a71b /cipher/md.c | |
parent | c49ff1f46436ed071b93816112a0d0393f84d5d7 (diff) | |
fips: Use flags.fips to check algo availability.
* cipher/cipher.c (check_cipher_algo): Check ->flags.fips.
(_gcry_cipher_open_internal, _gcry_cipher_selftest): Likewise.
(_gcry_cipher_init): Don't modify ->flags.disabled.
* cipher/mac.c (_gcry_mac_init): Don't modify ->flags.disabled.
(check_mac_algo): Check ->flags.fips.
(mac_open, _gcry_mac_selftest): Likewise.
* cipher/md.c (check_digest_algo): Check ->flags.fips.
(md_enable, _gcry_md_hash_buffer): Likewise.
(_gcry_md_hash_buffers_extract, _gcry_md_selftest): Likewise.
(_gcry_md_init): Don't modify ->flags.disabled.
--
GnuPG-bug-id: 5747
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'cipher/md.c')
-rw-r--r-- | cipher/md.c | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/cipher/md.c b/cipher/md.c
index 524d6858..68f5ffdf 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -429,10 +429,10 @@ _gcry_md_algo_name (int algorithm)
 static gcry_err_code_t
 check_digest_algo (int algorithm)
 {
- gcry_md_spec_t *spec;
+ const gcry_md_spec_t *spec;
 spec = spec_from_algo (algorithm);
- if (spec && !spec->flags.disabled)
+ if (spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()))
 return 0;
 return GPG_ERR_DIGEST_ALGO;
@@ -563,10 +563,13 @@ md_enable (gcry_md_hd_t hd, int algorithm)
 err = GPG_ERR_DIGEST_ALGO;
 }
- /* Any non-FIPS algorithm should go this way */
 if (!err && spec->flags.disabled)
 err = GPG_ERR_DIGEST_ALGO;
+ /* Any non-FIPS algorithm should go this way */
+ if (!err && !spec->flags.fips && fips_mode ())
+ err = GPG_ERR_DIGEST_ALGO;
+
 if (!err && h->flags.hmac && spec->read == NULL)
 {
 /* Expandable output function cannot act as part of HMAC. */
@@ -1197,7 +1200,7 @@ _gcry_md_hash_buffer (int algo, void *digest,
 iov.off = 0;
 iov.len = length;
- if (spec->flags.disabled)
+ if (spec->flags.disabled || (!spec->flags.fips && fips_mode ()))
 log_bug ("gcry_md_hash_buffer failed for algo %d: %s", algo, gpg_strerror (gcry_error (GPG_ERR_DIGEST_ALGO)));
@@ -1270,7 +1273,7 @@ _gcry_md_hash_buffers_extract (int algo, unsigned int flags, void *digest,
 if (!hmac && spec->hash_buffers)
 {
- if (spec->flags.disabled)
+ if (spec->flags.disabled || (!spec->flags.fips && fips_mode ()))
 return GPG_ERR_DIGEST_ALGO;
 spec->hash_buffers (digest, digestlen, iov, iovcnt);
@@ -1576,17 +1579,6 @@ _gcry_md_info (gcry_md_hd_t h, int cmd, void *buffer, size_t *nbytes)
 gcry_err_code_t
 _gcry_md_init (void)
 {
- if (fips_mode())
- {
- /* disable algorithms that are disallowed in fips */
- int idx;
- gcry_md_spec_t *spec;
-
- for (idx = 0; (spec = digest_list[idx]); idx++)
- if (!spec->flags.fips)
- spec->flags.disabled = 1;
- }
-
 return 0;
 }
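Review bot: The FIPS gate added to `check_digest_algo` is written out by hand here and again in `md_enable`, `_gcry_md_hash_buffer`, `_gcry_md_hash_buffers_extract` and twice in `_gcry_md_selftest`, in two inverted spellings (`spec->flags.fips || !fips_mode ()` and `!spec->flags.fips && fips_mode ()`). With the init-time loop in `_gcry_md_init` removed, every path that obtains a spec has to repeat the test, and a single missed call site would leave a non-approved digest usable in FIPS mode. One file-local predicate would keep the sites in step, for example `static inline int md_algo_allowed (const gcry_md_spec_t *spec) { return !spec->flags.disabled && (spec->flags.fips || !fips_mode ()); }` (the name is only a suggestion). The closing brace of `check_digest_algo` lies outside the hunk.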
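Review bot: In `_gcry_md_hash_buffer` a non-approved algorithm in FIPS mode is answered with `log_bug`, which as far as I know is a fatal log call in this code base, so the widened condition decides between normal operation and process termination at call time. That deserves a comment above the test, for example `/* No error return here: a disabled or non-FIPS algorithm is treated as a caller bug. */`, so callers know to validate the algorithm through `check_digest_algo` first when the id comes from outside. The function starts and ends outside the hunk, so whether `spec` is NULL-checked before this line cannot be seen here.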
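Review bot: The FIPS test in `_gcry_md_hash_buffers_extract` sits inside the `if (!hmac && spec->hash_buffers)` branch, so only the direct `spec->hash_buffers` call is visibly gated. The other branch is outside the hunk; presumably it goes through `md_enable`, which carries the same test, but that is worth confirming and recording in a comment such as `/* The generic path below is checked in md_enable. */`. Moving `if (spec->flags.disabled || (!spec->flags.fips && fips_mode ())) return GPG_ERR_DIGEST_ALGO;` above the branch would make both paths fail the same way without relying on a callee.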
@@ -1621,10 +1613,12 @@ gpg_error_t
 _gcry_md_selftest (int algo, int extended, selftest_report_func_t report)
 {
 gcry_err_code_t ec = 0;
- gcry_md_spec_t *spec;
+ const gcry_md_spec_t *spec;
 spec = spec_from_algo (algo);
- if (spec && !spec->flags.disabled && spec->selftest)
+ if (spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())
+ && spec->selftest)
 ec = spec->selftest (algo, extended, report);
 else
 {
@@ -1632,7 +1626,8 @@ _gcry_md_selftest (int algo, int extended, selftest_report_func_t report)
 /* */ : GPG_ERR_NOT_IMPLEMENTED;
 if (report)
 report ("digest", algo, "module",
- (spec && !spec->flags.disabled)?
+ spec && !spec->flags.disabled
+ && (spec->flags.fips || !fips_mode ())?
 "no selftest available" : spec? "algorithm disabled" : "algorithm not found"); } |
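Review bot: The condition feeding the first `?` in the `report` call lost its enclosing parentheses and now runs over two lines, `spec && !spec->flags.disabled` followed by `&& (spec->flags.fips || !fips_mode ())?`. Precedence still groups it as intended because `&&` binds tighter than `?:`, but next to the nested `spec? ... : ...` it reads as if only the last term selected the message. Keeping the outer parentheses, `(spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()))?`, makes the three-way choice between "no selftest available", "algorithm disabled" and "algorithm not found" unambiguous. The call sits in the `else` block of `_gcry_md_selftest`, which opens before this hunk.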