* doc/gcrypt.texi: Add 'GCRYCTL_SET_ALLOW_WEAK_KEY' under
'gcry_cipher_ctl'.
--
GnuPG-bug-id: 6451
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* cipher/cipher.c (cipher_setkey): Do not reset RC.
--
This reverts commit b75a58df84a5137954cb678adf8c202b39ee1def.
GnuPG-bug-id: 6451
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* cipher/cipher.c (cipher_setkey): Reset RC.
--
GnuPG-bug-id: 6451
* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random)
[GRND_RANDOM]: Conditionalize the use of getrandom, as it's
not a portable function.
--
Cherry-picked master commit of:
fa21ddc158b5d7b5900856e5b131071302217a51
Fixes-commit: aab1d63e4def41593312f76de016c885ffafecde
GnuPG-bug-id: 6442
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_encrypt)
(_gcry_cipher_poly1305_decrypt) [USE_CHACHA20]: Conditionalize.
--
Cherry-picked master commit of:
137f1fd82bc9136d434ca41f58d62091b64df6db
GnuPG-bug-id: 6384
Reported-by: Andrew Collier
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher/Makefile.am [ENABLE_O_FLAG_MUNGING]: Support -Oz.
* random/Makefile.am [ENABLE_O_FLAG_MUNGING]: Support -Oz.
--
Cherry-picked from master commit of:
7edf1abb9a0d892a80cbf7ab42f64b2720671ee9
GnuPG-bug-id: 6432
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
GnuPG-bug-id: 6435
* m4/gpg-error.m4: Update from libgpg-error master.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed strings
in the S-expression.
* doc/gcrypt.texi: Add document for the FIPS service indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.
--
GnuPG-bug-id: 6417
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* m4/gpg-error.m4: Update from libgpg-error master.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tests/basic.c (check_digests): Check the FIPS indicators.
(check_mac): Ditto.
--
Cherry-pick master commit of:
fae63f517906ba8f46d255f1b5770665f2197ad9
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* src/fips.c (_gcry_fips_indicator_function): Mark using random
override non-approved in FIPS mode.
--
Cherry-pick master commit of:
e0a5a9eb8301991c28fae8632add8dacce81aeb4
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* src/fips.c (_gcry_fips_indicator_function): Add
gcry_pk_encrypt/decrypt as non-approved.
--
Cherry-pick master commit of:
05cb8355d3e66f15425ad85ae2203882e80f4792
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* src/fips.c (_gcry_fips_indicator_function): Fix typo in sign/verify
function names.
--
Cherry-pick master commit of:
c5de9e77fb332939695918710b0842030515cce0
Fixes-commit: 05a9c9d1ba1db6c1cd160fba979e9ddf4700a0c0
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* src/fips.c (_gcry_fips_indicator_pk_flags): New function for explicit
FIPS indicator for public key algorithm flags.
* src/g10lib.h (_gcry_fips_indicator_pk_flags): New.
* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS): New.
* src/global.c (_gcry_vcontrol): Handle the new option.
* doc/gcrypt.texi: Document new options.
--
Cherry-picked master commit of:
4c1c8a707f9652dbfad8f8b531d8b84556f655f1
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* doc/gcrypt.texi: Document the new options for FIPS indicators.
--
Cherry-picked master commit of:
0b7ad923978f708b41933d6b91d3159ffc7a84a1
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): Allow in fips mode.
* cipher/md5.c (_gcry_digest_spec_md5): Allow in fips mode.
--
Cherry-pick master commit of:
dc4a60e2d70bc52ba2955f8e676341d675ab89a0
GnuPG-bug-id: 6376
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
* src/fips.c (_gcry_fips_indicator_mac): New function indicating
non-approved MAC algorithms.
(_gcry_fips_indicator_md): New function indicating non-approved
message digest algorithms.
* src/g10lib.h (_gcry_fips_indicator_mac): New function.
(_gcry_fips_indicator_md): Ditto.
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols,
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
GCRYCTL_FIPS_SERVICE_INDICATOR_MD.
* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.
--
Cherry-pick master commit of:
c88672a327f6774a66d75a35f25266eec99b16f4
GnuPG-bug-id: 6376
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
* cipher/kdf.c (check_one): Run selftests for more approved parameters
and check that wrong parameters correctly fail in FIPS mode.
--
Cherry-picked from master commit of:
f5fe94810f3099c9ccc2ca3a5891502922ab0576
Fixes-commit: 535a4d345872aa2cd2ab3a5f9c4411d0a0313328
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* src/fips.c (get_file_offset): Check return value of ftell to be able
to detect errors.
--
Cherry-picked master commit of:
3fd3bb31597f80c76a94ea62e42d58d796beabf1
Originally reported by coverity.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* random/random-drbg.c (global): Remove unused SHA384-based defines.
(drbg_cores): Remove SHA384 configurations.
(drbg_sec_strength): Remove unused SHA384.
--
Cherry-picked from master commit of:
45b80678109e5817b7cd15566a9d6c96b064b95f
These are no longer allowed by FIPS and it looks like they were never
usable as they do not have any conversion from the string flags.
GnuPG-bug-id: 6393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* src/visibility.c (gcry_pk_hash_sign): Check fips status before
calling the operation itself.
(gcry_pk_hash_verify): Ditto.
--
Cherry-picked master commit of:
654d0dfa04993ebe28c0536d42f4bc6d87c28369
GnuPG-bug-id: 6396
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/ecc.c (test_keys_fips): Replace calls to log_fatal with
return code on error.
(ecc_generate): Signal error when PCT fails in FIPS mode.
--
Cherry-picked master commit of:
23a2d1285e35b2eb91bb422609eb1c965c8a9bf6
GnuPG-bug-id: 6397
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/ecc.c (ecc_generate): Do not allow skipping PCT tests
in FIPS mode.
--
Cherry-picked from master commit of:
2ddeec574bc1ae90bb4242c4ce9ad9e7975a27bd
The new FIPS specification requires to run the PCT without any
exceptions.
GnuPG-bug-id: 6394
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* src/fips.c (_gcry_fips_indicator_cipher): Do not mark GCM mode as
FIPS approved.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* m4/ax_cc_for_build.m4: Fix for no arg.
* m4/noexecstack.m4: Likewise.
--
Cherry-pick master commit of:
e3b441214f93d8f61875b8223480e57afa2a3f10
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* configure.ac: Add function declarations for asm functions.
--
Cherry-pick master commit of:
693ffa145378682229473b0e811a9cea7c4d307a
Suggested-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher/t-rsa-testparm.c (check_rsa_testparm): Define parameters as
void.
--
Cherry-picked master commit of:
0909186b9e66aa3a8fac7b2571915c45a7bfaeb3
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
--
Cherry-pick master commit of:
896fe69757e0fe84696d3b23f7b15425e128988a
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms
in FIPS mode.
* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode.
(check_run): Skip checking X9.31 keys in FIPS mode.
* doc/gcrypt.texi: Document "test-parms" and clarify some cases around
the X9.31 keygen.
--
Cherry-pick master commit of:
06ea5b5332ffdb44a0a394d766be8989bcb6a95c
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/rsa-common.c (_gcry_rsa_pss_encode): Prevent usage of large
salt lengths.
(_gcry_rsa_pss_verify): Ditto.
* tests/basic.c (check_pubkey_sign): Check longer salt length fails in
FIPS mode.
* tests/t-rsa-pss.c (one_test_sexp): Fix function name in error message.
--
Backport the master commit of:
bf1e62e59200b2046680d1d3d1599facc88cfe63
* src/fips.c (_gcry_fips_indicator_cipher): Add key wrapping mode as
approved.
--
Cherry-picked master branch of:
c34c9e70055ee43e5ef257384fa15941f064e5a4
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/kdf.c (_gcry_kdf_pkdf2): Require an 8-char passphrase for FIPS.
Set bounds for salt length and iteration count in FIPS mode.
--
Cherry-picked from master branch of:
f4a861f3e5ae82f278284061e4829c03edf9c3a7
GnuPG-bug-id: 6039
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* src/libgcrypt.m4: Overriding the decision by
--with-libgcrypt-prefix, use gpgrt-config libgcrypt when gpgrt-config
is available.
--
Backport the master commit of:
0dcb7e05c9e1c9c2a23abe0a0390680741b61414
This may offer better migration.
GnuPG-bug-id: 5034
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* src/visibility.c (gcry_md_setkey): Add the check here, too.
--
Cherry-picked from the master commit of:
b095ea7559734f519fbe92d570afe567330eb474
GnuPG-bug-id: 6039
Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/kdf.c (_gcry_kdf_pkdf2): Remove the length limitation of
passphrase input length.
--
Cherry-picked from master commit of:
47db7fe3a0c36523d2ccec31705cffff9a2337bc
This reverts commit d09d3d33c79daa2f8d385dfedf3f20ad205b0fba
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* m4/gpg-error.m4: Update from libgpg-error 1.46.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tests/t-kdf.c (check_pbkdf2): Add test vector with short dklen and
verify it fails in FIPS mode.
--
Cherry-picked master commit of:
efdc87b305ff326f37acd3a9c2606de24a706cce
GnuPG-bug-id: 6219
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Clarify
description of the chaining DRBG in FIPS mode.
--
Cherry-picked master commit of:
6e832840a8b7cdd30f77e66685ad0de863d7e84d
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): In fips
mode, gather max 32 B of strong entropy for initialization.
--
Cherry-pick master commit of:
a6a6e94027abf18a51f5f93bf9fb2cfe5496bdf8
The limitation of our current kernel patch guarantees that only 32B of
strong random data can be gathered using getrandom().
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/keccak-armv7-neon.S: Fix function name in comment and change
parameter type to size_t.
* cipher/keccak.c (keccak_ops_t): Change absorb function signature to
use size_t.
(keccak_absorb_lanes64_avx512): Change nlanes type to size_t.
(_gcry_keccak_absorb_lanes64_armv7_neon): Ditto.
(keccak_absorb_lanes64_armv7_neon): Ditto.
(keccak_absorb_lanes32bi): Ditto.
(keccak_absorb_lanes32bi_bmi2): Ditto.
(keccak_write): Change nlanes variable to use size_t and avoid
overflow when calculating count.
* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): Change
nlanes argument to use size_t.
--
Cherry-pick master commit of:
9c828129b2058c3f36e07634637929a54e8377ee
Any input to the SHA3 functions > 4GB was giving wrong result when it
was invoked in one-shot, while working correctly when it was fed by
chunks. It turned out that the calculation in the `keccak_write`
overflows the `unsigned int` type (`nlanes * 8` does not fit 32b when
the `inlen` > 4GB).
GnuPG-bug-id: 6217
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher/kdf.c (_gcry_kdf_pkdf2): Add output length check.
--
Cherry-picked master commit of:
3c04b692de1e7b45b764ff8d66bf84609b012e3a
GnuPG-bug-id: 6219
* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
--
Cherry-pick master commit of:
857e6f467d0fc9fd858a73d84122695425970075
GnuPG-bug-id: 6039
Fixes-commit: ab5aef9b7b6ef757eff7bea4a17ade0ce3d3191b
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* configure.ac (AC_USE_SYSTEM_EXTENSIONS): Use it earlier.
--
Cherry-picked master commit of:
2efb90104591eda490d9f7ba281aa29bceb92487
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher/rsa.c (rsa_generate): Skip PCT if test-parms were specified.
* tests/t-rsa-testparm.c: Add test for this functionality.
* tests/Makefile.am: Add test to build system.
--
Cherry-pick master commit of:
c20022ffd4ad2cea51928a109dfa102d711d30ac
ACVP testing uses the test-parms option to specify p and q to be checked
for primality. When test-parms is specified, generate_fips() always
returns keys with p=q=0. These keys then fail the pairwise consistency
test, because they cannot be used to successfully sign a message and
verify the signature.
Skip the PCT when test-parms is specified.
Add a regression test to check that this functionality continues to work
in the future.
Signed-off-by: Clemens Lang <cllang@redhat.com>
* configure.ac: Define AM_CONDITIONALs for USE_DSA, USE_RSA,
USE_ELGAMAL, USE_ECC so Makefiles can depend on them.
* tests/Makefile.am: Skip tests that test only one public key algorithm
if that algorithm is disabled.
--
Cherry-pick master commit of:
56000fb5c42f01f1ced4e3dd0bb30662c0ba87c3
Skip building and running tests that are specific for a public key
algorithm if that algorithm was disabled using the
--enable-pubkey-ciphers configure option.
GnuPG-bug-id: 6048
Signed-off-by: Clemens Lang <cllang@redhat.com>