| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed string
in the S-expression.
* doc/gcrypt.texi: Add document for the FIPS service indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.
--
GnuPG-bug-id: 6417
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
| |
* src/fips.c: (_gcry_fips_indicator_function): Mark using random
override non-approved in FIPS mode.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator_pk_flags): New function for explicit
FIPS indicator for public key algorithm flags.
* src/g10lib.h (_gcry_fips_indicator_pk_flags): New.
* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS): New.
* src/global.c (_gcry_vcontrol): Handle the new option.
* doc/gcrypt.texi: Document new options.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator_mac): New function indicating
non-approved mac algorithms.
(_gcry_fips_indicator_md): new functions indicating non-approved
message digest algorithms.
* src/g10lib.h (_gcry_fips_indicator_mac): New function.
(_gcry_fips_indicator_md): Ditto.
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols,
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
GCRYCTL_FIPS_SERVICE_INDICATOR_MD.
* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.
--
GnuPG-bug-id: 6376
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
|
| |
|
|
|
|
|
|
|
|
| |
* src/fips.c (get_file_offset): Check return value of ftell to be able
to detect errors.
--
Originally reported by coverity.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator_cipher): Add key wrapping mode as
approved.
--
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator_function): Add
gcry_pk_encrypt/decrypt as non-approved.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator_function): Fix typo in sign/verify
function names.
--
Fixes-commit: 05a9c9d1ba1db6c1cd160fba979e9ddf4700a0c0
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* doc/gcrypt.texi: Document the new function-based fips indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
* src/fips.c (_gcry_fips_indicator_function): New function indicating
non-approved functions.
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbol
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
* src/global.c (_gcry_vcontrol): Handle new FIPS indicator.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (run_pubkey_selftests): Do not run selftests for disabled
public key algorithms.
--
Skip running FIPS selftests that are specific for a public key algorithm
if that algorithm was disabled using the --enable-pubkey-ciphers
configure option.
GnuPG-bug-id: 6048
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (get_file_offset): Compute the maximum offset
of segments.
* src/gen-note-integrity.sh: Likewise.
--
The result is same (in current format of ELF program).
Semantics is more clear. It hashes:
- From the start of shared library file,
- fixed up the ELF header to exclude link-time information,
- up to the last segment.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/Makefile.am (EXTRA_DIST): Change the name of the script.
(libgcrypt.la.done): Invoce OBJCOPY with --add-section.
(libgcrypt.so.hmac): Specify ECHO_N.
* src/fips.c (get_file_offset): Rename from get_file_offsets.
Find the note section and return the value in HMAC.
(hmac256_check): Simplify by HMAC from the note section, not loaded.
(check_binary_integrity): Use dladdr instead of dladdr1.
* src/gen-note-integrity.sh: Rename from genhmac.sh.
Generate ElfN_Nhdr, and then the hmac.
--
The idea of use of .note is by Daiki Ueno.
https://gitlab.com/dueno/integrity-notes
Further, instead of NOTE segment loaded onto memory, use noload
section in the file.
Thanks to Clemens Lang for initiating this direction of improvement.
The namespace "FDO" would need to be changed.
GnuPG-bug-id: 5835
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (READELF): Check the tool.
* src/Makefile.am (libgcrypt.so.hmac): Use genhmac.sh with hmac256.
* src/fips.c (get_file_offsets): Rename from get_file_offset.
Determine the OFFSET2 at the end of loadable segments, too.
Add fixup of the ELF header to exclude section information.
(hmac256_check): Finish scanning at the end of loadble segments.
* src/genhmac.sh: New.
--
This change fixes the build with ld.gold.
GnuPG-bug-id: 5835
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
| |
--
Coding style fix.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c [ENABLE_HMAC_BINARY_CHECK] (hmac256_check): Use ELF headers
to locate the file offset for the HMAC in addition to information from
the loader
--
The previous method of locating the offset of the .rodata1 section in
the ELF file on disk used information obtained from the loader. This
computed the address of the value in memory at runtime, but the offset
in the file can be different. Specifically, the old code computed
a value relative to ElfW(Phdr).p_vaddr, but the offset in the file is
relative to ElfW(Phdr).p_offset. These values can differ, so the
computed address at runtime must be translated into a file offset
relative to p_offset.
This is largely cosmetic, since the text section that should contain the
HMAC usually has both p_vaddr and p_offset set to 0.
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
| |
|
|
|
|
| |
* src/fips.c (hmac256_check): Remove unused assignment.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* src/gcrypt.h.in (enum gcry_ctl_cmds): Remove
GCRYCTL_FIPS_SERVICE_INDICATOR.
* src/fips.c (_gcry_fips_indicator_cipher): Use gcry_kdf_algos.
* tests/basic.c: Use GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER.
--
GnuPG-bug-id: 5512
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator): rename to
_gcry_fips_indicator_cipher().
(_gcry_fips_indicator_kdf): New function.
* src/g10lib.h: Rename _gcry_fips_indicator to
_gcry_fips_indicator_cipher() and add _gcry_fips_indicator_kdf()
* src/gcrypt.h.in (enum gcry_ctl_cmds): Add
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER and
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF.
* src/global.c (_gcry_vcontrol): Implement support for KDF FIPS
Indicator separate from the cipher one.
--
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_to_activate): New.
* src/g10lib.h (_gcry_fips_to_activate): New.
* src/global.c [ENABLE_HMAC_BINARY_CHECK] (_gcry_global_constructor):
New.
--
Note: constructor is non-portable feature of GCC. This behavior
of running selftests just after the load of the library is
specific to the build with ENABLE_HMAC_BINARY_CHECK.
GnuPG-bug-id: 5636
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
| |
* cipher/dsa.c (run_selftests): Disable DSA spec in FIPS mode.
* src/fips.c (run_pubkey_selftests): Skip DSA power-on selftests.
--
GnuPG-bug-id: 5710
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* src/fips.c (check_fips_system_setting): New.
(_gcry_initialize_fips_mode): Use the new function.
--
GnuPG-bug-id: 5636
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* cipher/des.c (_gcry_cipher_spec_tripledes): Mark as non-FIPS
* cipher/mac-cmac.c ( _gcry_mac_type_spec_cmac_tripledes): Mark non-FIPS
* src/fips.c (run_cipher_selftests): skip 3DES selftests)
(run_mac_selftests): skip CMAC_3DES selftests
* tests/basic.c (check_cfb_cipher): Do not expect the 3DES working in
FIPS mode
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_indicator): New.
* src/g10lib.h (_gcry_fips_indicator): New declaration.
* src/gcrypt.h.in (gcry_ctl_cmds): New GCRYCTL_FIPS_SERVICE_INDICATOR
* src/global.c (_gcry_vcontrol): Handle GCRYCTL_FIPS_SERVICE_INDICATOR
* tests/basic.c (do_check_ocb_cipher): Check excplicit FIPS indicator
(check_ocb_cipher_largebuf_split): Ditto.
(check_ocb_cipher_checksum): Ditto.
(check_ocb_cipher_splitaad): Ditto.
(check_bulk_cipher_modes): Ditto.
--
Add GCRYCTL_FIPS_SERVICE_INDICATOR to handle explicit FIPS indicators
for cipher modes.
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_is_operational): Call _cgry_random_close_fds.
--
GnuPG-bug-id: 5636
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (run_digest_selftests): Skip SHA256 selftest if they were
already executed as part of the integrity check.
(run_mac_selftests): Skip HMAC-SHA256 selftest if they were already
executed as part of the integrity check.
(run_hmac_sha256_selftests): Run SHA256 selftest too.
(_gcry_fips_run_selftests): Run the sha256 selftests regardless of the
fips mode status.
--
Prevent running the SHA256 tests twice and runs the SHA256 test
before the HMAC-SHA256 also from when manually invoked.
GnuPG-bug-id: 5617
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
| |
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (run_hmac_sha256_selftests): New function.
(_gcry_fips_run_selftests): Move integrity check earlier and run
HMAC-SHA256 tests before that.
--
GnuPG-bug-id: 5617
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* src/fips.c (KEY_FOR_BINARY_CHECK): Allow supplying externally.
* src/hmac256.c: Use KEY_FOR_BINARY_CHECK macro.
--
GnuPG-bug-id: 5550
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* cipher/rsa.c (generate_fips): Drop reference to enforced fips mode and
use normal FIPS mode check
* doc/gcrypt.texi: Drop references to enforced FIPS mode
* src/fips.c (enforced_fips_mode): Removed
(_gcry_initialize_fips_mode): Remove reading of the FIPS_FORCE_FILE
to enforce FIPS mode
(_gcry_enforced_fips_mode): Remove
(_gcry_set_enforced_fips_mode): Remove
* src/g10lib.h (_gcry_enforced_fips_mode): Remove declaration
(_gcry_set_enforced_fips_mode): Remova declaration
* src/global.c (print_config): Remove the forced fips flag
(_gcry_vcontrol): Deprecate GCRYCTL_SET_ENFORCED_FIPS_FLAG
(get_no_secure_memory): Ignore the option in FIPS mode
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
(_gcry_vcontrol): Simply ignore GCRYCTL_SET_ENFORCED_FIPS_FLAG.
Signed-off-by: Werner Koch <wk@gnupg.org>
GnuPG-bug-id: 5244
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* cipher/md.c (_gcry_md_hash_buffer): Remove inactivation of FIPS mode
when MD5 is used
(_gcry_md_hash_buffers_extract): Ditto.
* src/fips.c (gcry_is_fips_mode_inactive): Removed
(_gcry_inactivate_fips_mode): Removed
(_gcry_is_fips_mode_inactive): Removed
* src/g10lib.h (_gcry_inactivate_fips_mode): Remove declaration
(_gcry_is_fips_mode_inactive): Remove declaration
* global.c (_gcry_vcontrol): Update the GCRYCTL_FIPS_MODE_P
(_gcry_set_allocation_handler): Silently ignore custom alocation
handlers in FIPS mode
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* src/fips.c (hmac256_check): New.
(check_binary_integrity): Use hmac256_check.
--
GnuPG-bug-id: 5550
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/Makefile.am (libgcrypt.la.done): Use the rodata1 section.
* src/fips.c (_gcry_fips_run_selftests): Only enable
check_binary_integrity by ENABLE_HMAC_BINARY_CHECK.
[ENABLE_HMAC_BINARY_CHECK] (hmac_for_the_implementation): New.
[ENABLE_HMAC_BINARY_CHECK] (check_binary_integrity): Use
hmac_for_the_implementation in rodata.
--
GnuPG-bug-id: 5550
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c: Define FIPS_FORCE_FILE macro earlier.
(check_binary_integrity): Use the address of gcry_check_version.
* src/visibility.h [FIPS_FORCE_FILE] (gcry_check_version): Allow
internal use of exported function.
--
GnuPG-bug-id: 5550
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_initialize_fips_mode): Check the
environment variable LIBGCRYPT_FORCE_FIPS_MODE.
--
Useful for developers to test FIPS mode.
GnuPG-bug-id: 5541
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/cipher-proto.h (_gcry_kdf_selftest): New.
* cipher/kdf.c (check_one, selftest_pbkdf2): New.
(_gcry_kdf_selftest): New.
* src/fips.c (run_kdf_selftests): New.
(_gcry_fips_run_selftests): Call run_kdf_selftests.
--
Original work was libgcrypt-1.8.5-kdf-selftest.patch from Red Hat.
API style of check_one function follows the one in mac-hmac.c and
mac-cmac.c, which originates cipher/hmac-tests.c of libgcrypt 1.8
(copyrighted by Free Software Foundation, Inc., in 2008).
Covering the test vectors of original work, as an initial merge,
I include test vectors from tests/t-kdf.c, since PBKDF2 is defined
in RFC-6070 with those vectors.
Simo Sorce addressed about SHA1 deprecation. I marked the test
vectors with USE_SHA1.
GnuPG-bug-id: 5182
Co-authored-by: Tomáš Mráz <tm@t8m.info>
Suggested-by: Simo Sorce <simo@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* cipher/mac-cmac.c (check_one, selftests_cmac_3des): New.
(selftests_cmac_aes, cmac_selftest): New.
(cmac_ops): Add cmac_selftest.
* src/fips.c (run_mac_selftests): Add CMAC selftests.
--
Original work was libgcrypt-1.8.3-cmac-selftest.patch from Red Hat.
API of check_one function is taken from cipher/hmac-tests.c of
libgcrypt 1.8, copyrighted by Free Software Foundation, Inc., then
modified for CMAC.
Covering the test vectors of original work, we use exactly same test
vectors from tests/basic.c.
Co-authored-by: Tomáš Mráz <tm@t8m.info>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* cipher/Makefile.am: Prepare merge of hmac-test.c into mac-hmac.c.
* cipher/hmac-tests.c: Ifdef-out run_selftests and _gcry_hmac_selftest.
* cipher/mac-internal.h: Include cipher-proto.h for selftest.
(gcry_mac_spec_ops): Add selftest field.
* cipher/mac-hmac.c: Include hmac-tests.c for migration.
(hmac_selftest) New.
(hmac_ops): Add hmac_selftest.
* cipher/gost28147.c, cipher/mac-cmac.c: Add new field for selftest.
* cipher/mac-gmac.c, cipher/mac-poly1305.c: Likewise..
* cipher/mac.c (_gcry_mac_selftest): New.
* src/fips.c (run_mac_selftests): Rename from run_hmac_selftests.
Use GCRY_MAC_HMAC_*, and call _gcry_mac_selftest.
(_gcry_fips_run_selftests): Use run_mac_selftests.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_run_selftests): Check the status of fips_mode
before calling check_binary_integrity.
--
GnuPG-bug-id: 4274
Reported-by: Pedro Monreal
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
| |
|
|
|
|
|
|
|
|
| |
* src/fips.c (_gcry_fips_mode): Remove.
(_gcry_enforced_fips_mode, _gcry_inactivate_fips_mode)
(_gcry_is_fips_mode_inactive): Use fips_mode.
* src/g10lib.h (_gcry_fips_mode): Remove.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/fips.c (no_fips_mode_required): Rename to...
(_gcry_no_fips_mode_required): ...this and make externally available.
* src/g10lib.h (_gcry_no_fips_mode_required): New extern.
(fips_mode): Inline _gcry_fips_mode to macro, use
_gcry_no_fips_mode_required directly.
(fips_is_operational): Inline fips_mode check from
_gcry_fips_in_operational.
--
Add fast path to reduce call overhead in src/visibility.c where
fips_is_operational is called before cipher/md/etc operations.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
* src/hmac256.c (main): Add option --stdkey
--
Note that when using that configure option "make check" won't work in
one go. Instead use
make
cd src/.libs
../hmac256 --stdkey '' libgcrypt.so.20 >.libgcrypt.so.20.hmac
cd ../..
make check
Reported-by: Burt Silverman
Signed-off-by: Werner Koch <wk@gnupg.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
* cipher/ecc.c: Add ECDSA self test.
* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
in FIPS mode.
* tests/fipsdrv.c: Add support for ECDSA signatures.
--
Enable ECC in FIPS mode.
According to NIST SP 800-131A, curve P-192 and SHA-1 are disallowed
for key pair generation and signature generation after 2013.
Thanks to Jan Matejek for the patch.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Minor source code re-formatting by -wk.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* cipher/cipher-ocb.c: Fix typos.
* cipher/des.c: Likewise.
* cipher/dsa-common.c: Likewise.
* cipher/ecc.c: Likewise.
* cipher/pubkey.c: Likewise.
* cipher/rsa-common.c: Likewise.
* cipher/scrypt.c: Likewise.
* random/random-csprng.c: Likewise.
* random/random-fips.c: Likewise.
* random/rndw32.c: Likewise.
* src/cipher-proto.h: Likewise.
* src/context.c: Likewise.
* src/fips.c: Likewise.
* src/gcrypt.h.in: Likewise.
* src/global.c: Likewise.
* src/sexp.c: Likewise.
* tests/mpitests.c: Likewise.
* tests/t-lock.c: Likewise.
Signed-off-by: Justus Winter <justus@g10code.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): New.
(GCRY_MAC_HMAC_SHA3_224, GCRY_MAC_HMAC_SHA3_256)
(GCRY_MAC_HMAC_SHA3_384, GCRY_MAC_HMAC_SHA3_512): New.
* cipher/keccak.c: New with stub functions.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add keccak.c.
* configure.ac (available_digests): Add sha3.
(USE_SHA3): New.
* src/fips.c (run_hmac_selftests): Add SHA3 to the required selftests.
* cipher/md.c (digest_list) [USE_SHA3]: Add standard SHA3 algos.
(md_open): Ditto for hmac processing.
* cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping.
* cipher/hmac-tests.c (run_selftests): Prepare for tests.
* cipher/pubkey-util.c (get_hash_algo): Add "sha3-xxx".
--
Note that the algo GCRY_MD_SHA3_xxx are prelimanry. We should try to
sync them with OpenPGP.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (NEED_GPG_ERROR_VERSION): Require 1.13.
(gl_LOCK): Remove.
* src/ath.c, src/ath.h: Remove. Remove from all files. Replace all
mutexes by gpgrt based statically initialized locks.
* src/global.c (global_init): Remove ath_init.
(_gcry_vcontrol): Make ath install a dummy function.
(print_config): Remove threads info line.
* doc/gcrypt.texi: Simplify the multi-thread related documentation.
--
The current code does only work on ELF systems with weak symbol
support. In particular no locks were used under Windows. With the
new gpgrt_lock functions from the soon to be released libgpg-error
1.13 we have a better portable scheme which also allows for static
initialized mutexes.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
| |
|
|
|
|
|
|
|
| |
* src/fips.c (check_binary_integrity): s/gcry_malloc/xtrymalloc/.
--
This fixes a build problem with ENABLE_HMAC_BINARY_CHECK.
Reported-by: Michal Vyskocil.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* src/hwfeatures.c: Inclyde syslog.h and ctype.h.
(HWF_DENY_FILE): New.
(my_isascii): New.
(parse_hwf_deny_file): New.
(_gcry_detect_hw_features): Call it.
* src/mpicalc.c (main): Correctly initialize Libgcrypt. Add options
"--print-config" and "--disable-hwf".
Signed-off-by: Werner Koch <wk@gnupg.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/visibility.h: Remove remaining define/undef hacks for symbol
visibility. Add macros to detect the use of the public functions.
Change all affected functions by replacing them by the x-macros.
* src/g10lib.h: Add internal prototypes.
(xtrymalloc, xtrycalloc, xtrymalloc_secure, xtrycalloc_secure)
(xtryrealloc, xtrystrdup, xmalloc, xcalloc, xmalloc_secure)
(xcalloc_secure, xrealloc, xstrdup, xfree): New macros.
--
The use of xmalloc/xtrymalloc/xfree is a more common pattern than the
gcry_free etc. functions. Those functions behave like those defined
by C and thus for better readability we use these macros and not
the underscore prefixed functions.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/gcrypt.h.in (GCRY_PK_ECC): New.
* cipher/pubkey.c (map_algo): New.
(spec_from_algo, gcry_pk_get_param, _gcry_pk_selftest): Use it.
* cipher/ecc.c (selftests_ecdsa): Report using GCRY_PK_ECC.
(run_selftests): Simplify.
(ecdh_names, ecdsa_names): Merge into a new ecc_names.
(_gcry_pubkey_spec_ecdh, _gcry_pubkey_spec_ecdsa): Merge into new
_gcry_pubkey_spec_ecc.
--
The algo ids are actually a relict from Libgcrypt's former life as
GnuPG's crypto code. They don't make much sense anymore and are often
not needed.
This patch requires some changes to the GnuPG 2.1 code (which has
still not been released). For example the secret key transfer between
gpg and gpg-agent (gpg --export and gpg --import). Fortunately this
will also require to add usage flags to the secret key storage of
gpg-agent which is is something we should have done a long time ago.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
| |
|
|
|
|
|
|
|
|
| |
* doc/gcrypt.texi: Add documentation of the new command.
* src/fips.c (_gcry_enforced_fips_mode): Report the enforced fips mode
only when fips mode is enabled.
(_gcry_set_enforced_fips_mode): New function.
* src/g10lib.h: Add the _gcry_set_enforced_fips_mode prototype.
* src/gcrypt.h.in: Add the GCRYCTL_SET_ENFORCED_FIPS_FLAG.
* src/global.c (_gcry_vcontrol): Handle the new command.
|
