|
 |
e35e9c |
From fd832687f36c1885d2388c55f7e8569184ba2593 Mon Sep 17 00:00:00 2001
|
|
|
e35e9c |
From: Tobias Heider <tobias.heider@canonical.com>
|
|
|
e35e9c |
Date: Thu, 16 Feb 2023 03:20:48 +0100
|
|
|
e35e9c |
Subject: [PATCH] fips: Add explicit indicators for md and mac algorithms
|
|
|
e35e9c |
|
|
|
e35e9c |
* src/fips.c (_gcry_fips_indicator_mac): New function indicating
|
|
|
e35e9c |
non-approved mac algorithms
|
|
|
e35e9c |
(_gcry_fips_indicator_md): new functions indicating non-approved
|
|
|
e35e9c |
message digest algorithms
|
|
|
e35e9c |
* src/g10lib.h (_gcry_fips_indicator_mac): new function
|
|
|
e35e9c |
(_gcry_fips_indicator_md): ditto
|
|
|
e35e9c |
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols
|
|
|
e35e9c |
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
|
|
|
e35e9c |
GCRYCTL_FIPS_SERVICE_INDICATOR_MD
|
|
|
e35e9c |
* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.
|
|
|
e35e9c |
* doc/gcrypt.texi: Document the new option.
|
|
|
e35e9c |
--
|
|
|
e35e9c |
|
|
|
e35e9c |
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
|
|
|
e35e9c |
---
|
|
|
e35e9c |
doc/gcrypt.texi | 13 +++++++++++++
|
|
|
e35e9c |
src/fips.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
e35e9c |
src/g10lib.h | 2 ++
|
|
|
e35e9c |
src/gcrypt.h.in | 4 +++-
|
|
|
e35e9c |
src/global.c | 14 ++++++++++++++
|
|
|
e35e9c |
5 files changed, 83 insertions(+), 1 deletion(-)
|
|
|
e35e9c |
|
|
|
e35e9c |
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
|
|
|
e35e9c |
index e44c2f2e..462c5931 100644
|
|
|
e35e9c |
--- a/doc/gcrypt.texi
|
|
|
e35e9c |
+++ b/doc/gcrypt.texi
|
|
|
e35e9c |
@@ -992,6 +992,19 @@ certification. If the function is approved, this function returns
|
|
|
e35e9c |
@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
|
|
|
e35e9c |
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
e35e9c |
|
|
|
e35e9c |
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
|
|
|
e35e9c |
+
|
|
|
e35e9c |
+Check if the given MAC is approved under the current FIPS 140-3
|
|
|
e35e9c |
+certification. If the MAC is approved, this function returns
|
|
|
e35e9c |
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
|
e35e9c |
+is returned.
|
|
|
e35e9c |
+
|
|
|
e35e9c |
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
|
|
|
e35e9c |
+
|
|
|
e35e9c |
+Check if the given message digest algorithm is approved under the current
|
|
|
e35e9c |
+FIPS 140-3 certification. If the algorithm is approved, this function returns
|
|
|
e35e9c |
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
e35e9c |
+
|
|
|
e35e9c |
@end table
|
|
|
e35e9c |
|
|
|
e35e9c |
@end deftypefun
|
|
|
e35e9c |
diff --git a/src/fips.c b/src/fips.c
|
|
|
e35e9c |
index 272aabae..8b3b3f04 100644
|
|
|
e35e9c |
--- a/src/fips.c
|
|
|
e35e9c |
+++ b/src/fips.c
|
|
|
e35e9c |
@@ -377,6 +377,57 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
|
|
|
e35e9c |
}
|
|
|
e35e9c |
}
|
|
|
e35e9c |
|
|
|
e35e9c |
+int
|
|
|
e35e9c |
+_gcry_fips_indicator_mac (va_list arg_ptr)
|
|
|
e35e9c |
+{
|
|
|
e35e9c |
+ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
|
|
|
e35e9c |
+
|
|
|
e35e9c |
+ switch (alg)
|
|
|
e35e9c |
+ {
|
|
|
e35e9c |
+ case GCRY_MAC_CMAC_AES:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA1:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA224:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA256:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA384:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA512:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA512_224:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA512_256:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA3_224:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA3_256:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA3_384:
|
|
|
e35e9c |
+ case GCRY_MAC_HMAC_SHA3_512:
|
|
|
e35e9c |
+ return GPG_ERR_NO_ERROR;
|
|
|
e35e9c |
+ default:
|
|
|
e35e9c |
+ return GPG_ERR_NOT_SUPPORTED;
|
|
|
e35e9c |
+ }
|
|
|
e35e9c |
+}
|
|
|
e35e9c |
+
|
|
|
e35e9c |
+int
|
|
|
e35e9c |
+_gcry_fips_indicator_md (va_list arg_ptr)
|
|
|
e35e9c |
+{
|
|
|
e35e9c |
+ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
|
|
|
e35e9c |
+
|
|
|
e35e9c |
+ switch (alg)
|
|
|
e35e9c |
+ {
|
|
|
e35e9c |
+ case GCRY_MD_SHA1:
|
|
|
e35e9c |
+ case GCRY_MD_SHA224:
|
|
|
e35e9c |
+ case GCRY_MD_SHA256:
|
|
|
e35e9c |
+ case GCRY_MD_SHA384:
|
|
|
e35e9c |
+ case GCRY_MD_SHA512:
|
|
|
e35e9c |
+ case GCRY_MD_SHA512_224:
|
|
|
e35e9c |
+ case GCRY_MD_SHA512_256:
|
|
|
e35e9c |
+ case GCRY_MD_SHA3_224:
|
|
|
e35e9c |
+ case GCRY_MD_SHA3_256:
|
|
|
e35e9c |
+ case GCRY_MD_SHA3_384:
|
|
|
e35e9c |
+ case GCRY_MD_SHA3_512:
|
|
|
e35e9c |
+ case GCRY_MD_SHAKE128:
|
|
|
e35e9c |
+ case GCRY_MD_SHAKE256:
|
|
|
e35e9c |
+ return GPG_ERR_NO_ERROR;
|
|
|
e35e9c |
+ default:
|
|
|
e35e9c |
+ return GPG_ERR_NOT_SUPPORTED;
|
|
|
e35e9c |
+ }
|
|
|
e35e9c |
+}
|
|
|
e35e9c |
+
|
|
|
e35e9c |
int
|
|
|
e35e9c |
_gcry_fips_indicator_kdf (va_list arg_ptr)
|
|
|
e35e9c |
{
|
|
|
e35e9c |
diff --git a/src/g10lib.h b/src/g10lib.h
|
|
|
e35e9c |
index 6be0ab21..86337eed 100644
|
|
|
e35e9c |
--- a/src/g10lib.h
|
|
|
e35e9c |
+++ b/src/g10lib.h
|
|
|
e35e9c |
@@ -467,6 +467,8 @@ void _gcry_fips_signal_error (const char *srcfile,
|
|
|
e35e9c |
#endif
|
|
|
e35e9c |
|
|
|
e35e9c |
int _gcry_fips_indicator_cipher (va_list arg_ptr);
|
|
|
e35e9c |
+int _gcry_fips_indicator_mac (va_list arg_ptr);
|
|
|
e35e9c |
+int _gcry_fips_indicator_md (va_list arg_ptr);
|
|
|
e35e9c |
int _gcry_fips_indicator_kdf (va_list arg_ptr);
|
|
|
e35e9c |
int _gcry_fips_indicator_function (va_list arg_ptr);
|
|
|
e35e9c |
|
|
|
e35e9c |
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
|
|
|
e35e9c |
index aba22bfc..54080d46 100644
|
|
|
e35e9c |
--- a/src/gcrypt.h.in
|
|
|
e35e9c |
+++ b/src/gcrypt.h.in
|
|
|
e35e9c |
@@ -330,7 +330,9 @@ enum gcry_ctl_cmds
|
|
|
e35e9c |
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
|
|
|
e35e9c |
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
|
|
|
e35e9c |
GCRYCTL_NO_FIPS_MODE = 83,
|
|
|
e35e9c |
- GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84
|
|
|
e35e9c |
+ GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
|
|
|
e35e9c |
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
|
|
|
e35e9c |
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86
|
|
|
e35e9c |
};
|
|
|
e35e9c |
|
|
|
e35e9c |
/* Perform various operations defined by CMD. */
|
|
|
e35e9c |
diff --git a/src/global.c b/src/global.c
|
|
|
e35e9c |
index debf6194..d16d3709 100644
|
|
|
e35e9c |
--- a/src/global.c
|
|
|
e35e9c |
+++ b/src/global.c
|
|
|
e35e9c |
@@ -791,6 +791,20 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
|
|
|
e35e9c |
rc = _gcry_fips_indicator_cipher (arg_ptr);
|
|
|
e35e9c |
break;
|
|
|
e35e9c |
|
|
|
e35e9c |
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
|
|
|
e35e9c |
+ /* Get FIPS Service Indicator for a given message authentication code.
|
|
|
e35e9c |
+ * Returns GPG_ERR_NO_ERROR if algorithm is allowed or
|
|
|
e35e9c |
+ * GPG_ERR_NOT_SUPPORTED otherwise */
|
|
|
e35e9c |
+ rc = _gcry_fips_indicator_mac (arg_ptr);
|
|
|
e35e9c |
+ break;
|
|
|
e35e9c |
+
|
|
|
e35e9c |
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MD:
|
|
|
e35e9c |
+ /* Get FIPS Service Indicator for a given message digest. Returns
|
|
|
e35e9c |
+ * GPG_ERR_NO_ERROR if algorithm is allowed or GPG_ERR_NOT_SUPPORTED
|
|
|
e35e9c |
+ * otherwise */
|
|
|
e35e9c |
+ rc = _gcry_fips_indicator_md (arg_ptr);
|
|
|
e35e9c |
+ break;
|
|
|
e35e9c |
+
|
|
|
e35e9c |
case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
|
|
|
e35e9c |
/* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
|
|
|
e35e9c |
* if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
|
|
|
e35e9c |
--
|
|
|
e35e9c |
2.39.2
|
|
|
e35e9c |
|
|
|
e35e9c |
From 2d193a955d05b4b9caed2895cf25600add3484da Mon Sep 17 00:00:00 2001
|
|
|
e35e9c |
From: Tobias Heider <tobias.heider@canonical.com>
|
|
|
e35e9c |
Date: Thu, 16 Feb 2023 03:21:26 +0100
|
|
|
e35e9c |
Subject: [PATCH] fips: Unblock MD5 in fips mode but mark non-approved in
|
|
|
e35e9c |
indicator.
|
|
|
e35e9c |
|
|
|
e35e9c |
* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): allow in fips mode
|
|
|
e35e9c |
* cipher/md5.c (_gcry_digest_spec_md5): allow in fips mode
|
|
|
e35e9c |
--
|
|
|
e35e9c |
|
|
|
e35e9c |
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
|
|
|
e35e9c |
---
|
|
|
e35e9c |
cipher/mac-hmac.c | 2 +-
|
|
|
e35e9c |
cipher/md5.c | 2 +-
|
|
|
e35e9c |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
e35e9c |
|
|
|
e35e9c |
diff --git a/cipher/mac-hmac.c b/cipher/mac-hmac.c
|
|
|
e35e9c |
index f1ab568b..9fac77dc 100644
|
|
|
e35e9c |
--- a/cipher/mac-hmac.c
|
|
|
e35e9c |
+++ b/cipher/mac-hmac.c
|
|
|
e35e9c |
@@ -1413,7 +1413,7 @@ const gcry_mac_spec_t _gcry_mac_type_spec_hmac_tiger1 = {
|
|
|
e35e9c |
#endif
|
|
|
e35e9c |
#if USE_MD5
|
|
|
e35e9c |
const gcry_mac_spec_t _gcry_mac_type_spec_hmac_md5 = {
|
|
|
e35e9c |
- GCRY_MAC_HMAC_MD5, {0, 0}, "HMAC_MD5",
|
|
|
e35e9c |
+ GCRY_MAC_HMAC_MD5, {0, 1}, "HMAC_MD5",
|
|
|
e35e9c |
&hmac_ops
|
|
|
e35e9c |
};
|
|
|
e35e9c |
#endif
|
|
|
e35e9c |
diff --git a/cipher/md5.c b/cipher/md5.c
|
|
|
e35e9c |
index 5457fc38..744a2cc1 100644
|
|
|
e35e9c |
--- a/cipher/md5.c
|
|
|
e35e9c |
+++ b/cipher/md5.c
|
|
|
e35e9c |
@@ -314,7 +314,7 @@ static const gcry_md_oid_spec_t oid_spec_md5[] =
|
|
|
e35e9c |
|
|
|
e35e9c |
const gcry_md_spec_t _gcry_digest_spec_md5 =
|
|
|
e35e9c |
{
|
|
|
e35e9c |
- GCRY_MD_MD5, {0, 0},
|
|
|
e35e9c |
+ GCRY_MD_MD5, {0, 1},
|
|
|
e35e9c |
"MD5", asn, DIM (asn), oid_spec_md5, 16,
|
|
|
e35e9c |
md5_init, _gcry_md_block_write, md5_final, md5_read, NULL,
|
|
|
e35e9c |
NULL,
|
|
|
e35e9c |
--
|
|
|
e35e9c |
2.39.2
|
|
|
e35e9c |
|
|
|
e35e9c |
From f52f33389da3302f51b6b00451cf9fc7e7a7e277 Mon Sep 17 00:00:00 2001
|
|
|
e35e9c |
From: Jakub Jelen <jjelen@redhat.com>
|
|
|
e35e9c |
Date: Mon, 6 Mar 2023 17:26:17 +0100
|
|
|
e35e9c |
Subject: [PATCH] tests: Improve test coverage for FIPS service indicators
|
|
|
e35e9c |
|
|
|
e35e9c |
* tests/basic.c (check_digests): Check the FIPS indicators
|
|
|
e35e9c |
(check_mac): Ditto.
|
|
|
e35e9c |
--
|
|
|
e35e9c |
|
|
|
e35e9c |
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
|
e35e9c |
---
|
|
|
e35e9c |
tests/basic.c | 13 +++++++++++++
|
|
|
e35e9c |
1 file changed, 13 insertions(+)
|
|
|
e35e9c |
|
|
|
e35e9c |
diff --git a/tests/basic.c b/tests/basic.c
|
|
|
e35e9c |
index 095bdc97..5d5ceac9 100644
|
|
|
e35e9c |
--- a/tests/basic.c
|
|
|
e35e9c |
+++ b/tests/basic.c
|
|
|
e35e9c |
@@ -14086,6 +14086,7 @@ check_mac (void)
|
|
|
e35e9c |
"\x13\x46\x76\xfb\x6d\xe0\x44\x60\x65\xc9\x74\x40\xfa\x8c\x6a\x58" },
|
|
|
e35e9c |
{ 0 },
|
|
|
e35e9c |
};
|
|
|
e35e9c |
+ gcry_error_t err;
|
|
|
e35e9c |
int i;
|
|
|
e35e9c |
|
|
|
e35e9c |
if (verbose)
|
|
|
e35e9c |
@@ -15370,6 +15370,12 @@ check_digests (void)
|
|
|
e35e9c |
{
|
|
|
e35e9c |
if (in_fips_mode)
|
|
|
e35e9c |
{
|
|
|
e35e9c |
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, algos[i].md);
|
|
|
e35e9c |
+ if (err == GPG_ERR_NO_ERROR)
|
|
|
e35e9c |
+ {
|
|
|
e35e9c |
+ fail ("algo %d, gcry_md_test_algo failed while it should"
|
|
|
e35e9c |
+ " have worked in FIPS mode\n", algos[i].md);
|
|
|
e35e9c |
+ }
|
|
|
e35e9c |
if (verbose)
|
|
|
e35e9c |
fprintf (stderr, " algorithm %d not available in fips mode\n",
|
|
|
e35e9c |
algos[i].md);
|
|
|
e35e9c |
@@ -16948,6 +16954,7 @@ check_mac (void)
|
|
|
e35e9c |
#endif /* USE_GOST28147 */
|
|
|
e35e9c |
{ 0 },
|
|
|
e35e9c |
};
|
|
|
e35e9c |
+ gcry_error_t err;
|
|
|
e35e9c |
int i;
|
|
|
e35e9c |
|
|
|
e35e9c |
if (verbose)
|
|
|
e35e9c |
@@ -16961,6 +16968,12 @@ check_mac (void)
|
|
|
e35e9c |
{
|
|
|
e35e9c |
if (in_fips_mode)
|
|
|
e35e9c |
{
|
|
|
e35e9c |
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MAC, algos[i].algo);
|
|
|
e35e9c |
+ if (err == GPG_ERR_NO_ERROR)
|
|
|
e35e9c |
+ {
|
|
|
e35e9c |
+ fail ("algo %d, gcry_mac_test_algo failed while it should"
|
|
|
e35e9c |
+ " have worked in FIPS mode\n", algos[i].algo);
|
|
|
e35e9c |
+ }
|
|
|
e35e9c |
if (verbose)
|
|
|
e35e9c |
fprintf (stderr, " algorithm %d not available in fips mode\n",
|
|
|
e35e9c |
algos[i].algo);
|
|
|
e35e9c |
--
|
|
|
e35e9c |
2.39.2
|
|
|
e35e9c |
|