authorVitezslav Cizek <vcizek@suse.com>2015-10-29 17:13:16 +0100
committerWerner Koch <wk@gnupg.org>2016-03-18 15:48:15 +0100
commitce1cbe16992a7340edcf8e6576973e3508267640 (patch)
treeab4d7c4b3429f83878803f1db98df8830a856dc9 /cipher
parentc478cf175887c84dc071c4f73a7667603b354789 (diff)
Disable non-allowed algorithms in FIPS mode
* cipher/cipher.c (_gcry_cipher_init), * cipher/mac.c (_gcry_mac_init), * cipher/md.c (_gcry_md_init), * cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the non-allowed ciphers. * cipher/md5.c: Mark MD5 as not allowed in FIPS. * src/g10lib.h (_gcry_mac_init): New. * src/global.c (global_init): Call the new _gcry_mac_init. * tests/basic.c (check_ciphers): Fix a typo. -- When running in the FIPS mode, disable all the ciphers that don't have the fips flag set. Skip the non-allowed algos during testing in the FIPS mode. Thanks to Ludwig Nussel. Signed-off-by: Vitezslav Cizek <vcizek@suse.com> Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Diffstat (limited to 'cipher')
-rw-r--r--cipher/cipher.c11
-rw-r--r--cipher/mac.c17
-rw-r--r--cipher/md.c11
-rw-r--r--cipher/md5.c2
-rw-r--r--cipher/pubkey.c11
5 files changed, 51 insertions, 1 deletions
diff --git a/cipher/cipher.c b/cipher/cipher.c
index 802ffad8..a0138466 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -1514,6 +1514,17 @@ _gcry_cipher_get_algo_blklen (int algo)
gcry_err_code_t
_gcry_cipher_init (void)
{
+ if (fips_mode())
+ {
+ /* disable algorithms that are disallowed in fips */
+ int idx;
+ gcry_cipher_spec_t *spec;
+
+ for (idx = 0; (spec = cipher_list[idx]); idx++)
+ if (!spec->flags.fips)
+ spec->flags.disabled = 1;
+ }
+
return 0;
}
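Review bot: The non-FIPS entries of `cipher_list` are disabled only at the moment `_gcry_cipher_init` runs, so the loop is effective only if `fips_mode()` already returns its final value by then; the same one-shot pattern is repeated in `_gcry_mac_init`, `_gcry_md_init` and `_gcry_pk_init`. The call order lives in src/global.c, which this page (diffstat limited to 'cipher') does not show, so I would state the dependency at the loop, e.g. `/* Relies on the FIPS mode decision being made before this runs; the list is not revisited afterwards. */`. The flag is written into the shared spec objects and is never cleared in this code, which is presumably intended but worth saying in the same comment. As a style point, the `if` under the `for` is unbraced; bracing both keeps a later second statement from silently landing outside the loop.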
diff --git a/cipher/mac.c b/cipher/mac.c
index b8a5534b..46be7b7b 100644
--- a/cipher/mac.c
+++ b/cipher/mac.c
@@ -116,6 +116,23 @@ static gcry_mac_spec_t *mac_list[] = {
NULL,
};
+/* Explicitly initialize this module. */
+gcry_err_code_t
+_gcry_mac_init (void)
+{
+ if (fips_mode())
+ {
+ /* disable algorithms that are disallowed in fips */
+ int idx;
+ gcry_mac_spec_t *spec;
+
+ for (idx = 0; (spec = mac_list[idx]); idx++)
+ if (!spec->flags.fips)
+ spec->flags.disabled = 1;
+ }
+
+ return 0;
+}
/* Return the spec structure for the MAC algorithm ALGO. For an
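Review bot: The header comment on the new `_gcry_mac_init` says only "Explicitly initialize this module", while the body's sole effect is to set `flags.disabled` on every `mac_list` entry that lacks the `fips` flag when `fips_mode()` is true. I would spell that out, e.g. `/* Explicitly initialize this module. In FIPS mode, mark every MAC spec without the fips flag as disabled. Always returns 0. */`. Whether a disabled MAC is actually refused depends on the lookup and open paths checking `flags.disabled`, which are outside this hunk and should be confirmed for each entry point.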
diff --git a/cipher/md.c b/cipher/md.c
index 15d944d4..281db120 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -1296,6 +1296,17 @@ _gcry_md_info (gcry_md_hd_t h, int cmd, void *buffer, size_t *nbytes)
gcry_err_code_t
_gcry_md_init (void)
{
+ if (fips_mode())
+ {
+ /* disable algorithms that are disallowed in fips */
+ int idx;
+ gcry_md_spec_t *spec;
+
+ for (idx = 0; (spec = digest_list[idx]); idx++)
+ if (!spec->flags.fips)
+ spec->flags.disabled = 1;
+ }
+
return 0;
}
diff --git a/cipher/md5.c b/cipher/md5.c
index 66cc5f62..ed942cf4 100644
--- a/cipher/md5.c
+++ b/cipher/md5.c
@@ -310,7 +310,7 @@ static gcry_md_oid_spec_t oid_spec_md5[] =
gcry_md_spec_t _gcry_digest_spec_md5 =
{
- GCRY_MD_MD5, {0, 1},
+ GCRY_MD_MD5, {0, 0},
"MD5", asn, DIM (asn), oid_spec_md5, 16,
md5_init, _gcry_md_block_write, md5_final, md5_read, NULL,
sizeof (MD5_CONTEXT)
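Review bot: The positional initializer `{0, 0}` gives no hint which slot is the `fips` flag, yet this single digit now decides whether MD5 is disabled at init in FIPS mode. The field order is declared outside this hunk (presumably disabled first, then fips, judging by the commit message), so after confirming it against the struct declaration I would annotate the line, e.g. `GCRY_MD_MD5, {0, 0}, /* flags: disabled, fips */`. That makes a later audit of which digests are FIPS-approved a matter of reading the spec tables. The initializer of `_gcry_digest_spec_md5` continues past the end of the hunk.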
diff --git a/cipher/pubkey.c b/cipher/pubkey.c
index b321a899..8ec15fd4 100644
--- a/cipher/pubkey.c
+++ b/cipher/pubkey.c
@@ -926,6 +926,17 @@ _gcry_pubkey_get_sexp (gcry_sexp_t *r_sexp, int mode, gcry_ctx_t ctx)
gcry_err_code_t
_gcry_pk_init (void)
{
+ if (fips_mode())
+ {
+ /* disable algorithms that are disallowed in fips */
+ int idx;
+ gcry_pk_spec_t *spec;
+
+ for (idx = 0; (spec = pubkey_list[idx]); idx++)
+ if (!spec->flags.fips)
+ spec->flags.disabled = 1;
+ }
+
return 0;
}