From ce1cbe16992a7340edcf8e6576973e3508267640 Mon Sep 17 00:00:00 2001 From: Vitezslav Cizek Date: Thu, 29 Oct 2015 17:13:16 +0100 Subject: Disable non-allowed algorithms in FIPS mode * cipher/cipher.c (_gcry_cipher_init), * cipher/mac.c (_gcry_mac_init), * cipher/md.c (_gcry_md_init), * cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the non-allowed ciphers. * cipher/md5.c: Mark MD5 as not allowed in FIPS. * src/g10lib.h (_gcry_mac_init): New. * src/global.c (global_init): Call the new _gcry_mac_init. * tests/basic.c (check_ciphers): Fix a typo. -- When running in the FIPS mode, disable all the ciphers that don't have the fips flag set. Skip the non-allowed algos during testing in the FIPS mode. Thanks to Ludwig Nussel. Signed-off-by: Vitezslav Cizek Signed-off-by: Vitezslav Cizek --- cipher/cipher.c | 11 +++++++++++ cipher/mac.c | 17 +++++++++++++++++ cipher/md.c | 11 +++++++++++ cipher/md5.c | 2 +- cipher/pubkey.c | 11 +++++++++++ 5 files changed, 51 insertions(+), 1 deletion(-) (limited to 'cipher') diff --git a/cipher/cipher.c b/cipher/cipher.c index 802ffad8..a0138466 100644 --- a/cipher/cipher.c +++ b/cipher/cipher.c @@ -1514,6 +1514,17 @@ _gcry_cipher_get_algo_blklen (int algo) gcry_err_code_t _gcry_cipher_init (void) { + if (fips_mode()) + { + /* disable algorithms that are disallowed in fips */ + int idx; + gcry_cipher_spec_t *spec; + + for (idx = 0; (spec = cipher_list[idx]); idx++) + if (!spec->flags.fips) + spec->flags.disabled = 1; + } + return 0; } diff --git a/cipher/mac.c b/cipher/mac.c index b8a5534b..46be7b7b 100644 --- a/cipher/mac.c +++ b/cipher/mac.c @@ -116,6 +116,23 @@ static gcry_mac_spec_t *mac_list[] = { NULL, }; +/* Explicitly initialize this module. */ +gcry_err_code_t +_gcry_mac_init (void) +{ + if (fips_mode()) + { + /* disable algorithms that are disallowed in fips */ + int idx; + gcry_mac_spec_t *spec; + + for (idx = 0; (spec = mac_list[idx]); idx++) + if (!spec->flags.fips) + spec->flags.disabled = 1; + } + + return 0; +} /* Return the spec structure for the MAC algorithm ALGO. For an diff --git a/cipher/md.c b/cipher/md.c index 15d944d4..281db120 100644 --- a/cipher/md.c +++ b/cipher/md.c @@ -1296,6 +1296,17 @@ _gcry_md_info (gcry_md_hd_t h, int cmd, void *buffer, size_t *nbytes) gcry_err_code_t _gcry_md_init (void) { + if (fips_mode()) + { + /* disable algorithms that are disallowed in fips */ + int idx; + gcry_md_spec_t *spec; + + for (idx = 0; (spec = digest_list[idx]); idx++) + if (!spec->flags.fips) + spec->flags.disabled = 1; + } + return 0; } diff --git a/cipher/md5.c b/cipher/md5.c index 66cc5f62..ed942cf4 100644 --- a/cipher/md5.c +++ b/cipher/md5.c @@ -310,7 +310,7 @@ static gcry_md_oid_spec_t oid_spec_md5[] = gcry_md_spec_t _gcry_digest_spec_md5 = { - GCRY_MD_MD5, {0, 1}, + GCRY_MD_MD5, {0, 0}, "MD5", asn, DIM (asn), oid_spec_md5, 16, md5_init, _gcry_md_block_write, md5_final, md5_read, NULL, sizeof (MD5_CONTEXT) diff --git a/cipher/pubkey.c b/cipher/pubkey.c index b321a899..8ec15fd4 100644 --- a/cipher/pubkey.c +++ b/cipher/pubkey.c @@ -926,6 +926,17 @@ _gcry_pubkey_get_sexp (gcry_sexp_t *r_sexp, int mode, gcry_ctx_t ctx) gcry_err_code_t _gcry_pk_init (void) { + if (fips_mode()) + { + /* disable algorithms that are disallowed in fips */ + int idx; + gcry_pk_spec_t *spec; + + for (idx = 0; (spec = pubkey_list[idx]); idx++) + if (!spec->flags.fips) + spec->flags.disabled = 1; + } + return 0; } -- cgit v1.2.1