From 987df146aa160fba84e01e527cf8e43117d5b610 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Tue, 7 Mar 2023 08:59:18 +0100 Subject: [PATCH] Add MD and HMAC FIPS indicators Resolves: rhbz#2176145 --- libgcrypt-1.10.0-fips-indicator-md-hmac.patch | 214 ++++++++++++++++++ libgcrypt.spec | 3 + 2 files changed, 217 insertions(+) create mode 100644 libgcrypt-1.10.0-fips-indicator-md-hmac.patch diff --git a/libgcrypt-1.10.0-fips-indicator-md-hmac.patch b/libgcrypt-1.10.0-fips-indicator-md-hmac.patch new file mode 100644 index 0000000..15fe7f5 --- /dev/null +++ b/libgcrypt-1.10.0-fips-indicator-md-hmac.patch @@ -0,0 +1,214 @@ +From fd832687f36c1885d2388c55f7e8569184ba2593 Mon Sep 17 00:00:00 2001 +From: Tobias Heider +Date: Thu, 16 Feb 2023 03:20:48 +0100 +Subject: [PATCH] fips: Add explicit indicators for md and mac algorithms + +* src/fips.c (_gcry_fips_indicator_mac): New function indicating + non-approved mac algorithms + (_gcry_fips_indicator_md): new functions indicating non-approved + message digest algorithms +* src/g10lib.h (_gcry_fips_indicator_mac): new function + (_gcry_fips_indicator_md): ditto +* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols + GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and + GCRYCTL_FIPS_SERVICE_INDICATOR_MD +* src/global.c (_gcry_vcontrol): Handle new FIPS indicators. +* doc/gcrypt.texi: Document the new option. +-- + +Signed-off-by: Tobias Heider +--- + doc/gcrypt.texi | 13 +++++++++++++ + src/fips.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++ + src/g10lib.h | 2 ++ + src/gcrypt.h.in | 4 +++- + src/global.c | 14 ++++++++++++++ + 5 files changed, 83 insertions(+), 1 deletion(-) + +diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi +index e44c2f2e..462c5931 100644 +--- a/doc/gcrypt.texi ++++ b/doc/gcrypt.texi +@@ -992,6 +992,19 @@ certification. If the function is approved, this function returns + @code{GPG_ERR_NO_ERROR} (other restrictions might still apply). + Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + ++@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos ++ ++Check if the given MAC is approved under the current FIPS 140-3 ++certification. If the MAC is approved, this function returns ++@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} ++is returned. ++ ++@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos ++ ++Check if the given message digest algorithm is approved under the current ++FIPS 140-3 certification. If the algorithm is approved, this function returns ++@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. ++ + @end table + + @end deftypefun +diff --git a/src/fips.c b/src/fips.c +index 272aabae..8b3b3f04 100644 +--- a/src/fips.c ++++ b/src/fips.c +@@ -377,6 +377,57 @@ _gcry_fips_indicator_cipher (va_list arg_ptr) + } + } + ++int ++_gcry_fips_indicator_mac (va_list arg_ptr) ++{ ++ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos); ++ ++ switch (alg) ++ { ++ case GCRY_MAC_CMAC_AES: ++ case GCRY_MAC_HMAC_SHA1: ++ case GCRY_MAC_HMAC_SHA224: ++ case GCRY_MAC_HMAC_SHA256: ++ case GCRY_MAC_HMAC_SHA384: ++ case GCRY_MAC_HMAC_SHA512: ++ case GCRY_MAC_HMAC_SHA512_224: ++ case GCRY_MAC_HMAC_SHA512_256: ++ case GCRY_MAC_HMAC_SHA3_224: ++ case GCRY_MAC_HMAC_SHA3_256: ++ case GCRY_MAC_HMAC_SHA3_384: ++ case GCRY_MAC_HMAC_SHA3_512: ++ return GPG_ERR_NO_ERROR; ++ default: ++ return GPG_ERR_NOT_SUPPORTED; ++ } ++} ++ ++int ++_gcry_fips_indicator_md (va_list arg_ptr) ++{ ++ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos); ++ ++ switch (alg) ++ { ++ case GCRY_MD_SHA1: ++ case GCRY_MD_SHA224: ++ case GCRY_MD_SHA256: ++ case GCRY_MD_SHA384: ++ case GCRY_MD_SHA512: ++ case GCRY_MD_SHA512_224: ++ case GCRY_MD_SHA512_256: ++ case GCRY_MD_SHA3_224: ++ case GCRY_MD_SHA3_256: ++ case GCRY_MD_SHA3_384: ++ case GCRY_MD_SHA3_512: ++ case GCRY_MD_SHAKE128: ++ case GCRY_MD_SHAKE256: ++ return GPG_ERR_NO_ERROR; ++ default: ++ return GPG_ERR_NOT_SUPPORTED; ++ } ++} ++ + int + _gcry_fips_indicator_kdf (va_list arg_ptr) + { +diff --git a/src/g10lib.h b/src/g10lib.h +index 6be0ab21..86337eed 100644 +--- a/src/g10lib.h ++++ b/src/g10lib.h +@@ -467,6 +467,8 @@ void _gcry_fips_signal_error (const char *srcfile, + #endif + + int _gcry_fips_indicator_cipher (va_list arg_ptr); ++int _gcry_fips_indicator_mac (va_list arg_ptr); ++int _gcry_fips_indicator_md (va_list arg_ptr); + int _gcry_fips_indicator_kdf (va_list arg_ptr); + int _gcry_fips_indicator_function (va_list arg_ptr); + +diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in +index aba22bfc..54080d46 100644 +--- a/src/gcrypt.h.in ++++ b/src/gcrypt.h.in +@@ -330,7 +330,9 @@ enum gcry_ctl_cmds + GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81, + GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82, + GCRYCTL_NO_FIPS_MODE = 83, +- GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84 ++ GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86 + }; + + /* Perform various operations defined by CMD. */ +diff --git a/src/global.c b/src/global.c +index debf6194..d16d3709 100644 +--- a/src/global.c ++++ b/src/global.c +@@ -791,6 +791,20 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) + rc = _gcry_fips_indicator_cipher (arg_ptr); + break; + ++ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC: ++ /* Get FIPS Service Indicator for a given message authentication code. ++ * Returns GPG_ERR_NO_ERROR if algorithm is allowed or ++ * GPG_ERR_NOT_SUPPORTED otherwise */ ++ rc = _gcry_fips_indicator_mac (arg_ptr); ++ break; ++ ++ case GCRYCTL_FIPS_SERVICE_INDICATOR_MD: ++ /* Get FIPS Service Indicator for a given message digest. Returns ++ * GPG_ERR_NO_ERROR if algorithm is allowed or GPG_ERR_NOT_SUPPORTED ++ * otherwise */ ++ rc = _gcry_fips_indicator_md (arg_ptr); ++ break; ++ + case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF: + /* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR + * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */ +-- +2.39.2 + +From 2d193a955d05b4b9caed2895cf25600add3484da Mon Sep 17 00:00:00 2001 +From: Tobias Heider +Date: Thu, 16 Feb 2023 03:21:26 +0100 +Subject: [PATCH] fips: Unblock MD5 in fips mode but mark non-approved in + indicator. + +* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): allow in fips mode +* cipher/md5.c (_gcry_digest_spec_md5): allow in fips mode +-- + +Signed-off-by: Tobias Heider +--- + cipher/mac-hmac.c | 2 +- + cipher/md5.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/cipher/mac-hmac.c b/cipher/mac-hmac.c +index f1ab568b..9fac77dc 100644 +--- a/cipher/mac-hmac.c ++++ b/cipher/mac-hmac.c +@@ -1413,7 +1413,7 @@ const gcry_mac_spec_t _gcry_mac_type_spec_hmac_tiger1 = { + #endif + #if USE_MD5 + const gcry_mac_spec_t _gcry_mac_type_spec_hmac_md5 = { +- GCRY_MAC_HMAC_MD5, {0, 0}, "HMAC_MD5", ++ GCRY_MAC_HMAC_MD5, {0, 1}, "HMAC_MD5", + &hmac_ops + }; + #endif +diff --git a/cipher/md5.c b/cipher/md5.c +index 5457fc38..744a2cc1 100644 +--- a/cipher/md5.c ++++ b/cipher/md5.c +@@ -314,7 +314,7 @@ static const gcry_md_oid_spec_t oid_spec_md5[] = + + const gcry_md_spec_t _gcry_digest_spec_md5 = + { +- GCRY_MD_MD5, {0, 0}, ++ GCRY_MD_MD5, {0, 1}, + "MD5", asn, DIM (asn), oid_spec_md5, 16, + md5_init, _gcry_md_block_write, md5_final, md5_read, NULL, + NULL, +-- +2.39.2 + diff --git a/libgcrypt.spec b/libgcrypt.spec index 7949727..fbfeada 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -51,6 +51,8 @@ Patch14: libgcrypt-1.10.0-fips-integrity2.patch Patch15: libgcrypt-1.10.0-fips-x931.patch # bf1e62e59200b2046680d1d3d1599facc88cfe63 Patch16: libgcrypt-1.10.0-fips-rsa-pss.patch +# https://dev.gnupg.org/T6376 +Patch17: libgcrypt-1.10.0-fips-indicator-md-hmac.patch %global gcrylibdir %{_libdir} %global gcrysoname libgcrypt.so.20 @@ -100,6 +102,7 @@ applications using libgcrypt. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 %build # This package has a configure test which uses ASMs, but does not link the