From fd832687f36c1885d2388c55f7e8569184ba2593 Mon Sep 17 00:00:00 2001 From: Tobias Heider Date: Thu, 16 Feb 2023 03:20:48 +0100 Subject: [PATCH] fips: Add explicit indicators for md and mac algorithms * src/fips.c (_gcry_fips_indicator_mac): New function indicating non-approved mac algorithms (_gcry_fips_indicator_md): new functions indicating non-approved message digest algorithms * src/g10lib.h (_gcry_fips_indicator_mac): new function (_gcry_fips_indicator_md): ditto * src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and GCRYCTL_FIPS_SERVICE_INDICATOR_MD * src/global.c (_gcry_vcontrol): Handle new FIPS indicators. * doc/gcrypt.texi: Document the new option. -- Signed-off-by: Tobias Heider --- doc/gcrypt.texi | 13 +++++++++++++ src/fips.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++ src/g10lib.h | 2 ++ src/gcrypt.h.in | 4 +++- src/global.c | 14 ++++++++++++++ 5 files changed, 83 insertions(+), 1 deletion(-) diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index e44c2f2e..462c5931 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -992,6 +992,19 @@ certification. If the function is approved, this function returns @code{GPG_ERR_NO_ERROR} (other restrictions might still apply). Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos + +Check if the given MAC is approved under the current FIPS 140-3 +certification. If the MAC is approved, this function returns +@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} +is returned. + +@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos + +Check if the given message digest algorithm is approved under the current +FIPS 140-3 certification. If the algorithm is approved, this function returns +@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + @end table @end deftypefun diff --git a/src/fips.c b/src/fips.c index 272aabae..8b3b3f04 100644 --- a/src/fips.c +++ b/src/fips.c @@ -377,6 +377,57 @@ _gcry_fips_indicator_cipher (va_list arg_ptr) } } +int +_gcry_fips_indicator_mac (va_list arg_ptr) +{ + enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos); + + switch (alg) + { + case GCRY_MAC_CMAC_AES: + case GCRY_MAC_HMAC_SHA1: + case GCRY_MAC_HMAC_SHA224: + case GCRY_MAC_HMAC_SHA256: + case GCRY_MAC_HMAC_SHA384: + case GCRY_MAC_HMAC_SHA512: + case GCRY_MAC_HMAC_SHA512_224: + case GCRY_MAC_HMAC_SHA512_256: + case GCRY_MAC_HMAC_SHA3_224: + case GCRY_MAC_HMAC_SHA3_256: + case GCRY_MAC_HMAC_SHA3_384: + case GCRY_MAC_HMAC_SHA3_512: + return GPG_ERR_NO_ERROR; + default: + return GPG_ERR_NOT_SUPPORTED; + } +} + +int +_gcry_fips_indicator_md (va_list arg_ptr) +{ + enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos); + + switch (alg) + { + case GCRY_MD_SHA1: + case GCRY_MD_SHA224: + case GCRY_MD_SHA256: + case GCRY_MD_SHA384: + case GCRY_MD_SHA512: + case GCRY_MD_SHA512_224: + case GCRY_MD_SHA512_256: + case GCRY_MD_SHA3_224: + case GCRY_MD_SHA3_256: + case GCRY_MD_SHA3_384: + case GCRY_MD_SHA3_512: + case GCRY_MD_SHAKE128: + case GCRY_MD_SHAKE256: + return GPG_ERR_NO_ERROR; + default: + return GPG_ERR_NOT_SUPPORTED; + } +} + int _gcry_fips_indicator_kdf (va_list arg_ptr) { diff --git a/src/g10lib.h b/src/g10lib.h index 6be0ab21..86337eed 100644 --- a/src/g10lib.h +++ b/src/g10lib.h @@ -467,6 +467,8 @@ void _gcry_fips_signal_error (const char *srcfile, #endif int _gcry_fips_indicator_cipher (va_list arg_ptr); +int _gcry_fips_indicator_mac (va_list arg_ptr); +int _gcry_fips_indicator_md (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr); int _gcry_fips_indicator_function (va_list arg_ptr); diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index aba22bfc..54080d46 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -330,7 +330,9 @@ enum gcry_ctl_cmds GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81, GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82, GCRYCTL_NO_FIPS_MODE = 83, - GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84 + GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84, + GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, + GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86 }; /* Perform various operations defined by CMD. */ diff --git a/src/global.c b/src/global.c index debf6194..d16d3709 100644 --- a/src/global.c +++ b/src/global.c @@ -791,6 +791,20 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) rc = _gcry_fips_indicator_cipher (arg_ptr); break; + case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC: + /* Get FIPS Service Indicator for a given message authentication code. + * Returns GPG_ERR_NO_ERROR if algorithm is allowed or + * GPG_ERR_NOT_SUPPORTED otherwise */ + rc = _gcry_fips_indicator_mac (arg_ptr); + break; + + case GCRYCTL_FIPS_SERVICE_INDICATOR_MD: + /* Get FIPS Service Indicator for a given message digest. Returns + * GPG_ERR_NO_ERROR if algorithm is allowed or GPG_ERR_NOT_SUPPORTED + * otherwise */ + rc = _gcry_fips_indicator_md (arg_ptr); + break; + case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF: /* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */ -- 2.39.2 From 2d193a955d05b4b9caed2895cf25600add3484da Mon Sep 17 00:00:00 2001 From: Tobias Heider Date: Thu, 16 Feb 2023 03:21:26 +0100 Subject: [PATCH] fips: Unblock MD5 in fips mode but mark non-approved in indicator. * cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): allow in fips mode * cipher/md5.c (_gcry_digest_spec_md5): allow in fips mode -- Signed-off-by: Tobias Heider --- cipher/mac-hmac.c | 2 +- cipher/md5.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cipher/mac-hmac.c b/cipher/mac-hmac.c index f1ab568b..9fac77dc 100644 --- a/cipher/mac-hmac.c +++ b/cipher/mac-hmac.c @@ -1413,7 +1413,7 @@ const gcry_mac_spec_t _gcry_mac_type_spec_hmac_tiger1 = { #endif #if USE_MD5 const gcry_mac_spec_t _gcry_mac_type_spec_hmac_md5 = { - GCRY_MAC_HMAC_MD5, {0, 0}, "HMAC_MD5", + GCRY_MAC_HMAC_MD5, {0, 1}, "HMAC_MD5", &hmac_ops }; #endif diff --git a/cipher/md5.c b/cipher/md5.c index 5457fc38..744a2cc1 100644 --- a/cipher/md5.c +++ b/cipher/md5.c @@ -314,7 +314,7 @@ static const gcry_md_oid_spec_t oid_spec_md5[] = const gcry_md_spec_t _gcry_digest_spec_md5 = { - GCRY_MD_MD5, {0, 0}, + GCRY_MD_MD5, {0, 1}, "MD5", asn, DIM (asn), oid_spec_md5, 16, md5_init, _gcry_md_block_write, md5_final, md5_read, NULL, NULL, -- 2.39.2 From f52f33389da3302f51b6b00451cf9fc7e7a7e277 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 6 Mar 2023 17:26:17 +0100 Subject: [PATCH] tests: Improve test coverage for FIPS service indicators * tests/basic.c (check_digests): Check the FIPS indicators (check_mac): Ditto. -- Signed-off-by: Jakub Jelen --- tests/basic.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/basic.c b/tests/basic.c index 095bdc97..5d5ceac9 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -14086,6 +14086,7 @@ check_mac (void) "\x13\x46\x76\xfb\x6d\xe0\x44\x60\x65\xc9\x74\x40\xfa\x8c\x6a\x58" }, { 0 }, }; + gcry_error_t err; int i; if (verbose) @@ -15370,6 +15370,12 @@ check_digests (void) { if (in_fips_mode) { + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, algos[i].md); + if (err == GPG_ERR_NO_ERROR) + { + fail ("algo %d, gcry_md_test_algo failed while it should" + " have worked in FIPS mode\n", algos[i].md); + } if (verbose) fprintf (stderr, " algorithm %d not available in fips mode\n", algos[i].md); @@ -16948,6 +16954,7 @@ check_mac (void) #endif /* USE_GOST28147 */ { 0 }, }; + gcry_error_t err; int i; if (verbose) @@ -16961,6 +16968,12 @@ check_mac (void) { if (in_fips_mode) { + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MAC, algos[i].algo); + if (err == GPG_ERR_NO_ERROR) + { + fail ("algo %d, gcry_mac_test_algo failed while it should" + " have worked in FIPS mode\n", algos[i].algo); + } if (verbose) fprintf (stderr, " algorithm %d not available in fips mode\n", algos[i].algo); -- 2.39.2