forked from pool/libgcrypt
Pedro Monreal Gonzalez
b5b243be7f
* Add --enable-marvin-workaround to spec to enable workaround * Fix timing based side-channel in RSA implementation ( Marvin attack ) * Add libgcrypt-CVE-2024-2236.patch OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=193
99 lines
2.8 KiB
Diff
99 lines
2.8 KiB
Diff
From 608ff4b2261e2d8961f0ef4189e74b1173b2802c Mon Sep 17 00:00:00 2001
|
|
From: Lucas Mulling <lucas.mulling@suse.com>
|
|
Date: Sun, 2 Feb 2025 12:58:21 -0300
|
|
Subject: [PATCH 2/2] cipher: Don't differentiate GCRY_CIPHER_MODE_CMAC in FIPS
|
|
mode.
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
* cipher/cipher.c (_gcry_cipher_mode_fips_compliance): Allow
|
|
GCRY_CIPHER_MODE_CMAC in fips mode.
|
|
* cipher/cipher.c (cipher_modes_fips_compliance)
|
|
(cipher_int_modes_fips_compliance): New.
|
|
--
|
|
|
|
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
|
|
|
|
Added some comments, changed scope of the new functions and shorted
|
|
their names. Also added restructured the switch and added all other
|
|
modes.
|
|
|
|
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
Signed-off-by: Lucas Mülling <lucas.mulling@suse.com>
|
|
---
|
|
cipher/cipher.c | 49 ++++++++++++++++++++++++++++++++++++++++++++-----
|
|
1 file changed, 44 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/cipher/cipher.c b/cipher/cipher.c
|
|
index 3b7970b3..fc130907 100644
|
|
--- a/cipher/cipher.c
|
|
+++ b/cipher/cipher.c
|
|
@@ -505,8 +505,9 @@ _gcry_cipher_open (gcry_cipher_hd_t *handle,
|
|
}
|
|
|
|
|
|
-gcry_err_code_t
|
|
-_gcry_cipher_mode_fips_compliance (enum gcry_cipher_modes mode)
|
|
+/* Return an error if the give cipher mode is non-FIPS compliant. */
|
|
+static gcry_err_code_t
|
|
+cipher_modes_fips_compliance (enum gcry_cipher_modes mode)
|
|
{
|
|
switch (mode)
|
|
{
|
|
@@ -519,10 +520,48 @@ _gcry_cipher_mode_fips_compliance (enum gcry_cipher_modes mode)
|
|
case GCRY_CIPHER_MODE_CCM:
|
|
case GCRY_CIPHER_MODE_XTS:
|
|
case GCRY_CIPHER_MODE_AESWRAP:
|
|
- return GPG_ERR_NO_ERROR;
|
|
- default:
|
|
- return GPG_ERR_NOT_SUPPORTED;
|
|
+ return 0;
|
|
+ case GCRY_CIPHER_MODE_NONE:
|
|
+ case GCRY_CIPHER_MODE_STREAM:
|
|
+ case GCRY_CIPHER_MODE_GCM:
|
|
+ case GCRY_CIPHER_MODE_POLY1305:
|
|
+ case GCRY_CIPHER_MODE_OCB:
|
|
+ case GCRY_CIPHER_MODE_EAX:
|
|
+ case GCRY_CIPHER_MODE_SIV:
|
|
+ case GCRY_CIPHER_MODE_GCM_SIV:
|
|
+ break;
|
|
}
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+}
|
|
+
|
|
+
|
|
+/* This is similar to cipher_modes_fips_compliance but only for the
|
|
+ * internal modes (i.e. CMAC). Return an error if the mode is
|
|
+ * non-FIPS compliant. */
|
|
+static gcry_err_code_t
|
|
+cipher_int_modes_fips_compliance (enum gcry_cipher_internal_modes mode)
|
|
+{
|
|
+ switch (mode)
|
|
+ {
|
|
+ case GCRY_CIPHER_MODE_INTERNAL:
|
|
+ break;
|
|
+ case GCRY_CIPHER_MODE_CMAC:
|
|
+ return 0;
|
|
+ }
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+}
|
|
+
|
|
+
|
|
+/* Return an error if the give cipher mode is non-FIPS compliant. The
|
|
+ * mode is not an enum here so that we can use it for real modes and
|
|
+ * for internal modes. */
|
|
+gcry_err_code_t
|
|
+_gcry_cipher_mode_fips_compliance (int mode)
|
|
+{
|
|
+ if (mode >= GCRY_CIPHER_MODE_INTERNAL)
|
|
+ return cipher_int_modes_fips_compliance (mode);
|
|
+ else
|
|
+ return cipher_modes_fips_compliance (mode);
|
|
}
|
|
|
|
|
|
--
|
|
2.49.0
|
|
|