From c74fde0c3f6114c594332fb28a09c7b817969231 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 17 Sep 2021 17:11:30 +0200
Subject: [PATCH 187/200] Allow passing FIPS module version
* README: Document new --with-fips-module-version=version switch
* configure.ac: Implementation of the --with-fips-module-version
* src/global.c (print_config): Print FIPS module version from above
--
Signed-off-by: Jakub Jelen
Moved the module version to a 3rd field to keep the semantics of that line.
Signed-off-by: Werner Koch
GnuPG-bug-id: 1600
---
 README | 4 ++++
 configure.ac | 7 +++++++
 src/global.c | 16 +++++++++++++---
 3 files changed, 24 insertions(+), 3 deletions(-)
Index: libgcrypt-1.9.4/README
===================================================================
--- libgcrypt-1.9.4.orig/README
+++ libgcrypt-1.9.4/README
@@ -165,6 +165,10 @@ against a HMAC checksum. This works only
 in FIPS mode and on systems providing the dladdr function. + --with-fips-module-version=version Specify a string used as a module version for FIPS certification purposes. + --disable-padlock-support Disable support for the PadLock engine of VIA processors. The default is to use PadLock if
Index: libgcrypt-1.9.4/configure.ac
===================================================================
--- libgcrypt-1.9.4.orig/configure.ac
+++ libgcrypt-1.9.4/configure.ac
@@ -599,6 +599,12 @@ if test "$use_hmac_binary_check" = yes ;
 [Define to support an HMAC based integrity check])
 fi
+# Implementation of the --with-fips-module-version.
+AC_ARG_WITH(fips-module-version,
+ [ --with-fips-module-version=VERSION],
+ fips_module_version="$withval", fips_module_version="" )
+AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
+ [Define FIPS module version for certification])
 # Implementation of the --disable-jent-support switch.
 AC_MSG_CHECKING([whether jitter entropy support is requested])
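Review bot: `AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version", ...)` runs unconditionally, so FIPS_MODULE_VERSION is always defined (as `""` when the switch is omitted) and the `#ifdef FIPS_MODULE_VERSION` / `#else` fallback added in the src/global.c hunk can never take its `#else` branch. If the macro is meant to be absent when no version is given, guard the define: `if test -n "$fips_module_version"; then` / `AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version", [Define FIPS module version for certification])` / `fi`. The value is also spliced verbatim into a C string literal and, at runtime, into the colon-delimited `fips-mode:` record of print_config, so a version containing `"`, `\`, `:` or a newline breaks either the build or the record; an `AC_MSG_ERROR` rejecting such characters (or a sentence in README stating the restriction) would close that. As a style point, the help text would normally go through `AS_HELP_STRING` so it lines up with the neighbouring options in `./configure --help`.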
@@ -3266,6 +3272,7 @@ GCRY_MSG_WRAP([Enabled pubkey algorithms
 GCRY_MSG_SHOW([Random number generator: ],[$random])
 GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
 GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
+GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version])
 GCRY_MSG_SHOW([Try using Padlock crypto: ],[$padlocksupport])
 GCRY_MSG_SHOW([Try using AES-NI crypto: ],[$aesnisupport])
 GCRY_MSG_SHOW([Try using Intel SHAEXT: ],[$shaextsupport])
Index: libgcrypt-1.9.4/src/global.c
===================================================================
--- libgcrypt-1.9.4.orig/src/global.c
+++ libgcrypt-1.9.4/src/global.c
@@ -379,10 +379,19 @@ print_config (const char *what, gpgrt_st
 {
 /* We use y/n instead of 1/0 for the stupid reason that
 * Emacsen's compile error parser would accidentally flag that
- * line when printed during "make check" as an error. */
- gpgrt_fprintf (fp, "fips-mode:%c:%c:\n",
+ * line when printed during "make check" as an error. The
+ * second field is obsolete and thus empty (used to be used for
+ * a so-called enforced-fips-mode). The third field has an
+ * option static string describing the module versions; this is
+ * an optional configure option. */
+ gpgrt_fprintf (fp, "fips-mode:%c::%s:\n",
 fips_mode ()? 'y':'n',
- _gcry_enforced_fips_mode ()? 'y':'n' );
+#ifdef FIPS_MODULE_VERSION
+ fips_mode () ? FIPS_MODULE_VERSION : ""
+#else
+ ""
+#endif /* FIPS_MODULE_VERSION */
+ );
 }
 if (!what || !strcmp (what, "rng-type"))
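Review bot: The new comment describes the third field as an "option static string describing the module versions", which reads as a typo and also leaves out the visible condition that the string is emitted only when `fips_mode ()` is true; suggest `* an optional static string with the FIPS module version (set at configure time); it is printed only while in FIPS mode.` in its place. The `#ifdef` / `#else` / `#endif` sitting inside the argument list of `gpgrt_fprintf` is hard to read and easy to break when the call is edited; computing the value into a local such as `const char *modver = "";` above the call, assigning FIPS_MODULE_VERSION to it under the conditional, and passing `modver` would keep the call on one line with the same output. print_config starts before and continues after this hunk.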