c25b02784b
- FIPS changes (from Fedora): - replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by libgcrypt-1.6.1-fips-cfgrandom.patch - libgcrypt-fixed-sizet.patch: fixed an int type for -flto - libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary - libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests OBS-URL: https://build.opensuse.org/request/show/227791 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=46
217 lines
8.1 KiB
Diff
217 lines
8.1 KiB
Diff
diff -urNp libgcrypt-1.5.3.orig/cipher/cipher.c libgcrypt-1.5.3/cipher/cipher.c
|
||
--- libgcrypt-1.5.3.orig/cipher/cipher.c 2013-08-14 02:41:07.967316255 +0200
|
||
+++ libgcrypt-1.5.3/cipher/cipher.c 2013-08-14 03:11:19.403611811 +0200
|
||
@@ -293,6 +293,15 @@ dummy_decrypt_stream (void *c,
|
||
BUG();
|
||
}
|
||
|
||
+/* Re-Register default cipher listing */
|
||
+void
|
||
+cipher_reregister_default(void)
|
||
+{
|
||
+ ath_mutex_lock (&ciphers_registered_lock);
|
||
+ default_ciphers_registered = 0;
|
||
+ ath_mutex_unlock (&ciphers_registered_lock);
|
||
+}
|
||
+
|
||
|
||
/* Internal function. Register all the ciphers included in
|
||
CIPHER_TABLE. Note, that this function gets only used by the macro
|
||
@@ -316,7 +325,8 @@ cipher_register_default (void)
|
||
if (! cipher_table[i].cipher->stdecrypt)
|
||
cipher_table[i].cipher->stdecrypt = dummy_decrypt_stream;
|
||
|
||
- if ( fips_mode () && !cipher_table[i].fips_allowed )
|
||
+ if ( !_gcry_is_fips_mode_inactive() &&
|
||
+ fips_mode () && !cipher_table[i].fips_allowed )
|
||
continue;
|
||
|
||
err = _gcry_module_add (&ciphers_registered,
|
||
diff -urNp libgcrypt-1.5.3.orig/cipher/md.c libgcrypt-1.5.3/cipher/md.c
|
||
--- libgcrypt-1.5.3.orig/cipher/md.c 2013-08-14 02:41:07.968316245 +0200
|
||
+++ libgcrypt-1.5.3/cipher/md.c 2013-08-14 03:20:04.269937326 +0200
|
||
@@ -168,7 +168,14 @@ static void md_start_debug ( gcry_md_hd_
|
||
static void md_stop_debug ( gcry_md_hd_t a );
|
||
|
||
|
||
-
|
||
+/* Re-Register default digest listing */
|
||
+void
|
||
+digest_reregister_default(void)
|
||
+{
|
||
+ ath_mutex_lock (&digests_registered_lock);
|
||
+ default_digests_registered = 0;
|
||
+ ath_mutex_unlock (&digests_registered_lock);
|
||
+}
|
||
|
||
/* Internal function. Register all the ciphers included in
|
||
CIPHER_TABLE. Returns zero on success or an error code. */
|
||
@@ -180,7 +187,8 @@ md_register_default (void)
|
||
|
||
for (i = 0; !err && digest_table[i].digest; i++)
|
||
{
|
||
- if ( fips_mode ())
|
||
+ if ( !_gcry_is_fips_mode_inactive() &&
|
||
+ fips_mode ())
|
||
{
|
||
if (!digest_table[i].fips_allowed)
|
||
continue;
|
||
diff -urNp libgcrypt-1.5.3.orig/cipher/pubkey.c libgcrypt-1.5.3/cipher/pubkey.c
|
||
--- libgcrypt-1.5.3.orig/cipher/pubkey.c 2013-08-14 02:41:07.969316234 +0200
|
||
+++ libgcrypt-1.5.3/cipher/pubkey.c 2013-08-14 03:22:07.227878253 +0200
|
||
@@ -192,6 +192,15 @@ dummy_get_nbits (int algorithm, gcry_mpi
|
||
return 0;
|
||
}
|
||
|
||
+/* Re-Register default digest listing */
|
||
+void
|
||
+pk_reregister_default(void)
|
||
+{
|
||
+ ath_mutex_lock (&pubkeys_registered_lock);
|
||
+ default_pubkeys_registered = 0;
|
||
+ ath_mutex_unlock (&pubkeys_registered_lock);
|
||
+}
|
||
+
|
||
/* Internal function. Register all the pubkeys included in
|
||
PUBKEY_TABLE. Returns zero on success or an error code. */
|
||
static void
|
||
@@ -202,6 +211,10 @@ pk_register_default (void)
|
||
|
||
for (i = 0; (! err) && pubkey_table[i].pubkey; i++)
|
||
{
|
||
+ if ( !_gcry_is_fips_mode_inactive() &&
|
||
+ fips_mode () && !pubkey_table[i].fips_allowed )
|
||
+ continue;
|
||
+
|
||
#define pubkey_use_dummy(func) \
|
||
if (! pubkey_table[i].pubkey->func) \
|
||
pubkey_table[i].pubkey->func = dummy_##func;
|
||
diff -urNp libgcrypt-1.5.3.orig/doc/gcrypt.texi libgcrypt-1.5.3/doc/gcrypt.texi
|
||
--- libgcrypt-1.5.3.orig/doc/gcrypt.texi 2013-08-14 02:41:07.908316872 +0200
|
||
+++ libgcrypt-1.5.3/doc/gcrypt.texi 2013-08-14 03:43:51.808257657 +0200
|
||
@@ -844,6 +844,25 @@ This option may be used to disabale a ce
|
||
behaves as if this feature has not been detected. Note that the
|
||
detection code might be run if the feature has been disabled. This
|
||
command must be used at initialization time; i.e. before calling
|
||
+
|
||
+@item GCRYCTL_INACTIVATE_FIPS_FLAG; Arguments: const char *log
|
||
+Suspend FIPS mode which implies that all ciphers are again allowed to be used.
|
||
+Still, all operations around the FIPS 140-2 mode, such as the finite
|
||
+state model enforcement are still enforced. The idea of this mode
|
||
+is to allow the caller to implement legacy operations, such as
|
||
+decryption or signature verification of data that is already present
|
||
+using non-approved ciphers. After the legacy operation is completed,
|
||
+GCRYCTL_REACTIVATE_FIPS_FLAG should be invoked to limit the ciphers
|
||
+again. The argument allows the caller to provide a string that is logged.
|
||
+
|
||
+@item GCRYCTL_REACTIVATE_FIPS_FLAG; Arguments: const char *log
|
||
+Re-activate FIPS mode by limiting the allowed cipher listing to the
|
||
+approved ciphers. This call should be called immediately after the
|
||
+legacy operations that are made possible with
|
||
+@code{GCRYCTL_INACTIVATE_FIPS_FLAG} are completed. FIPS 140-2 self
|
||
+tests are invoked. The argument allows the caller to provide a
|
||
+string that is logged.
|
||
+
|
||
@code{gcry_check_version}.
|
||
|
||
@end table
|
||
Binärdateien libgcrypt-1.5.3.orig/doc/.gcrypt.texi.swp und libgcrypt-1.5.3/doc/.gcrypt.texi.swp sind verschieden.
|
||
diff -urNp libgcrypt-1.5.3.orig/src/fips.c libgcrypt-1.5.3/src/fips.c
|
||
--- libgcrypt-1.5.3.orig/src/fips.c 2013-08-14 02:41:07.943316506 +0200
|
||
+++ libgcrypt-1.5.3/src/fips.c 2013-08-14 03:33:47.600705208 +0200
|
||
@@ -307,6 +307,10 @@ _gcry_inactivate_fips_mode (const char *
|
||
{
|
||
inactive_fips_mode = 1;
|
||
unlock_fsm ();
|
||
+ /* enforce reloading of cipher list to allow use of all ciphers */
|
||
+ cipher_reregister_default();
|
||
+ digest_reregister_default();
|
||
+ pk_reregister_default();
|
||
#ifdef HAVE_SYSLOG
|
||
syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
|
||
"%s - FIPS mode inactivated", text);
|
||
@@ -316,6 +320,33 @@ _gcry_inactivate_fips_mode (const char *
|
||
unlock_fsm ();
|
||
}
|
||
|
||
+void
|
||
+_gcry_reactivate_fips_mode (const char *text)
|
||
+{
|
||
+ gcry_assert (_gcry_fips_mode ());
|
||
+
|
||
+ lock_fsm ();
|
||
+ if (inactive_fips_mode)
|
||
+ {
|
||
+ inactive_fips_mode = 0;
|
||
+ unlock_fsm ();
|
||
+ /* execute self test as there have been non-approved ciphers allowed
|
||
+ * to execute */
|
||
+ _gcry_fips_run_selftests(0);
|
||
+ /* enforce reloading of cipher list to only use FIPS ciphers */
|
||
+ cipher_reregister_default();
|
||
+ digest_reregister_default();
|
||
+ pk_reregister_default();
|
||
+#ifdef HAVE_SYSLOG
|
||
+ syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
|
||
+ "%s - FIPS mode activated", text);
|
||
+#endif /*HAVE_SYSLOG*/
|
||
+ }
|
||
+ else
|
||
+ unlock_fsm ();
|
||
+
|
||
+}
|
||
+
|
||
|
||
/* Return the FIPS mode inactive flag. If it is true the FIPS mode is
|
||
not anymore active. */
|
||
diff -urNp libgcrypt-1.5.3.orig/src/g10lib.h libgcrypt-1.5.3/src/g10lib.h
|
||
--- libgcrypt-1.5.3.orig/src/g10lib.h 2013-08-14 02:41:07.941316527 +0200
|
||
+++ libgcrypt-1.5.3/src/g10lib.h 2013-08-14 03:25:29.836347533 +0200
|
||
@@ -329,8 +329,11 @@ int _gcry_enforced_fips_mode (void);
|
||
void _gcry_set_enforced_fips_mode (void);
|
||
|
||
void _gcry_inactivate_fips_mode (const char *text);
|
||
+void _gcry_reactivate_fips_mode (const char *text);
|
||
int _gcry_is_fips_mode_inactive (void);
|
||
-
|
||
+void cipher_reregister_default(void);
|
||
+void digest_reregister_default(void);
|
||
+void pk_reregister_default(void);
|
||
|
||
void _gcry_fips_signal_error (const char *srcfile,
|
||
int srcline,
|
||
diff -urNp libgcrypt-1.5.3.orig/src/gcrypt.h libgcrypt-1.5.3/src/gcrypt.h
|
||
--- libgcrypt-1.5.3.orig/src/gcrypt.h.in 2013-08-14 02:41:07.942316516 +0200
|
||
+++ libgcrypt-1.5.3/src/gcrypt.h.in 2013-08-14 02:58:13.304374921 +0200
|
||
@@ -423,7 +423,9 @@ enum gcry_ctl_cmds
|
||
GCRYCTL_SELFTEST = 57,
|
||
/* Note: 58 .. 62 are used internally. */
|
||
GCRYCTL_DISABLE_HWF = 63,
|
||
- GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64
|
||
+ GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64,
|
||
+ GCRYCTL_INACTIVATE_FIPS_FLAG = 65,
|
||
+ GCRYCTL_REACTIVATE_FIPS_FLAG = 66
|
||
};
|
||
|
||
/* Perform various operations defined by CMD. */
|
||
diff -urNp libgcrypt-1.5.3.orig/src/global.c libgcrypt-1.5.3/src/global.c
|
||
--- libgcrypt-1.5.3.orig/src/global.c 2013-08-14 02:41:07.943316506 +0200
|
||
+++ libgcrypt-1.5.3/src/global.c 2013-08-15 23:40:34.233497710 +0200
|
||
@@ -609,6 +609,16 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
||
err = GPG_ERR_GENERAL;
|
||
break;
|
||
|
||
+ case GCRYCTL_INACTIVATE_FIPS_FLAG:
|
||
+ log_info ("FIPS mode enabled but allow all approved and non-approved ciphers\n");
|
||
+ _gcry_inactivate_fips_mode (va_arg (arg_ptr, const char *));
|
||
+ break;
|
||
+
|
||
+ case GCRYCTL_REACTIVATE_FIPS_FLAG:
|
||
+ log_info ("FIPS mode enabled and limit ciphers to approved ciphers\n");
|
||
+ _gcry_reactivate_fips_mode (va_arg (arg_ptr, const char *));
|
||
+ break;
|
||
+
|
||
default:
|
||
err = GPG_ERR_INV_OP;
|
||
}
|