libgcrypt/libgcrypt-FIPS-SLI-hash-mac.patch

Index: libgcrypt-1.10.2/doc/gcrypt.texi
===================================================================
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.2/doc/gcrypt.texi
@@ -985,13 +985,21 @@ certification. If the function is approv
 @code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
 Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
 
-Check if the given MAC is approved under the current FIPS 140-3
-certification. If the MAC is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+Check if the given HASH is approved under the current FIPS 140-3
+certification. If the HASH is approved, this function returns
+@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
 is returned.
 
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
+
+Check if the given MAC is approved under the current FIPS 140-3
+certification. The second parameter provides the keylen (if the
+algorithm supports different key sizes). If the MAC is approved,
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
+@code{GPG_ERR_NOT_SUPPORTED} is returned.
+
 @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
 
 Check if the given message digest algorithm is approved under the current
Index: libgcrypt-1.10.2/src/fips.c
===================================================================
--- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.2/src/fips.c
@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
     }
 }
 
-int
-_gcry_fips_indicator_mac (va_list arg_ptr)
-{
-  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
-
-  switch (alg)
-    {
-    case GCRY_MAC_CMAC_AES:
-    case GCRY_MAC_HMAC_SHA1:
-    case GCRY_MAC_HMAC_SHA224:
-    case GCRY_MAC_HMAC_SHA256:
-    case GCRY_MAC_HMAC_SHA384:
-    case GCRY_MAC_HMAC_SHA512:
-    case GCRY_MAC_HMAC_SHA512_224:
-    case GCRY_MAC_HMAC_SHA512_256:
-    case GCRY_MAC_HMAC_SHA3_224:
-    case GCRY_MAC_HMAC_SHA3_256:
-    case GCRY_MAC_HMAC_SHA3_384:
-    case GCRY_MAC_HMAC_SHA3_512:
-      return GPG_ERR_NO_ERROR;
-    default:
-      return GPG_ERR_NOT_SUPPORTED;
-    }
-}
-
 /* FIPS approved curves, extracted from:
  *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
 static const struct
@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a
   return GPG_ERR_NOT_SUPPORTED;
 }
 
+int
+_gcry_fips_indicator_hash (va_list arg_ptr)
+{
+  enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
+
+  switch (alg)
+    {
+    case GCRY_MD_SHA1:
+    case GCRY_MD_SHA224:
+    case GCRY_MD_SHA256:
+    case GCRY_MD_SHA384:
+    case GCRY_MD_SHA512:
+    case GCRY_MD_SHA512_224:
+    case GCRY_MD_SHA512_256:
+    case GCRY_MD_SHA3_224:
+    case GCRY_MD_SHA3_256:
+    case GCRY_MD_SHA3_384:
+    case GCRY_MD_SHA3_512:
+    case GCRY_MD_SHAKE128:
+    case GCRY_MD_SHAKE256:
+      return GPG_ERR_NO_ERROR;
+    default:
+      return GPG_ERR_NOT_SUPPORTED;
+    }
+}
+
+int
+_gcry_fips_indicator_mac (va_list arg_ptr)
+{
+  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+  unsigned int keylen = va_arg (arg_ptr, unsigned int);
+
+  switch (alg)
+    {
+    case GCRY_MAC_HMAC_SHA1:
+    case GCRY_MAC_HMAC_SHA224:
+    case GCRY_MAC_HMAC_SHA256:
+    case GCRY_MAC_HMAC_SHA384:
+    case GCRY_MAC_HMAC_SHA512:
+    case GCRY_MAC_HMAC_SHA512_224:
+    case GCRY_MAC_HMAC_SHA512_256:
+    case GCRY_MAC_HMAC_SHA3_224:
+    case GCRY_MAC_HMAC_SHA3_256:
+    case GCRY_MAC_HMAC_SHA3_384:
+    case GCRY_MAC_HMAC_SHA3_512:
+        if (keylen >= 112) {
+          return GPG_ERR_NO_ERROR;
+        }
+    case GCRY_MAC_CMAC_AES:
+        if (keylen == 128 || keylen == 192 || keylen == 256) {
+          return GPG_ERR_NO_ERROR;
+        }
+    default:
+      return GPG_ERR_NOT_SUPPORTED;
+    }
+}
 
 /* This is a test on whether the library is in the error or
    operational state. */
Index: libgcrypt-1.10.2/src/g10lib.h
===================================================================
--- libgcrypt-1.10.2.orig/src/g10lib.h
+++ libgcrypt-1.10.2/src/g10lib.h
@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char
 #endif
 
 int _gcry_fips_indicator_cipher (va_list arg_ptr);
+int _gcry_fips_indicator_hash (va_list arg_ptr);
 int _gcry_fips_indicator_mac (va_list arg_ptr);
 int _gcry_fips_indicator_md (va_list arg_ptr);
 int _gcry_fips_indicator_kdf (va_list arg_ptr);
Index: libgcrypt-1.10.2/src/gcrypt.h.in
===================================================================
--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
+++ libgcrypt-1.10.2/src/gcrypt.h.in
@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88,
+    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89
   };
 
 /* Perform various operations defined by CMD. */
Index: libgcrypt-1.10.2/src/global.c
===================================================================
--- libgcrypt-1.10.2.orig/src/global.c
+++ libgcrypt-1.10.2/src/global.c
@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
       rc = _gcry_fips_indicator_cipher (arg_ptr);
       break;
 
+    case GCRYCTL_FIPS_SERVICE_INDICATOR_HASH:
+      /* Get FIPS Service Indicator for a given HASH. Returns GPG_ERR_NO_ERROR
+       * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
+      rc = _gcry_fips_indicator_hash (arg_ptr);
+      break;
+
     case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
       /* Get FIPS Service Indicator for a given message authentication code.
        * Returns GPG_ERR_NO_ERROR if algorithm is allowed or