testing/libgcrypt
SHA256
3
0
Fork 0
forked from pool/libgcrypt
Code Pull Requests Activity
62320f7e7e
libgcrypt/libgcrypt-fips-allow-legacy.patch

217 lines
8.1 KiB
Diff
Raw Normal View History

Accepting request 227791 from home:msmeissn:branches:devel:libraries:c_c++ - FIPS changes (from Fedora): - replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by libgcrypt-1.6.1-fips-cfgrandom.patch - libgcrypt-fixed-sizet.patch: fixed an int type for -flto - libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary - libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests OBS-URL: https://build.opensuse.org/request/show/227791 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=46
2014-03-31 09:35:35 +02:00
diff -urNp libgcrypt-1.5.3.orig/cipher/cipher.c libgcrypt-1.5.3/cipher/cipher.c
--- libgcrypt-1.5.3.orig/cipher/cipher.c 2013-08-14 02:41:07.967316255 +0200
+++ libgcrypt-1.5.3/cipher/cipher.c 2013-08-14 03:11:19.403611811 +0200
@@ -293,6 +293,15 @@ dummy_decrypt_stream (void *c,
BUG();
}
+/* Re-Register default cipher listing */
+void
+cipher_reregister_default(void)
+{
+ ath_mutex_lock (&ciphers_registered_lock);
+ default_ciphers_registered = 0;
+ ath_mutex_unlock (&ciphers_registered_lock);
+}
+
/* Internal function. Register all the ciphers included in
CIPHER_TABLE. Note, that this function gets only used by the macro
@@ -316,7 +325,8 @@ cipher_register_default (void)
if (! cipher_table[i].cipher->stdecrypt)
cipher_table[i].cipher->stdecrypt = dummy_decrypt_stream;
- if ( fips_mode () && !cipher_table[i].fips_allowed )
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode () && !cipher_table[i].fips_allowed )
continue;
err = _gcry_module_add (&ciphers_registered,
diff -urNp libgcrypt-1.5.3.orig/cipher/md.c libgcrypt-1.5.3/cipher/md.c
--- libgcrypt-1.5.3.orig/cipher/md.c 2013-08-14 02:41:07.968316245 +0200
+++ libgcrypt-1.5.3/cipher/md.c 2013-08-14 03:20:04.269937326 +0200
@@ -168,7 +168,14 @@ static void md_start_debug ( gcry_md_hd_
static void md_stop_debug ( gcry_md_hd_t a );
-
+/* Re-Register default digest listing */
+void
+digest_reregister_default(void)
+{
+ ath_mutex_lock (&digests_registered_lock);
+ default_digests_registered = 0;
+ ath_mutex_unlock (&digests_registered_lock);
+}
/* Internal function. Register all the ciphers included in
CIPHER_TABLE. Returns zero on success or an error code. */
@@ -180,7 +187,8 @@ md_register_default (void)
for (i = 0; !err && digest_table[i].digest; i++)
{
- if ( fips_mode ())
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode ())
{
if (!digest_table[i].fips_allowed)
continue;
diff -urNp libgcrypt-1.5.3.orig/cipher/pubkey.c libgcrypt-1.5.3/cipher/pubkey.c
--- libgcrypt-1.5.3.orig/cipher/pubkey.c 2013-08-14 02:41:07.969316234 +0200
+++ libgcrypt-1.5.3/cipher/pubkey.c 2013-08-14 03:22:07.227878253 +0200
@@ -192,6 +192,15 @@ dummy_get_nbits (int algorithm, gcry_mpi
return 0;
}
+/* Re-Register default digest listing */
+void
+pk_reregister_default(void)
+{
+ ath_mutex_lock (&pubkeys_registered_lock);
+ default_pubkeys_registered = 0;
+ ath_mutex_unlock (&pubkeys_registered_lock);
+}
+
/* Internal function. Register all the pubkeys included in
PUBKEY_TABLE. Returns zero on success or an error code. */
static void
@@ -202,6 +211,10 @@ pk_register_default (void)
for (i = 0; (! err) && pubkey_table[i].pubkey; i++)
{
+ if ( !_gcry_is_fips_mode_inactive() &&
+ fips_mode () && !pubkey_table[i].fips_allowed )
+ continue;
+
#define pubkey_use_dummy(func) \
if (! pubkey_table[i].pubkey->func) \
pubkey_table[i].pubkey->func = dummy_##func;
diff -urNp libgcrypt-1.5.3.orig/doc/gcrypt.texi libgcrypt-1.5.3/doc/gcrypt.texi
--- libgcrypt-1.5.3.orig/doc/gcrypt.texi 2013-08-14 02:41:07.908316872 +0200
+++ libgcrypt-1.5.3/doc/gcrypt.texi 2013-08-14 03:43:51.808257657 +0200
@@ -844,6 +844,25 @@ This option may be used to disabale a ce
behaves as if this feature has not been detected. Note that the
detection code might be run if the feature has been disabled. This
command must be used at initialization time; i.e. before calling
+
+@item GCRYCTL_INACTIVATE_FIPS_FLAG; Arguments: const char *log
+Suspend FIPS mode which implies that all ciphers are again allowed to be used.
+Still, all operations around the FIPS 140-2 mode, such as the finite
+state model enforcement are still enforced. The idea of this mode
+is to allow the caller to implement legacy operations, such as
+decryption or signature verification of data that is already present
+using non-approved ciphers. After the legacy operation is completed,
+GCRYCTL_REACTIVATE_FIPS_FLAG should be invoked to limit the ciphers
+again. The argument allows the caller to provide a string that is logged.
+
+@item GCRYCTL_REACTIVATE_FIPS_FLAG; Arguments: const char *log
+Re-activate FIPS mode by limiting the allowed cipher listing to the
+approved ciphers. This call should be called immediately after the
+legacy operations that are made possible with
+@code{GCRYCTL_INACTIVATE_FIPS_FLAG} are completed. FIPS 140-2 self
+tests are invoked. The argument allows the caller to provide a
+string that is logged.
+
@code{gcry_check_version}.
@end table
Binärdateien libgcrypt-1.5.3.orig/doc/.gcrypt.texi.swp und libgcrypt-1.5.3/doc/.gcrypt.texi.swp sind verschieden.
diff -urNp libgcrypt-1.5.3.orig/src/fips.c libgcrypt-1.5.3/src/fips.c
--- libgcrypt-1.5.3.orig/src/fips.c 2013-08-14 02:41:07.943316506 +0200
+++ libgcrypt-1.5.3/src/fips.c 2013-08-14 03:33:47.600705208 +0200
@@ -307,6 +307,10 @@ _gcry_inactivate_fips_mode (const char *
{
inactive_fips_mode = 1;
unlock_fsm ();
+ /* enforce reloading of cipher list to allow use of all ciphers */
+ cipher_reregister_default();
+ digest_reregister_default();
+ pk_reregister_default();
#ifdef HAVE_SYSLOG
syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
"%s - FIPS mode inactivated", text);
@@ -316,6 +320,33 @@ _gcry_inactivate_fips_mode (const char *
unlock_fsm ();
}
+void
+_gcry_reactivate_fips_mode (const char *text)
+{
+ gcry_assert (_gcry_fips_mode ());
+
+ lock_fsm ();
+ if (inactive_fips_mode)
+ {
+ inactive_fips_mode = 0;
+ unlock_fsm ();
+ /* execute self test as there have been non-approved ciphers allowed
+ * to execute */
+ _gcry_fips_run_selftests(0);
+ /* enforce reloading of cipher list to only use FIPS ciphers */
+ cipher_reregister_default();
+ digest_reregister_default();
+ pk_reregister_default();
+#ifdef HAVE_SYSLOG
+ syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
+ "%s - FIPS mode activated", text);
+#endif /*HAVE_SYSLOG*/
+ }
+ else
+ unlock_fsm ();
+
+}
+
/* Return the FIPS mode inactive flag. If it is true the FIPS mode is
not anymore active. */
diff -urNp libgcrypt-1.5.3.orig/src/g10lib.h libgcrypt-1.5.3/src/g10lib.h
--- libgcrypt-1.5.3.orig/src/g10lib.h 2013-08-14 02:41:07.941316527 +0200
+++ libgcrypt-1.5.3/src/g10lib.h 2013-08-14 03:25:29.836347533 +0200
@@ -329,8 +329,11 @@ int _gcry_enforced_fips_mode (void);
void _gcry_set_enforced_fips_mode (void);
void _gcry_inactivate_fips_mode (const char *text);
+void _gcry_reactivate_fips_mode (const char *text);
int _gcry_is_fips_mode_inactive (void);
-
+void cipher_reregister_default(void);
+void digest_reregister_default(void);
+void pk_reregister_default(void);
void _gcry_fips_signal_error (const char *srcfile,
int srcline,
diff -urNp libgcrypt-1.5.3.orig/src/gcrypt.h libgcrypt-1.5.3/src/gcrypt.h
--- libgcrypt-1.5.3.orig/src/gcrypt.h.in 2013-08-14 02:41:07.942316516 +0200
+++ libgcrypt-1.5.3/src/gcrypt.h.in 2013-08-14 02:58:13.304374921 +0200
@@ -423,7 +423,9 @@ enum gcry_ctl_cmds
GCRYCTL_SELFTEST = 57,
/* Note: 58 .. 62 are used internally. */
GCRYCTL_DISABLE_HWF = 63,
- GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64
+ GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64,
+ GCRYCTL_INACTIVATE_FIPS_FLAG = 65,
+ GCRYCTL_REACTIVATE_FIPS_FLAG = 66
};
/* Perform various operations defined by CMD. */
diff -urNp libgcrypt-1.5.3.orig/src/global.c libgcrypt-1.5.3/src/global.c
--- libgcrypt-1.5.3.orig/src/global.c 2013-08-14 02:41:07.943316506 +0200
+++ libgcrypt-1.5.3/src/global.c 2013-08-15 23:40:34.233497710 +0200
@@ -609,6 +609,16 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
err = GPG_ERR_GENERAL;
break;
+ case GCRYCTL_INACTIVATE_FIPS_FLAG:
+ log_info ("FIPS mode enabled but allow all approved and non-approved ciphers\n");
+ _gcry_inactivate_fips_mode (va_arg (arg_ptr, const char *));
+ break;
+
+ case GCRYCTL_REACTIVATE_FIPS_FLAG:
+ log_info ("FIPS mode enabled and limit ciphers to approved ciphers\n");
+ _gcry_reactivate_fips_mode (va_arg (arg_ptr, const char *));
+ break;
+
default:
err = GPG_ERR_INV_OP;
}
Copy Permalink