File skip-GCM-for-FIPS.patch of Package libgcrypt.665
From bb35f855a9eca3171abed6848d29a95c85a68ffa Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 24 Sep 2014 17:59:26 +0200
Subject: [PATCH 4/6] skip GCM for FIPS
---
cipher/cipher.c | 5 ++++-
cipher/mac-gmac.c | 3 ++-
src/global.c | 3 ++-
tests/basic.c | 6 ++++++
4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/cipher/cipher.c b/cipher/cipher.c
index f0a7973..ac59922 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -799,7 +799,10 @@ cipher_encrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
break;
case GCRY_CIPHER_MODE_GCM:
- rc = _gcry_cipher_gcm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
+ if (fips_mode ())
+ rc = GPG_ERR_INV_CIPHER_MODE;
+ else
+ rc = _gcry_cipher_gcm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
break;
case GCRY_CIPHER_MODE_STREAM:
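Review bot: The FIPS guard is added only to the GCM case of cipher_encrypt; the diffstat shows this as the only hunk in cipher/cipher.c, so the GCM branch of the decrypt path and the GCM-specific IV, AAD and tag entry points are not changed by this patch. Unless GCM is refused somewhere not visible here, a handle can still be opened in GCM mode under FIPS, and the caller learns of the restriction only when the first encrypt call fails. Rejecting the mode once when the handle is opened would cover every entry point; failing that, the GCM case of the decrypt switch should carry the same `if (fips_mode ()) rc = GPG_ERR_INV_CIPHER_MODE;` guard. cipher_encrypt's body starts and ends outside the hunk.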
diff --git a/cipher/mac-gmac.c b/cipher/mac-gmac.c
index 18d56b5..63cffe5 100644
--- a/cipher/mac-gmac.c
+++ b/cipher/mac-gmac.c
@@ -155,7 +155,8 @@ static gcry_mac_spec_ops_t gmac_ops = {
#if USE_AES
gcry_mac_spec_t _gcry_mac_type_spec_gmac_aes = {
- GCRY_MAC_GMAC_AES, {0, 1}, "GMAC_AES",
+ /* uses GCM so not available for FIPS at this point */
+ GCRY_MAC_GMAC_AES, {0, 0}, "GMAC_AES",
&gmac_ops
};
#endif
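Review bot: The comment on the GMAC_AES initializer does not say which of the two positional flags was cleared, nor what "at this point" is waiting for. Something like `/* flags: { disabled, fips }; GMAC is built on GCM, which is rejected in FIPS mode */` would make the `{0, 0}` readable, assuming the second field is the FIPS-approved flag as the change implies. The restriction also only takes effect if the MAC lookup or open path consults that flag in FIPS mode, which is not visible in this hunk.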
diff --git a/src/global.c b/src/global.c
index 2e5439b..91ee862 100644
--- a/src/global.c
+++ b/src/global.c
@@ -389,7 +389,8 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
case GCRYCTL_DISABLE_SECMEM:
global_init ();
- no_secure_memory = 1;
+ if (!fips_mode ())
+ no_secure_memory = 1;
break;
case GCRYCTL_INIT_SECMEM:
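Review bot: With this guard, GCRYCTL_DISABLE_SECMEM becomes a silent no-op in FIPS mode: `no_secure_memory` stays unset and nothing visible in the hunk tells the caller the request was ignored. Keeping secure memory enabled is the safe side, but the behaviour should be documented where it happens, for example `/* Secure memory cannot be disabled in FIPS mode; the request is ignored. */` above the `if`. Consider reporting an error to the caller if the rest of _gcry_vcontrol, which continues outside the hunk, allows it. The change is also unrelated to the subject "skip GCM for FIPS" and would be easier to audit as its own commit or with a line in the description.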
diff --git a/tests/basic.c b/tests/basic.c
index 8657936..f7e2005 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -1563,6 +1563,9 @@ _check_gcm_cipher (unsigned int step)
static void
check_gcm_cipher (void)
{
+ /* GCM not available in FIPS mode */
+ if (in_fips_mode)
+ return;
/* Large buffers, no splitting. */
_check_gcm_cipher(0xffffffff);
/* Split input to one byte buffers. */
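Review bot: Both tests/basic.c hunks (the early `return` here in check_gcm_cipher and the `continue` in the check_ciphers loop) skip GCM under FIPS instead of checking that it is refused, so nothing in the test file exercises the new guard in cipher_encrypt. A FIPS-mode branch that opens a GCM handle, attempts an encrypt and expects `GPG_ERR_INV_CIPHER_MODE` would catch a regression that quietly makes GCM reachable again. The skip is also silent; a line in the test's verbose output would make it visible in build logs. check_gcm_cipher's body continues outside the hunk.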
@@ -3653,6 +3656,9 @@ check_ciphers (void)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_CBC, 0);
check_one_cipher (algos[i], GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_CBC_CTS);
check_one_cipher (algos[i], GCRY_CIPHER_MODE_CTR, 0);
+ /* GCM not available in FIPS mode */
+ if (in_fips_mode)
+ continue;
if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN)
check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0);
}
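Review bot: The `continue` added in the check_ciphers loop skips everything after it in the loop body, so any mode check later appended below the GCM test would be dropped in FIPS mode as well without anyone noticing. Folding the condition into the existing test keeps the skip scoped to GCM: `if (!in_fips_mode && gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN)`. The loop header is outside the hunk.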
--
2.1.0