
From c74fde0c3f6114c594332fb28a09c7b817969231 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 17 Sep 2021 17:11:30 +0200
Subject: [PATCH 187/200] Allow passing FIPS module version

* README: Document new --with-fips-module-version=version switch
* configure.ac: Implementation of the --with-fips-module-version
* src/global.c (print_config): Print FIPS module version from above
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Moved the module version to a 3rd field to keep the semantics of that
line.

Signed-off-by: Werner Koch <wk@gnupg.org>
GnuPG-bug-id: 1600
---
 README       |  4 ++++
 configure.ac |  7 +++++++
 src/global.c | 16 +++++++++++++---
 3 files changed, 24 insertions(+), 3 deletions(-)

Index: libgcrypt-1.9.4/README
===================================================================
--- libgcrypt-1.9.4.orig/README
+++ libgcrypt-1.9.4/README
@@ -165,6 +165,10 @@
                      against a HMAC checksum.  This works only in FIPS
                      mode and on systems providing the dladdr function.
 
+     --with-fips-module-version=version
+                     Specify a string used as a module version for FIPS
+                     certification purposes.
+
      --disable-padlock-support
                      Disable support for the PadLock engine of VIA
                      processors.  The default is to use PadLock if
Index: libgcrypt-1.9.4/configure.ac
===================================================================
--- libgcrypt-1.9.4.orig/configure.ac
+++ libgcrypt-1.9.4/configure.ac
@@ -599,6 +599,12 @@ if test "$use_hmac_binary_check" = yes ;
               [Define to support an HMAC based integrity check])
 fi
 
+# Implementation of the --with-fips-module-version.
+AC_ARG_WITH(fips-module-version,
+    [  --with-fips-module-version=VERSION],
+            fips_module_version="$withval", fips_module_version="" )
+AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
+                   [Define FIPS module version for certification])
 
 # Implementation of the --disable-jent-support switch.
 AC_MSG_CHECKING([whether jitter entropy support is requested])
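Review bot: The new AC_ARG_WITH stores `$withval` verbatim, so a bare `--with-fips-module-version` bakes the string "yes" into the library as the FIPS module version and `--without-fips-module-version` bakes in "no"; the value should be normalised to empty in those two cases before AC_DEFINE_UNQUOTED is reached. In addition, AC_DEFINE_UNQUOTED runs unconditionally, so FIPS_MODULE_VERSION is always defined (possibly as ""), which makes the `#ifdef FIPS_MODULE_VERSION` / `#else ""` fallback added in the src/global.c hunk dead code; defining the macro only when the string is non-empty keeps that `#ifdef` meaningful. The same edit would also give the option a proper help string via AS_HELP_STRING so it shows up aligned in `./configure --help`.
```m4
AC_ARG_WITH(fips-module-version,
    [AS_HELP_STRING([--with-fips-module-version=VERSION],
                    [string reported as the FIPS module version])],
    [fips_module_version="$withval"], [fips_module_version=""])
# A bare --with-… yields "yes" and --without-… yields "no"; neither is a version.
if test "x$fips_module_version" = xyes || test "x$fips_module_version" = xno; then
  fips_module_version=""
fi
if test -n "$fips_module_version"; then
  AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
                     [Define FIPS module version for certification])
fi
```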
@@ -3266,6 +3272,7 @@ GCRY_MSG_WRAP([Enabled pubkey algorithms
 GCRY_MSG_SHOW([Random number generator:  ],[$random])
 GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
 GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
+GCRY_MSG_SHOW([FIPS module version:      ],[$fips_module_version])
 GCRY_MSG_SHOW([Try using Padlock crypto: ],[$padlocksupport])
 GCRY_MSG_SHOW([Try using AES-NI crypto:  ],[$aesnisupport])
 GCRY_MSG_SHOW([Try using Intel SHAEXT:   ],[$shaextsupport])
Index: libgcrypt-1.9.4/src/global.c
===================================================================
--- libgcrypt-1.9.4.orig/src/global.c
+++ libgcrypt-1.9.4/src/global.c
@@ -379,10 +379,19 @@ print_config (const char *what, gpgrt_st
     {
       /* We use y/n instead of 1/0 for the stupid reason that
        * Emacsen's compile error parser would accidentally flag that
-       * line when printed during "make check" as an error.  */
-      gpgrt_fprintf (fp, "fips-mode:%c:%c:\n",
+       * line when printed during "make check" as an error.  The
+       * second field is obsolete and thus empty (used to be used for
+       * a so-called enforced-fips-mode).  The third field has an
+       * option static string describing the module versions; this is
+       * an optional configure option.  */
+      gpgrt_fprintf (fp, "fips-mode:%c::%s:\n",
                      fips_mode ()? 'y':'n',
-                     _gcry_enforced_fips_mode ()? 'y':'n' );
+#ifdef FIPS_MODULE_VERSION
+                     fips_mode () ? FIPS_MODULE_VERSION : ""
+#else
+                     ""
+#endif /* FIPS_MODULE_VERSION */
+                     );
     }
 
   if (!what || !strcmp (what, "rng-type"))
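Review bot: The rewritten comment above the gpgrt_fprintf call has a wording slip that will confuse anyone parsing the `fips-mode:` line: "The third field has an option static string describing the module versions" should read `* option static string` → `* optional static string describing the module version; it is set`, i.e. `* via a configure option and is empty when not configured.` It would also help consumers to state explicitly that the version is only emitted when fips_mode () is true, since the expression `fips_mode () ? FIPS_MODULE_VERSION : ""` otherwise reads as a surprising dependency for a build-time constant. The enclosing print_config function starts before and continues after this hunk.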