File libgcrypt-FIPS-SLI-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-.patch of Package libgcrypt.38414
From 608ff4b2261e2d8961f0ef4189e74b1173b2802c Mon Sep 17 00:00:00 2001
From: Lucas Mulling <lucas.mulling@suse.com>
Date: Sun, 2 Feb 2025 12:58:21 -0300
Subject: [PATCH 2/2] cipher: Don't differentiate GCRY_CIPHER_MODE_CMAC in FIPS
mode.
* cipher/cipher.c (_gcry_cipher_mode_fips_compliance): Allow
GCRY_CIPHER_MODE_CMAC in fips mode.
* cipher/cipher.c (cipher_modes_fips_compliance)
(cipher_int_modes_fips_compliance): New.
--
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
Added some comments, changed scope of the new functions and shorted
their names. Also added restructured the switch and added all other
modes.
Signed-off-by: Werner Koch <wk@gnupg.org>
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
cipher/cipher.c | 49 ++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 44 insertions(+), 5 deletions(-)
diff --git a/cipher/cipher.c b/cipher/cipher.c
index 3b7970b3..fc130907 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -505,8 +505,9 @@ _gcry_cipher_open (gcry_cipher_hd_t *handle,
}
-gcry_err_code_t
-_gcry_cipher_mode_fips_compliance (enum gcry_cipher_modes mode)
+/* Return an error if the give cipher mode is non-FIPS compliant. */
+static gcry_err_code_t
+cipher_modes_fips_compliance (enum gcry_cipher_modes mode)
{
switch (mode)
{
@@ -519,10 +520,48 @@ _gcry_cipher_mode_fips_compliance (enum gcry_cipher_modes mode)
case GCRY_CIPHER_MODE_CCM:
case GCRY_CIPHER_MODE_XTS:
case GCRY_CIPHER_MODE_AESWRAP:
- return GPG_ERR_NO_ERROR;
- default:
- return GPG_ERR_NOT_SUPPORTED;
+ return 0;
+ case GCRY_CIPHER_MODE_NONE:
+ case GCRY_CIPHER_MODE_STREAM:
+ case GCRY_CIPHER_MODE_GCM:
+ case GCRY_CIPHER_MODE_POLY1305:
+ case GCRY_CIPHER_MODE_OCB:
+ case GCRY_CIPHER_MODE_EAX:
+ case GCRY_CIPHER_MODE_SIV:
+ case GCRY_CIPHER_MODE_GCM_SIV:
+ break;
}
+ return GPG_ERR_NOT_SUPPORTED;
+}
+
+
+/* This is similar to cipher_modes_fips_compliance but only for the
+ * internal modes (i.e. CMAC). Return an error if the mode is
+ * non-FIPS compliant. */
+static gcry_err_code_t
+cipher_int_modes_fips_compliance (enum gcry_cipher_internal_modes mode)
+{
+ switch (mode)
+ {
+ case GCRY_CIPHER_MODE_INTERNAL:
+ break;
+ case GCRY_CIPHER_MODE_CMAC:
+ return 0;
+ }
+ return GPG_ERR_NOT_SUPPORTED;
+}
+
+
+/* Return an error if the give cipher mode is non-FIPS compliant. The
+ * mode is not an enum here so that we can use it for real modes and
+ * for internal modes. */
+gcry_err_code_t
+_gcry_cipher_mode_fips_compliance (int mode)
+{
+ if (mode >= GCRY_CIPHER_MODE_INTERNAL)
+ return cipher_int_modes_fips_compliance (mode);
+ else
+ return cipher_modes_fips_compliance (mode);
}
--
2.48.1
