File libgcrypt-FIPS-SLI-Add-behavior-not-to-reject-but-mark-non-compliant.patch of Package libgcrypt.37939
From a776b692669af7a6c089779989b626c4795e30b0 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 20 Dec 2024 13:36:12 +0900
Subject: [PATCH] fips,cipher: Add behavior not to reject but mark
non-compliant.
* cipher/dsa.c (dsa_check_keysize): Check reject flag for rejection,
or mark non-compliant in FIPS mode.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
* cipher/ecc.c (ecc_sign, ecc_verify): Likewise.
* cipher/pubkey.c (_gcry_pk_encrypt, _gcry_pk_sign): Likewise.
(_gcry_pk_verify, _gcry_pk_testkey, _gcry_pk_genkey): Likewise.
(_gcry_pk_get_nbits, _gcry_pk_get_curve): Likewise.
* src/visibility.c (gcry_pk_encrypt): Initialize the indicator.
(gcry_pk_decrypt, gcry_pk_sign, gcry_pk_verify): Likewise.
(gcry_pk_testkey, gcry_pk_genkey, gcry_pk_get_nbits)
(gcry_pk_get_curve): Likewise.
--
GnuPG-bug-id: 7338
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
cipher/dsa.c | 7 ++++-
cipher/ecc-ecdsa.c | 5 +++-
cipher/ecc.c | 10 +++++--
cipher/pubkey.c | 74 ++++++++++++++++++++++++++++++++++++++--------
src/visibility.c | 9 +++++-
5 files changed, 87 insertions(+), 18 deletions(-)
Index: libgcrypt-1.10.3/cipher/dsa.c
===================================================================
--- libgcrypt-1.10.3.orig/cipher/dsa.c
+++ libgcrypt-1.10.3/cipher/dsa.c
@@ -150,7 +150,12 @@ static gpg_err_code_t
dsa_check_keysize (unsigned int nbits)
{
if (fips_mode () && nbits < 2048)
- return GPG_ERR_INV_VALUE;
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ return GPG_ERR_INV_VALUE;
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
return 0;
}
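Review bot: `dsa_check_keysize` now returns 0 for keys under 2048 bits in FIPS mode whenever `GCRY_FIPS_FLAG_REJECT_PK` is not set, so a zero return no longer means the key size is approved, and nothing at the function says so. I would add a comment above the new block such as `/* Without GCRY_FIPS_FLAG_REJECT_PK a short key is accepted and only flagged through the service indicator; a caller that needs compliance must check the indicator, not just the return code. */`. How callers read the indicator is not visible in this hunk.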
Index: libgcrypt-1.10.3/cipher/ecc-ecdsa.c
===================================================================
--- libgcrypt-1.10.3.orig/cipher/ecc-ecdsa.c
+++ libgcrypt-1.10.3/cipher/ecc-ecdsa.c
@@ -110,7 +110,10 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
(hashalgo == GCRY_MD_SHAKE128
|| hashalgo == GCRY_MD_SHAKE256))
{
- rc = GPG_ERR_DIGEST_ALGO;
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ rc = GPG_ERR_DIGEST_ALGO;
+ else
+ fips_service_indicator_mark_non_compliant ();
goto leave;
}
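Review bot: The `goto leave;` that follows the new `if`/`else` is still unconditional, so the non-rejecting branch marks the indicator and then jumps to `leave` without computing a signature. If `rc` is still 0 at that point (its initialisation is outside the hunk), the caller gets a success return with no valid signature behind it. The jump should be confined to the rejecting branch, `{ rc = GPG_ERR_DIGEST_ALGO; goto leave; }`, so that the else branch falls through to the signing code. Both cipher/ecc.c hunks (`ecc_sign` and `ecc_verify`) have the same shape, and in `ecc_verify` it would mean a signature reported as good without being checked. The bodies of all three functions extend beyond their hunks.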
Index: libgcrypt-1.10.3/cipher/ecc.c
===================================================================
--- libgcrypt-1.10.3.orig/cipher/ecc.c
+++ libgcrypt-1.10.3/cipher/ecc.c
@@ -801,7 +801,10 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_
|| (ec->dialect == ECC_DIALECT_SAFECURVE
&& ctx.hash_algo != GCRY_MD_SHAKE256)))
{
- rc = GPG_ERR_DIGEST_ALGO;
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ rc = GPG_ERR_DIGEST_ALGO;
+ else
+ fips_service_indicator_mark_non_compliant ();
goto leave;
}
}
@@ -923,7 +926,10 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp
|| (ec->dialect == ECC_DIALECT_SAFECURVE
&& ctx.hash_algo != GCRY_MD_SHAKE256)))
{
- rc = GPG_ERR_DIGEST_ALGO;
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ rc = GPG_ERR_DIGEST_ALGO;
+ else
+ fips_service_indicator_mark_non_compliant ();
goto leave;
}
}
Index: libgcrypt-1.10.3/cipher/pubkey.c
===================================================================
--- libgcrypt-1.10.3.orig/cipher/pubkey.c
+++ libgcrypt-1.10.3/cipher/pubkey.c
@@ -327,7 +327,12 @@ _gcry_pk_encrypt (gcry_sexp_t *r_ciph, g
if (spec->flags.disabled)
rc = GPG_ERR_PUBKEY_ALGO;
else if (!spec->flags.fips && fips_mode ())
- rc = GPG_ERR_PUBKEY_ALGO;
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ rc = GPG_ERR_PUBKEY_ALGO;
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
else if (spec->encrypt)
rc = spec->encrypt (r_ciph, s_data, keyparms);
else
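Review bot: In the non-rejecting branch the new block only calls `fips_service_indicator_mark_non_compliant ()`; because it sits in the middle of the `else if` chain, `spec->encrypt` is never reached and `rc` keeps the value it had before the chain (presumably 0 from the earlier spec lookup, which is outside the hunk). The call would then report success without producing ciphertext. The `_gcry_pk_get_nbits` hunk further down shows the intended shape, where the else branch marks the indicator and then performs the operation; here that would be `else { fips_service_indicator_mark_non_compliant (); if (spec->encrypt) rc = spec->encrypt (r_ciph, s_data, keyparms); ... }`, keeping the existing not-implemented fallback for a missing handler. The `_gcry_pk_sign`, `_gcry_pk_verify` and `_gcry_pk_testkey` hunks have the same gap, and for `_gcry_pk_verify` the result would be a signature accepted without verification.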
@@ -440,7 +445,12 @@ _gcry_pk_sign (gcry_sexp_t *r_sig, gcry_
if (spec->flags.disabled)
rc = GPG_ERR_PUBKEY_ALGO;
else if (!spec->flags.fips && fips_mode ())
- rc = GPG_ERR_PUBKEY_ALGO;
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ rc = GPG_ERR_PUBKEY_ALGO;
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
else if (spec->sign)
rc = spec->sign (r_sig, s_hash, keyparms);
else
@@ -622,7 +632,12 @@ _gcry_pk_verify (gcry_sexp_t s_sig, gcry
if (spec->flags.disabled)
rc = GPG_ERR_PUBKEY_ALGO;
else if (!spec->flags.fips && fips_mode ())
- rc = GPG_ERR_PUBKEY_ALGO;
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ rc = GPG_ERR_PUBKEY_ALGO;
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
else if (spec->verify)
rc = spec->verify (s_sig, s_hash, keyparms);
else
@@ -701,7 +716,12 @@ _gcry_pk_testkey (gcry_sexp_t s_key)
if (spec->flags.disabled)
rc = GPG_ERR_PUBKEY_ALGO;
else if (!spec->flags.fips && fips_mode ())
- rc = GPG_ERR_PUBKEY_ALGO;
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ rc = GPG_ERR_PUBKEY_ALGO;
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
else if (spec->check_secret_key)
rc = spec->check_secret_key (keyparms);
else
@@ -784,11 +804,21 @@ _gcry_pk_genkey (gcry_sexp_t *r_key, gcr
spec = spec_from_name (name);
xfree (name);
name = NULL;
- if (!spec || spec->flags.disabled || (!spec->flags.fips && fips_mode ()))
+ if (!spec || spec->flags.disabled)
{
rc = GPG_ERR_PUBKEY_ALGO; /* Unknown algorithm. */
goto leave;
}
+ else if (!spec->flags.fips && fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ {
+ rc = GPG_ERR_PUBKEY_ALGO;
+ goto leave;
+ }
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
if (spec->generate)
rc = spec->generate (list, r_key);
@@ -824,12 +854,22 @@ _gcry_pk_get_nbits (gcry_sexp_t key)
if (spec_from_sexp (key, 0, &spec, &parms))
return 0; /* Error - 0 is a suitable indication for that. */
+
if (spec->flags.disabled)
- return 0;
- if (!spec->flags.fips && fips_mode ())
- return 0;
+ nbits = 0; /* Error */
+ else if (!spec->flags.fips && fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ nbits = 0; /* Error */
+ else
+ {
+ fips_service_indicator_mark_non_compliant ();
+ nbits = spec->get_nbits (parms);
+ }
+ }
+ else
+ nbits = spec->get_nbits (parms);
- nbits = spec->get_nbits (parms);
sexp_release (parms);
return nbits;
}
@@ -962,10 +1002,18 @@ _gcry_pk_get_curve (gcry_sexp_t key, int
}
if (spec->flags.disabled)
- return NULL;
- if (!spec->flags.fips && fips_mode ())
- return NULL;
- if (spec->get_curve)
+ result = NULL;
+ else if (!spec->flags.fips && fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ result = NULL;
+ else
+ {
+ fips_service_indicator_mark_non_compliant ();
+ result = spec->get_curve (keyparms, iterator, r_nbits);
+ }
+ }
+ else if (spec->get_curve)
result = spec->get_curve (keyparms, iterator, r_nbits);
sexp_release (keyparms);
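Review bot: The non-rejecting branch calls `spec->get_curve (keyparms, iterator, r_nbits)` without the NULL check that the final `else if (spec->get_curve)` applies to the same pointer. That branch is only reached for specs with `flags.fips` unset, and if any of those leaves `get_curve` unset (the spec tables are outside this diff) the call goes through a NULL function pointer. Guarding it the same way, `if (spec->get_curve) result = spec->get_curve (keyparms, iterator, r_nbits);`, keeps the two paths consistent. The added `spec->get_nbits (parms)` call in the `_gcry_pk_get_nbits` hunk is unguarded as well, though there it matches the line it replaces.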
Index: libgcrypt-1.10.3/src/visibility.c
===================================================================
--- libgcrypt-1.10.3.orig/src/visibility.c
+++ libgcrypt-1.10.3/src/visibility.c
@@ -1006,6 +1006,7 @@ gcry_pk_encrypt (gcry_sexp_t *result, gc
*result = NULL;
return gpg_error (fips_not_operational ());
}
+ fips_service_indicator_init ();
return gpg_error (_gcry_pk_encrypt (result, data, pkey));
}
@@ -1017,6 +1018,7 @@ gcry_pk_decrypt (gcry_sexp_t *result, gc
*result = NULL;
return gpg_error (fips_not_operational ());
}
+ fips_service_indicator_init ();
return gpg_error (_gcry_pk_decrypt (result, data, skey));
}
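Review bot: `gcry_pk_decrypt` now resets the service indicator, but no hunk in cipher/pubkey.c touches `_gcry_pk_decrypt` and the commit message does not list it. If that function still returns an error for non-FIPS algorithms unconditionally, decryption is the one public-key entry point that ignores `GCRY_FIPS_FLAG_REJECT_PK`; that fails closed, but it deserves either a matching change or a comment stating that the difference is intended.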
@@ -1028,6 +1030,7 @@ gcry_pk_sign (gcry_sexp_t *result, gcry_
*result = NULL;
return gpg_error (fips_not_operational ());
}
+ fips_service_indicator_init ();
return gpg_error (_gcry_pk_sign (result, data, skey));
}
@@ -1049,6 +1052,7 @@ gcry_pk_verify (gcry_sexp_t sigval, gcry
{
if (!fips_is_operational ())
return gpg_error (fips_not_operational ());
+ fips_service_indicator_init ();
return gpg_error (_gcry_pk_verify (sigval, data, pkey));
}
@@ -1073,6 +1077,7 @@ gcry_pk_testkey (gcry_sexp_t key)
{
if (!fips_is_operational ())
return gpg_error (fips_not_operational ());
+ fips_service_indicator_init ();
return gpg_error (_gcry_pk_testkey (key));
}
@@ -1084,6 +1089,7 @@ gcry_pk_genkey (gcry_sexp_t *r_key, gcry
*r_key = NULL;
return gpg_error (fips_not_operational ());
}
+ fips_service_indicator_init ();
return gpg_error (_gcry_pk_genkey (r_key, s_parms));
}
@@ -1122,7 +1128,7 @@ gcry_pk_get_nbits (gcry_sexp_t key)
(void)fips_not_operational ();
return 0;
}
-
+ fips_service_indicator_init ();
return _gcry_pk_get_nbits (key);
}
@@ -1145,6 +1151,7 @@ gcry_pk_get_curve (gcry_sexp_t key, int
(void)fips_not_operational ();
return NULL;
}
+ fips_service_indicator_init ();
return _gcry_pk_get_curve (key, iterator, r_nbits);
}