File skip-GCM-for-FIPS.patch of Package libgcrypt.openSUSE_Leap_42.1_Update

From bb35f855a9eca3171abed6848d29a95c85a68ffa Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 24 Sep 2014 17:59:26 +0200
Subject: [PATCH 4/6] skip GCM for FIPS

---
 cipher/cipher.c   | 5 ++++-
 cipher/mac-gmac.c | 3 ++-
 src/global.c      | 3 ++-
 tests/basic.c     | 6 ++++++
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/cipher/cipher.c b/cipher/cipher.c
index f0a7973..ac59922 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -799,7 +799,10 @@ cipher_encrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
       break;
 
     case GCRY_CIPHER_MODE_GCM:
-      rc = _gcry_cipher_gcm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
+      if (fips_mode ())
+          rc = GPG_ERR_INV_CIPHER_MODE;
+      else
+          rc = _gcry_cipher_gcm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
       break;
 
     case GCRY_CIPHER_MODE_STREAM:
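Review bot: The FIPS check is added only on the GCM encrypt dispatch in `cipher_encrypt`. The diffstat shows this is the sole change to cipher/cipher.c, so the GCM decrypt dispatch and the IV/AAD/tag entry points presumably stay reachable in FIPS mode unless they are gated somewhere not shown. A handle can apparently still be opened with `GCRY_CIPHER_MODE_GCM` and only fails at the first encrypt call; rejecting the mode where the handle is opened would fail closed for every operation at once. The two added `rc = ...` lines are also indented four columns under the `if`/`else`, where the surrounding code suggests two. `cipher_encrypt` starts and ends outside the hunk.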
diff --git a/cipher/mac-gmac.c b/cipher/mac-gmac.c
index 18d56b5..63cffe5 100644
--- a/cipher/mac-gmac.c
+++ b/cipher/mac-gmac.c
@@ -155,7 +155,8 @@ static gcry_mac_spec_ops_t gmac_ops = {
 
 #if USE_AES
 gcry_mac_spec_t _gcry_mac_type_spec_gmac_aes = {
-  GCRY_MAC_GMAC_AES, {0, 1}, "GMAC_AES",
+  /* uses GCM so not available for FIPS at this point */
+  GCRY_MAC_GMAC_AES, {0, 0}, "GMAC_AES",
   &gmac_ops
 };
 #endif
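Review bot: The positional initializer `{0, 0}` does not say which field is the FIPS flag, and the comment's "at this point" gives no condition under which the flag could be set again. A comment such as `/* second flag = FIPS-approved; cleared because GMAC is built on GCM, which this patch disables in FIPS mode */` would make the intent checkable against the cipher.c change. Only the AES spec is visible here, so whether other GMAC specs in the file need the same treatment cannot be told from this hunk.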
diff --git a/src/global.c b/src/global.c
index 2e5439b..91ee862 100644
--- a/src/global.c
+++ b/src/global.c
@@ -389,7 +389,8 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
 
     case GCRYCTL_DISABLE_SECMEM:
       global_init ();
-      no_secure_memory = 1;
+      if (!fips_mode ())
+        no_secure_memory = 1;
       break;
 
     case GCRYCTL_INIT_SECMEM:
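Review bot: In FIPS mode `GCRYCTL_DISABLE_SECMEM` is now ignored without any signal. The case still falls through to `break`, so the caller presumably sees success although secure memory stays enabled. The change is also unrelated to the subject "skip GCM for FIPS" and carries no comment. I would add `/* FIPS mode: secure memory must stay enabled, so the request is ignored. */` above the check, and decide explicitly whether the caller should get an error or a log line instead. `_gcry_vcontrol` starts and ends outside the hunk, so the return path is not visible.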
diff --git a/tests/basic.c b/tests/basic.c
index 8657936..f7e2005 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -1563,6 +1563,9 @@ _check_gcm_cipher (unsigned int step)
 static void
 check_gcm_cipher (void)
 {
+  /* GCM not available in FIPS mode */
+  if (in_fips_mode)
+    return;
   /* Large buffers, no splitting. */
   _check_gcm_cipher(0xffffffff);
   /* Split input to one byte buffers. */
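Review bot: Returning early from `check_gcm_cipher` when `in_fips_mode` is set leaves the new rejection path untested. Nothing asserts that a GCM encrypt really fails with `GPG_ERR_INV_CIPHER_MODE`, so a regression that re-enables GCM in FIPS mode would pass the suite. The skip added in `check_ciphers` in the next hunk has the same gap. Below is a sketch of a negative check in place of the bare `return`; it assumes the file's existing `fail` helper and should be adjusted if the mode is later rejected at open time. The body of `check_gcm_cipher` continues past the hunk.

```c
check_gcm_cipher (void)
{
  if (in_fips_mode)
    {
      /* GCM must be refused in FIPS mode; assert that instead of skipping. */
      static const char key[16];
      char buf[16] = { 0 };
      gcry_cipher_hd_t hd;
      gcry_error_t err;

      err = gcry_cipher_open (&hd, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_GCM, 0);
      if (!err)
        {
          err = gcry_cipher_setkey (hd, key, sizeof key);
          if (!err)
            err = gcry_cipher_encrypt (hd, buf, sizeof buf, NULL, 0);
          if (gpg_err_code (err) != GPG_ERR_INV_CIPHER_MODE)
            fail ("GCM encrypt not rejected in FIPS mode: %s\n",
                  gpg_strerror (err));
          gcry_cipher_close (hd);
        }
      return;
    }
  /* … unchanged: the _check_gcm_cipher calls … */
```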
@@ -3653,6 +3656,9 @@ check_ciphers (void)
       check_one_cipher (algos[i], GCRY_CIPHER_MODE_CBC, 0);
       check_one_cipher (algos[i], GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_CBC_CTS);
       check_one_cipher (algos[i], GCRY_CIPHER_MODE_CTR, 0);
+      /* GCM not available in FIPS mode */
+      if (in_fips_mode)
+        continue;
       if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN)
         check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0);
     }
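Review bot: The `continue` placed before the GCM check skips everything after it in the loop body, so any mode check later appended below GCM would silently stop running in FIPS mode. Folding the condition into the existing test keeps the skip local to GCM: `if (!in_fips_mode && gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN)`. The loop and `check_ciphers` begin outside the hunk.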
-- 
2.1.0
