Hi,

Previous patch unintentionally differentiated GCRY_CIPHER_MODE_CMAC in FIPS mode. Attached is a patch to fix this. Also, following previous comments on this thread, implementation of _gcry_cipher_mode_fips_compliance was factored out to support enum gcry_cipher_modes and enum gcry_cipher_internal_modes.

Best,
Mülling
From 335297ad9b5c521bcdce958ba53143319a65ca5f Mon Sep 17 00:00:00 2001 From: Lucas Mulling <lucas.mull...@suse.com> Date: Sun, 2 Feb 2025 12:58:21 -0300 Subject: [PATCH] cipher: Don't differentiate GCRY_CIPHER_MODE_CMAC in FIPS mode * cipher/cipher.c (_gcry_cipher_mode_fips_compliance): Allow GCRY_CIPHER_MODE_CMAC in fips mode. * cipher/cipher.c (_gcry_cipher_modes_fips_compliance, _gcry_cipher_internal_modes_fips_compliance): New. Signed-off-by: Lucas Mulling <lucas.mull...@suse.com> --- cipher/cipher.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/cipher/cipher.c b/cipher/cipher.c index b5420671..9756dc03 100644 --- a/cipher/cipher.c +++ b/cipher/cipher.c @@ -504,8 +504,9 @@ _gcry_cipher_open (gcry_cipher_hd_t *handle, return rc; } -int -_gcry_cipher_is_mode_fips_compliant(int mode) + +static gcry_err_code_t +_gcry_cipher_modes_fips_compliance (enum gcry_cipher_modes mode) { switch (mode) { @@ -525,6 +526,29 @@ _gcry_cipher_is_mode_fips_compliant(int mode) } +static gcry_err_code_t +_gcry_cipher_internal_modes_fips_compliance (enum gcry_cipher_internal_modes mode) +{ + switch (mode) + { + case GCRY_CIPHER_MODE_CMAC: + return GPG_ERR_NO_ERROR; + default: + return GPG_ERR_NOT_SUPPORTED; + } +} + + +gcry_err_code_t +_gcry_cipher_mode_fips_compliance (int mode) +{ + if (mode >= GCRY_CIPHER_MODE_INTERNAL) + return _gcry_cipher_internal_modes_fips_compliance (mode); + else + return _gcry_cipher_modes_fips_compliance (mode); +} + + gcry_err_code_t _gcry_cipher_open_internal (gcry_cipher_hd_t *handle, int algo, int mode, unsigned int flags) @@ -555,7 +579,7 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle, err = 0; } } - else if ((err = _gcry_cipher_is_mode_fips_compliant(mode))) + else if ((err = _gcry_cipher_mode_fips_compliance (mode))) { if (!fips_check_rejection (GCRY_FIPS_FLAG_REJECT_CIPHER_MODE)) { -- 2.48.1
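Review bot: in the first hunk (@@ -504,8 +504,9), the external `int _gcry_cipher_is_mode_fips_compliant` becomes a `static` function under a new name, and the new external entry point `_gcry_cipher_mode_fips_compliance` returns `gcry_err_code_t`, yet the diffstat lists only cipher/cipher.c. If the old name is declared in a header, that prototype needs to be replaced in the same patch, otherwise the new external function is defined without a visible declaration. The ChangeLog entry should also record the rename: it cites `_gcry_cipher_mode_fips_compliance` as if it already existed, while the removed lines show the function was called `_gcry_cipher_is_mode_fips_compliant`.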
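Review bot: in the second hunk (@@ -525,6 +526,29), `_gcry_cipher_mode_fips_compliance` passes its `int mode` straight to helpers typed `enum gcry_cipher_modes` and `enum gcry_cipher_internal_modes`, and picks between them only on `mode >= GCRY_CIPHER_MODE_INTERNAL`. Please add an explicit cast at each call and a short comment above the dispatcher stating the contract: GPG_ERR_NO_ERROR for a mode approved in FIPS mode, GPG_ERR_NOT_SUPPORTED for everything else, including values that match no enumerator and so reach a `default:` label. As a style point, the two new `static` helpers carry the `_gcry_` prefix, which makes file-local functions look like library-internal exports; a plain local name would make the linkage obvious at the call site.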