Hello, I was wrong about SHA1. I had thought that I would be able to defer the change.
Actually, we need to apply this patch (attached) to 1.11.1 so that it is forward compatible with 1.12 (the new service indicator). Admittedly the 1.11 implementation is a bit confusing: it still allows the use of SHA1 (SHA1 is an approved hash function in the static indicator, and its use is not rejected), so there are no behavior changes for existing applications, but SHA1 is _internally_ marked non-FIPS. This is (hopefully) the last change for T7338. --
>From 4ee91a94bcdad32aed4364d09e3daf8841fa579f Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gni...@fsij.org>
Date: Tue, 11 Mar 2025 14:01:11 +0900
Subject: [PATCH] md: Make SHA-1 non-FIPS internally for 1.12 API.

* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_MD_SHA1): New.
* cipher/md.c (check_digest_algo_spec, _gcry_md_open, md_enable)
(_gcry_md_enable, md_copy): Care about SHA1.
* cipher/sha1.c (_gcry_digest_spec_sha1): Make SHA1 non-FIPS.
* tests/t-fips-service-ind.c (check_mac_o_w_r_c): SHA1 is non-FIPS.
(check_md_o_w_r_c, check_hash_buffer, check_hash_buffers): Likewise.
(main): Add GCRY_FIPS_FLAG_REJECT_MD_SHA1 for gcry_control.

--

For 1.10 ABI (which 1.11 keeps), SHA1 is an approved hash function (while its use in public key crypto is non-FIPS). For 1.12 API, the dynamic FIPS service indicator is going to be added. In 1.11.1 implementation, we are trying to support 1.12 dynamic FIPS service indicator in forward-compatible way. For this purpose, internally, it's specified as non-FIPS in _gcry_digest_spec_sha1.

Note that update for tests/basic.c and tests/pkcs1v2.c are needed to use SHA256 (or one of approved hash functions) in 1.12, so that test program can be a reference for programmers.

Co-authored-by: Lucas Mulling <lucas.mull...@suse.com>
Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
---
 cipher/md.c | 10 ++++++++++
 cipher/sha1.c | 2 +-
 src/gcrypt.h.in | 1 +
 tests/t-fips-service-ind.c | 9 +++++----
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/cipher/md.c b/cipher/md.c
index a8027e9e..183f36cc 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -451,6 +451,8 @@ check_digest_algo_spec (int algo, const gcry_md_spec_t *spec)
 if (algo == GCRY_MD_MD5)
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_MD5);
+ else if (algo == GCRY_MD_SHA1)
+ reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_SHA1);
 else
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_OTHERS);
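Review bot: The new `else if (algo == GCRY_MD_SHA1)` arm turns the algo-to-flag selection into a three-way chain that this patch now repeats verbatim in five functions (check_digest_algo_spec here and, in the following hunks, _gcry_md_open, md_enable, _gcry_md_enable and md_copy); every future reclassification of a digest has to touch all five, and the copies have already drifted in this very patch (the md_copy variant drops the `|=` the neighbouring arms use). Folding the selection into one static helper keeps the FIPS policy in a single place and reduces each call site to `reject = fips_check_rejection (md_fips_reject_flag (algo));`. check_digest_algo_spec begins before the hunk and its remaining body is not shown, and the parameter type of fips_check_rejection is not visible either, so the helper's return type below is a guess to be matched to it.
```c
/* Select the GCRY_FIPS_FLAG_REJECT_MD_* flag that governs digest ALGO.
   MD5 and SHA-1 have their own flags; every other digest is covered by
   GCRY_FIPS_FLAG_REJECT_MD_OTHERS.  Keeping the mapping here means the
   open/enable/copy paths cannot disagree about an algorithm.  */
static int
md_fips_reject_flag (int algo)
{
  if (algo == GCRY_MD_MD5)
    return GCRY_FIPS_FLAG_REJECT_MD_MD5;
  if (algo == GCRY_MD_SHA1)
    return GCRY_FIPS_FLAG_REJECT_MD_SHA1;
  return GCRY_FIPS_FLAG_REJECT_MD_OTHERS;
}

/* … unchanged: start of check_digest_algo_spec … */
  reject = fips_check_rejection (md_fips_reject_flag (algo));
```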
@@ -590,6 +592,8 @@ _gcry_md_open (gcry_md_hd_t *h, int algo, unsigned int flags)
 if (algo == GCRY_MD_MD5)
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_MD5);
+ else if (algo == GCRY_MD_SHA1)
+ reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_SHA1);
 else
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_OTHERS);
@@ -625,6 +629,8 @@ md_enable (gcry_md_hd_t hd, int algorithm)
 if (algorithm == GCRY_MD_MD5)
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_MD5);
+ else if (algorithm == GCRY_MD_SHA1)
+ reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_SHA1);
 else
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_OTHERS);
@@ -703,6 +709,8 @@ _gcry_md_enable (gcry_md_hd_t hd, int algorithm)
 if (algorithm == GCRY_MD_MD5)
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_MD5);
+ else if (algorithm == GCRY_MD_SHA1)
+ reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_SHA1);
 else
 reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_OTHERS);
@@ -780,6 +788,8 @@ md_copy (gcry_md_hd_t ahd, gcry_md_hd_t *b_hd)
 if (spec->algo == GCRY_MD_MD5)
 reject |= fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_MD5);
+ else if (spec->algo == GCRY_MD_SHA1)
+ reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_SHA1);
 else
 reject |= fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_OTHERS);
 }
diff --git a/cipher/sha1.c b/cipher/sha1.c
index b83b9de0..e4069e1d 100644
--- a/cipher/sha1.c
+++ b/cipher/sha1.c
@@ -759,7 +759,7 @@ static const gcry_md_oid_spec_t oid_spec_sha1[] =
 const gcry_md_spec_t _gcry_digest_spec_sha1 =
 {
- GCRY_MD_SHA1, {0, 1},
+ GCRY_MD_SHA1, {0, 0},
 "SHA1", asn, DIM (asn), oid_spec_sha1, 20,
 sha1_init, _gcry_md_block_write, sha1_final, sha1_read, NULL,
 _gcry_sha1_hash_buffers,
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index a282268d..b2b8853f 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
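Review bot: In the md_copy hunk the new SHA-1 arm assigns with `=` while the MD5 and OTHERS arms on either side of it use `|=`; `reject = fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_SHA1);` should read `reject |= fips_check_rejection (GCRY_FIPS_FLAG_REJECT_MD_SHA1);`. The `|=` form and the closing `}` in the context strongly suggest this runs in a loop accumulating a rejection over every digest enabled on the handle, so a rejection already recorded for an earlier algorithm would be overwritten by SHA-1's answer, and in the configuration the cover mail describes for 1.11 (MD5 rejected, SHA-1 not) a handle that enables MD5 and then SHA-1 could be copied without being rejected at all. The loop head and the later use of `reject` are outside the hunk, so the exact effect should be confirmed against the full function, but the inconsistency with the neighbouring arms is plain and the other four hunks do not have it only because their `reject` is a single assignment.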
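Review bot: The `{0, 1}` to `{0, 0}` change in _gcry_digest_spec_sha1 is the policy change the whole patch hangs on, yet it carries no comment, and a reader of sha1.c alone cannot tell that SHA-1 is now deliberately classed non-FIPS while staying usable under the 1.10/1.11 ABI unless GCRY_FIPS_FLAG_REJECT_MD_SHA1 is set. I would put a note on the initializer line, e.g. `/* FIPS flag cleared: SHA-1 is non-approved for the 1.12 service indicator, but is only rejected when GCRY_FIPS_FLAG_REJECT_MD_SHA1 is set.  */`, assuming the second field is the FIPS flag (the field names live in the struct definition outside this hunk, so match the wording to them). The remainder of the spec initializer is unchanged.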
@@ -1990,6 +1990,7 @@ char *gcry_get_config (int mode, const char *what);
 #define GCRY_FIPS_FLAG_REJECT_PK_GOST_SM2 (1 << 7)
 #define GCRY_FIPS_FLAG_REJECT_CIPHER_MODE (1 << 8)
 /**/
+#define GCRY_FIPS_FLAG_REJECT_MD_SHA1 (1 << 9)
 #define GCRY_FIPS_FLAG_REJECT_PK_ECC_K (1 << 10)
 #define GCRY_FIPS_FLAG_REJECT_PK_FLAGS (1 << 11)
diff --git a/tests/t-fips-service-ind.c b/tests/t-fips-service-ind.c
index 0a270b38..0a34d29a 100644
--- a/tests/t-fips-service-ind.c
+++ b/tests/t-fips-service-ind.c
@@ -1107,7 +1107,7 @@ check_mac_o_w_r_c (int reject)
 #if USE_SHA1
 { GCRY_MAC_HMAC_SHA1, "hmac input abc", 14, "hmac key input", 14,
 "\xc9\x62\x9d\x16\x0f\xc2\xc4\xcd\x38\xac\x3a\x00\xdc\x29\x61\x03"
- "\x69\x50\xd7\x3a" },
+ "\x69\x50\xd7\x3a", 1 },
 #endif
 { GCRY_MAC_HMAC_SHA256, "hmac input abc", 14, "hmac key input", 14,
 "\x6a\xda\x4d\xd5\xf3\xa7\x32\x9d\xd2\x55\xc0\x7f\xe6\x0a\x93\xb8"
@@ -1264,7 +1264,7 @@ check_md_o_w_r_c (int reject)
 #if USE_SHA1
 { GCRY_MD_SHA1, "abc", 3,
 "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E"
- "\x25\x71\x78\x50\xC2\x6C\x9C\xD0\xD8\x9D" },
+ "\x25\x71\x78\x50\xC2\x6C\x9C\xD0\xD8\x9D", 1 },
 #endif
 { GCRY_MD_SHA256, "abc", 3,
 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
@@ -1390,7 +1390,7 @@ check_hash_buffer (void)
 #if USE_SHA1
 { GCRY_MD_SHA1, "abc", 3,
 "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E"
- "\x25\x71\x78\x50\xC2\x6C\x9C\xD0\xD8\x9D" },
+ "\x25\x71\x78\x50\xC2\x6C\x9C\xD0\xD8\x9D", 1 },
 #endif
 { GCRY_MD_SHA256, "abc", 3,
 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
@@ -1499,7 +1499,7 @@ check_hash_buffers (void)
 { GCRY_MD_SHA1, "abc", 3, "key", 3,
 "\x4f\xd0\xb2\x15\x27\x6e\xf1\x2f\x2b\x3e"
- "\x4c\x8e\xca\xc2\x81\x14\x98\xb6\x56\xfc" },
+ "\x4c\x8e\xca\xc2\x81\x14\x98\xb6\x56\xfc", 1 },
 #endif
 { GCRY_MD_SHA256, "abc", 3, "key", 3,
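Review bot: `GCRY_FIPS_FLAG_REJECT_MD_SHA1` enters the public header with no comment on what it rejects, and it lands in the bit-9 slot directly under the `/**/` line that appears to have been holding that slot open, which now reads as a stray token. I would replace the `/**/` line with a comment on the new define, e.g. `/* Reject SHA-1 when used as a message digest; the check_mac test below also expects HMAC-SHA1 to be covered.  */`, so the header documents the flag rather than leaving that to the test program. Whether the neighbouring flags carry comments is not visible in the hunk, so follow whatever convention the surrounding block uses.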
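Review bot: Tagging the HMAC-SHA1 vector with the trailing `1` (presumably the expect-non-FIPS field; the table's struct is declared outside the hunk) means SHA-1 inside HMAC is treated the same as a bare SHA-1 digest, which is stricter than NIST SP 800-131A Rev. 2, where HMAC with SHA-1 remains acceptable even though SHA-1 is disallowed for signature generation. That may well be the intended forward-looking stance for the 1.12 indicator (NIST has announced SHA-1's retirement), but it is a policy decision applications will notice, so it deserves a comment on this entry, e.g. `/* HMAC-SHA1 is classed non-FIPS together with bare SHA-1, stricter than SP 800-131A Rev. 2.  */`. check_mac_o_w_r_c starts before the hunk and continues past it.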
@@ -1834,6 +1834,7 @@ main (int argc, char **argv)
 | GCRY_FIPS_FLAG_REJECT_CIPHER_MODE
 | GCRY_FIPS_FLAG_REJECT_PK_MD
 | GCRY_FIPS_FLAG_REJECT_PK_GOST_SM2
+ | GCRY_FIPS_FLAG_REJECT_MD_SHA1
 | GCRY_FIPS_FLAG_REJECT_PK_ECC_K
 | GCRY_FIPS_FLAG_REJECT_PK_FLAGS
 | GCRY_FIPS_FLAG_REJECT_COMPAT110)));
--
2.39.5