[PATCH 3/4] cipher, visibility: Differentiate use of random-override in the SLI
Lucas Mulling
lucas.mulling at suse.com
Wed Feb 26 21:19:24 CET 2025
* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi,
_gcry_pk_single_data_push, _gcry_pk_util_free_encoding_ctx):
Differentiate use of random-override in the SLI.
* src/visibility.c (gcry_pk_random_override_new):
Differentiate use explicit random override in the SLI.
Signed-off-by: Lucas Mulling <lucas.mulling at suse.com>
---
cipher/pubkey-util.c | 37 ++++++++++++++++++++++++++++++++++++-
src/visibility.c | 13 +++++++++++++
2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
index 9c927638..ac2cde76 100644
--- a/cipher/pubkey-util.c
+++ b/cipher/pubkey-util.c
@@ -662,7 +662,6 @@ _gcry_pk_util_free_encoding_ctx (struct pk_encoding_ctx *ctx)
xfree (ctx->label);
}
-
/* Take the hash value and convert into an MPI, suitable for
passing to the low level functions. We currently support the
old style way of passing just a MPI and the modern interface which
@@ -973,6 +972,18 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
list = sexp_find_token (ldata, "random-override", 0);
if (list)
{
+ if(fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ {
+ sexp_release (list);
+ rc = GPG_ERR_INV_FLAG;
+ goto leave;
+ }
+ else
+ fips_service_indicator_mark_non_compliant ();
+
+ }
s = sexp_nth_data (list, 1, &n);
if (!s)
rc = GPG_ERR_NO_OBJ;
@@ -1149,6 +1160,18 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
list = sexp_find_token (ldata, "random-override", 0);
if (list)
{
+ if(fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ {
+ sexp_release (list);
+ rc = GPG_ERR_INV_FLAG;
+ goto leave;
+ }
+ else
+ fips_service_indicator_mark_non_compliant ();
+
+ }
s = sexp_nth_data (list, 1, &n);
if (!s)
rc = GPG_ERR_NO_OBJ;
@@ -1248,6 +1271,18 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
list = sexp_find_token (ldata, "random-override", 0);
if (list)
{
+ if(fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ {
+ sexp_release (list);
+ rc = GPG_ERR_INV_FLAG;
+ goto leave;
+ }
+ else
+ fips_service_indicator_mark_non_compliant ();
+
+ }
s = sexp_nth_data (list, 1, &n);
if (!s)
rc = GPG_ERR_NO_OBJ;
diff --git a/src/visibility.c b/src/visibility.c
index e02d6cfe..14b8fa25 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1085,6 +1085,19 @@ gcry_pk_hash_verify (gcry_sexp_t sigval, const char *data_tmpl, gcry_sexp_t pkey
gcry_error_t
gcry_pk_random_override_new (gcry_ctx_t *r_ctx, const unsigned char *p, size_t len)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
+ fips_service_indicator_init ();
+
+ if(fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ return GPG_ERR_INV_OP;
+ else
+ fips_service_indicator_mark_non_compliant ();
+
+ }
+
return gpg_error (_gcry_pk_single_data_push (r_ctx, p, len));
}
--
2.48.1
More information about the Gcrypt-devel
mailing list