[libgcrypt] Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command
Tomáš Mráz
tmraz at fedoraproject.org
Wed Apr 4 13:28:39 UTC 2012
commit 92db45d69375b4990a658c187d00537702382831
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Wed Apr 4 15:28:35 2012 +0200
Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command
libgcrypt-1.5.0-set-enforced-mode.patch | 127 +++++++++++++++++++++++++++++++
libgcrypt.spec | 8 ++-
2 files changed, 134 insertions(+), 1 deletions(-)
---
diff --git a/libgcrypt-1.5.0-set-enforced-mode.patch b/libgcrypt-1.5.0-set-enforced-mode.patch
new file mode 100644
index 0000000..05ee548
--- /dev/null
+++ b/libgcrypt-1.5.0-set-enforced-mode.patch
@@ -0,0 +1,127 @@
+diff -up libgcrypt-1.5.0/doc/gcrypt.texi.enforce libgcrypt-1.5.0/doc/gcrypt.texi
+--- libgcrypt-1.5.0/doc/gcrypt.texi.enforce 2011-06-29 10:36:37.000000000 +0200
++++ libgcrypt-1.5.0/doc/gcrypt.texi 2012-04-04 11:05:41.527430118 +0200
+@@ -577,8 +577,10 @@ initialization (i.e. before @code{gcry_c
+
+ In addition to the standard FIPS mode, Libgcrypt may also be put into
+ an Enforced FIPS mode by writing a non-zero value into the file
+- at file{/etc/gcrypt/fips_enabled}. The Enforced FIPS mode helps to
+-detect applications which don't fulfill all requirements for using
++ at file{/etc/gcrypt/fips_enabled} or by using the control command
++ at code{GCRYCTL_SET_ENFORCED_FIPS_FLAG} before any other calls to
++libgcrypt. The Enforced FIPS mode helps to detect applications
++which don't fulfill all requirements for using
+ Libgcrypt in FIPS mode (@pxref{FIPS Mode}).
+
+ Once Libgcrypt has been put into FIPS mode, it is not possible to
+@@ -787,20 +789,20 @@ proper random device.
+ This command dumps information pertaining to the configuration of the
+ library to the given stream. If NULL is given for @var{stream}, the log
+ system is used. This command may be used before the intialization has
+-been finished but not before a gcry_version_check.
++been finished but not before a @code{gcry_check_version}.
+
+ @item GCRYCTL_OPERATIONAL_P; Arguments: none
+ This command returns true if the library is in an operational state.
+ This information makes only sense in FIPS mode. In contrast to other
+ functions, this is a pure test function and won't put the library into
+ FIPS mode or change the internal state. This command may be used before
+-the intialization has been finished but not before a gcry_version_check.
++the intialization has been finished but not before a @code{gcry_check_version}.
+
+ @item GCRYCTL_FIPS_MODE_P; Arguments: none
+ This command returns true if the library is in FIPS mode. Note, that
+ this is no indication about the current state of the library. This
+ command may be used before the intialization has been finished but not
+-before a gcry_version_check. An application may use this command or
++before a @code{gcry_check_version}. An application may use this command or
+ the convenience macro below to check whether FIPS mode is actually
+ active.
+
+@@ -816,10 +818,19 @@ implemented as a macro.
+ Running this command puts the library into FIPS mode. If the library is
+ already in FIPS mode, a self-test is triggered and thus the library will
+ be put into operational state. This command may be used before a call
+-to gcry_check_version and that is actually the recommended way to let an
++to @code{gcry_check_version} and that is actually the recommended way to let an
+ application switch the library into FIPS mode. Note that Libgcrypt will
+ reject an attempt to switch to fips mode during or after the intialization.
+
++ at item GCRYCTL_SET_ENFORCED_FIPS_FLAG; Arguments: none
++Running this command sets the internal flag that puts the library into
++the enforced FIPS mode during the FIPS mode initialization. This command
++does not affect the library if the library is not put into the FIPS mode and
++it must be used before any other libgcrypt library calls that initialize
++the library such as @code{gcry_check_version}. Note that Libgcrypt will
++reject an attempt to switch to the enforced fips mode during or after
++the intialization.
++
+ @item GCRYCTL_SELFTEST; Arguments: none
+ This may be used at anytime to have the library run all implemented
+ self-tests. It works in standard and in FIPS mode. Returns 0 on
+diff -up libgcrypt-1.5.0/src/fips.c.enforce libgcrypt-1.5.0/src/fips.c
+--- libgcrypt-1.5.0/src/fips.c.enforce 2011-07-21 15:41:25.000000000 +0200
++++ libgcrypt-1.5.0/src/fips.c 2012-04-04 10:26:24.311525789 +0200
+@@ -274,9 +274,17 @@ _gcry_fips_mode (void)
+ int
+ _gcry_enforced_fips_mode (void)
+ {
++ if (!_gcry_fips_mode ())
++ return 0;
+ return enforced_fips_mode;
+ }
+
++/* Set a flag telling whether we are in the enforced fips mode. */
++void
++_gcry_set_enforced_fips_mode (void)
++{
++ enforced_fips_mode = 1;
++}
+
+ /* If we do not want to enforce the fips mode, we can set a flag so
+ that the application may check whether it is still in fips mode.
+diff -up libgcrypt-1.5.0/src/g10lib.h.enforce libgcrypt-1.5.0/src/g10lib.h
+--- libgcrypt-1.5.0/src/g10lib.h.enforce 2011-02-16 18:27:28.000000000 +0100
++++ libgcrypt-1.5.0/src/g10lib.h 2012-04-04 10:25:03.280777602 +0200
+@@ -326,6 +326,8 @@ int _gcry_fips_mode (void);
+
+ int _gcry_enforced_fips_mode (void);
+
++void _gcry_set_enforced_fips_mode (void);
++
+ void _gcry_inactivate_fips_mode (const char *text);
+ int _gcry_is_fips_mode_inactive (void);
+
+diff -up libgcrypt-1.5.0/src/gcrypt.h.in.enforce libgcrypt-1.5.0/src/gcrypt.h.in
+--- libgcrypt-1.5.0/src/gcrypt.h.in.enforce 2011-03-11 09:47:39.000000000 +0100
++++ libgcrypt-1.5.0/src/gcrypt.h.in 2012-04-04 10:25:53.806867670 +0200
+@@ -415,7 +415,8 @@ enum gcry_ctl_cmds
+ GCRYCTL_FORCE_FIPS_MODE = 56,
+ GCRYCTL_SELFTEST = 57,
+ /* Note: 58 .. 62 are used internally. */
+- GCRYCTL_DISABLE_HWF = 63
++ GCRYCTL_DISABLE_HWF = 63,
++ GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64
+ };
+
+ /* Perform various operations defined by CMD. */
+diff -up libgcrypt-1.5.0/src/global.c.enforce libgcrypt-1.5.0/src/global.c
+--- libgcrypt-1.5.0/src/global.c.enforce 2011-04-01 10:15:40.000000000 +0200
++++ libgcrypt-1.5.0/src/global.c 2012-04-04 10:24:12.647685222 +0200
+@@ -596,6 +596,16 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+ }
+ break;
+
++ case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
++ if (!any_init_done)
++ {
++ /* Not yet intialized at all. Set the enforced fips mode flag */
++ _gcry_set_enforced_fips_mode ();
++ }
++ else
++ err = GPG_ERR_GENERAL;
++ break;
++
+ default:
+ /* A call to make sure that the dummy code is linked in. */
+ _gcry_compat_identification ();
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 927807f..b4fc11c 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,6 +1,6 @@
Name: libgcrypt
Version: 1.5.0
-Release: 3%{?dist}
+Release: 4%{?dist}
URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.bz2
# The original libgcrypt sources now contain potentially patented ECC
@@ -21,6 +21,8 @@ Patch5: libgcrypt-1.5.0-tests.patch
Patch6: libgcrypt-1.5.0-fips-cfgrandom.patch
# make the FIPS-186-3 DSA CAVS testable
Patch7: libgcrypt-1.5.0-fips-cavs.patch
+# add GCRYCTL_SET_ENFORCED_FIPS_FLAG
+Patch8: libgcrypt-1.5.0-set-enforced-mode.patch
# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
# Documentation and some utilities are GPLv2+ licensed. These files
@@ -58,6 +60,7 @@ applications using libgcrypt.
%patch5 -p1 -b .tests
%patch6 -p1 -b .cfgrandom
%patch7 -p1 -b .cavs
+%patch8 -p1 -b .enforce
mv AUTHORS AUTHORS.iso88591
iconv -f ISO-8859-1 -t UTF-8 AUTHORS.iso88591 >AUTHORS
@@ -169,6 +172,9 @@ exit 0
%doc COPYING
%changelog
+* Wed Apr 4 2012 Tomas Mraz <tmraz at redhat.com> 1.5.0-4
+- Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command
+
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
More information about the scm-commits
mailing list