|
 |
92db45d |
diff -up libgcrypt-1.5.0/doc/gcrypt.texi.enforce libgcrypt-1.5.0/doc/gcrypt.texi
|
|
|
92db45d |
--- libgcrypt-1.5.0/doc/gcrypt.texi.enforce 2011-06-29 10:36:37.000000000 +0200
|
|
|
92db45d |
+++ libgcrypt-1.5.0/doc/gcrypt.texi 2012-04-04 11:05:41.527430118 +0200
|
|
|
92db45d |
@@ -577,8 +577,10 @@ initialization (i.e. before @code{gcry_c
|
|
|
92db45d |
|
|
|
92db45d |
In addition to the standard FIPS mode, Libgcrypt may also be put into
|
|
|
92db45d |
an Enforced FIPS mode by writing a non-zero value into the file
|
|
|
92db45d |
-@file{/etc/gcrypt/fips_enabled}. The Enforced FIPS mode helps to
|
|
|
92db45d |
-detect applications which don't fulfill all requirements for using
|
|
|
92db45d |
+@file{/etc/gcrypt/fips_enabled} or by using the control command
|
|
|
92db45d |
+@code{GCRYCTL_SET_ENFORCED_FIPS_FLAG} before any other calls to
|
|
|
92db45d |
+libgcrypt. The Enforced FIPS mode helps to detect applications
|
|
|
92db45d |
+which don't fulfill all requirements for using
|
|
|
92db45d |
Libgcrypt in FIPS mode (@pxref{FIPS Mode}).
|
|
|
92db45d |
|
|
|
92db45d |
Once Libgcrypt has been put into FIPS mode, it is not possible to
|
|
|
92db45d |
@@ -787,20 +789,20 @@ proper random device.
|
|
|
92db45d |
This command dumps information pertaining to the configuration of the
|
|
|
92db45d |
library to the given stream. If NULL is given for @var{stream}, the log
|
|
|
92db45d |
system is used. This command may be used before the intialization has
|
|
|
92db45d |
-been finished but not before a gcry_version_check.
|
|
|
92db45d |
+been finished but not before a @code{gcry_check_version}.
|
|
|
92db45d |
|
|
|
92db45d |
@item GCRYCTL_OPERATIONAL_P; Arguments: none
|
|
|
92db45d |
This command returns true if the library is in an operational state.
|
|
|
92db45d |
This information makes only sense in FIPS mode. In contrast to other
|
|
|
92db45d |
functions, this is a pure test function and won't put the library into
|
|
|
92db45d |
FIPS mode or change the internal state. This command may be used before
|
|
|
92db45d |
-the intialization has been finished but not before a gcry_version_check.
|
|
|
92db45d |
+the intialization has been finished but not before a @code{gcry_check_version}.
|
|
|
92db45d |
|
|
|
92db45d |
@item GCRYCTL_FIPS_MODE_P; Arguments: none
|
|
|
92db45d |
This command returns true if the library is in FIPS mode. Note, that
|
|
|
92db45d |
this is no indication about the current state of the library. This
|
|
|
92db45d |
command may be used before the intialization has been finished but not
|
|
|
92db45d |
-before a gcry_version_check. An application may use this command or
|
|
|
92db45d |
+before a @code{gcry_check_version}. An application may use this command or
|
|
|
92db45d |
the convenience macro below to check whether FIPS mode is actually
|
|
|
92db45d |
active.
|
|
|
92db45d |
|
|
|
92db45d |
@@ -816,10 +818,19 @@ implemented as a macro.
|
|
|
92db45d |
Running this command puts the library into FIPS mode. If the library is
|
|
|
92db45d |
already in FIPS mode, a self-test is triggered and thus the library will
|
|
|
92db45d |
be put into operational state. This command may be used before a call
|
|
|
92db45d |
-to gcry_check_version and that is actually the recommended way to let an
|
|
|
92db45d |
+to @code{gcry_check_version} and that is actually the recommended way to let an
|
|
|
92db45d |
application switch the library into FIPS mode. Note that Libgcrypt will
|
|
|
92db45d |
reject an attempt to switch to fips mode during or after the intialization.
|
|
|
92db45d |
|
|
|
92db45d |
+@item GCRYCTL_SET_ENFORCED_FIPS_FLAG; Arguments: none
|
|
|
92db45d |
+Running this command sets the internal flag that puts the library into
|
|
|
92db45d |
+the enforced FIPS mode during the FIPS mode initialization. This command
|
|
|
92db45d |
+does not affect the library if the library is not put into the FIPS mode and
|
|
|
92db45d |
+it must be used before any other libgcrypt library calls that initialize
|
|
|
92db45d |
+the library such as @code{gcry_check_version}. Note that Libgcrypt will
|
|
|
92db45d |
+reject an attempt to switch to the enforced fips mode during or after
|
|
|
92db45d |
+the intialization.
|
|
|
92db45d |
+
|
|
|
92db45d |
@item GCRYCTL_SELFTEST; Arguments: none
|
|
|
92db45d |
This may be used at anytime to have the library run all implemented
|
|
|
92db45d |
self-tests. It works in standard and in FIPS mode. Returns 0 on
|
|
|
92db45d |
diff -up libgcrypt-1.5.0/src/fips.c.enforce libgcrypt-1.5.0/src/fips.c
|
|
|
92db45d |
--- libgcrypt-1.5.0/src/fips.c.enforce 2011-07-21 15:41:25.000000000 +0200
|
|
|
92db45d |
+++ libgcrypt-1.5.0/src/fips.c 2012-04-04 10:26:24.311525789 +0200
|
|
|
92db45d |
@@ -274,9 +274,17 @@ _gcry_fips_mode (void)
|
|
|
92db45d |
int
|
|
|
92db45d |
_gcry_enforced_fips_mode (void)
|
|
|
92db45d |
{
|
|
|
92db45d |
+ if (!_gcry_fips_mode ())
|
|
|
92db45d |
+ return 0;
|
|
|
92db45d |
return enforced_fips_mode;
|
|
|
92db45d |
}
|
|
|
92db45d |
|
|
|
92db45d |
+/* Set a flag telling whether we are in the enforced fips mode. */
|
|
|
92db45d |
+void
|
|
|
92db45d |
+_gcry_set_enforced_fips_mode (void)
|
|
|
92db45d |
+{
|
|
|
92db45d |
+ enforced_fips_mode = 1;
|
|
|
92db45d |
+}
|
|
|
92db45d |
|
|
|
92db45d |
/* If we do not want to enforce the fips mode, we can set a flag so
|
|
|
92db45d |
that the application may check whether it is still in fips mode.
|
|
|
92db45d |
diff -up libgcrypt-1.5.0/src/g10lib.h.enforce libgcrypt-1.5.0/src/g10lib.h
|
|
|
92db45d |
--- libgcrypt-1.5.0/src/g10lib.h.enforce 2011-02-16 18:27:28.000000000 +0100
|
|
|
92db45d |
+++ libgcrypt-1.5.0/src/g10lib.h 2012-04-04 10:25:03.280777602 +0200
|
|
|
92db45d |
@@ -326,6 +326,8 @@ int _gcry_fips_mode (void);
|
|
|
92db45d |
|
|
|
92db45d |
int _gcry_enforced_fips_mode (void);
|
|
|
92db45d |
|
|
|
92db45d |
+void _gcry_set_enforced_fips_mode (void);
|
|
|
92db45d |
+
|
|
|
92db45d |
void _gcry_inactivate_fips_mode (const char *text);
|
|
|
92db45d |
int _gcry_is_fips_mode_inactive (void);
|
|
|
92db45d |
|
|
|
92db45d |
diff -up libgcrypt-1.5.0/src/gcrypt.h.in.enforce libgcrypt-1.5.0/src/gcrypt.h.in
|
|
|
92db45d |
--- libgcrypt-1.5.0/src/gcrypt.h.in.enforce 2011-03-11 09:47:39.000000000 +0100
|
|
|
92db45d |
+++ libgcrypt-1.5.0/src/gcrypt.h.in 2012-04-04 10:25:53.806867670 +0200
|
|
|
92db45d |
@@ -415,7 +415,8 @@ enum gcry_ctl_cmds
|
|
|
92db45d |
GCRYCTL_FORCE_FIPS_MODE = 56,
|
|
|
92db45d |
GCRYCTL_SELFTEST = 57,
|
|
|
92db45d |
/* Note: 58 .. 62 are used internally. */
|
|
|
92db45d |
- GCRYCTL_DISABLE_HWF = 63
|
|
|
92db45d |
+ GCRYCTL_DISABLE_HWF = 63,
|
|
|
92db45d |
+ GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64
|
|
|
92db45d |
};
|
|
|
92db45d |
|
|
|
92db45d |
/* Perform various operations defined by CMD. */
|
|
|
92db45d |
diff -up libgcrypt-1.5.0/src/global.c.enforce libgcrypt-1.5.0/src/global.c
|
|
|
92db45d |
--- libgcrypt-1.5.0/src/global.c.enforce 2011-04-01 10:15:40.000000000 +0200
|
|
|
92db45d |
+++ libgcrypt-1.5.0/src/global.c 2012-04-04 10:24:12.647685222 +0200
|
|
|
92db45d |
@@ -596,6 +596,16 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
|
|
92db45d |
}
|
|
|
92db45d |
break;
|
|
|
92db45d |
|
|
|
92db45d |
+ case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
|
|
|
92db45d |
+ if (!any_init_done)
|
|
|
92db45d |
+ {
|
|
|
92db45d |
+ /* Not yet intialized at all. Set the enforced fips mode flag */
|
|
|
92db45d |
+ _gcry_set_enforced_fips_mode ();
|
|
|
92db45d |
+ }
|
|
|
92db45d |
+ else
|
|
|
92db45d |
+ err = GPG_ERR_GENERAL;
|
|
|
92db45d |
+ break;
|
|
|
92db45d |
+
|
|
|
92db45d |
default:
|
|
|
92db45d |
/* A call to make sure that the dummy code is linked in. */
|
|
|
92db45d |
_gcry_compat_identification ();
|