authorDaiki Ueno <ueno@gnu.org>2022-09-20 01:25:51 +0900
committerDaiki Ueno <ueno@gnu.org>2022-10-17 19:16:36 +0900
commit49df693293d706f89a1efb84f0a75e9537619fe4 (patch)
tree9c1cf546a47f2443c9ef17ed18da72558d3edf1e /lib
parent36078e7b3b73bc4d61d546da461e7cbbac645e52 (diff)
fips: mark gnutls_key_generate with short key sizes non-approved
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/crypto-api.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 9e246ce537..d3e601ab3a 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -1056,6 +1056,7 @@ gnutls_hash_hd_t gnutls_hash_copy(gnutls_hash_hd_t handle)
int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
{
int ret;
+ bool not_approved = false;
FAIL_IF_LIB_ERROR;
@@ -1072,17 +1073,31 @@ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
key->data = gnutls_malloc(key->size);
if (!key->data) {
gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto error;
+ }
+
+ /* Key lengths of less than 112 bits are not approved */
+ if (key_size < 14) {
+ not_approved = true;
}
ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size);
if (ret < 0) {
gnutls_assert();
_gnutls_free_datum(key);
- return ret;
+ goto error;
}
- return 0;
+ error:
+ if (ret < 0) {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ } else if (not_approved) {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ } else {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
+ }
+ return ret;
}
/* AEAD API */
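Review bot: The new threshold `if (key_size < 14)` is a bare byte count while the comment above it speaks of 112 bits, so the unit conversion is left for the reader to work out; key_size looks like a length in bytes, since the buffer is allocated and filled with key->size bytes. I would spell that out, e.g. `/* key_size is in bytes; 14 bytes = 112 bits, the shortest approved key length */`, or give the limit a named constant. The label `error:` is now also the normal exit, so `out:` would describe it better. Separately, the FIPS state is switched only at that label: FAIL_IF_LIB_ERROR in the first hunk, and any early return in the lines between the two hunks that are not shown here, presumably leave the function directly without recording an operation state, which is worth confirming is intended.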