diff options
author | Daiki Ueno <ueno@gnu.org> | 2022-09-20 01:25:51 +0900 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2022-10-17 19:16:36 +0900 |
commit | 49df693293d706f89a1efb84f0a75e9537619fe4 (patch) | |
tree | 9c1cf546a47f2443c9ef17ed18da72558d3edf1e /lib | |
parent | 36078e7b3b73bc4d61d546da461e7cbbac645e52 (diff) | |
download | gnutls-49df693293d706f89a1efb84f0a75e9537619fe4.tar.gz |
fips: mark gnutls_key_generate with short key sizes non-approved
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/crypto-api.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/lib/crypto-api.c b/lib/crypto-api.c index 9e246ce537..d3e601ab3a 100644 --- a/lib/crypto-api.c +++ b/lib/crypto-api.c @@ -1056,6 +1056,7 @@ gnutls_hash_hd_t gnutls_hash_copy(gnutls_hash_hd_t handle) int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size) { int ret; + bool not_approved = false; FAIL_IF_LIB_ERROR; @@ -1072,17 +1073,31 @@ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size) key->data = gnutls_malloc(key->size); if (!key->data) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* Key lengths of less than 112 bits are not approved */ + if (key_size < 14) { + not_approved = true; } ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size); if (ret < 0) { gnutls_assert(); _gnutls_free_datum(key); - return ret; + goto error; } - return 0; + error: + if (ret < 0) { + _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); + } else if (not_approved) { + _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); + } else { + _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED); + } + return ret; } /* AEAD API */ |