Home GnuPG

md: Make SHA1 non-FIPS and differentiate in the SLI

Description

md: Make SHA1 non-FIPS and differentiate in the SLI

* cipher/md.c (_gcry_md_open, md_enable, _gcry_md_enable, md_copy):
Differentiate SHA1.
* cipher/sha1.c (_gcry_digest_spec_sha1): Make SHA1 not FIPS.
* src/fips.c (_gcry_fips_indicator_mac, _gcry_fips_indicator_md,
run_digest_selftests, run_mac_selftests): Differentiate SHA1.
* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_MD_SHA1): New.
* tests/basic.c: (check_pubkey_sign): Use sha256 for baddata, add
FLAG_NOFIPS to non FIPS compliant tests that use SHA1, and improve error
messages.
* tests/pkcs1v2.c (main): Skip tests in FIPS mode.
* tests/t-fips-service-ind.c (check_kdf_derive): Use sha256 as pbkdf2
subalgo.
* tests/t-fips-service-ind.c (check_mac_o_w_r_c): Check for rejection of
SHA1 test cases if in FIPS mode.
  • GnuPG-bug-id: T7338
  • Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>