libgcrypt/libgcrypt-cipher-fips-Fix-for-random-override.patch


From ca8bf05e111b41e482a2a4b34cda6bcf5aa1f27e Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 6 Mar 2025 09:45:36 +0900
Subject: [PATCH 09/14] cipher,fips: Fix for random-override.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* cipher/pubkey-util.c (gcry_pk_util_data_to_mpi): Keep
the behavior of 1.10.
* src/visibility.c (gcry_pk_random_override_new): Likewise.
* tests/t-fips-service-ind.c (main): Use GCRY_FIPS_FLAG_REJECT_PK_FLAGS.
--
GnuPG-bug-id: 7338
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Lucas Mülling <lucas.mulling@suse.com>
---
cipher/pubkey-util.c | 6 +++---
src/visibility.c | 2 +-
tests/t-fips-service-ind.c | 1 +
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
index 66a04f13..0e67f892 100644
--- a/cipher/pubkey-util.c
+++ b/cipher/pubkey-util.c
@@ -975,7 +975,7 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
{
if (fips_mode ())
{
- if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_FLAGS))
{
sexp_release (list);
rc = GPG_ERR_INV_FLAG;
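Review bot: The `fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_FLAGS)` test in this hunk carries no comment explaining why it no longer keys off GCRY_FIPS_FLAG_REJECT_PK, and the same undocumented switch repeats in the hunks at -1162 and -1272. Going by the commit subject these are presumably the random-override branches, so a caller that set only GCRY_FIPS_FLAG_REJECT_PK would no longer get GPG_ERR_INV_FLAG here and would have to consult the service indicator instead. The non-rejecting path is outside all three hunks, so that is inferred from the matching code in src/visibility.c. I would add above the check `/* random-override is rejected only under GCRY_FIPS_FLAG_REJECT_PK_FLAGS (1.10 compatibility). */`. _gcry_pk_util_data_to_mpi starts and ends outside the hunks.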
@@ -1162,7 +1162,7 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
{
if (fips_mode ())
{
- if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_FLAGS))
{
sexp_release (list);
rc = GPG_ERR_INV_FLAG;
@@ -1272,7 +1272,7 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
{
if (fips_mode ())
{
- if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_FLAGS))
{
sexp_release (list);
rc = GPG_ERR_INV_FLAG;
diff --git a/src/visibility.c b/src/visibility.c
index ccd0de69..edb972bc 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1091,7 +1091,7 @@ gcry_pk_random_override_new (gcry_ctx_t *r_ctx, const unsigned char *p, size_t l
if (fips_mode ())
{
- if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_FLAGS))
return gpg_error (GPG_ERR_INV_OP);
else
fips_service_indicator_mark_non_compliant ();
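Review bot: The rejection at the top of this hunk now depends on GCRY_FIPS_FLAG_REJECT_PK_FLAGS, and the public entry point has no doc comment telling FIPS-mode callers that without this flag the only signal is `fips_service_indicator_mark_non_compliant ()`. Since this function lets the caller supply the random bytes, an application that relied on GCRY_FIPS_FLAG_REJECT_PK alone presumably gets a usable override context after this change and must query the indicator to notice. A short comment above the check stating which flag gates the call and what happens when it is unset would make that contract explicit. Separately, this path returns GPG_ERR_INV_OP while cipher/pubkey-util.c returns GPG_ERR_INV_FLAG for the same flag; if the difference is deliberate it deserves a one-line note. The function body continues outside the hunk.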
diff --git a/tests/t-fips-service-ind.c b/tests/t-fips-service-ind.c
index 0ece55b8..0a270b38 100644
--- a/tests/t-fips-service-ind.c
+++ b/tests/t-fips-service-ind.c
@@ -1835,6 +1835,7 @@ main (int argc, char **argv)
| GCRY_FIPS_FLAG_REJECT_PK_MD
| GCRY_FIPS_FLAG_REJECT_PK_GOST_SM2
| GCRY_FIPS_FLAG_REJECT_PK_ECC_K
+ | GCRY_FIPS_FLAG_REJECT_PK_FLAGS
| GCRY_FIPS_FLAG_REJECT_COMPAT110)));
check_md_o_w_r_c (1);
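Review bot: Only the reject mask gains `GCRY_FIPS_FLAG_REJECT_PK_FLAGS` in this hunk; no visible case pins what happens to random-override when that flag is absent from the mask. Because the library change moves the check away from GCRY_FIPS_FLAG_REJECT_PK, a pass with GCRY_FIPS_FLAG_REJECT_PK set and the new flag cleared would guard against a regression. It should expect success with the service indicator reporting non-compliant. main continues outside the hunk, so such a case may already exist elsewhere in the file.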
--
2.49.0