c_cpp/libgcrypt
SHA256
8
0
Fork 0
forked from pool/libgcrypt
Code Pull Requests Activity
Files
devel
libgcrypt/libgcrypt-cipher-visibility-Differentiate-use-of-random-override-in-the-SLI.patch

108 lines
3.7 KiB
Diff
Raw Permalink Normal View History

- Security fix [bsc#1221107, CVE-2024-2236] * Add --enable-marvin-workaround to spec to enable workaround * Fix timing based side-channel in RSA implementation ( Marvin attack ) * Add libgcrypt-CVE-2024-2236.patch OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=193
2025-06-10 07:06:49 +00:00
From 234eb316b0a04c50e8511a570775ded45060f18b Mon Sep 17 00:00:00 2001
From: Lucas Mulling via Gcrypt-devel <gcrypt-devel@gnupg.org>
Date: Wed, 26 Feb 2025 17:19:24 -0300
Subject: [PATCH 08/14] cipher,visibility: Differentiate use of random-override
in the SLI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi,
_gcry_pk_single_data_push, _gcry_pk_util_free_encoding_ctx):
Differentiate use of random-override in the SLI.
* src/visibility.c (gcry_pk_random_override_new):
Differentiate use explicit random override in the SLI.
GnuPG-bug-id: 7338
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
Signed-off-by: Lucas Mülling <lucas.mulling@suse.com>
---
cipher/pubkey-util.c | 33 +++++++++++++++++++++++++++++++++
src/visibility.c | 12 ++++++++++++
2 files changed, 45 insertions(+)
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
index e7355569..66a04f13 100644
--- a/cipher/pubkey-util.c
+++ b/cipher/pubkey-util.c
@@ -973,6 +973,17 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
list = sexp_find_token (ldata, "random-override", 0);
if (list)
{
+ if (fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ {
+ sexp_release (list);
+ rc = GPG_ERR_INV_FLAG;
+ goto leave;
+ }
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
s = sexp_nth_data (list, 1, &n);
if (!s)
rc = GPG_ERR_NO_OBJ;
@@ -1149,6 +1160,17 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
list = sexp_find_token (ldata, "random-override", 0);
if (list)
{
+ if (fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ {
+ sexp_release (list);
+ rc = GPG_ERR_INV_FLAG;
+ goto leave;
+ }
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
s = sexp_nth_data (list, 1, &n);
if (!s)
rc = GPG_ERR_NO_OBJ;
@@ -1248,6 +1270,17 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
list = sexp_find_token (ldata, "random-override", 0);
if (list)
{
+ if (fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ {
+ sexp_release (list);
+ rc = GPG_ERR_INV_FLAG;
+ goto leave;
+ }
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
s = sexp_nth_data (list, 1, &n);
if (!s)
rc = GPG_ERR_NO_OBJ;
diff --git a/src/visibility.c b/src/visibility.c
index 4134446a..ccd0de69 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1085,6 +1085,18 @@ gcry_pk_hash_verify (gcry_sexp_t sigval, const char *data_tmpl, gcry_sexp_t pkey
gcry_error_t
gcry_pk_random_override_new (gcry_ctx_t *r_ctx, const unsigned char *p, size_t len)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
+ fips_service_indicator_init ();
+
+ if (fips_mode ())
+ {
+ if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK))
+ return gpg_error (GPG_ERR_INV_OP);
+ else
+ fips_service_indicator_mark_non_compliant ();
+ }
+
return gpg_error (_gcry_pk_single_data_push (r_ctx, p, len));
}
--
2.49.0
Copy Permalink