forked from pool/libgcrypt
Pedro Monreal Gonzalez
f7ff22f6aa
* Bug fixes:
- Fix Kyber secret-dependent branch introduced by recent versions of Clang. [rCf765778e82]
- Fix build regression due to the use of AVX512 in Blake. [T7184]
- Do not build i386 asm on amd64 and vice versa. [T7220]
- Fix build regression on armhf with gcc-14. [T7226]
- Return the proper error code on malloc failure in hex2buffer. [rCc51151f5b0]
- Fix long standing bug for PRIME % 2 == 0. [rC639b0fca15]
* Performance:
- Add AES Vector Permute intrinsics implementation for AArch64. [rC94a63aedbb]
- Add GHASH AArch64/SIMD intrinsics implementation. [rCfec871fd18]
- Add RISC-V vector permute AES. [rCb24ebd6163]
- Add GHASH RISC-V Zbb+Zbc implementation. [rC0f1fec12b0]
- Add ChaCha20 RISC-V vector intrinsics implementation. [rC8dbee93ac2]
- Add SHA3 acceleration for RISC-V Zbb extension. [rC1a660068ba]
* Other:
- Add CET support for i386 and amd64 assembly. [T7220]
- Add PAC/BTI support for AArch64 asm. [T7220]
- Apply changes to Kyber from upstream for final FIPS 203. [rCcc95c36e7f]
- Introduce an internal API for a revampled FIPS service indicator. [T7340]
- Several improvements for constant time operation by the introduction of Least Leak Intended (LLI) variants of internal functions. [T7519,T7490]
* Rebase patches:
- libgcrypt-FIPS-SLI-hash-mac.patch
- libgcrypt-FIPS-SLI-pk.patch
- libgcrypt-FIPS-jitter-standalone.patch
* Remove patches:
- libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch
- libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
- libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
- libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=190
173 lines
5.8 KiB
Diff
173 lines
5.8 KiB
Diff
Index: libgcrypt-1.11.1/doc/gcrypt.texi
|
|
===================================================================
|
|
--- libgcrypt-1.11.1.orig/doc/gcrypt.texi
|
|
+++ libgcrypt-1.11.1/doc/gcrypt.texi
|
|
@@ -998,13 +998,21 @@ certification. If the function is approv
|
|
@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
|
|
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
|
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
|
|
|
|
-Check if the given MAC is approved under the current FIPS 140-3
|
|
-certification. If the MAC is approved, this function returns
|
|
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
+Check if the given HASH is approved under the current FIPS 140-3
|
|
+certification. If the HASH is approved, this function returns
|
|
+@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
is returned.
|
|
|
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
|
|
+
|
|
+Check if the given MAC is approved under the current FIPS 140-3
|
|
+certification. The second parameter provides the keylen (if the
|
|
+algorithm supports different key sizes). If the MAC is approved,
|
|
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
|
|
+@code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
+
|
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
|
|
|
|
Check if the given message digest algorithm is approved under the current
|
|
Index: libgcrypt-1.11.1/src/fips.c
|
|
===================================================================
|
|
--- libgcrypt-1.11.1.orig/src/fips.c
|
|
+++ libgcrypt-1.11.1/src/fips.c
|
|
@@ -512,31 +512,6 @@ _gcry_fips_indicator_pk (va_list arg_ptr
|
|
}
|
|
|
|
int
|
|
-_gcry_fips_indicator_mac (va_list arg_ptr)
|
|
-{
|
|
- enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
|
|
-
|
|
- switch (alg)
|
|
- {
|
|
- case GCRY_MAC_CMAC_AES:
|
|
- case GCRY_MAC_HMAC_SHA1:
|
|
- case GCRY_MAC_HMAC_SHA224:
|
|
- case GCRY_MAC_HMAC_SHA256:
|
|
- case GCRY_MAC_HMAC_SHA384:
|
|
- case GCRY_MAC_HMAC_SHA512:
|
|
- case GCRY_MAC_HMAC_SHA512_224:
|
|
- case GCRY_MAC_HMAC_SHA512_256:
|
|
- case GCRY_MAC_HMAC_SHA3_224:
|
|
- case GCRY_MAC_HMAC_SHA3_256:
|
|
- case GCRY_MAC_HMAC_SHA3_384:
|
|
- case GCRY_MAC_HMAC_SHA3_512:
|
|
- return GPG_ERR_NO_ERROR;
|
|
- default:
|
|
- return GPG_ERR_NOT_SUPPORTED;
|
|
- }
|
|
-}
|
|
-
|
|
-int
|
|
_gcry_fips_indicator_md (va_list arg_ptr)
|
|
{
|
|
enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
|
|
@@ -647,6 +622,62 @@ _gcry_fips_indicator_pk_flags (va_list a
|
|
return GPG_ERR_NOT_SUPPORTED;
|
|
}
|
|
|
|
+int
|
|
+_gcry_fips_indicator_hash (va_list arg_ptr)
|
|
+{
|
|
+ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
|
|
+
|
|
+ switch (alg)
|
|
+ {
|
|
+ case GCRY_MD_SHA1:
|
|
+ case GCRY_MD_SHA224:
|
|
+ case GCRY_MD_SHA256:
|
|
+ case GCRY_MD_SHA384:
|
|
+ case GCRY_MD_SHA512:
|
|
+ case GCRY_MD_SHA512_224:
|
|
+ case GCRY_MD_SHA512_256:
|
|
+ case GCRY_MD_SHA3_224:
|
|
+ case GCRY_MD_SHA3_256:
|
|
+ case GCRY_MD_SHA3_384:
|
|
+ case GCRY_MD_SHA3_512:
|
|
+ case GCRY_MD_SHAKE128:
|
|
+ case GCRY_MD_SHAKE256:
|
|
+ return GPG_ERR_NO_ERROR;
|
|
+ default:
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+ }
|
|
+}
|
|
+
|
|
+int
|
|
+_gcry_fips_indicator_mac (va_list arg_ptr)
|
|
+{
|
|
+ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
|
|
+ unsigned int keylen = va_arg (arg_ptr, unsigned int);
|
|
+
|
|
+ switch (alg)
|
|
+ {
|
|
+ case GCRY_MAC_HMAC_SHA1:
|
|
+ case GCRY_MAC_HMAC_SHA224:
|
|
+ case GCRY_MAC_HMAC_SHA256:
|
|
+ case GCRY_MAC_HMAC_SHA384:
|
|
+ case GCRY_MAC_HMAC_SHA512:
|
|
+ case GCRY_MAC_HMAC_SHA512_224:
|
|
+ case GCRY_MAC_HMAC_SHA512_256:
|
|
+ case GCRY_MAC_HMAC_SHA3_224:
|
|
+ case GCRY_MAC_HMAC_SHA3_256:
|
|
+ case GCRY_MAC_HMAC_SHA3_384:
|
|
+ case GCRY_MAC_HMAC_SHA3_512:
|
|
+ if (keylen >= 112) {
|
|
+ return GPG_ERR_NO_ERROR;
|
|
+ }
|
|
+ case GCRY_MAC_CMAC_AES:
|
|
+ if (keylen == 128 || keylen == 192 || keylen == 256) {
|
|
+ return GPG_ERR_NO_ERROR;
|
|
+ }
|
|
+ default:
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+ }
|
|
+}
|
|
|
|
/* This is a test on whether the library is in the error or
|
|
operational state. */
|
|
Index: libgcrypt-1.11.1/src/g10lib.h
|
|
===================================================================
|
|
--- libgcrypt-1.11.1.orig/src/g10lib.h
|
|
+++ libgcrypt-1.11.1/src/g10lib.h
|
|
@@ -478,6 +478,7 @@ void _gcry_fips_signal_error (const char
|
|
gpg_err_code_t _gcry_fips_indicator (void);
|
|
|
|
int _gcry_fips_indicator_cipher (va_list arg_ptr);
|
|
+int _gcry_fips_indicator_hash (va_list arg_ptr);
|
|
int _gcry_fips_indicator_mac (va_list arg_ptr);
|
|
int _gcry_fips_indicator_md (va_list arg_ptr);
|
|
int _gcry_fips_indicator_kdf (va_list arg_ptr);
|
|
Index: libgcrypt-1.11.1/src/gcrypt.h.in
|
|
===================================================================
|
|
--- libgcrypt-1.11.1.orig/src/gcrypt.h.in
|
|
+++ libgcrypt-1.11.1/src/gcrypt.h.in
|
|
@@ -338,7 +338,8 @@ enum gcry_ctl_cmds
|
|
GCRYCTL_MD_CUSTOMIZE = 88,
|
|
GCRYCTL_FIPS_SERVICE_INDICATOR = 89,
|
|
GCRYCTL_FIPS_REJECT_NON_FIPS = 90,
|
|
- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91
|
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91,
|
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 92
|
|
};
|
|
|
|
/* Perform various operations defined by CMD. */
|
|
Index: libgcrypt-1.11.1/src/global.c
|
|
===================================================================
|
|
--- libgcrypt-1.11.1.orig/src/global.c
|
|
+++ libgcrypt-1.11.1/src/global.c
|
|
@@ -808,6 +808,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
|
rc = _gcry_fips_indicator_cipher (arg_ptr);
|
|
break;
|
|
|
|
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_HASH:
|
|
+ /* Get FIPS Service Indicator for a given HASH. Returns GPG_ERR_NO_ERROR
|
|
+ * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
|
|
+ rc = _gcry_fips_indicator_hash (arg_ptr);
|
|
+ break;
|
|
+
|
|
case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
|
|
/* Get FIPS Service Indicator for a given message authentication code.
|
|
* Returns GPG_ERR_NO_ERROR if algorithm is allowed or
|