forked from pool/libgcrypt
Pedro Monreal Gonzalez
63766c912b
* Include upstream SLI revamp and fips certification fixes
* Add patches:
- libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch
- libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
- libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
- libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch
- libgcrypt-fips-tests-Add-t-digest.patch
- libgcrypt-fips-Change-the-internal-API-for-new-FIPS-service-indicator.patch
- libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch
- libgcrypt-fips-tests-Add-tests-for-md_open-write-read-close-for-t-digest.patch
- libgcrypt-fips-mac-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch
- libgcrypt-fips-cipher-Implement-new-FIPS-service-indicator-for-cipher_open.patch
- libgcrypt-tests-fips-Add-gcry_mac_open-tests.patch
- libgcrypt-tests-fips-Rename-t-fips-service-ind.patch
- libgcrypt-tests-fips-Move-KDF-tests-to-t-fips-service-ind.patch
- libgcrypt-tests-fips-Add-gcry_cipher_open-tests.patch
- libgcrypt-fips-md-gcry_md_copy-should-care-about-FIPS-service-indicator.patch
- libgcrypt-fips-cipher-Implement-FIPS-service-indicator-for-gcry_pk_hash_-API.patch
- libgcrypt-fips-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch
- libgcrypt-Fix-the-previous-change.patch
- libgcrypt-fips-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch
- libgcrypt-fips-cipher-Add-behavior-not-to-reject-but-mark-non-compliant.patch
- libgcrypt-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch
- libgcrypt-tests-Add-more-tests-to-tests-t-fips-service-ind.patch
- libgcrypt-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch
- libgcrypt-fips-cipher-Fix-memory-leak-for-gcry_pk_hash_sign.patch
- libgcrypt-build-Improve-__thread-specifier-check.patch
- libgcrypt-cipher-Check-and-mark-non-compliant-cipher-modes-in-the-SLI.patch
- libgcrypt-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=186
61 lines
2.5 KiB
Diff
61 lines
2.5 KiB
Diff
Index: libgcrypt-1.11.0/src/fips.c
|
|
===================================================================
|
|
--- libgcrypt-1.11.0.orig/src/fips.c
|
|
+++ libgcrypt-1.11.0/src/fips.c
|
|
@@ -523,10 +523,15 @@ int
|
|
_gcry_fips_indicator_kdf (va_list arg_ptr)
|
|
{
|
|
enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
|
|
+ unsigned int keylen = 0;
|
|
|
|
switch (alg)
|
|
{
|
|
case GCRY_KDF_PBKDF2:
|
|
+ keylen = va_arg (arg_ptr, unsigned int);
|
|
+ if (keylen < 112) {
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+ }
|
|
return GPG_ERR_NO_ERROR;
|
|
default:
|
|
return GPG_ERR_NOT_SUPPORTED;
|
|
Index: libgcrypt-1.11.0/doc/gcrypt.texi
|
|
===================================================================
|
|
--- libgcrypt-1.11.0.orig/doc/gcrypt.texi
|
|
+++ libgcrypt-1.11.0/doc/gcrypt.texi
|
|
@@ -983,12 +983,13 @@ is approved under the current FIPS 140-3
|
|
combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
|
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
|
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
|
|
|
|
Check if the given KDF is approved under the current FIPS 140-3
|
|
-certification. If the KDF is approved, this function returns
|
|
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
-is returned.
|
|
+certification. The second parameter provides the keylength in bits.
|
|
+Keylength values of less that 112 bits are considered non-approved.
|
|
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
|
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
|
|
|
|
Index: libgcrypt-1.11.0/tests/t-kdf.c
|
|
===================================================================
|
|
--- libgcrypt-1.11.0.orig/tests/t-kdf.c
|
|
+++ libgcrypt-1.11.0/tests/t-kdf.c
|
|
@@ -1889,7 +1889,12 @@ check_fips_indicators (void)
|
|
for (i = 0; i < sizeof(kdf_algos) / sizeof(*kdf_algos); i++)
|
|
{
|
|
int is_fips_kdf_algo = 0;
|
|
- gcry_error_t err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
|
|
+ gcry_error_t err;
|
|
+ // On SUSE/openSUSE builds PBKDF2 with keysize < 112 is not allowed
|
|
+ if (kdf_algos[i] == GCRY_KDF_PBKDF2)
|
|
+ err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i], 112);
|
|
+ else
|
|
+ err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
|
|
|
|
if (verbose)
|
|
fprintf (stderr, "checking FIPS indicator for KDF %d: %s\n",
|