libgcrypt/libgcrypt-FIPS-module-version.patch

From c74fde0c3f6114c594332fb28a09c7b817969231 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 17 Sep 2021 17:11:30 +0200
Subject: [PATCH 187/200] Allow passing FIPS module version

* README: Document new --with-fips-module-version=version switch
* configure.ac: Implementation of the --with-fips-module-version
* src/global.c (print_config): Print FIPS module version from above
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Moved the module version to a 3rd field to keep the semantics of that
line.

Signed-off-by: Werner Koch <wk@gnupg.org>
GnuPG-bug-id: 1600
---
 README       |  4 ++++
 configure.ac |  7 +++++++
 src/global.c | 16 +++++++++++++---
 3 files changed, 24 insertions(+), 3 deletions(-)

Index: libgcrypt-1.9.4/README
===================================================================
--- libgcrypt-1.9.4.orig/README
+++ libgcrypt-1.9.4/README
@@ -165,6 +165,10 @@
                      against a HMAC checksum.  This works only in FIPS
                      mode and on systems providing the dladdr function.
 
+     --with-fips-module-version=version
+                     Specify a string used as a module version for FIPS
+                     certification purposes.
+
      --disable-padlock-support
                      Disable support for the PadLock engine of VIA
                      processors.  The default is to use PadLock if
Index: libgcrypt-1.9.4/configure.ac
===================================================================
--- libgcrypt-1.9.4.orig/configure.ac
+++ libgcrypt-1.9.4/configure.ac
@@ -599,6 +599,12 @@ if test "$use_hmac_binary_check" = yes ;
               [Define to support an HMAC based integrity check])
 fi
 
+# Implementation of the --with-fips-module-version.
+AC_ARG_WITH(fips-module-version,
+    [  --with-fips-module-version=VERSION],
+            fips_module_version="$withval", fips_module_version="" )
+AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
+                   [Define FIPS module version for certification])
 
 # Implementation of the --disable-jent-support switch.
 AC_MSG_CHECKING([whether jitter entropy support is requested])
@@ -3266,6 +3272,7 @@ GCRY_MSG_WRAP([Enabled pubkey algorithms
 GCRY_MSG_SHOW([Random number generator:  ],[$random])
 GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
 GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
+GCRY_MSG_SHOW([FIPS module version:      ],[$fips_module_version])
 GCRY_MSG_SHOW([Try using Padlock crypto: ],[$padlocksupport])
 GCRY_MSG_SHOW([Try using AES-NI crypto:  ],[$aesnisupport])
 GCRY_MSG_SHOW([Try using Intel SHAEXT:   ],[$shaextsupport])
Index: libgcrypt-1.9.4/src/global.c
===================================================================
--- libgcrypt-1.9.4.orig/src/global.c
+++ libgcrypt-1.9.4/src/global.c
@@ -379,10 +379,19 @@ print_config (const char *what, gpgrt_st
     {
       /* We use y/n instead of 1/0 for the stupid reason that
        * Emacsen's compile error parser would accidentally flag that
-       * line when printed during "make check" as an error.  */
-      gpgrt_fprintf (fp, "fips-mode:%c:%c:\n",
+       * line when printed during "make check" as an error.  The
+       * second field is obsolete and thus empty (used to be used for
+       * a so-called enforced-fips-mode).  The third field has an
+       * option static string describing the module versions; this is
+       * an optional configure option.  */
+      gpgrt_fprintf (fp, "fips-mode:%c::%s:\n",
                      fips_mode ()? 'y':'n',
-                     _gcry_enforced_fips_mode ()? 'y':'n' );
+#ifdef FIPS_MODULE_VERSION
+                     fips_mode () ? FIPS_MODULE_VERSION : ""
+#else
+                     ""
+#endif /* FIPS_MODULE_VERSION */
+                     );
     }
 
   if (!what || !strcmp (what, "rng-type"))
Accepting request 950433 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - FIPS: Disable DSA in FIPS mode [bsc#1195385] * Upstream task: https://dev.gnupg.org/T5710 * Add libgcrypt-FIPS-disable-DSA.patch - FIPS: Service level indicator [bsc#1190700] * Provide an indicator to check wether the service utilizes an approved cryptographic algorithm or not. * Add patches: - libgcrypt-FIPS-service-indicators.patch - libgcrypt-FIPS-verify-unsupported-KDF-test.patch - libgcrypt-FIPS-HMAC-short-keylen.patch - FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] * Disable jitter entropy by default in random.conf * Disable only-urandom option by default in random.conf - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] * rsa: Check RSA keylen constraints for key operations. * rsa: Fix regression in not returning an error for prime generation. * tests: Add 2k RSA key working in FIPS mode. * tests: pubkey: Replace RSA key to one of 2k. * tests: pkcs1v2: Skip tests with small keys in FIPS. * Add patches: - libgcrypt-FIPS-RSA-keylen.patch - libgcrypt-FIPS-RSA-keylen-tests.patch - FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] * Add libgcrypt-FIPS-disable-3DES.patch - FIPS: PBKDF requirements [bsc#1185137] OBS-URL: https://build.opensuse.org/request/show/950433 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=153 2022-02-01 14:12:14 +01:00			`From c74fde0c3f6114c594332fb28a09c7b817969231 Mon Sep 17 00:00:00 2001`
			`From: Jakub Jelen <jjelen@redhat.com>`
			`Date: Fri, 17 Sep 2021 17:11:30 +0200`
			`Subject: [PATCH 187/200] Allow passing FIPS module version`

			`* README: Document new --with-fips-module-version=version switch`
			`* configure.ac: Implementation of the --with-fips-module-version`
			`* src/global.c (print_config): Print FIPS module version from above`
			`--`
			`Signed-off-by: Jakub Jelen <jjelen@redhat.com>`

			`Moved the module version to a 3rd field to keep the semantics of that`
			`line.`

			`Signed-off-by: Werner Koch <wk@gnupg.org>`
			`GnuPG-bug-id: 1600`
			`---`
			`README \| 4 ++++`
			`configure.ac \| 7 +++++++`
			`src/global.c \| 16 +++++++++++++---`
			`3 files changed, 24 insertions(+), 3 deletions(-)`

			`Index: libgcrypt-1.9.4/README`
			`===================================================================`
			`--- libgcrypt-1.9.4.orig/README`
			`+++ libgcrypt-1.9.4/README`
			`@@ -165,6 +165,10 @@`
			`against a HMAC checksum. This works only in FIPS`
			`mode and on systems providing the dladdr function.`

			`+ --with-fips-module-version=version`
			`+ Specify a string used as a module version for FIPS`
			`+ certification purposes.`
			`+`
			`--disable-padlock-support`
			`Disable support for the PadLock engine of VIA`
			`processors. The default is to use PadLock if`
			`Index: libgcrypt-1.9.4/configure.ac`
			`===================================================================`
			`--- libgcrypt-1.9.4.orig/configure.ac`
			`+++ libgcrypt-1.9.4/configure.ac`
			`@@ -599,6 +599,12 @@ if test "$use_hmac_binary_check" = yes ;`
			`[Define to support an HMAC based integrity check])`
			`fi`

			`+# Implementation of the --with-fips-module-version.`
			`+AC_ARG_WITH(fips-module-version,`
			`+ [ --with-fips-module-version=VERSION],`
			`+ fips_module_version="$withval", fips_module_version="" )`
			`+AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",`
			`+ [Define FIPS module version for certification])`

			`# Implementation of the --disable-jent-support switch.`
			`AC_MSG_CHECKING([whether jitter entropy support is requested])`
			`@@ -3266,6 +3272,7 @@ GCRY_MSG_WRAP([Enabled pubkey algorithms`
			`GCRY_MSG_SHOW([Random number generator: ],[$random])`
			`GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])`
			`GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])`
			`+GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version])`
			`GCRY_MSG_SHOW([Try using Padlock crypto: ],[$padlocksupport])`
			`GCRY_MSG_SHOW([Try using AES-NI crypto: ],[$aesnisupport])`
			`GCRY_MSG_SHOW([Try using Intel SHAEXT: ],[$shaextsupport])`
			`Index: libgcrypt-1.9.4/src/global.c`
			`===================================================================`
			`--- libgcrypt-1.9.4.orig/src/global.c`
			`+++ libgcrypt-1.9.4/src/global.c`
			`@@ -379,10 +379,19 @@ print_config (const char *what, gpgrt_st`
			`{`
			`/* We use y/n instead of 1/0 for the stupid reason that`
			`* Emacsen's compile error parser would accidentally flag that`
			`- * line when printed during "make check" as an error. */`
			`- gpgrt_fprintf (fp, "fips-mode:%c:%c:\n",`
			`+ * line when printed during "make check" as an error. The`
			`+ * second field is obsolete and thus empty (used to be used for`
			`+ * a so-called enforced-fips-mode). The third field has an`
			`+ * option static string describing the module versions; this is`
			`+ * an optional configure option. */`
			`+ gpgrt_fprintf (fp, "fips-mode:%c::%s:\n",`
			`fips_mode ()? 'y':'n',`
			`- _gcry_enforced_fips_mode ()? 'y':'n' );`
			`+#ifdef FIPS_MODULE_VERSION`
			`+ fips_mode () ? FIPS_MODULE_VERSION : ""`
			`+#else`
			`+ ""`
			`+#endif /* FIPS_MODULE_VERSION */`
			`+ );`
			`}`

			`if (!what \|\| !strcmp (what, "rng-type"))`