Accepting request 1078466 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 1.10.2: * Bug fixes: - Fix Argon2 for the case output > 64. [rC13b5454d26] - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44] - Fix RSA key generation failure in forced FIPS mode. [T5919] - Fix gcry_pk_hash_verify for explicit hash. [T6066] - Fix a wrong result of gcry_mpi_invm. [T5970] - Allow building with --disable-asm for HPPA. [T5976] - Allow building with -Oz. [T6432] - Enable the fast path to ChaCha20 only when supported. [T6384] - Use size_t to avoid counter overflow in Keccak when directly feeding more than 4GiB. [T6217] * Other: - Do not use secure memory for a DRBG instance. [T5933] - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918] - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990] - Allow verification of small RSA signatures in FIPS mode. [T5975] - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039] - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165] - Add function-name based FIPS indicator function. GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered an ABI changes because the new FIPS features were not yet approved. [rC822ee57f07] - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397] - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9] - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a] - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219] - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba] - Prefer gpgrt-config when available. [T5034] - Mark AESWRAP as approved FIPS algorithm. [T5512] OBS-URL: https://build.opensuse.org/request/show/1078466 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=165
2023-04-11 14:55:16 +00:00 · 2023-04-11 14:55:16 +00:00 · 07ae165632
commit 07ae165632
parent 7483d2b690
7 changed files with 213 additions and 213 deletions
--- a/libgcrypt-1.10.2.tar.bz2
+++ b/libgcrypt-1.10.2.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03
+size 3795164
--- a/libgcrypt-1.10.2.tar.bz2.sig
+++ b/libgcrypt-1.10.2.tar.bz2.sig
--- a/libgcrypt-FIPS-SLI-hash-mac.patch
+++ b/libgcrypt-FIPS-SLI-hash-mac.patch
@ -1,126 +1,73 @@
-Index: libgcrypt-1.10.0/doc/gcrypt.texi
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
 ===================================================================
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.0/doc/gcrypt.texi
-@@ -980,23 +980,39 @@ is approved under the current FIPS 140-3
- combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -985,13 +985,21 @@ certification. If the function is approv
+ @code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
 Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
+-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
 +@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
-+
+ 
+-Check if the given MAC is approved under the current FIPS 140-3
+-certification. If the MAC is approved, this function returns
+-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
 +Check if the given HASH is approved under the current FIPS 140-3
 +certification. If the HASH is approved, this function returns
 +@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-+is returned.
-+
+ is returned.
+ 
 +@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
 +
 +Check if the given MAC is approved under the current FIPS 140-3
 +certification. The second parameter provides the keylen (if the
 +algorithm supports different key sizes). If the MAC is approved,
-+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-+is returned.
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
+@code{GPG_ERR_NOT_SUPPORTED} is returned.
 +
- @item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
 
- Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
-+certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
-+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
- 
- @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
-[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
-GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
-+[, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)]
-+[, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
- 
- Check if the given asymmetric cipher is approved under the current FIPS
-140-3 certification. For GCRY_PK_RSA, an additional parameter for the
-operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
-GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
-name or its alias as @code{const char *}. If the combination is
-approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
-+140-3 certification. For GCRY_PK_RSA, two additional parameter are required:
-+first describes the purpose of the algorithm through one of the constants
-+(GCRY_PK_USAGE_ENCR for encryption or decryption operations; GCRY_PK_USAGE_SIGN for
-+sign or verify operations).
-+Second one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and GCRY_PK_ECDSA,
-+only a single parameter is needed: the curve name or its alias as @code{const char *}.
-+If the combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
- @code{GPG_ERR_NOT_SUPPORTED} is returned.
- 
- @end table
-Index: libgcrypt-1.10.0/src/fips.c
+ Check if the given message digest algorithm is approved under the current
+Index: libgcrypt-1.10.2/src/fips.c
 ===================================================================
--- libgcrypt-1.10.0.orig/src/fips.c
-+++ libgcrypt-1.10.0/src/fips.c
-@@ -357,6 +357,7 @@ _gcry_fips_indicator_cipher (va_list arg
-       mode = va_arg (arg_ptr, enum gcry_cipher_modes);
-       switch (mode)
-         {
-+        case GCRY_CIPHER_MODE_AESWRAP:
-         case GCRY_CIPHER_MODE_ECB:
-         case GCRY_CIPHER_MODE_CBC:
-         case GCRY_CIPHER_MODE_CFB:
-@@ -364,7 +365,6 @@ _gcry_fips_indicator_cipher (va_list arg
-         case GCRY_CIPHER_MODE_OFB:
-         case GCRY_CIPHER_MODE_CTR:
-         case GCRY_CIPHER_MODE_CCM:
-        case GCRY_CIPHER_MODE_GCM:
-         case GCRY_CIPHER_MODE_XTS:
-           return GPG_ERR_NO_ERROR;
-         default:
-@@ -422,11 +422,25 @@ static const struct
-     { NULL, NULL}
-   };
- 
-+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
-+{
-+  switch (pk_usage)
-+    {
-+    case GCRY_PK_USAGE_SIGN:
-+      return PUBKEY_OP_SIGN;
-+    case GCRY_PK_USAGE_ENCR:
-+      return PUBKEY_OP_ENCRYPT;
-+    default:
-+      return PUBKEY_OP_DECRYPT;
-+    }
-+}
-+
- int
- _gcry_fips_indicator_pk (va_list arg_ptr)
- {
-   enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
-   enum pk_operation oper;
-+  unsigned int keylen;
-   const char *curve_name;
- 
-   switch (alg)
-@@ -434,13 +448,17 @@ _gcry_fips_indicator_pk (va_list arg_ptr
-     case GCRY_PK_RSA:
-     case GCRY_PK_RSA_E:
-     case GCRY_PK_RSA_S:
-      oper = va_arg (arg_ptr, enum pk_operation);
-+      oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
-       switch (oper)
-         {
-         case PUBKEY_OP_ENCRYPT:
-         case PUBKEY_OP_DECRYPT:
-           return GPG_ERR_NOT_SUPPORTED;
-         default:
-+          keylen = va_arg (arg_ptr, unsigned int);
-+          if (keylen < 2048) {
-+            return GPG_ERR_NOT_SUPPORTED;
-+          }
-           return GPG_ERR_NO_ERROR;
-         }
-     case GCRY_PK_ECC:
-@@ -460,6 +478,62 @@ _gcry_fips_indicator_pk (va_list arg_ptr
+--- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.2/src/fips.c
+@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
     }
 }
 
+-int
+-_gcry_fips_indicator_mac (va_list arg_ptr)
+-{
+-  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+-
+-  switch (alg)
+-    {
+-    case GCRY_MAC_CMAC_AES:
+-    case GCRY_MAC_HMAC_SHA1:
+-    case GCRY_MAC_HMAC_SHA224:
+-    case GCRY_MAC_HMAC_SHA256:
+-    case GCRY_MAC_HMAC_SHA384:
+-    case GCRY_MAC_HMAC_SHA512:
+-    case GCRY_MAC_HMAC_SHA512_224:
+-    case GCRY_MAC_HMAC_SHA512_256:
+-    case GCRY_MAC_HMAC_SHA3_224:
+-    case GCRY_MAC_HMAC_SHA3_256:
+-    case GCRY_MAC_HMAC_SHA3_384:
+-    case GCRY_MAC_HMAC_SHA3_512:
+-      return GPG_ERR_NO_ERROR;
+-    default:
+-      return GPG_ERR_NOT_SUPPORTED;
+-    }
+-}
+-
+ /* FIPS approved curves, extracted from:
+  *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
+ static const struct
+@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a
+   return GPG_ERR_NOT_SUPPORTED;
+ }
+ 
 +int
 +_gcry_fips_indicator_hash (va_list arg_ptr)
 +{
@ -180,40 +127,37 @@ Index: libgcrypt-1.10.0/src/fips.c
 
 /* This is a test on whether the library is in the error or
    operational state. */
-Index: libgcrypt-1.10.0/src/g10lib.h
+Index: libgcrypt-1.10.2/src/g10lib.h
 ===================================================================
--- libgcrypt-1.10.0.orig/src/g10lib.h
-+++ libgcrypt-1.10.0/src/g10lib.h
-@@ -456,7 +456,9 @@ void _gcry_fips_signal_error (const char
+--- libgcrypt-1.10.2.orig/src/g10lib.h
+++ libgcrypt-1.10.2/src/g10lib.h
+@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char
 #endif
 
 int _gcry_fips_indicator_cipher (va_list arg_ptr);
 +int _gcry_fips_indicator_hash (va_list arg_ptr);
+ int _gcry_fips_indicator_mac (va_list arg_ptr);
+ int _gcry_fips_indicator_md (va_list arg_ptr);
 int _gcry_fips_indicator_kdf (va_list arg_ptr);
-+int _gcry_fips_indicator_mac (va_list arg_ptr);
- int _gcry_fips_indicator_pk (va_list arg_ptr);
- 
- int _gcry_fips_is_operational (void);
-Index: libgcrypt-1.10.0/src/gcrypt.h.in
+Index: libgcrypt-1.10.2/src/gcrypt.h.in
 ===================================================================
--- libgcrypt-1.10.0.orig/src/gcrypt.h.in
-+++ libgcrypt-1.10.0/src/gcrypt.h.in
-@@ -331,7 +331,9 @@ enum gcry_ctl_cmds
-     GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
-     GCRYCTL_NO_FIPS_MODE = 83,
-	GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 85,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 86
+--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
+++ libgcrypt-1.10.2/src/gcrypt.h.in
+@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88,
+    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89
   };
 
 /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.10.0/src/global.c
+Index: libgcrypt-1.10.2/src/global.c
 ===================================================================
--- libgcrypt-1.10.0.orig/src/global.c
-+++ libgcrypt-1.10.0/src/global.c
-@@ -791,12 +791,24 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+--- libgcrypt-1.10.2.orig/src/global.c
+++ libgcrypt-1.10.2/src/global.c
+@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
       rc = _gcry_fips_indicator_cipher (arg_ptr);
       break;
 
@ -223,18 +167,6 @@ Index: libgcrypt-1.10.0/src/global.c
 +      rc = _gcry_fips_indicator_hash (arg_ptr);
 +      break;
 +
-     case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
-       /* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
-        * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
-       rc = _gcry_fips_indicator_kdf (arg_ptr);
-       break;
- 
-+    case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
-+      /* Get FIPS Service Indicator for a given HMAC. Returns GPG_ERR_NO_ERROR
-+       * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
-+      rc = _gcry_fips_indicator_mac (arg_ptr);
-+      break;
-+
-     case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
-       /* Get FIPS Service Indicator for a given asymmetric algorithm. For
-        * GCRY_PK_RSA, an additional parameter for the operation mode is
+     case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+       /* Get FIPS Service Indicator for a given message authentication code.
+        * Returns GPG_ERR_NO_ERROR if algorithm is allowed or
--- a/libgcrypt-FIPS-SLI-kdf-leylength.patch
+++ b/libgcrypt-FIPS-SLI-kdf-leylength.patch
@ -1,8 +1,8 @@
-Index: libgcrypt-1.10.0/src/fips.c
+Index: libgcrypt-1.10.2/src/fips.c
 ===================================================================
--- libgcrypt-1.10.0.orig/src/fips.c
-+++ libgcrypt-1.10.0/src/fips.c
-@@ -379,10 +379,15 @@ int
+--- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.2/src/fips.c
+@@ -520,10 +520,15 @@ int
 _gcry_fips_indicator_kdf (va_list arg_ptr)
 {
   enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
@ -18,22 +18,25 @@ Index: libgcrypt-1.10.0/src/fips.c
       return GPG_ERR_NO_ERROR;
     default:
       return GPG_ERR_NOT_SUPPORTED;
-Index: libgcrypt-1.10.0/doc/gcrypt.texi
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
 ===================================================================
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.0/doc/gcrypt.texi
-@@ -995,10 +995,12 @@ algorithm supports different key sizes).
- this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
- is returned.
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
+ combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+ Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
 -@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
 +@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
 
 Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+-certification. If the KDF is approved, this function returns
+-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+-is returned.
 +certification. The second parameter provides the keylength in bits.
 +Keylength values of less that 112 bits are considered non-approved.
 +If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
- Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ 
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
 
- @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
--- a/libgcrypt-FIPS-SLI-pk.patch
+++ b/libgcrypt-FIPS-SLI-pk.patch
@ -1,8 +1,8 @@
-Index: libgcrypt-1.10.0/src/fips.c
+Index: libgcrypt-1.10.2/src/fips.c
 ===================================================================
--- libgcrypt-1.10.0.orig/src/fips.c
-+++ libgcrypt-1.10.0/src/fips.c
-@@ -36,6 +36,7 @@
+--- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.2/src/fips.c
+@@ -38,6 +38,7 @@
 
 #include "g10lib.h"
 #include "cipher-proto.h"
@ -10,7 +10,7 @@ Index: libgcrypt-1.10.0/src/fips.c
 #include "../random/random.h"
 
 /* The states of the finite state machine used in fips mode.  */
-@@ -386,6 +387,77 @@ _gcry_fips_indicator_kdf (va_list arg_pt
+@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
     default:
       return GPG_ERR_NOT_SUPPORTED;
     }
@ -49,11 +49,25 @@ Index: libgcrypt-1.10.0/src/fips.c
 +    { NULL, NULL}
 +  };
 +
+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
+{
+  switch (pk_usage)
+    {
+    case GCRY_PK_USAGE_SIGN:
+      return PUBKEY_OP_SIGN;
+    case GCRY_PK_USAGE_ENCR:
+      return PUBKEY_OP_ENCRYPT;
+    default:
+      return PUBKEY_OP_DECRYPT;
+    }
+}
+
 +int
 +_gcry_fips_indicator_pk (va_list arg_ptr)
 +{
 +  enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
 +  enum pk_operation oper;
+  unsigned int keylen;
 +  const char *curve_name;
 +
 +  switch (alg)
@ -61,13 +75,16 @@ Index: libgcrypt-1.10.0/src/fips.c
 +    case GCRY_PK_RSA:
 +    case GCRY_PK_RSA_E:
 +    case GCRY_PK_RSA_S:
-+      oper = va_arg (arg_ptr, enum pk_operation);
+      oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
 +      switch (oper)
 +        {
 +        case PUBKEY_OP_ENCRYPT:
 +        case PUBKEY_OP_DECRYPT:
 +          return GPG_ERR_NOT_SUPPORTED;
 +        default:
+          keylen = va_arg (arg_ptr, unsigned int);
+          if (keylen < 2048)
+            return GPG_ERR_NOT_SUPPORTED;
 +          return GPG_ERR_NO_ERROR;
 +        }
 +    case GCRY_PK_ECC:
@ -87,62 +104,63 @@ Index: libgcrypt-1.10.0/src/fips.c
 +    }
 }
 
- 
-Index: libgcrypt-1.10.0/src/gcrypt.h.in
+ int
+Index: libgcrypt-1.10.2/src/gcrypt.h.in
 ===================================================================
--- libgcrypt-1.10.0.orig/src/gcrypt.h.in
-+++ libgcrypt-1.10.0/src/gcrypt.h.in
-@@ -330,7 +330,8 @@ enum gcry_ctl_cmds
-     GCRYCTL_SET_DECRYPTION_TAG = 80,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
-    GCRYCTL_NO_FIPS_MODE = 83
-+    GCRYCTL_NO_FIPS_MODE = 83,
-+	GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84
+--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
+++ libgcrypt-1.10.2/src/gcrypt.h.in
+@@ -334,7 +334,8 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
   };
 
 /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.10.0/doc/gcrypt.texi
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
 ===================================================================
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.0/doc/gcrypt.texi
-@@ -987,6 +987,18 @@ certification. If the KDF is approved, t
- @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
- is returned.
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -997,6 +997,19 @@ Check if the given message digest algori
+ FIPS 140-3 certification. If the algorithm is approved, this function returns
+ @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
-+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
-+[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
-+GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, constantsGCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] [, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
 +
-+Check if the given asymmetric cipher is approved under the current FIPS
-+140-3 certification. For GCRY_PK_RSA, an additional parameter for the
-+operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
-+GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
-+name or its alias as @code{const char *}. If the combination is
-+approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
+Check if the given asymmetric cipher is approved under the current
+FIPS 140-3 certification. For GCRY_PK_RSA, two additional parameter
+are required: first describes the purpose of the algorithm through one
+of the constants (GCRY_PK_USAGE_ENCR for encryption or decryption
+operations; GCRY_PK_USAGE_SIGN for sign or verify operations). Second
+one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and
+GCRY_PK_ECDSA, only a single parameter is needed: the curve name or
+its alias as @code{const char *}. If the combination is approved, this
+function returns @code{GPG_ERR_NO_ERROR}. Otherwise
 +@code{GPG_ERR_NOT_SUPPORTED} is returned.
 +
- @end table
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
 
- @end deftypefun
-Index: libgcrypt-1.10.0/src/g10lib.h
+ Check if the given public key operation flag or s-expression object name is
+Index: libgcrypt-1.10.2/src/g10lib.h
 ===================================================================
--- libgcrypt-1.10.0.orig/src/g10lib.h
-+++ libgcrypt-1.10.0/src/g10lib.h
-@@ -457,6 +457,7 @@ void _gcry_fips_signal_error (const char
- 
- int _gcry_fips_indicator_cipher (va_list arg_ptr);
+--- libgcrypt-1.10.2.orig/src/g10lib.h
+++ libgcrypt-1.10.2/src/g10lib.h
+@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar
+ int _gcry_fips_indicator_md (va_list arg_ptr);
 int _gcry_fips_indicator_kdf (va_list arg_ptr);
+ int _gcry_fips_indicator_function (va_list arg_ptr);
 +int _gcry_fips_indicator_pk (va_list arg_ptr);
+ int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
 
 int _gcry_fips_is_operational (void);
- 
-Index: libgcrypt-1.10.0/src/global.c
+Index: libgcrypt-1.10.2/src/global.c
 ===================================================================
--- libgcrypt-1.10.0.orig/src/global.c
-+++ libgcrypt-1.10.0/src/global.c
-@@ -797,6 +797,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
-       rc = _gcry_fips_indicator_kdf (arg_ptr);
+--- libgcrypt-1.10.2.orig/src/global.c
+++ libgcrypt-1.10.2/src/global.c
+@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+       rc = _gcry_fips_indicator_pk_flags (arg_ptr);
       break;
 
 +    case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 1.10.2:
+  * Bug fixes:
+    - Fix Argon2 for the case output > 64. [rC13b5454d26]
+    - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
+    - Fix RSA key generation failure in forced FIPS mode. [T5919]
+    - Fix gcry_pk_hash_verify for explicit hash. [T6066]
+    - Fix a wrong result of gcry_mpi_invm. [T5970]
+    - Allow building with --disable-asm for HPPA. [T5976]
+    - Allow building with -Oz. [T6432]
+    - Enable the fast path to ChaCha20 only when supported. [T6384]
+    - Use size_t to avoid counter overflow in Keccak when directly
+      feeding more than 4GiB. [T6217]
+  * Other:
+    - Do not use secure memory for a DRBG instance. [T5933]
+    - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
+    - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990]
+    - Allow verification of small RSA signatures in FIPS mode. [T5975]
+    - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
+    - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
+    - Add function-name based FIPS indicator function.
+      GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
+      an ABI changes because the new FIPS features were not yet
+      approved. [rC822ee57f07]
+    - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
+    - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
+    - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
+    - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
+    - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
+    - Prefer gpgrt-config when available. [T5034]
+    - Mark AESWRAP as approved FIPS algorithm. [T5512]
+    - Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
+    - Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
+    - Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
+    - Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
+  * Release-info: https://dev.gnupg.org/T5905
+  * Rebase FIPS patches:
+    - libgcrypt-FIPS-SLI-hash-mac.patch
+    - libgcrypt-FIPS-SLI-kdf-leylength.patch
+    - libgcrypt-FIPS-SLI-pk.patch
+
 -------------------------------------------------------------------
 Wed Mar  8 10:34:34 UTC 2023 - Martin Pluskal <mpluskal@suse.com>

--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -21,7 +21,7 @@
 %define libsoname %{name}%{libsover}
 %define hmac_key orboDeJITITejsirpADONivirpUkvarP
 Name:           libgcrypt
-Version:        1.10.1
+Version:        1.10.2
 Release:        0
 Summary:        The GNU Crypto Library
 License:        GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@ -36,20 +36,21 @@ Source4:        hwf.deny
 Source5:        libgcrypt.keyring
 Source99:       libgcrypt.changes
 Patch1:         libgcrypt-1.10.0-allow_FSM_same_state.patch
-#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
-Patch2:         libgcrypt-FIPS-SLI-pk.patch
-#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
-Patch3:         libgcrypt-FIPS-SLI-hash-mac.patch
-#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
-Patch4:         libgcrypt-FIPS-SLI-kdf-leylength.patch
 #PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion
-Patch5:         libgcrypt-1.10.0-out-of-core-handler.patch
+Patch2:         libgcrypt-1.10.0-out-of-core-handler.patch
+# FIPS patches:
+#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
+Patch100:       libgcrypt-FIPS-SLI-pk.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
+Patch101:       libgcrypt-FIPS-SLI-kdf-leylength.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
+Patch102:       libgcrypt-FIPS-SLI-hash-mac.patch
 #PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
-Patch6:         libgcrypt-jitterentropy-3.4.0.patch
+Patch103:       libgcrypt-jitterentropy-3.4.0.patch
 #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
-Patch7:         libgcrypt-FIPS-rndjent_poll.patch
+Patch104:       libgcrypt-FIPS-rndjent_poll.patch
 #PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
-Patch8:         libgcrypt-1.10.0-use-fipscheck.patch
+Patch105:       libgcrypt-1.10.0-use-fipscheck.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  libgpg-error-devel >= 1.27
 BuildRequires:  libtool