Pedro Monreal Gonzalez
07ae165632
- Update to 1.10.2:
* Bug fixes:
- Fix Argon2 for the case output > 64. [rC13b5454d26]
- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
- Fix RSA key generation failure in forced FIPS mode. [T5919]
- Fix gcry_pk_hash_verify for explicit hash. [T6066]
- Fix a wrong result of gcry_mpi_invm. [T5970]
- Allow building with --disable-asm for HPPA. [T5976]
- Allow building with -Oz. [T6432]
- Enable the fast path to ChaCha20 only when supported. [T6384]
- Use size_t to avoid counter overflow in Keccak when directly
feeding more than 4GiB. [T6217]
* Other:
- Do not use secure memory for a DRBG instance. [T5933]
- Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
- Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990]
- Allow verification of small RSA signatures in FIPS mode. [T5975]
- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
- Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
- Add function-name based FIPS indicator function.
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
an ABI changes because the new FIPS features were not yet
approved. [rC822ee57f07]
- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
- Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
- Prefer gpgrt-config when available. [T5034]
- Mark AESWRAP as approved FIPS algorithm. [T5512]
OBS-URL: https://build.opensuse.org/request/show/1078466
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=165
43 lines
1.6 KiB
Diff
43 lines
1.6 KiB
Diff
Index: libgcrypt-1.10.2/src/fips.c
|
|
===================================================================
|
|
--- libgcrypt-1.10.2.orig/src/fips.c
|
|
+++ libgcrypt-1.10.2/src/fips.c
|
|
@@ -520,10 +520,15 @@ int
|
|
_gcry_fips_indicator_kdf (va_list arg_ptr)
|
|
{
|
|
enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
|
|
+ unsigned int keylen = 0;
|
|
|
|
switch (alg)
|
|
{
|
|
case GCRY_KDF_PBKDF2:
|
|
+ keylen = va_arg (arg_ptr, unsigned int);
|
|
+ if (keylen < 112) {
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+ }
|
|
return GPG_ERR_NO_ERROR;
|
|
default:
|
|
return GPG_ERR_NOT_SUPPORTED;
|
|
Index: libgcrypt-1.10.2/doc/gcrypt.texi
|
|
===================================================================
|
|
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
|
|
+++ libgcrypt-1.10.2/doc/gcrypt.texi
|
|
@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
|
|
combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
|
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
|
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
|
|
|
|
Check if the given KDF is approved under the current FIPS 140-3
|
|
-certification. If the KDF is approved, this function returns
|
|
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
-is returned.
|
|
+certification. The second parameter provides the keylength in bits.
|
|
+Keylength values of less that 112 bits are considered non-approved.
|
|
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
|
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
|
|
|