libgcrypt/libgcrypt-FIPS-SLI-kdf-leylength.patch

Index: libgcrypt-1.10.2/src/fips.c
===================================================================
--- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.2/src/fips.c
@@ -520,10 +520,15 @@ int
 _gcry_fips_indicator_kdf (va_list arg_ptr)
 {
   enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
+  unsigned int keylen = 0;
 
   switch (alg)
     {
     case GCRY_KDF_PBKDF2:
+      keylen = va_arg (arg_ptr, unsigned int);
+      if (keylen < 112) {
+        return GPG_ERR_NOT_SUPPORTED;
+      }
       return GPG_ERR_NO_ERROR;
     default:
       return GPG_ERR_NOT_SUPPORTED;
Index: libgcrypt-1.10.2/doc/gcrypt.texi
===================================================================
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.2/doc/gcrypt.texi
@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
 combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
 Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
 
 Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
+certification. The second parameter provides the keylength in bits.
+Keylength values of less that 112 bits are considered non-approved.
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
 @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
Accepting request 1183811 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 1.11.0: * New and extended interfaces: - Add an API for Key Encapsulation Mechanism (KEM). [T6755] - Add Streamlined NTRU Prime sntrup761 algorithm. [rCcf9923e1a5] - Add Kyber algorithm according to FIPS 203 ipd 2023-08-24. [rC18e5c0d268] - Add Classic McEliece algorithm. [rC003367b912] - Add One-Step KDF with hash and MAC. [T5964] - Add KDF algorithm HKDF of RFC-5869. [T5964] - Add KDF algorithm X963KDF for use in CMS. [rC3abac420b3] - Add GMAC-SM4 and Poly1305-SM4. [rCd1ccc409d4] - Add ARIA block cipher algorithm. [rC316c6d7715] - Add explicit FIPS indicators for MD and MAC algorithms. [T6376] - Add support for SHAKE as MGF in RSA. [T6557] - Add gcry_md_read support for SHAKE algorithms. [T6539] - Add gcry_md_hash_buffers_ext function. [T7035] - Add cSHAKE hash algorithm. [rC065b3f4e02] - Support internal generation of IV for AEAD cipher mode. [T4873] * Performance: - Add SM3 ARMv8/AArch64/CE assembly implementation. [rCfe891ff4a3] - Add SM4 ARMv8/AArch64 assembly implementation. [rCd8825601f1] - Add SM4 GFNI/AVX2 and GFI/AVX512 implementation. [rC5095d60af4,rCeaed633c16] - Add SM4 ARMv9 SVE CE assembly implementation. [rC2dc2654006] - Add PowerPC vector implementation of SM4. [rC0b2da804ee] - Optimize ChaCha20 and Poly1305 for PPC P10 LE. [T6006] - Add CTR32LE bulk acceleration for AES on PPC. [rC84f2e2d0b5] - Add generic bulk acceleration for CTR32LE mode (GCM-SIV) for SM4 and Camellia. [rCcf956793af] - Add GFNI/AVX2 implementation of Camellia. [rC4e6896eb9f] - Add AVX2 and AVX512 accelerated implementations for GHASH (GCM) and POLYVAL (GCM-SIV). [rCd857e85cb4, rCe6f3600193] OBS-URL: https://build.opensuse.org/request/show/1183811 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=180 2024-06-28 09:08:29 +00:00			`Index: libgcrypt-1.10.2/src/fips.c`
			`===================================================================`
			`--- libgcrypt-1.10.2.orig/src/fips.c`
			`+++ libgcrypt-1.10.2/src/fips.c`
			`@@ -520,10 +520,15 @@ int`
			`_gcry_fips_indicator_kdf (va_list arg_ptr)`
			`{`
			`enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);`
			`+ unsigned int keylen = 0;`

			`switch (alg)`
			`{`
			`case GCRY_KDF_PBKDF2:`
			`+ keylen = va_arg (arg_ptr, unsigned int);`
			`+ if (keylen < 112) {`
			`+ return GPG_ERR_NOT_SUPPORTED;`
			`+ }`
			`return GPG_ERR_NO_ERROR;`
			`default:`
			`return GPG_ERR_NOT_SUPPORTED;`
			`Index: libgcrypt-1.10.2/doc/gcrypt.texi`
			`===================================================================`
			`--- libgcrypt-1.10.2.orig/doc/gcrypt.texi`
			`+++ libgcrypt-1.10.2/doc/gcrypt.texi`
			`@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3`
			`combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.`
			`Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.`

			`-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos`
			`+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]`

			`Check if the given KDF is approved under the current FIPS 140-3`
			`-certification. If the KDF is approved, this function returns`
			`-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}`
			`-is returned.`
			`+certification. The second parameter provides the keylength in bits.`
			`+Keylength values of less that 112 bits are considered non-approved.`
			`+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.`
			`+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.`

			`@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *`