rpm/libgcrypt
SHA256
1
0
Fork 0
forked from pool/libgcrypt
Code Pull Requests Activity
82bc8eba9a
libgcrypt/libgcrypt-FIPS-disable-3DES.patch

53 lines
1.9 KiB
Diff
Raw Normal View History

Accepting request 950433 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - FIPS: Disable DSA in FIPS mode [bsc#1195385] * Upstream task: https://dev.gnupg.org/T5710 * Add libgcrypt-FIPS-disable-DSA.patch - FIPS: Service level indicator [bsc#1190700] * Provide an indicator to check wether the service utilizes an approved cryptographic algorithm or not. * Add patches: - libgcrypt-FIPS-service-indicators.patch - libgcrypt-FIPS-verify-unsupported-KDF-test.patch - libgcrypt-FIPS-HMAC-short-keylen.patch - FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] * Disable jitter entropy by default in random.conf * Disable only-urandom option by default in random.conf - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] * rsa: Check RSA keylen constraints for key operations. * rsa: Fix regression in not returning an error for prime generation. * tests: Add 2k RSA key working in FIPS mode. * tests: pubkey: Replace RSA key to one of 2k. * tests: pkcs1v2: Skip tests with small keys in FIPS. * Add patches: - libgcrypt-FIPS-RSA-keylen.patch - libgcrypt-FIPS-RSA-keylen-tests.patch - FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] * Add libgcrypt-FIPS-disable-3DES.patch - FIPS: PBKDF requirements [bsc#1185137] OBS-URL: https://build.opensuse.org/request/show/950433 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=153
2022-02-01 14:12:14 +01:00
Index: libgcrypt-1.9.4/cipher/des.c
===================================================================
--- libgcrypt-1.9.4.orig/cipher/des.c
+++ libgcrypt-1.9.4/cipher/des.c
@@ -1498,7 +1498,7 @@ static gcry_cipher_oid_spec_t oids_tripl
gcry_cipher_spec_t _gcry_cipher_spec_tripledes =
{
- GCRY_CIPHER_3DES, {0, 1},
+ GCRY_CIPHER_3DES, {0, 0},
"3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx),
do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt,
NULL, NULL,
Index: libgcrypt-1.9.4/cipher/mac-cmac.c
===================================================================
--- libgcrypt-1.9.4.orig/cipher/mac-cmac.c
+++ libgcrypt-1.9.4/cipher/mac-cmac.c
@@ -458,7 +458,7 @@ gcry_mac_spec_t _gcry_mac_type_spec_cmac
#endif
#if USE_DES
gcry_mac_spec_t _gcry_mac_type_spec_cmac_tripledes = {
- GCRY_MAC_CMAC_3DES, {0, 1}, "CMAC_3DES",
+ GCRY_MAC_CMAC_3DES, {0, 0}, "CMAC_3DES",
&cmac_ops
};
#endif
Index: libgcrypt-1.9.4/src/fips.c
===================================================================
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -493,6 +493,10 @@ run_cipher_selftests (int extended)
for (idx=0; algos[idx]; idx++)
{
+ /* Skip non-approved cipher in FIPS mode */
+ if (fips_mode() && algos[idx] == GCRY_CIPHER_3DES)
+ continue;
+
err = _gcry_cipher_selftest (algos[idx], extended, reporter);
reporter ("cipher", algos[idx], NULL,
err? gpg_strerror (err):NULL);
@@ -558,6 +562,10 @@ run_mac_selftests (int extended)
for (idx=0; algos[idx]; idx++)
{
+ /* Skip non-approved MAC algorithm in FIPS mode */
+ if (fips_mode() && algos[idx] == GCRY_MAC_CMAC_3DES)
+ continue;
+
err = _gcry_mac_selftest (algos[idx], extended, reporter);
reporter ("mac", algos[idx], NULL,
err? gpg_strerror (err):NULL);
Copy Permalink