forked from pool/libgcrypt

Accepting request 1078466 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 1.10.2:
  * Bug fixes:
    - Fix Argon2 for the case output > 64. [rC13b5454d26]
    - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
    - Fix RSA key generation failure in forced FIPS mode. [T5919]
    - Fix gcry_pk_hash_verify for explicit hash. [T6066]
    - Fix a wrong result of gcry_mpi_invm. [T5970]
    - Allow building with --disable-asm for HPPA. [T5976]
    - Allow building with -Oz. [T6432]
    - Enable the fast path to ChaCha20 only when supported. [T6384]
    - Use size_t to avoid counter overflow in Keccak when directly
      feeding more than 4GiB. [T6217]
  * Other:
    - Do not use secure memory for a DRBG instance. [T5933]
    - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
    - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990]
    - Allow verification of small RSA signatures in FIPS mode. [T5975]
    - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
    - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
    - Add function-name based FIPS indicator function.
      GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
      an ABI change because the new FIPS features were not yet
      approved. [rC822ee57f07]
    - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
    - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
    - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
    - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
    - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
    - Prefer gpgrt-config when available. [T5034]
    - Mark AESWRAP as approved FIPS algorithm. [T5512]

OBS-URL: https://build.opensuse.org/request/show/1078466
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=165
Pedro Monreal Gonzalez 2023-04-11 14:55:16 +00:00 committed by Git OBS Bridge
parent 7483d2b690
commit 07ae165632
7 changed files with 213 additions and 213 deletions

libgcrypt-1.10.2.tar.bz2 Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03
size 3795164

Binary file not shown.

@ -1,126 +1,73 @@
Index: libgcrypt-1.10.0/doc/gcrypt.texi Index: libgcrypt-1.10.2/doc/gcrypt.texi
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi --- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.0/doc/gcrypt.texi +++ libgcrypt-1.10.2/doc/gcrypt.texi
@@ -980,23 +980,39 @@ is approved under the current FIPS 140-3 @@ -985,13 +985,21 @@ certification. If the function is approv
combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. @code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos +@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
+
-Check if the given MAC is approved under the current FIPS 140-3
-certification. If the MAC is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+Check if the given HASH is approved under the current FIPS 140-3 +Check if the given HASH is approved under the current FIPS 140-3
+certification. If the HASH is approved, this function returns +certification. If the HASH is approved, this function returns
+@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} +@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+is returned. is returned.
+
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int] +@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
+ +
+Check if the given MAC is approved under the current FIPS 140-3 +Check if the given MAC is approved under the current FIPS 140-3
+certification. The second parameter provides the keylen (if the +certification. The second parameter provides the keylen (if the
+algorithm supports different key sizes). If the MAC is approved, +algorithm supports different key sizes). If the MAC is approved,
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} +this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
+is returned. +@code{GPG_ERR_NOT_SUPPORTED} is returned.
+ +
@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
Check if the given KDF is approved under the current FIPS 140-3 Check if the given message digest algorithm is approved under the current
-certification. If the KDF is approved, this function returns Index: libgcrypt-1.10.2/src/fips.c
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
+certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
-[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
-GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
+[, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)]
+[, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
Check if the given asymmetric cipher is approved under the current FIPS
-140-3 certification. For GCRY_PK_RSA, an additional parameter for the
-operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
-GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
-name or its alias as @code{const char *}. If the combination is
-approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
+140-3 certification. For GCRY_PK_RSA, two additional parameter are required:
+first describes the purpose of the algorithm through one of the constants
+(GCRY_PK_USAGE_ENCR for encryption or decryption operations; GCRY_PK_USAGE_SIGN for
+sign or verify operations).
+Second one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and GCRY_PK_ECDSA,
+only a single parameter is needed: the curve name or its alias as @code{const char *}.
+If the combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
@code{GPG_ERR_NOT_SUPPORTED} is returned.
@end table
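
Review bot: The added @item entries for GCRYCTL_FIPS_SERVICE_INDICATOR_HASH and GCRYCTL_FIPS_SERVICE_INDICATOR_MAC give the success value as @code{GPS_ERR_NO_ERROR}, a misspelling of the GPG_ERR_NO_ERROR used in the neighbouring entries, and the HASH occurrence is carried over unchanged on the 1.10.2 side of the rebase. Please correct every occurrence so that the manual names a constant that exists. The HASH entry also now sits directly before the GCRYCTL_FIPS_SERVICE_INDICATOR_MD entry, which takes the same argument type (enum gcry_md_algos); the text should say how the two differ or which one callers should prefer.
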
Index: libgcrypt-1.10.0/src/fips.c
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/fips.c --- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.0/src/fips.c +++ libgcrypt-1.10.2/src/fips.c
@@ -357,6 +357,7 @@ _gcry_fips_indicator_cipher (va_list arg @@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
mode = va_arg (arg_ptr, enum gcry_cipher_modes);
switch (mode)
{
+ case GCRY_CIPHER_MODE_AESWRAP:
case GCRY_CIPHER_MODE_ECB:
case GCRY_CIPHER_MODE_CBC:
case GCRY_CIPHER_MODE_CFB:
@@ -364,7 +365,6 @@ _gcry_fips_indicator_cipher (va_list arg
case GCRY_CIPHER_MODE_OFB:
case GCRY_CIPHER_MODE_CTR:
case GCRY_CIPHER_MODE_CCM:
- case GCRY_CIPHER_MODE_GCM:
case GCRY_CIPHER_MODE_XTS:
return GPG_ERR_NO_ERROR;
default:
@@ -422,11 +422,25 @@ static const struct
{ NULL, NULL}
};
+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
+{
+ switch (pk_usage)
+ {
+ case GCRY_PK_USAGE_SIGN:
+ return PUBKEY_OP_SIGN;
+ case GCRY_PK_USAGE_ENCR:
+ return PUBKEY_OP_ENCRYPT;
+ default:
+ return PUBKEY_OP_DECRYPT;
+ }
+}
+
int
_gcry_fips_indicator_pk (va_list arg_ptr)
{
enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
enum pk_operation oper;
+ unsigned int keylen;
const char *curve_name;
switch (alg)
@@ -434,13 +448,17 @@ _gcry_fips_indicator_pk (va_list arg_ptr
case GCRY_PK_RSA:
case GCRY_PK_RSA_E:
case GCRY_PK_RSA_S:
- oper = va_arg (arg_ptr, enum pk_operation);
+ oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
switch (oper)
{
case PUBKEY_OP_ENCRYPT:
case PUBKEY_OP_DECRYPT:
return GPG_ERR_NOT_SUPPORTED;
default:
+ keylen = va_arg (arg_ptr, unsigned int);
+ if (keylen < 2048) {
+ return GPG_ERR_NOT_SUPPORTED;
+ }
return GPG_ERR_NO_ERROR;
}
case GCRY_PK_ECC:
@@ -460,6 +478,62 @@ _gcry_fips_indicator_pk (va_list arg_ptr
} }
} }
-int
-_gcry_fips_indicator_mac (va_list arg_ptr)
-{
- enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
-
- switch (alg)
- {
- case GCRY_MAC_CMAC_AES:
- case GCRY_MAC_HMAC_SHA1:
- case GCRY_MAC_HMAC_SHA224:
- case GCRY_MAC_HMAC_SHA256:
- case GCRY_MAC_HMAC_SHA384:
- case GCRY_MAC_HMAC_SHA512:
- case GCRY_MAC_HMAC_SHA512_224:
- case GCRY_MAC_HMAC_SHA512_256:
- case GCRY_MAC_HMAC_SHA3_224:
- case GCRY_MAC_HMAC_SHA3_256:
- case GCRY_MAC_HMAC_SHA3_384:
- case GCRY_MAC_HMAC_SHA3_512:
- return GPG_ERR_NO_ERROR;
- default:
- return GPG_ERR_NOT_SUPPORTED;
- }
-}
-
/* FIPS approved curves, extracted from:
* cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
static const struct
@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a
return GPG_ERR_NOT_SUPPORTED;
}
+int +int
+_gcry_fips_indicator_hash (va_list arg_ptr) +_gcry_fips_indicator_hash (va_list arg_ptr)
+{ +{
@ -180,40 +127,37 @@ Index: libgcrypt-1.10.0/src/fips.c
/* This is a test on whether the library is in the error or /* This is a test on whether the library is in the error or
operational state. */ operational state. */
Index: libgcrypt-1.10.0/src/g10lib.h Index: libgcrypt-1.10.2/src/g10lib.h
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/g10lib.h --- libgcrypt-1.10.2.orig/src/g10lib.h
+++ libgcrypt-1.10.0/src/g10lib.h +++ libgcrypt-1.10.2/src/g10lib.h
@@ -456,7 +456,9 @@ void _gcry_fips_signal_error (const char @@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char
#endif #endif
int _gcry_fips_indicator_cipher (va_list arg_ptr); int _gcry_fips_indicator_cipher (va_list arg_ptr);
+int _gcry_fips_indicator_hash (va_list arg_ptr); +int _gcry_fips_indicator_hash (va_list arg_ptr);
int _gcry_fips_indicator_mac (va_list arg_ptr);
int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr);
+int _gcry_fips_indicator_mac (va_list arg_ptr); Index: libgcrypt-1.10.2/src/gcrypt.h.in
int _gcry_fips_indicator_pk (va_list arg_ptr);
int _gcry_fips_is_operational (void);
Index: libgcrypt-1.10.0/src/gcrypt.h.in
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/gcrypt.h.in --- libgcrypt-1.10.2.orig/src/gcrypt.h.in
+++ libgcrypt-1.10.0/src/gcrypt.h.in +++ libgcrypt-1.10.2/src/gcrypt.h.in
@@ -331,7 +331,9 @@ enum gcry_ctl_cmds @@ -335,7 +335,8 @@ enum gcry_ctl_cmds
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81, GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82, GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
GCRYCTL_NO_FIPS_MODE = 83, GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84 - GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84, + GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 85, + GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 86
}; };
/* Perform various operations defined by CMD. */ /* Perform various operations defined by CMD. */
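
Review bot: The numeric value of GCRYCTL_FIPS_SERVICE_INDICATOR_HASH moves from 85 to 89 in this enum, and 85 is now GCRYCTL_FIPS_SERVICE_INDICATOR_MAC, so a binary built against the previous header that passes 85 with an enum gcry_md_algos value will be dispatched to the MAC indicator and have its argument read as enum gcry_mac_algos. GCRYCTL_FIPS_SERVICE_INDICATOR_PK moves from 84 to 88 in the same way. Please confirm that nothing was built against the old values, and record the renumbering in the changelog entry, which currently only says the FIPS patches were rebased.
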
Index: libgcrypt-1.10.0/src/global.c Index: libgcrypt-1.10.2/src/global.c
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/global.c --- libgcrypt-1.10.2.orig/src/global.c
+++ libgcrypt-1.10.0/src/global.c +++ libgcrypt-1.10.2/src/global.c
@@ -791,12 +791,24 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, @@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
rc = _gcry_fips_indicator_cipher (arg_ptr); rc = _gcry_fips_indicator_cipher (arg_ptr);
break; break;
@ -223,18 +167,6 @@ Index: libgcrypt-1.10.0/src/global.c
+ rc = _gcry_fips_indicator_hash (arg_ptr); + rc = _gcry_fips_indicator_hash (arg_ptr);
+ break; + break;
+ +
case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF: case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
/* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR /* Get FIPS Service Indicator for a given message authentication code.
* if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */ * Returns GPG_ERR_NO_ERROR if algorithm is allowed or
rc = _gcry_fips_indicator_kdf (arg_ptr);
break;
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+ /* Get FIPS Service Indicator for a given HMAC. Returns GPG_ERR_NO_ERROR
+ * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
+ rc = _gcry_fips_indicator_mac (arg_ptr);
+ break;
+
case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
/* Get FIPS Service Indicator for a given asymmetric algorithm. For
* GCRY_PK_RSA, an additional parameter for the operation mode is

@ -1,8 +1,8 @@
Index: libgcrypt-1.10.0/src/fips.c Index: libgcrypt-1.10.2/src/fips.c
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/fips.c --- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.0/src/fips.c +++ libgcrypt-1.10.2/src/fips.c
@@ -379,10 +379,15 @@ int @@ -520,10 +520,15 @@ int
_gcry_fips_indicator_kdf (va_list arg_ptr) _gcry_fips_indicator_kdf (va_list arg_ptr)
{ {
enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos); enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
@ -18,22 +18,25 @@ Index: libgcrypt-1.10.0/src/fips.c
return GPG_ERR_NO_ERROR; return GPG_ERR_NO_ERROR;
default: default:
return GPG_ERR_NOT_SUPPORTED; return GPG_ERR_NOT_SUPPORTED;
Index: libgcrypt-1.10.0/doc/gcrypt.texi Index: libgcrypt-1.10.2/doc/gcrypt.texi
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi --- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.0/doc/gcrypt.texi +++ libgcrypt-1.10.2/doc/gcrypt.texi
@@ -995,10 +995,12 @@ algorithm supports different key sizes). @@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
is returned. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos -@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int] +@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
Check if the given KDF is approved under the current FIPS 140-3 Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. -certification. If the KDF is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
+certification. The second parameter provides the keylength in bits. +certification. The second parameter provides the keylength in bits.
+Keylength values of less that 112 bits are considered non-approved. +Keylength values of less that 112 bits are considered non-approved.
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. +If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
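
Review bot: The added sentence "Keylength values of less that 112 bits are considered non-approved" has a typo ("that" should be "than"), and the @item line marks the key length as optional with "[, unsigned int]" while the paragraph describes it as always supplied. The fips.c side of this check is elided in the hunk above, so the documentation is the only place a caller can learn the contract: either drop the brackets if the argument is mandatory, or state what the function does when it is omitted.
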

@ -1,8 +1,8 @@
Index: libgcrypt-1.10.0/src/fips.c Index: libgcrypt-1.10.2/src/fips.c
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/fips.c --- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.0/src/fips.c +++ libgcrypt-1.10.2/src/fips.c
@@ -36,6 +36,7 @@ @@ -38,6 +38,7 @@
#include "g10lib.h" #include "g10lib.h"
#include "cipher-proto.h" #include "cipher-proto.h"
@ -10,7 +10,7 @@ Index: libgcrypt-1.10.0/src/fips.c
#include "../random/random.h" #include "../random/random.h"
/* The states of the finite state machine used in fips mode. */ /* The states of the finite state machine used in fips mode. */
@@ -386,6 +387,77 @@ _gcry_fips_indicator_kdf (va_list arg_pt @@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
default: default:
return GPG_ERR_NOT_SUPPORTED; return GPG_ERR_NOT_SUPPORTED;
} }
@ -49,11 +49,25 @@ Index: libgcrypt-1.10.0/src/fips.c
+ { NULL, NULL} + { NULL, NULL}
+ }; + };
+ +
+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
+{
+ switch (pk_usage)
+ {
+ case GCRY_PK_USAGE_SIGN:
+ return PUBKEY_OP_SIGN;
+ case GCRY_PK_USAGE_ENCR:
+ return PUBKEY_OP_ENCRYPT;
+ default:
+ return PUBKEY_OP_DECRYPT;
+ }
+}
+
+int +int
+_gcry_fips_indicator_pk (va_list arg_ptr) +_gcry_fips_indicator_pk (va_list arg_ptr)
+{ +{
+ enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos); + enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
+ enum pk_operation oper; + enum pk_operation oper;
+ unsigned int keylen;
+ const char *curve_name; + const char *curve_name;
+ +
+ switch (alg) + switch (alg)
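
Review bot: convert_from_pk_usage() is added without static and without a prototype, so it becomes an external symbol of the library; unless another file needs it, declare it static. Its default: branch maps every value other than GCRY_PK_USAGE_SIGN and GCRY_PK_USAGE_ENCR to PUBKEY_OP_DECRYPT, which the RSA branch of _gcry_fips_indicator_pk() then rejects. That fails closed, but the intent is easy to misread; a one-line comment saying that unknown usage values are deliberately reported as non-approved would make it clear.
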
@ -61,13 +75,16 @@ Index: libgcrypt-1.10.0/src/fips.c
+ case GCRY_PK_RSA: + case GCRY_PK_RSA:
+ case GCRY_PK_RSA_E: + case GCRY_PK_RSA_E:
+ case GCRY_PK_RSA_S: + case GCRY_PK_RSA_S:
+ oper = va_arg (arg_ptr, enum pk_operation); + oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
+ switch (oper) + switch (oper)
+ { + {
+ case PUBKEY_OP_ENCRYPT: + case PUBKEY_OP_ENCRYPT:
+ case PUBKEY_OP_DECRYPT: + case PUBKEY_OP_DECRYPT:
+ return GPG_ERR_NOT_SUPPORTED; + return GPG_ERR_NOT_SUPPORTED;
+ default: + default:
+ keylen = va_arg (arg_ptr, unsigned int);
+ if (keylen < 2048)
+ return GPG_ERR_NOT_SUPPORTED;
+ return GPG_ERR_NO_ERROR; + return GPG_ERR_NO_ERROR;
+ } + }
+ case GCRY_PK_ECC: + case GCRY_PK_ECC:
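
Review bot: In the RSA branch the key length is fetched with va_arg only inside the default: label of switch (oper), and it is compared against the bare constant 2048. The first variadic argument also changes from enum pk_operation to an unsigned int usage constant, so a caller written for the previous version of this patch, passing a pk_operation value and no key length, has its argument reinterpreted and, on the sign path, a second va_arg performed on an argument that was never passed, which is undefined behaviour. Please handle the sign case under an explicit label instead of default:, add a comment giving the source of the 2048-bit minimum, and mention the changed argument list in the changelog.
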
@ -87,62 +104,63 @@ Index: libgcrypt-1.10.0/src/fips.c
+ } + }
} }
int
Index: libgcrypt-1.10.0/src/gcrypt.h.in Index: libgcrypt-1.10.2/src/gcrypt.h.in
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/gcrypt.h.in --- libgcrypt-1.10.2.orig/src/gcrypt.h.in
+++ libgcrypt-1.10.0/src/gcrypt.h.in +++ libgcrypt-1.10.2/src/gcrypt.h.in
@@ -330,7 +330,8 @@ enum gcry_ctl_cmds @@ -334,7 +334,8 @@ enum gcry_ctl_cmds
GCRYCTL_SET_DECRYPTION_TAG = 80, GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81, GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82, GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
- GCRYCTL_NO_FIPS_MODE = 83 - GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
+ GCRYCTL_NO_FIPS_MODE = 83, + GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84 + GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
}; };
/* Perform various operations defined by CMD. */ /* Perform various operations defined by CMD. */
Index: libgcrypt-1.10.0/doc/gcrypt.texi Index: libgcrypt-1.10.2/doc/gcrypt.texi
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi --- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.0/doc/gcrypt.texi +++ libgcrypt-1.10.2/doc/gcrypt.texi
@@ -987,6 +987,18 @@ certification. If the KDF is approved, t @@ -997,6 +997,19 @@ Check if the given message digest algori
@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} FIPS 140-3 certification. If the algorithm is approved, this function returns
is returned. @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos +@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, constantsGCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] [, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
+[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
+GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
+ +
+Check if the given asymmetric cipher is approved under the current FIPS +Check if the given asymmetric cipher is approved under the current
+140-3 certification. For GCRY_PK_RSA, an additional parameter for the +FIPS 140-3 certification. For GCRY_PK_RSA, two additional parameter
+operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC, +are required: first describes the purpose of the algorithm through one
+GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve +of the constants (GCRY_PK_USAGE_ENCR for encryption or decryption
+name or its alias as @code{const char *}. If the combination is +operations; GCRY_PK_USAGE_SIGN for sign or verify operations). Second
+approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise +one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and
+GCRY_PK_ECDSA, only a single parameter is needed: the curve name or
+its alias as @code{const char *}. If the combination is approved, this
+function returns @code{GPG_ERR_NO_ERROR}. Otherwise
+@code{GPG_ERR_NOT_SUPPORTED} is returned. +@code{GPG_ERR_NOT_SUPPORTED} is returned.
+ +
@end table @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
@end deftypefun Check if the given public key operation flag or s-expression object name is
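
Review bot: The rebased @item line for GCRYCTL_FIPS_SERVICE_INDICATOR_PK reads "constantsGCRY_PK_USAGE_ENCR" with the space missing, and the paragraph says "two additional parameter are required" where "parameters" is meant. The paragraph describes GCRY_PK_USAGE_ENCR as covering encryption or decryption but does not say that the fips.c hunk in this same patch returns GPG_ERR_NOT_SUPPORTED for both PUBKEY_OP_ENCRYPT and PUBKEY_OP_DECRYPT with RSA, nor that key lengths below 2048 are rejected; both belong in the documentation, since they decide the result a caller sees.
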
Index: libgcrypt-1.10.0/src/g10lib.h Index: libgcrypt-1.10.2/src/g10lib.h
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/g10lib.h --- libgcrypt-1.10.2.orig/src/g10lib.h
+++ libgcrypt-1.10.0/src/g10lib.h +++ libgcrypt-1.10.2/src/g10lib.h
@@ -457,6 +457,7 @@ void _gcry_fips_signal_error (const char @@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar
int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_cipher (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr);
int _gcry_fips_indicator_function (va_list arg_ptr);
+int _gcry_fips_indicator_pk (va_list arg_ptr); +int _gcry_fips_indicator_pk (va_list arg_ptr);
int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
int _gcry_fips_is_operational (void); int _gcry_fips_is_operational (void);
Index: libgcrypt-1.10.2/src/global.c
Index: libgcrypt-1.10.0/src/global.c
=================================================================== ===================================================================
--- libgcrypt-1.10.0.orig/src/global.c --- libgcrypt-1.10.2.orig/src/global.c
+++ libgcrypt-1.10.0/src/global.c +++ libgcrypt-1.10.2/src/global.c
@@ -797,6 +797,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, @@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
rc = _gcry_fips_indicator_kdf (arg_ptr); rc = _gcry_fips_indicator_pk_flags (arg_ptr);
break; break;
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_PK: + case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:

@ -1,3 +1,46 @@
-------------------------------------------------------------------
Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.10.2:
* Bug fixes:
- Fix Argon2 for the case output > 64. [rC13b5454d26]
- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
- Fix RSA key generation failure in forced FIPS mode. [T5919]
- Fix gcry_pk_hash_verify for explicit hash. [T6066]
- Fix a wrong result of gcry_mpi_invm. [T5970]
- Allow building with --disable-asm for HPPA. [T5976]
- Allow building with -Oz. [T6432]
- Enable the fast path to ChaCha20 only when supported. [T6384]
- Use size_t to avoid counter overflow in Keccak when directly
feeding more than 4GiB. [T6217]
* Other:
- Do not use secure memory for a DRBG instance. [T5933]
- Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
- Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990]
- Allow verification of small RSA signatures in FIPS mode. [T5975]
- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
- Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
- Add function-name based FIPS indicator function.
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
an ABI changes because the new FIPS features were not yet
approved. [rC822ee57f07]
- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
- Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
- Prefer gpgrt-config when available. [T5034]
- Mark AESWRAP as approved FIPS algorithm. [T5512]
- Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
- Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
- Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
- Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
* Release-info: https://dev.gnupg.org/T5905
* Rebase FIPS patches:
- libgcrypt-FIPS-SLI-hash-mac.patch
- libgcrypt-FIPS-SLI-kdf-leylength.patch
- libgcrypt-FIPS-SLI-pk.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal <mpluskal@suse.com> Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal <mpluskal@suse.com>

@ -21,7 +21,7 @@
%define libsoname %{name}%{libsover} %define libsoname %{name}%{libsover}
%define hmac_key orboDeJITITejsirpADONivirpUkvarP %define hmac_key orboDeJITITejsirpADONivirpUkvarP
Name: libgcrypt Name: libgcrypt
Version: 1.10.1 Version: 1.10.2
Release: 0 Release: 0
Summary: The GNU Crypto Library Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@ -36,20 +36,21 @@ Source4: hwf.deny
Source5: libgcrypt.keyring Source5: libgcrypt.keyring
Source99: libgcrypt.changes Source99: libgcrypt.changes
Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
Patch2: libgcrypt-FIPS-SLI-pk.patch
#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
Patch3: libgcrypt-FIPS-SLI-hash-mac.patch
#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
Patch4: libgcrypt-FIPS-SLI-kdf-leylength.patch
#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion #PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion
Patch5: libgcrypt-1.10.0-out-of-core-handler.patch Patch2: libgcrypt-1.10.0-out-of-core-handler.patch
# FIPS patches:
#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
Patch100: libgcrypt-FIPS-SLI-pk.patch
#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
Patch101: libgcrypt-FIPS-SLI-kdf-leylength.patch
#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy #PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
Patch6: libgcrypt-jitterentropy-3.4.0.patch Patch103: libgcrypt-jitterentropy-3.4.0.patch
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
Patch7: libgcrypt-FIPS-rndjent_poll.patch Patch104: libgcrypt-FIPS-rndjent_poll.patch
#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips #PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
Patch8: libgcrypt-1.10.0-use-fipscheck.patch Patch105: libgcrypt-1.10.0-use-fipscheck.patch
BuildRequires: automake >= 1.14 BuildRequires: automake >= 1.14
BuildRequires: libgpg-error-devel >= 1.27 BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libtool BuildRequires: libtool
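
Review bot: The renumbering also changes the order in which the three SLI patches apply: previously pk (Patch2), hash-mac (Patch3), kdf (Patch4), now pk (Patch100), kdf (Patch101), hash-mac (Patch102). Because the rebased patches carry context from one another, a short comment under "# FIPS patches:" stating that they must apply in this order would save the next rebase some guessing. The file name libgcrypt-FIPS-SLI-kdf-leylength.patch keeps the "leylength" misspelling; if a rename is too much churn for this request, it is worth doing at the next rebase. The description "FIPS add indicators" on Patch102 could also name the hash and MAC indicators it adds.
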