From 07ae1656327ca738bef994ec3455d184d9d9c8f6517186faaeaeed912600e1ee Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Tue, 11 Apr 2023 14:55:16 +0000 Subject: [PATCH 1/2] Accepting request 1078466 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 1.10.2: * Bug fixes: - Fix Argon2 for the case output > 64. [rC13b5454d26] - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44] - Fix RSA key generation failure in forced FIPS mode. [T5919] - Fix gcry_pk_hash_verify for explicit hash. [T6066] - Fix a wrong result of gcry_mpi_invm. [T5970] - Allow building with --disable-asm for HPPA. [T5976] - Allow building with -Oz. [T6432] - Enable the fast path to ChaCha20 only when supported. [T6384] - Use size_t to avoid counter overflow in Keccak when directly feeding more than 4GiB. [T6217] * Other: - Do not use secure memory for a DRBG instance. [T5933] - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918] - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990] - Allow verification of small RSA signatures in FIPS mode. [T5975] - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039] - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165] - Add function-name based FIPS indicator function. GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered an ABI changes because the new FIPS features were not yet approved. [rC822ee57f07] - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397] - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9] - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a] - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219] - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba] - Prefer gpgrt-config when available. [T5034] - Mark AESWRAP as approved FIPS algorithm. [T5512] OBS-URL: https://build.opensuse.org/request/show/1078466 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=165 --- libgcrypt-1.10.2.tar.bz2 | 3 + libgcrypt-1.10.2.tar.bz2.sig | Bin 0 -> 119 bytes libgcrypt-FIPS-SLI-hash-mac.patch | 218 +++++++++---------------- libgcrypt-FIPS-SLI-kdf-leylength.patch | 29 ++-- libgcrypt-FIPS-SLI-pk.patch | 110 +++++++------ libgcrypt.changes | 43 +++++ libgcrypt.spec | 23 +-- 7 files changed, 213 insertions(+), 213 deletions(-) create mode 100644 libgcrypt-1.10.2.tar.bz2 create mode 100644 libgcrypt-1.10.2.tar.bz2.sig diff --git a/libgcrypt-1.10.2.tar.bz2 b/libgcrypt-1.10.2.tar.bz2 new file mode 100644 index 0000000..2cb2469 --- /dev/null +++ b/libgcrypt-1.10.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03 +size 3795164 diff --git a/libgcrypt-1.10.2.tar.bz2.sig b/libgcrypt-1.10.2.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..6d58fa848cdb5b2c084b37516630fe43ced80f8fffe88ce23312035106714adf GIT binary patch literal 119 zcmeAuWnmEGV2~A4WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0Df*H+3|yQ7Fp)TChX0YJ zF)ug|uH3Qm)a=i4^K@f#1<%{?!%xFqj0|gxyq9L`e80K-@{+o*t2z7E Ut}y-oE;&BedYW0(?CxDm0KU60HUIzs literal 0 HcmV?d00001 diff --git a/libgcrypt-FIPS-SLI-hash-mac.patch b/libgcrypt-FIPS-SLI-hash-mac.patch index b12abc2..b3fa94d 100644 --- a/libgcrypt-FIPS-SLI-hash-mac.patch +++ b/libgcrypt-FIPS-SLI-hash-mac.patch @@ -1,126 +1,73 @@ -Index: libgcrypt-1.10.0/doc/gcrypt.texi +Index: libgcrypt-1.10.2/doc/gcrypt.texi =================================================================== ---- libgcrypt-1.10.0.orig/doc/gcrypt.texi -+++ libgcrypt-1.10.0/doc/gcrypt.texi -@@ -980,23 +980,39 @@ is approved under the current FIPS 140-3 - combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. +--- libgcrypt-1.10.2.orig/doc/gcrypt.texi ++++ libgcrypt-1.10.2/doc/gcrypt.texi +@@ -985,13 +985,21 @@ certification. If the function is approv + @code{GPG_ERR_NO_ERROR} (other restrictions might still apply). Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos +@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos -+ + +-Check if the given MAC is approved under the current FIPS 140-3 +-certification. If the MAC is approved, this function returns +-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} +Check if the given HASH is approved under the current FIPS 140-3 +certification. If the HASH is approved, this function returns +@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} -+is returned. -+ + is returned. + +@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int] + +Check if the given MAC is approved under the current FIPS 140-3 +certification. The second parameter provides the keylen (if the +algorithm supports different key sizes). If the MAC is approved, -+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} -+is returned. ++this function returns @code{GPS_ERR_NO_ERROR}. Otherwise ++@code{GPG_ERR_NOT_SUPPORTED} is returned. + - @item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos + @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos - Check if the given KDF is approved under the current FIPS 140-3 --certification. If the KDF is approved, this function returns --@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} --is returned. -+certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. -+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. - - @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos --[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for --GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)] -+[, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] -+[, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)] - - Check if the given asymmetric cipher is approved under the current FIPS --140-3 certification. For GCRY_PK_RSA, an additional parameter for the --operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC, --GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve --name or its alias as @code{const char *}. If the combination is --approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise -+140-3 certification. For GCRY_PK_RSA, two additional parameter are required: -+first describes the purpose of the algorithm through one of the constants -+(GCRY_PK_USAGE_ENCR for encryption or decryption operations; GCRY_PK_USAGE_SIGN for -+sign or verify operations). -+Second one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and GCRY_PK_ECDSA, -+only a single parameter is needed: the curve name or its alias as @code{const char *}. -+If the combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise - @code{GPG_ERR_NOT_SUPPORTED} is returned. - - @end table -Index: libgcrypt-1.10.0/src/fips.c + Check if the given message digest algorithm is approved under the current +Index: libgcrypt-1.10.2/src/fips.c =================================================================== ---- libgcrypt-1.10.0.orig/src/fips.c -+++ libgcrypt-1.10.0/src/fips.c -@@ -357,6 +357,7 @@ _gcry_fips_indicator_cipher (va_list arg - mode = va_arg (arg_ptr, enum gcry_cipher_modes); - switch (mode) - { -+ case GCRY_CIPHER_MODE_AESWRAP: - case GCRY_CIPHER_MODE_ECB: - case GCRY_CIPHER_MODE_CBC: - case GCRY_CIPHER_MODE_CFB: -@@ -364,7 +365,6 @@ _gcry_fips_indicator_cipher (va_list arg - case GCRY_CIPHER_MODE_OFB: - case GCRY_CIPHER_MODE_CTR: - case GCRY_CIPHER_MODE_CCM: -- case GCRY_CIPHER_MODE_GCM: - case GCRY_CIPHER_MODE_XTS: - return GPG_ERR_NO_ERROR; - default: -@@ -422,11 +422,25 @@ static const struct - { NULL, NULL} - }; - -+enum pk_operation convert_from_pk_usage(unsigned int pk_usage) -+{ -+ switch (pk_usage) -+ { -+ case GCRY_PK_USAGE_SIGN: -+ return PUBKEY_OP_SIGN; -+ case GCRY_PK_USAGE_ENCR: -+ return PUBKEY_OP_ENCRYPT; -+ default: -+ return PUBKEY_OP_DECRYPT; -+ } -+} -+ - int - _gcry_fips_indicator_pk (va_list arg_ptr) - { - enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos); - enum pk_operation oper; -+ unsigned int keylen; - const char *curve_name; - - switch (alg) -@@ -434,13 +448,17 @@ _gcry_fips_indicator_pk (va_list arg_ptr - case GCRY_PK_RSA: - case GCRY_PK_RSA_E: - case GCRY_PK_RSA_S: -- oper = va_arg (arg_ptr, enum pk_operation); -+ oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int)); - switch (oper) - { - case PUBKEY_OP_ENCRYPT: - case PUBKEY_OP_DECRYPT: - return GPG_ERR_NOT_SUPPORTED; - default: -+ keylen = va_arg (arg_ptr, unsigned int); -+ if (keylen < 2048) { -+ return GPG_ERR_NOT_SUPPORTED; -+ } - return GPG_ERR_NO_ERROR; - } - case GCRY_PK_ECC: -@@ -460,6 +478,62 @@ _gcry_fips_indicator_pk (va_list arg_ptr +--- libgcrypt-1.10.2.orig/src/fips.c ++++ libgcrypt-1.10.2/src/fips.c +@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg } } +-int +-_gcry_fips_indicator_mac (va_list arg_ptr) +-{ +- enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos); +- +- switch (alg) +- { +- case GCRY_MAC_CMAC_AES: +- case GCRY_MAC_HMAC_SHA1: +- case GCRY_MAC_HMAC_SHA224: +- case GCRY_MAC_HMAC_SHA256: +- case GCRY_MAC_HMAC_SHA384: +- case GCRY_MAC_HMAC_SHA512: +- case GCRY_MAC_HMAC_SHA512_224: +- case GCRY_MAC_HMAC_SHA512_256: +- case GCRY_MAC_HMAC_SHA3_224: +- case GCRY_MAC_HMAC_SHA3_256: +- case GCRY_MAC_HMAC_SHA3_384: +- case GCRY_MAC_HMAC_SHA3_512: +- return GPG_ERR_NO_ERROR; +- default: +- return GPG_ERR_NOT_SUPPORTED; +- } +-} +- + /* FIPS approved curves, extracted from: + * cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */ + static const struct +@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a + return GPG_ERR_NOT_SUPPORTED; + } + +int +_gcry_fips_indicator_hash (va_list arg_ptr) +{ @@ -180,40 +127,37 @@ Index: libgcrypt-1.10.0/src/fips.c /* This is a test on whether the library is in the error or operational state. */ -Index: libgcrypt-1.10.0/src/g10lib.h +Index: libgcrypt-1.10.2/src/g10lib.h =================================================================== ---- libgcrypt-1.10.0.orig/src/g10lib.h -+++ libgcrypt-1.10.0/src/g10lib.h -@@ -456,7 +456,9 @@ void _gcry_fips_signal_error (const char +--- libgcrypt-1.10.2.orig/src/g10lib.h ++++ libgcrypt-1.10.2/src/g10lib.h +@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char #endif int _gcry_fips_indicator_cipher (va_list arg_ptr); +int _gcry_fips_indicator_hash (va_list arg_ptr); + int _gcry_fips_indicator_mac (va_list arg_ptr); + int _gcry_fips_indicator_md (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr); -+int _gcry_fips_indicator_mac (va_list arg_ptr); - int _gcry_fips_indicator_pk (va_list arg_ptr); - - int _gcry_fips_is_operational (void); -Index: libgcrypt-1.10.0/src/gcrypt.h.in +Index: libgcrypt-1.10.2/src/gcrypt.h.in =================================================================== ---- libgcrypt-1.10.0.orig/src/gcrypt.h.in -+++ libgcrypt-1.10.0/src/gcrypt.h.in -@@ -331,7 +331,9 @@ enum gcry_ctl_cmds - GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81, - GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82, - GCRYCTL_NO_FIPS_MODE = 83, -- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84 -+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84, -+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 85, -+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 86 +--- libgcrypt-1.10.2.orig/src/gcrypt.h.in ++++ libgcrypt-1.10.2/src/gcrypt.h.in +@@ -335,7 +335,8 @@ enum gcry_ctl_cmds + GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, + GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, + GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87, +- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88 ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89 }; /* Perform various operations defined by CMD. */ -Index: libgcrypt-1.10.0/src/global.c +Index: libgcrypt-1.10.2/src/global.c =================================================================== ---- libgcrypt-1.10.0.orig/src/global.c -+++ libgcrypt-1.10.0/src/global.c -@@ -791,12 +791,24 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, +--- libgcrypt-1.10.2.orig/src/global.c ++++ libgcrypt-1.10.2/src/global.c +@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, rc = _gcry_fips_indicator_cipher (arg_ptr); break; @@ -223,18 +167,6 @@ Index: libgcrypt-1.10.0/src/global.c + rc = _gcry_fips_indicator_hash (arg_ptr); + break; + - case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF: - /* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR - * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */ - rc = _gcry_fips_indicator_kdf (arg_ptr); - break; - -+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC: -+ /* Get FIPS Service Indicator for a given HMAC. Returns GPG_ERR_NO_ERROR -+ * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */ -+ rc = _gcry_fips_indicator_mac (arg_ptr); -+ break; -+ - case GCRYCTL_FIPS_SERVICE_INDICATOR_PK: - /* Get FIPS Service Indicator for a given asymmetric algorithm. For - * GCRY_PK_RSA, an additional parameter for the operation mode is + case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC: + /* Get FIPS Service Indicator for a given message authentication code. + * Returns GPG_ERR_NO_ERROR if algorithm is allowed or diff --git a/libgcrypt-FIPS-SLI-kdf-leylength.patch b/libgcrypt-FIPS-SLI-kdf-leylength.patch index fd415f4..4a55513 100644 --- a/libgcrypt-FIPS-SLI-kdf-leylength.patch +++ b/libgcrypt-FIPS-SLI-kdf-leylength.patch @@ -1,8 +1,8 @@ -Index: libgcrypt-1.10.0/src/fips.c +Index: libgcrypt-1.10.2/src/fips.c =================================================================== ---- libgcrypt-1.10.0.orig/src/fips.c -+++ libgcrypt-1.10.0/src/fips.c -@@ -379,10 +379,15 @@ int +--- libgcrypt-1.10.2.orig/src/fips.c ++++ libgcrypt-1.10.2/src/fips.c +@@ -520,10 +520,15 @@ int _gcry_fips_indicator_kdf (va_list arg_ptr) { enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos); @@ -18,22 +18,25 @@ Index: libgcrypt-1.10.0/src/fips.c return GPG_ERR_NO_ERROR; default: return GPG_ERR_NOT_SUPPORTED; -Index: libgcrypt-1.10.0/doc/gcrypt.texi +Index: libgcrypt-1.10.2/doc/gcrypt.texi =================================================================== ---- libgcrypt-1.10.0.orig/doc/gcrypt.texi -+++ libgcrypt-1.10.0/doc/gcrypt.texi -@@ -995,10 +995,12 @@ algorithm supports different key sizes). - this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} - is returned. +--- libgcrypt-1.10.2.orig/doc/gcrypt.texi ++++ libgcrypt-1.10.2/doc/gcrypt.texi +@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3 + combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. + Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. -@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos +@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int] Check if the given KDF is approved under the current FIPS 140-3 --certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. +-certification. If the KDF is approved, this function returns +-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} +-is returned. +certification. The second parameter provides the keylength in bits. +Keylength values of less that 112 bits are considered non-approved. +If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. - Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. ++Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + + @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char * - @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos diff --git a/libgcrypt-FIPS-SLI-pk.patch b/libgcrypt-FIPS-SLI-pk.patch index a85f60c..541c08b 100644 --- a/libgcrypt-FIPS-SLI-pk.patch +++ b/libgcrypt-FIPS-SLI-pk.patch @@ -1,8 +1,8 @@ -Index: libgcrypt-1.10.0/src/fips.c +Index: libgcrypt-1.10.2/src/fips.c =================================================================== ---- libgcrypt-1.10.0.orig/src/fips.c -+++ libgcrypt-1.10.0/src/fips.c -@@ -36,6 +36,7 @@ +--- libgcrypt-1.10.2.orig/src/fips.c ++++ libgcrypt-1.10.2/src/fips.c +@@ -38,6 +38,7 @@ #include "g10lib.h" #include "cipher-proto.h" @@ -10,7 +10,7 @@ Index: libgcrypt-1.10.0/src/fips.c #include "../random/random.h" /* The states of the finite state machine used in fips mode. */ -@@ -386,6 +387,77 @@ _gcry_fips_indicator_kdf (va_list arg_pt +@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt default: return GPG_ERR_NOT_SUPPORTED; } @@ -49,11 +49,25 @@ Index: libgcrypt-1.10.0/src/fips.c + { NULL, NULL} + }; + ++enum pk_operation convert_from_pk_usage(unsigned int pk_usage) ++{ ++ switch (pk_usage) ++ { ++ case GCRY_PK_USAGE_SIGN: ++ return PUBKEY_OP_SIGN; ++ case GCRY_PK_USAGE_ENCR: ++ return PUBKEY_OP_ENCRYPT; ++ default: ++ return PUBKEY_OP_DECRYPT; ++ } ++} ++ +int +_gcry_fips_indicator_pk (va_list arg_ptr) +{ + enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos); + enum pk_operation oper; ++ unsigned int keylen; + const char *curve_name; + + switch (alg) @@ -61,13 +75,16 @@ Index: libgcrypt-1.10.0/src/fips.c + case GCRY_PK_RSA: + case GCRY_PK_RSA_E: + case GCRY_PK_RSA_S: -+ oper = va_arg (arg_ptr, enum pk_operation); ++ oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int)); + switch (oper) + { + case PUBKEY_OP_ENCRYPT: + case PUBKEY_OP_DECRYPT: + return GPG_ERR_NOT_SUPPORTED; + default: ++ keylen = va_arg (arg_ptr, unsigned int); ++ if (keylen < 2048) ++ return GPG_ERR_NOT_SUPPORTED; + return GPG_ERR_NO_ERROR; + } + case GCRY_PK_ECC: @@ -87,62 +104,63 @@ Index: libgcrypt-1.10.0/src/fips.c + } } - -Index: libgcrypt-1.10.0/src/gcrypt.h.in + int +Index: libgcrypt-1.10.2/src/gcrypt.h.in =================================================================== ---- libgcrypt-1.10.0.orig/src/gcrypt.h.in -+++ libgcrypt-1.10.0/src/gcrypt.h.in -@@ -330,7 +330,8 @@ enum gcry_ctl_cmds - GCRYCTL_SET_DECRYPTION_TAG = 80, - GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81, - GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82, -- GCRYCTL_NO_FIPS_MODE = 83 -+ GCRYCTL_NO_FIPS_MODE = 83, -+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84 +--- libgcrypt-1.10.2.orig/src/gcrypt.h.in ++++ libgcrypt-1.10.2/src/gcrypt.h.in +@@ -334,7 +334,8 @@ enum gcry_ctl_cmds + GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84, + GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, + GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, +- GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87 ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88 }; /* Perform various operations defined by CMD. */ -Index: libgcrypt-1.10.0/doc/gcrypt.texi +Index: libgcrypt-1.10.2/doc/gcrypt.texi =================================================================== ---- libgcrypt-1.10.0.orig/doc/gcrypt.texi -+++ libgcrypt-1.10.0/doc/gcrypt.texi -@@ -987,6 +987,18 @@ certification. If the KDF is approved, t - @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} - is returned. +--- libgcrypt-1.10.2.orig/doc/gcrypt.texi ++++ libgcrypt-1.10.2/doc/gcrypt.texi +@@ -997,6 +997,19 @@ Check if the given message digest algori + FIPS 140-3 certification. If the algorithm is approved, this function returns + @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. -+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos -+[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for -+GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)] ++@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, constantsGCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] [, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)] + -+Check if the given asymmetric cipher is approved under the current FIPS -+140-3 certification. For GCRY_PK_RSA, an additional parameter for the -+operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC, -+GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve -+name or its alias as @code{const char *}. If the combination is -+approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise ++Check if the given asymmetric cipher is approved under the current ++FIPS 140-3 certification. For GCRY_PK_RSA, two additional parameter ++are required: first describes the purpose of the algorithm through one ++of the constants (GCRY_PK_USAGE_ENCR for encryption or decryption ++operations; GCRY_PK_USAGE_SIGN for sign or verify operations). Second ++one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and ++GCRY_PK_ECDSA, only a single parameter is needed: the curve name or ++its alias as @code{const char *}. If the combination is approved, this ++function returns @code{GPG_ERR_NO_ERROR}. Otherwise +@code{GPG_ERR_NOT_SUPPORTED} is returned. + - @end table + @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char * - @end deftypefun -Index: libgcrypt-1.10.0/src/g10lib.h + Check if the given public key operation flag or s-expression object name is +Index: libgcrypt-1.10.2/src/g10lib.h =================================================================== ---- libgcrypt-1.10.0.orig/src/g10lib.h -+++ libgcrypt-1.10.0/src/g10lib.h -@@ -457,6 +457,7 @@ void _gcry_fips_signal_error (const char - - int _gcry_fips_indicator_cipher (va_list arg_ptr); +--- libgcrypt-1.10.2.orig/src/g10lib.h ++++ libgcrypt-1.10.2/src/g10lib.h +@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar + int _gcry_fips_indicator_md (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr); + int _gcry_fips_indicator_function (va_list arg_ptr); +int _gcry_fips_indicator_pk (va_list arg_ptr); + int _gcry_fips_indicator_pk_flags (va_list arg_ptr); int _gcry_fips_is_operational (void); - -Index: libgcrypt-1.10.0/src/global.c +Index: libgcrypt-1.10.2/src/global.c =================================================================== ---- libgcrypt-1.10.0.orig/src/global.c -+++ libgcrypt-1.10.0/src/global.c -@@ -797,6 +797,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, - rc = _gcry_fips_indicator_kdf (arg_ptr); +--- libgcrypt-1.10.2.orig/src/global.c ++++ libgcrypt-1.10.2/src/global.c +@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, + rc = _gcry_fips_indicator_pk_flags (arg_ptr); break; + case GCRYCTL_FIPS_SERVICE_INDICATOR_PK: diff --git a/libgcrypt.changes b/libgcrypt.changes index 5fbf31e..f36a23a 100644 --- a/libgcrypt.changes +++ b/libgcrypt.changes @@ -1,3 +1,46 @@ +------------------------------------------------------------------- +Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal + +- Update to 1.10.2: + * Bug fixes: + - Fix Argon2 for the case output > 64. [rC13b5454d26] + - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44] + - Fix RSA key generation failure in forced FIPS mode. [T5919] + - Fix gcry_pk_hash_verify for explicit hash. [T6066] + - Fix a wrong result of gcry_mpi_invm. [T5970] + - Allow building with --disable-asm for HPPA. [T5976] + - Allow building with -Oz. [T6432] + - Enable the fast path to ChaCha20 only when supported. [T6384] + - Use size_t to avoid counter overflow in Keccak when directly + feeding more than 4GiB. [T6217] + * Other: + - Do not use secure memory for a DRBG instance. [T5933] + - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918] + - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990] + - Allow verification of small RSA signatures in FIPS mode. [T5975] + - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039] + - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165] + - Add function-name based FIPS indicator function. + GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered + an ABI changes because the new FIPS features were not yet + approved. [rC822ee57f07] + - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397] + - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9] + - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a] + - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219] + - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba] + - Prefer gpgrt-config when available. [T5034] + - Mark AESWRAP as approved FIPS algorithm. [T5512] + - Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332] + - Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25] + - Remove GCM mode from the allowed FIPS indicators. [rC1540698389] + - Add explicit FIPS indicators for hash and MAC algorithms. [T6376] + * Release-info: https://dev.gnupg.org/T5905 + * Rebase FIPS patches: + - libgcrypt-FIPS-SLI-hash-mac.patch + - libgcrypt-FIPS-SLI-kdf-leylength.patch + - libgcrypt-FIPS-SLI-pk.patch + ------------------------------------------------------------------- Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal diff --git a/libgcrypt.spec b/libgcrypt.spec index a60baf3..afcbd18 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -21,7 +21,7 @@ %define libsoname %{name}%{libsover} %define hmac_key orboDeJITITejsirpADONivirpUkvarP Name: libgcrypt -Version: 1.10.1 +Version: 1.10.2 Release: 0 Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later @@ -36,20 +36,21 @@ Source4: hwf.deny Source5: libgcrypt.keyring Source99: libgcrypt.changes Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch -#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK -Patch2: libgcrypt-FIPS-SLI-pk.patch -#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators -Patch3: libgcrypt-FIPS-SLI-hash-mac.patch -#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf() -Patch4: libgcrypt-FIPS-SLI-kdf-leylength.patch #PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion -Patch5: libgcrypt-1.10.0-out-of-core-handler.patch +Patch2: libgcrypt-1.10.0-out-of-core-handler.patch +# FIPS patches: +#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK +Patch100: libgcrypt-FIPS-SLI-pk.patch +#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf() +Patch101: libgcrypt-FIPS-SLI-kdf-leylength.patch +#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators +Patch102: libgcrypt-FIPS-SLI-hash-mac.patch #PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy -Patch6: libgcrypt-jitterentropy-3.4.0.patch +Patch103: libgcrypt-jitterentropy-3.4.0.patch #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll -Patch7: libgcrypt-FIPS-rndjent_poll.patch +Patch104: libgcrypt-FIPS-rndjent_poll.patch #PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips -Patch8: libgcrypt-1.10.0-use-fipscheck.patch +Patch105: libgcrypt-1.10.0-use-fipscheck.patch BuildRequires: automake >= 1.14 BuildRequires: libgpg-error-devel >= 1.27 BuildRequires: libtool From d2525ea576912c94f5c5e6d48058272b92e875899ba02ebef320ff44da907340 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Wed, 12 Apr 2023 09:52:01 +0000 Subject: [PATCH 2/2] Accepting request 1078614 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ OBS-URL: https://build.opensuse.org/request/show/1078614 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=166 --- libgcrypt-1.10.1.tar.bz2 | 3 --- libgcrypt-1.10.1.tar.bz2.sig | Bin 238 -> 0 bytes libgcrypt.spec | 4 ++-- 3 files changed, 2 insertions(+), 5 deletions(-) delete mode 100644 libgcrypt-1.10.1.tar.bz2 delete mode 100644 libgcrypt-1.10.1.tar.bz2.sig diff --git a/libgcrypt-1.10.1.tar.bz2 b/libgcrypt-1.10.1.tar.bz2 deleted file mode 100644 index 7dccb2d..0000000 --- a/libgcrypt-1.10.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de -size 3778457 diff --git a/libgcrypt-1.10.1.tar.bz2.sig b/libgcrypt-1.10.1.tar.bz2.sig deleted file mode 100644 index 1798eb3229061cb3bbf0ae7b18d99ad4d0b087ca0a03945e79d26a57600c0914..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 238 zcmeAuWnmEGV2~A4WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0Nsjv;FmQ1Sz(kl^7#TJd zylDS$$Lxvm%=>$bm&I_YIM`2r&@$&)*v-a!PR9%c85uUOT)t-NDvSS8CWe`2E2Jkz z>E-LS7rb77>F^xQi@6^;I}p~c=@X3pZl~Mp{%a=3%f8vVlE+T$1zPLBC=_HZOyuTz zhW|B=>wTTJM>iG)L|)o>r)#~j^v$?C@ePT$&8q?eSFK#a$ndvfx&L&PLW|G~9