forked from pool/libgcrypt
Pedro Monreal Gonzalez
725ec59b57
- Update to 1.10.1: * Bug fixes: - Fix minor memory leaks in FIPS mode. - Build fixes for MUSL libc. * Other: - More portable integrity check in FIPS mode. - Add X9.62 OIDs to sha256 and sha512 modules. * Add the hardware optimizations config file hwf.deny to the /etc/gcrypt/ directory. This file can be used to globally disable the use of hardware based optimizations. * Remove not needed separate_hmac256_binary hmac256 package - Update to 1.10.0: * New and extended interfaces: - New control codes to check for FIPS 140-3 approved algorithms. - New control code to switch into non-FIPS mode. - New cipher modes SIV and GCM-SIV as specified by RFC-5297. - Extended cipher mode AESWRAP with padding as specified by RFC-5649. - New set of KDF functions. - New KDF modes Argon2 and Balloon. - New functions for combining hashing and signing/verification. * Performance: - Improved support for PowerPC architectures. - Improved ECC performance on zSeries/s390x by using accelerated scalar multiplication. - Many more assembler performance improvements for several architectures. * Bug fixes: - Fix Elgamal encryption for other implementations. OBS-URL: https://build.opensuse.org/request/show/1038172 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=160
241 lines
8.6 KiB
Diff
241 lines
8.6 KiB
Diff
Index: libgcrypt-1.10.0/doc/gcrypt.texi
|
|
===================================================================
|
|
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
|
|
+++ libgcrypt-1.10.0/doc/gcrypt.texi
|
|
@@ -980,23 +980,39 @@ is approved under the current FIPS 140-3
|
|
combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
|
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
|
|
+
|
|
+Check if the given HASH is approved under the current FIPS 140-3
|
|
+certification. If the HASH is approved, this function returns
|
|
+@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
+is returned.
|
|
+
|
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
|
|
+
|
|
+Check if the given MAC is approved under the current FIPS 140-3
|
|
+certification. The second parameter provides the keylen (if the
|
|
+algorithm supports different key sizes). If the MAC is approved,
|
|
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
+is returned.
|
|
+
|
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
|
|
|
|
Check if the given KDF is approved under the current FIPS 140-3
|
|
-certification. If the KDF is approved, this function returns
|
|
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
-is returned.
|
|
+certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
|
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
|
|
-[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
|
|
-GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
|
|
+[, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)]
|
|
+[, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
|
|
|
|
Check if the given asymmetric cipher is approved under the current FIPS
|
|
-140-3 certification. For GCRY_PK_RSA, an additional parameter for the
|
|
-operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
|
|
-GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
|
|
-name or its alias as @code{const char *}. If the combination is
|
|
-approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
|
|
+140-3 certification. For GCRY_PK_RSA, two additional parameter are required:
|
|
+first describes the purpose of the algorithm through one of the constants
|
|
+(GCRY_PK_USAGE_ENCR for encryption or decryption operations; GCRY_PK_USAGE_SIGN for
|
|
+sign or verify operations).
|
|
+Second one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and GCRY_PK_ECDSA,
|
|
+only a single parameter is needed: the curve name or its alias as @code{const char *}.
|
|
+If the combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
|
|
@code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
|
|
@end table
|
|
Index: libgcrypt-1.10.0/src/fips.c
|
|
===================================================================
|
|
--- libgcrypt-1.10.0.orig/src/fips.c
|
|
+++ libgcrypt-1.10.0/src/fips.c
|
|
@@ -357,6 +357,7 @@ _gcry_fips_indicator_cipher (va_list arg
|
|
mode = va_arg (arg_ptr, enum gcry_cipher_modes);
|
|
switch (mode)
|
|
{
|
|
+ case GCRY_CIPHER_MODE_AESWRAP:
|
|
case GCRY_CIPHER_MODE_ECB:
|
|
case GCRY_CIPHER_MODE_CBC:
|
|
case GCRY_CIPHER_MODE_CFB:
|
|
@@ -364,7 +365,6 @@ _gcry_fips_indicator_cipher (va_list arg
|
|
case GCRY_CIPHER_MODE_OFB:
|
|
case GCRY_CIPHER_MODE_CTR:
|
|
case GCRY_CIPHER_MODE_CCM:
|
|
- case GCRY_CIPHER_MODE_GCM:
|
|
case GCRY_CIPHER_MODE_XTS:
|
|
return GPG_ERR_NO_ERROR;
|
|
default:
|
|
@@ -422,11 +422,25 @@ static const struct
|
|
{ NULL, NULL}
|
|
};
|
|
|
|
+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
|
|
+{
|
|
+ switch (pk_usage)
|
|
+ {
|
|
+ case GCRY_PK_USAGE_SIGN:
|
|
+ return PUBKEY_OP_SIGN;
|
|
+ case GCRY_PK_USAGE_ENCR:
|
|
+ return PUBKEY_OP_ENCRYPT;
|
|
+ default:
|
|
+ return PUBKEY_OP_DECRYPT;
|
|
+ }
|
|
+}
|
|
+
|
|
int
|
|
_gcry_fips_indicator_pk (va_list arg_ptr)
|
|
{
|
|
enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
|
|
enum pk_operation oper;
|
|
+ unsigned int keylen;
|
|
const char *curve_name;
|
|
|
|
switch (alg)
|
|
@@ -434,13 +448,17 @@ _gcry_fips_indicator_pk (va_list arg_ptr
|
|
case GCRY_PK_RSA:
|
|
case GCRY_PK_RSA_E:
|
|
case GCRY_PK_RSA_S:
|
|
- oper = va_arg (arg_ptr, enum pk_operation);
|
|
+ oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
|
|
switch (oper)
|
|
{
|
|
case PUBKEY_OP_ENCRYPT:
|
|
case PUBKEY_OP_DECRYPT:
|
|
return GPG_ERR_NOT_SUPPORTED;
|
|
default:
|
|
+ keylen = va_arg (arg_ptr, unsigned int);
|
|
+ if (keylen < 2048) {
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+ }
|
|
return GPG_ERR_NO_ERROR;
|
|
}
|
|
case GCRY_PK_ECC:
|
|
@@ -460,6 +478,62 @@ _gcry_fips_indicator_pk (va_list arg_ptr
|
|
}
|
|
}
|
|
|
|
+int
|
|
+_gcry_fips_indicator_hash (va_list arg_ptr)
|
|
+{
|
|
+ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
|
|
+
|
|
+ switch (alg)
|
|
+ {
|
|
+ case GCRY_MD_SHA1:
|
|
+ case GCRY_MD_SHA224:
|
|
+ case GCRY_MD_SHA256:
|
|
+ case GCRY_MD_SHA384:
|
|
+ case GCRY_MD_SHA512:
|
|
+ case GCRY_MD_SHA512_224:
|
|
+ case GCRY_MD_SHA512_256:
|
|
+ case GCRY_MD_SHA3_224:
|
|
+ case GCRY_MD_SHA3_256:
|
|
+ case GCRY_MD_SHA3_384:
|
|
+ case GCRY_MD_SHA3_512:
|
|
+ case GCRY_MD_SHAKE128:
|
|
+ case GCRY_MD_SHAKE256:
|
|
+ return GPG_ERR_NO_ERROR;
|
|
+ default:
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+ }
|
|
+}
|
|
+
|
|
+int
|
|
+_gcry_fips_indicator_mac (va_list arg_ptr)
|
|
+{
|
|
+ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
|
|
+ unsigned int keylen = va_arg (arg_ptr, unsigned int);
|
|
+
|
|
+ switch (alg)
|
|
+ {
|
|
+ case GCRY_MAC_HMAC_SHA1:
|
|
+ case GCRY_MAC_HMAC_SHA224:
|
|
+ case GCRY_MAC_HMAC_SHA256:
|
|
+ case GCRY_MAC_HMAC_SHA384:
|
|
+ case GCRY_MAC_HMAC_SHA512:
|
|
+ case GCRY_MAC_HMAC_SHA512_224:
|
|
+ case GCRY_MAC_HMAC_SHA512_256:
|
|
+ case GCRY_MAC_HMAC_SHA3_224:
|
|
+ case GCRY_MAC_HMAC_SHA3_256:
|
|
+ case GCRY_MAC_HMAC_SHA3_384:
|
|
+ case GCRY_MAC_HMAC_SHA3_512:
|
|
+ if (keylen >= 112) {
|
|
+ return GPG_ERR_NO_ERROR;
|
|
+ }
|
|
+ case GCRY_MAC_CMAC_AES:
|
|
+ if (keylen == 128 || keylen == 192 || keylen == 256) {
|
|
+ return GPG_ERR_NO_ERROR;
|
|
+ }
|
|
+ default:
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
+ }
|
|
+}
|
|
|
|
/* This is a test on whether the library is in the error or
|
|
operational state. */
|
|
Index: libgcrypt-1.10.0/src/g10lib.h
|
|
===================================================================
|
|
--- libgcrypt-1.10.0.orig/src/g10lib.h
|
|
+++ libgcrypt-1.10.0/src/g10lib.h
|
|
@@ -456,7 +456,9 @@ void _gcry_fips_signal_error (const char
|
|
#endif
|
|
|
|
int _gcry_fips_indicator_cipher (va_list arg_ptr);
|
|
+int _gcry_fips_indicator_hash (va_list arg_ptr);
|
|
int _gcry_fips_indicator_kdf (va_list arg_ptr);
|
|
+int _gcry_fips_indicator_mac (va_list arg_ptr);
|
|
int _gcry_fips_indicator_pk (va_list arg_ptr);
|
|
|
|
int _gcry_fips_is_operational (void);
|
|
Index: libgcrypt-1.10.0/src/gcrypt.h.in
|
|
===================================================================
|
|
--- libgcrypt-1.10.0.orig/src/gcrypt.h.in
|
|
+++ libgcrypt-1.10.0/src/gcrypt.h.in
|
|
@@ -331,7 +331,9 @@ enum gcry_ctl_cmds
|
|
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
|
|
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
|
|
GCRYCTL_NO_FIPS_MODE = 83,
|
|
- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84
|
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84,
|
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 85,
|
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 86
|
|
};
|
|
|
|
/* Perform various operations defined by CMD. */
|
|
Index: libgcrypt-1.10.0/src/global.c
|
|
===================================================================
|
|
--- libgcrypt-1.10.0.orig/src/global.c
|
|
+++ libgcrypt-1.10.0/src/global.c
|
|
@@ -791,12 +791,24 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
|
rc = _gcry_fips_indicator_cipher (arg_ptr);
|
|
break;
|
|
|
|
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_HASH:
|
|
+ /* Get FIPS Service Indicator for a given HASH. Returns GPG_ERR_NO_ERROR
|
|
+ * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
|
|
+ rc = _gcry_fips_indicator_hash (arg_ptr);
|
|
+ break;
|
|
+
|
|
case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
|
|
/* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
|
|
* if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
|
|
rc = _gcry_fips_indicator_kdf (arg_ptr);
|
|
break;
|
|
|
|
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
|
|
+ /* Get FIPS Service Indicator for a given HMAC. Returns GPG_ERR_NO_ERROR
|
|
+ * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
|
|
+ rc = _gcry_fips_indicator_mac (arg_ptr);
|
|
+ break;
|
|
+
|
|
case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
|
|
/* Get FIPS Service Indicator for a given asymmetric algorithm. For
|
|
* GCRY_PK_RSA, an additional parameter for the operation mode is
|