forked from pool/libgcrypt
Pedro Monreal Gonzalez
c941c8db1e
- FIPS: Disable DSA in FIPS mode [bsc#1195385] * Upstream task: https://dev.gnupg.org/T5710 * Add libgcrypt-FIPS-disable-DSA.patch - FIPS: Service level indicator [bsc#1190700] * Provide an indicator to check wether the service utilizes an approved cryptographic algorithm or not. * Add patches: - libgcrypt-FIPS-service-indicators.patch - libgcrypt-FIPS-verify-unsupported-KDF-test.patch - libgcrypt-FIPS-HMAC-short-keylen.patch - FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] * Disable jitter entropy by default in random.conf * Disable only-urandom option by default in random.conf - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] * rsa: Check RSA keylen constraints for key operations. * rsa: Fix regression in not returning an error for prime generation. * tests: Add 2k RSA key working in FIPS mode. * tests: pubkey: Replace RSA key to one of 2k. * tests: pkcs1v2: Skip tests with small keys in FIPS. * Add patches: - libgcrypt-FIPS-RSA-keylen.patch - libgcrypt-FIPS-RSA-keylen-tests.patch - FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] * Add libgcrypt-FIPS-disable-3DES.patch - FIPS: PBKDF requirements [bsc#1185137] OBS-URL: https://build.opensuse.org/request/show/950433 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=153
53 lines
1.9 KiB
Diff
53 lines
1.9 KiB
Diff
Index: libgcrypt-1.9.4/cipher/des.c
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/cipher/des.c
|
|
+++ libgcrypt-1.9.4/cipher/des.c
|
|
@@ -1498,7 +1498,7 @@ static gcry_cipher_oid_spec_t oids_tripl
|
|
|
|
gcry_cipher_spec_t _gcry_cipher_spec_tripledes =
|
|
{
|
|
- GCRY_CIPHER_3DES, {0, 1},
|
|
+ GCRY_CIPHER_3DES, {0, 0},
|
|
"3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx),
|
|
do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt,
|
|
NULL, NULL,
|
|
Index: libgcrypt-1.9.4/cipher/mac-cmac.c
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/cipher/mac-cmac.c
|
|
+++ libgcrypt-1.9.4/cipher/mac-cmac.c
|
|
@@ -458,7 +458,7 @@ gcry_mac_spec_t _gcry_mac_type_spec_cmac
|
|
#endif
|
|
#if USE_DES
|
|
gcry_mac_spec_t _gcry_mac_type_spec_cmac_tripledes = {
|
|
- GCRY_MAC_CMAC_3DES, {0, 1}, "CMAC_3DES",
|
|
+ GCRY_MAC_CMAC_3DES, {0, 0}, "CMAC_3DES",
|
|
&cmac_ops
|
|
};
|
|
#endif
|
|
Index: libgcrypt-1.9.4/src/fips.c
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/src/fips.c
|
|
+++ libgcrypt-1.9.4/src/fips.c
|
|
@@ -493,6 +493,10 @@ run_cipher_selftests (int extended)
|
|
|
|
for (idx=0; algos[idx]; idx++)
|
|
{
|
|
+ /* Skip non-approved cipher in FIPS mode */
|
|
+ if (fips_mode() && algos[idx] == GCRY_CIPHER_3DES)
|
|
+ continue;
|
|
+
|
|
err = _gcry_cipher_selftest (algos[idx], extended, reporter);
|
|
reporter ("cipher", algos[idx], NULL,
|
|
err? gpg_strerror (err):NULL);
|
|
@@ -558,6 +562,10 @@ run_mac_selftests (int extended)
|
|
|
|
for (idx=0; algos[idx]; idx++)
|
|
{
|
|
+ /* Skip non-approved MAC algorithm in FIPS mode */
|
|
+ if (fips_mode() && algos[idx] == GCRY_MAC_CMAC_3DES)
|
|
+ continue;
|
|
+
|
|
err = _gcry_mac_selftest (algos[idx], extended, reporter);
|
|
reporter ("mac", algos[idx], NULL,
|
|
err? gpg_strerror (err):NULL);
|