forked from pool/libgcrypt
Pedro Monreal Gonzalez
c941c8db1e
- FIPS: Disable DSA in FIPS mode [bsc#1195385] * Upstream task: https://dev.gnupg.org/T5710 * Add libgcrypt-FIPS-disable-DSA.patch - FIPS: Service level indicator [bsc#1190700] * Provide an indicator to check wether the service utilizes an approved cryptographic algorithm or not. * Add patches: - libgcrypt-FIPS-service-indicators.patch - libgcrypt-FIPS-verify-unsupported-KDF-test.patch - libgcrypt-FIPS-HMAC-short-keylen.patch - FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] * Disable jitter entropy by default in random.conf * Disable only-urandom option by default in random.conf - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] * rsa: Check RSA keylen constraints for key operations. * rsa: Fix regression in not returning an error for prime generation. * tests: Add 2k RSA key working in FIPS mode. * tests: pubkey: Replace RSA key to one of 2k. * tests: pkcs1v2: Skip tests with small keys in FIPS. * Add patches: - libgcrypt-FIPS-RSA-keylen.patch - libgcrypt-FIPS-RSA-keylen-tests.patch - FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] * Add libgcrypt-FIPS-disable-3DES.patch - FIPS: PBKDF requirements [bsc#1185137] OBS-URL: https://build.opensuse.org/request/show/950433 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=153
90 lines
3.8 KiB
Diff
90 lines
3.8 KiB
Diff
From c74fde0c3f6114c594332fb28a09c7b817969231 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Jelen <jjelen@redhat.com>
|
|
Date: Fri, 17 Sep 2021 17:11:30 +0200
|
|
Subject: [PATCH 187/200] Allow passing FIPS module version
|
|
|
|
* README: Document new --with-fips-module-version=version switch
|
|
* configure.ac: Implementation of the --with-fips-module-version
|
|
* src/global.c (print_config): Print FIPS module version from above
|
|
--
|
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
|
|
Moved the module version to a 3rd field to keep the semantics of that
|
|
line.
|
|
|
|
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
GnuPG-bug-id: 1600
|
|
---
|
|
README | 4 ++++
|
|
configure.ac | 7 +++++++
|
|
src/global.c | 16 +++++++++++++---
|
|
3 files changed, 24 insertions(+), 3 deletions(-)
|
|
|
|
Index: libgcrypt-1.9.4/README
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/README
|
|
+++ libgcrypt-1.9.4/README
|
|
@@ -165,6 +165,10 @@
|
|
against a HMAC checksum. This works only in FIPS
|
|
mode and on systems providing the dladdr function.
|
|
|
|
+ --with-fips-module-version=version
|
|
+ Specify a string used as a module version for FIPS
|
|
+ certification purposes.
|
|
+
|
|
--disable-padlock-support
|
|
Disable support for the PadLock engine of VIA
|
|
processors. The default is to use PadLock if
|
|
Index: libgcrypt-1.9.4/configure.ac
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/configure.ac
|
|
+++ libgcrypt-1.9.4/configure.ac
|
|
@@ -599,6 +599,12 @@ if test "$use_hmac_binary_check" = yes ;
|
|
[Define to support an HMAC based integrity check])
|
|
fi
|
|
|
|
+# Implementation of the --with-fips-module-version.
|
|
+AC_ARG_WITH(fips-module-version,
|
|
+ [ --with-fips-module-version=VERSION],
|
|
+ fips_module_version="$withval", fips_module_version="" )
|
|
+AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
|
|
+ [Define FIPS module version for certification])
|
|
|
|
# Implementation of the --disable-jent-support switch.
|
|
AC_MSG_CHECKING([whether jitter entropy support is requested])
|
|
@@ -3266,6 +3272,7 @@ GCRY_MSG_WRAP([Enabled pubkey algorithms
|
|
GCRY_MSG_SHOW([Random number generator: ],[$random])
|
|
GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
|
|
GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
|
|
+GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version])
|
|
GCRY_MSG_SHOW([Try using Padlock crypto: ],[$padlocksupport])
|
|
GCRY_MSG_SHOW([Try using AES-NI crypto: ],[$aesnisupport])
|
|
GCRY_MSG_SHOW([Try using Intel SHAEXT: ],[$shaextsupport])
|
|
Index: libgcrypt-1.9.4/src/global.c
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/src/global.c
|
|
+++ libgcrypt-1.9.4/src/global.c
|
|
@@ -379,10 +379,19 @@ print_config (const char *what, gpgrt_st
|
|
{
|
|
/* We use y/n instead of 1/0 for the stupid reason that
|
|
* Emacsen's compile error parser would accidentally flag that
|
|
- * line when printed during "make check" as an error. */
|
|
- gpgrt_fprintf (fp, "fips-mode:%c:%c:\n",
|
|
+ * line when printed during "make check" as an error. The
|
|
+ * second field is obsolete and thus empty (used to be used for
|
|
+ * a so-called enforced-fips-mode). The third field has an
|
|
+ * option static string describing the module versions; this is
|
|
+ * an optional configure option. */
|
|
+ gpgrt_fprintf (fp, "fips-mode:%c::%s:\n",
|
|
fips_mode ()? 'y':'n',
|
|
- _gcry_enforced_fips_mode ()? 'y':'n' );
|
|
+#ifdef FIPS_MODULE_VERSION
|
|
+ fips_mode () ? FIPS_MODULE_VERSION : ""
|
|
+#else
|
|
+ ""
|
|
+#endif /* FIPS_MODULE_VERSION */
|
|
+ );
|
|
}
|
|
|
|
if (!what || !strcmp (what, "rng-type"))
|