rpm/libica
SHA256
1
0
Fork 0
forked from pool/libica
Code Pull Requests Activity
665bdc3334
libica/libica-sles15sp2-Fix-DES-and-TDES-key-length.patch

44 lines
1.3 KiB
Diff
Raw Normal View History

Accepting request 801383 from home:markkp:branches:devel:openSUSE:Factory - Added the following patches for FIPS certification (bsc#1162533) * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch * libica-sles15sp2-FIPS-hmac-key.patch - Added a BuildRequires for the fipscheck package. - Made a couple of changes to the spec file based upon recommendations by spec-cleaner. - Added the following patches for FIPS certification. * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch (bsc#1166071) Although a DES key has only 56 effective bits, all 64 bits must be considered, because the parity bits are spread over all 8 bytes of the key. * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch (bsc#1166210) FIPS tests require the output iv to be the iv resulting from decrypting the last block with a zero iv as input. * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch (bsc#1166224) The output from icainfo never shows 'yes' for RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN, due to the missing ICA_FLAG_SW flag in the icaList. OBS-URL: https://build.opensuse.org/request/show/801383 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=42
2020-05-07 21:48:37 +02:00
From db1ad6f64d96c6dba2be5af5a4ecd7ceb8f92cf2 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 18 Mar 2020 16:48:43 +0100
Subject: [PATCH] Fix DES and TDES key length.
Although a DES key has only 56 effective bits, all 64 bits must be
considered, because the parity bits are spread over all 8 bytes of
the key.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/ica_api.c b/src/ica_api.c
index b80c6e3..eb6b154 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -48,6 +48,8 @@
#define DEFAULT2_CRYPT_DEVICE "/dev/z90crypt"
#define DEFAULT3_CRYPT_DEVICE "/dev/zcrypt"
+#define DES_KEY_LEN64 (64/8)
+
#define MAX_VERSION_LENGTH 16
int ica_fallbacks_enabled = 1;
@@ -125,9 +127,9 @@ static unsigned int check_des_parms(unsigned int mode,
#ifdef ICA_FIPS
static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
- if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LENGTH)
- | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LENGTH)
- | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LENGTH))
+ if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
+ | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64)
+ | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64))
return EINVAL;
return 0;
--
2.16.4
Copy Permalink