libgcrypt/libgcrypt-fips_ecdsa.patch

Index: libgcrypt-1.6.1/cipher/ecc-curves.c
===================================================================
--- libgcrypt-1.6.1.orig/cipher/ecc-curves.c    2014-01-29 10:48:38.000000000 +0100
+++ libgcrypt-1.6.1/cipher/ecc-curves.c 2014-09-18 17:48:15.645814378 +0200
@@ -114,7 +114,7 @@ static const ecc_domain_parms_t domain_p
       "0x6666666666666666666666666666666666666666666666666666666666666658"
     },
     {
-      "NIST P-192", 192, 1,
+      "NIST P-192", 192, 0,
       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
       "0xfffffffffffffffffffffffffffffffeffffffffffffffff",
       "0xfffffffffffffffffffffffffffffffefffffffffffffffc",
Index: libgcrypt-1.6.1/cipher/pubkey-util.c
===================================================================
--- libgcrypt-1.6.1.orig/cipher/pubkey-util.c   2013-12-16 18:44:32.000000000 +0100
+++ libgcrypt-1.6.1/cipher/pubkey-util.c        2014-09-18 18:27:24.928658758 +0200
@@ -593,7 +593,11 @@ _gcry_pk_util_init_encoding_ctx (struct
   ctx->nbits = nbits;
   ctx->encoding = PUBKEY_ENC_UNKNOWN;
   ctx->flags = 0;
-  ctx->hash_algo = GCRY_MD_SHA1;
+  if (fips_mode()) {
+    ctx->hash_algo = GCRY_MD_SHA256;
+  } else {
+    ctx->hash_algo = GCRY_MD_SHA1;
+  }
   ctx->label = NULL;
   ctx->labellen = 0;
   ctx->saltlen = 20;
Accepting request 250747 from home:vitezslav_cizek:branches:devel:libraries:c_c++ - disabled curve P-192 in FIPS mode (bnc#896202) * added libgcrypt-fips_ecdsa.patch - don't use SHA-1 for ECDSA in FIPS mode - also run the fips self tests only in FIPS mode - run the fips self tests at the constructor code * added libgcrypt-fips_run_selftest_at_constructor.patch - rewrite the DSA-2 code to be FIPS 186-4 compliant (bnc#894216) * added libgcrypt-fips-dsa.patch * install fips186_dsa - use 2048 bit keys in selftests_dsa OBS-URL: https://build.opensuse.org/request/show/250747 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=63 2014-09-22 22:11:21 +02:00			`Index: libgcrypt-1.6.1/cipher/ecc-curves.c`
			`===================================================================`
			`--- libgcrypt-1.6.1.orig/cipher/ecc-curves.c 2014-01-29 10:48:38.000000000 +0100`
			`+++ libgcrypt-1.6.1/cipher/ecc-curves.c 2014-09-18 17:48:15.645814378 +0200`
			`@@ -114,7 +114,7 @@ static const ecc_domain_parms_t domain_p`
			`"0x6666666666666666666666666666666666666666666666666666666666666658"`
			`},`
			`{`
			`- "NIST P-192", 192, 1,`
			`+ "NIST P-192", 192, 0,`
			`MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,`
			`"0xfffffffffffffffffffffffffffffffeffffffffffffffff",`
			`"0xfffffffffffffffffffffffffffffffefffffffffffffffc",`
			`Index: libgcrypt-1.6.1/cipher/pubkey-util.c`
			`===================================================================`
			`--- libgcrypt-1.6.1.orig/cipher/pubkey-util.c 2013-12-16 18:44:32.000000000 +0100`
			`+++ libgcrypt-1.6.1/cipher/pubkey-util.c 2014-09-18 18:27:24.928658758 +0200`
			`@@ -593,7 +593,11 @@ _gcry_pk_util_init_encoding_ctx (struct`
			`ctx->nbits = nbits;`
			`ctx->encoding = PUBKEY_ENC_UNKNOWN;`
			`ctx->flags = 0;`
			`- ctx->hash_algo = GCRY_MD_SHA1;`
			`+ if (fips_mode()) {`
			`+ ctx->hash_algo = GCRY_MD_SHA256;`
			`+ } else {`
			`+ ctx->hash_algo = GCRY_MD_SHA1;`
			`+ }`
			`ctx->label = NULL;`
			`ctx->labellen = 0;`
			`ctx->saltlen = 20;`