forked from pool/libgcrypt
Accepting request 1078466 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 1.10.2: * Bug fixes: - Fix Argon2 for the case output > 64. [rC13b5454d26] - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44] - Fix RSA key generation failure in forced FIPS mode. [T5919] - Fix gcry_pk_hash_verify for explicit hash. [T6066] - Fix a wrong result of gcry_mpi_invm. [T5970] - Allow building with --disable-asm for HPPA. [T5976] - Allow building with -Oz. [T6432] - Enable the fast path to ChaCha20 only when supported. [T6384] - Use size_t to avoid counter overflow in Keccak when directly feeding more than 4GiB. [T6217] * Other: - Do not use secure memory for a DRBG instance. [T5933] - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918] - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990] - Allow verification of small RSA signatures in FIPS mode. [T5975] - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039] - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165] - Add function-name based FIPS indicator function. GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered an ABI changes because the new FIPS features were not yet approved. [rC822ee57f07] - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397] - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9] - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a] - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219] - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba] - Prefer gpgrt-config when available. [T5034] - Mark AESWRAP as approved FIPS algorithm. [T5512] OBS-URL: https://build.opensuse.org/request/show/1078466 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=165
This commit is contained in:
parent
7483d2b690
commit
07ae165632
3
libgcrypt-1.10.2.tar.bz2
Normal file
3
libgcrypt-1.10.2.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03
|
||||||
|
size 3795164
|
BIN
libgcrypt-1.10.2.tar.bz2.sig
Normal file
BIN
libgcrypt-1.10.2.tar.bz2.sig
Normal file
Binary file not shown.
@ -1,124 +1,71 @@
|
|||||||
Index: libgcrypt-1.10.0/doc/gcrypt.texi
|
Index: libgcrypt-1.10.2/doc/gcrypt.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
|
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
|
||||||
+++ libgcrypt-1.10.0/doc/gcrypt.texi
|
+++ libgcrypt-1.10.2/doc/gcrypt.texi
|
||||||
@@ -980,23 +980,39 @@ is approved under the current FIPS 140-3
|
@@ -985,13 +985,21 @@ certification. If the function is approv
|
||||||
combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
|
||||||
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
||||||
|
|
||||||
|
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
|
||||||
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
|
||||||
+
|
|
||||||
|
-Check if the given MAC is approved under the current FIPS 140-3
|
||||||
|
-certification. If the MAC is approved, this function returns
|
||||||
|
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
||||||
+Check if the given HASH is approved under the current FIPS 140-3
|
+Check if the given HASH is approved under the current FIPS 140-3
|
||||||
+certification. If the HASH is approved, this function returns
|
+certification. If the HASH is approved, this function returns
|
||||||
+@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
+@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
||||||
+is returned.
|
is returned.
|
||||||
+
|
|
||||||
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
|
||||||
+
|
+
|
||||||
+Check if the given MAC is approved under the current FIPS 140-3
|
+Check if the given MAC is approved under the current FIPS 140-3
|
||||||
+certification. The second parameter provides the keylen (if the
|
+certification. The second parameter provides the keylen (if the
|
||||||
+algorithm supports different key sizes). If the MAC is approved,
|
+algorithm supports different key sizes). If the MAC is approved,
|
||||||
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
|
||||||
+is returned.
|
+@code{GPG_ERR_NOT_SUPPORTED} is returned.
|
||||||
+
|
+
|
||||||
@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
|
||||||
|
|
||||||
Check if the given KDF is approved under the current FIPS 140-3
|
Check if the given message digest algorithm is approved under the current
|
||||||
-certification. If the KDF is approved, this function returns
|
Index: libgcrypt-1.10.2/src/fips.c
|
||||||
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
|
||||||
-is returned.
|
|
||||||
+certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
|
||||||
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
||||||
|
|
||||||
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
|
|
||||||
-[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
|
|
||||||
-GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
|
|
||||||
+[, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)]
|
|
||||||
+[, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
|
|
||||||
|
|
||||||
Check if the given asymmetric cipher is approved under the current FIPS
|
|
||||||
-140-3 certification. For GCRY_PK_RSA, an additional parameter for the
|
|
||||||
-operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
|
|
||||||
-GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
|
|
||||||
-name or its alias as @code{const char *}. If the combination is
|
|
||||||
-approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
|
|
||||||
+140-3 certification. For GCRY_PK_RSA, two additional parameter are required:
|
|
||||||
+first describes the purpose of the algorithm through one of the constants
|
|
||||||
+(GCRY_PK_USAGE_ENCR for encryption or decryption operations; GCRY_PK_USAGE_SIGN for
|
|
||||||
+sign or verify operations).
|
|
||||||
+Second one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and GCRY_PK_ECDSA,
|
|
||||||
+only a single parameter is needed: the curve name or its alias as @code{const char *}.
|
|
||||||
+If the combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
|
|
||||||
@code{GPG_ERR_NOT_SUPPORTED} is returned.
|
|
||||||
|
|
||||||
@end table
|
|
||||||
Index: libgcrypt-1.10.0/src/fips.c
|
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/fips.c
|
--- libgcrypt-1.10.2.orig/src/fips.c
|
||||||
+++ libgcrypt-1.10.0/src/fips.c
|
+++ libgcrypt-1.10.2/src/fips.c
|
||||||
@@ -357,6 +357,7 @@ _gcry_fips_indicator_cipher (va_list arg
|
@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
|
||||||
mode = va_arg (arg_ptr, enum gcry_cipher_modes);
|
}
|
||||||
switch (mode)
|
}
|
||||||
{
|
|
||||||
+ case GCRY_CIPHER_MODE_AESWRAP:
|
|
||||||
case GCRY_CIPHER_MODE_ECB:
|
|
||||||
case GCRY_CIPHER_MODE_CBC:
|
|
||||||
case GCRY_CIPHER_MODE_CFB:
|
|
||||||
@@ -364,7 +365,6 @@ _gcry_fips_indicator_cipher (va_list arg
|
|
||||||
case GCRY_CIPHER_MODE_OFB:
|
|
||||||
case GCRY_CIPHER_MODE_CTR:
|
|
||||||
case GCRY_CIPHER_MODE_CCM:
|
|
||||||
- case GCRY_CIPHER_MODE_GCM:
|
|
||||||
case GCRY_CIPHER_MODE_XTS:
|
|
||||||
return GPG_ERR_NO_ERROR;
|
|
||||||
default:
|
|
||||||
@@ -422,11 +422,25 @@ static const struct
|
|
||||||
{ NULL, NULL}
|
|
||||||
};
|
|
||||||
|
|
||||||
+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
|
-int
|
||||||
+{
|
-_gcry_fips_indicator_mac (va_list arg_ptr)
|
||||||
+ switch (pk_usage)
|
-{
|
||||||
+ {
|
- enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
|
||||||
+ case GCRY_PK_USAGE_SIGN:
|
-
|
||||||
+ return PUBKEY_OP_SIGN;
|
- switch (alg)
|
||||||
+ case GCRY_PK_USAGE_ENCR:
|
- {
|
||||||
+ return PUBKEY_OP_ENCRYPT;
|
- case GCRY_MAC_CMAC_AES:
|
||||||
+ default:
|
- case GCRY_MAC_HMAC_SHA1:
|
||||||
+ return PUBKEY_OP_DECRYPT;
|
- case GCRY_MAC_HMAC_SHA224:
|
||||||
+ }
|
- case GCRY_MAC_HMAC_SHA256:
|
||||||
+}
|
- case GCRY_MAC_HMAC_SHA384:
|
||||||
+
|
- case GCRY_MAC_HMAC_SHA512:
|
||||||
int
|
- case GCRY_MAC_HMAC_SHA512_224:
|
||||||
_gcry_fips_indicator_pk (va_list arg_ptr)
|
- case GCRY_MAC_HMAC_SHA512_256:
|
||||||
{
|
- case GCRY_MAC_HMAC_SHA3_224:
|
||||||
enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
|
- case GCRY_MAC_HMAC_SHA3_256:
|
||||||
enum pk_operation oper;
|
- case GCRY_MAC_HMAC_SHA3_384:
|
||||||
+ unsigned int keylen;
|
- case GCRY_MAC_HMAC_SHA3_512:
|
||||||
const char *curve_name;
|
- return GPG_ERR_NO_ERROR;
|
||||||
|
- default:
|
||||||
switch (alg)
|
- return GPG_ERR_NOT_SUPPORTED;
|
||||||
@@ -434,13 +448,17 @@ _gcry_fips_indicator_pk (va_list arg_ptr
|
- }
|
||||||
case GCRY_PK_RSA:
|
-}
|
||||||
case GCRY_PK_RSA_E:
|
-
|
||||||
case GCRY_PK_RSA_S:
|
/* FIPS approved curves, extracted from:
|
||||||
- oper = va_arg (arg_ptr, enum pk_operation);
|
* cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
|
||||||
+ oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
|
static const struct
|
||||||
switch (oper)
|
@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a
|
||||||
{
|
|
||||||
case PUBKEY_OP_ENCRYPT:
|
|
||||||
case PUBKEY_OP_DECRYPT:
|
|
||||||
return GPG_ERR_NOT_SUPPORTED;
|
return GPG_ERR_NOT_SUPPORTED;
|
||||||
default:
|
|
||||||
+ keylen = va_arg (arg_ptr, unsigned int);
|
|
||||||
+ if (keylen < 2048) {
|
|
||||||
+ return GPG_ERR_NOT_SUPPORTED;
|
|
||||||
+ }
|
|
||||||
return GPG_ERR_NO_ERROR;
|
|
||||||
}
|
|
||||||
case GCRY_PK_ECC:
|
|
||||||
@@ -460,6 +478,62 @@ _gcry_fips_indicator_pk (va_list arg_ptr
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
@ -180,40 +127,37 @@ Index: libgcrypt-1.10.0/src/fips.c
|
|||||||
|
|
||||||
/* This is a test on whether the library is in the error or
|
/* This is a test on whether the library is in the error or
|
||||||
operational state. */
|
operational state. */
|
||||||
Index: libgcrypt-1.10.0/src/g10lib.h
|
Index: libgcrypt-1.10.2/src/g10lib.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/g10lib.h
|
--- libgcrypt-1.10.2.orig/src/g10lib.h
|
||||||
+++ libgcrypt-1.10.0/src/g10lib.h
|
+++ libgcrypt-1.10.2/src/g10lib.h
|
||||||
@@ -456,7 +456,9 @@ void _gcry_fips_signal_error (const char
|
@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int _gcry_fips_indicator_cipher (va_list arg_ptr);
|
int _gcry_fips_indicator_cipher (va_list arg_ptr);
|
||||||
+int _gcry_fips_indicator_hash (va_list arg_ptr);
|
+int _gcry_fips_indicator_hash (va_list arg_ptr);
|
||||||
|
int _gcry_fips_indicator_mac (va_list arg_ptr);
|
||||||
|
int _gcry_fips_indicator_md (va_list arg_ptr);
|
||||||
int _gcry_fips_indicator_kdf (va_list arg_ptr);
|
int _gcry_fips_indicator_kdf (va_list arg_ptr);
|
||||||
+int _gcry_fips_indicator_mac (va_list arg_ptr);
|
Index: libgcrypt-1.10.2/src/gcrypt.h.in
|
||||||
int _gcry_fips_indicator_pk (va_list arg_ptr);
|
|
||||||
|
|
||||||
int _gcry_fips_is_operational (void);
|
|
||||||
Index: libgcrypt-1.10.0/src/gcrypt.h.in
|
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/gcrypt.h.in
|
--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
|
||||||
+++ libgcrypt-1.10.0/src/gcrypt.h.in
|
+++ libgcrypt-1.10.2/src/gcrypt.h.in
|
||||||
@@ -331,7 +331,9 @@ enum gcry_ctl_cmds
|
@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
|
||||||
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
|
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
|
||||||
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
|
GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
|
||||||
GCRYCTL_NO_FIPS_MODE = 83,
|
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
|
||||||
- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84
|
- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
|
||||||
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84,
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88,
|
||||||
+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 85,
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89
|
||||||
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 86
|
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Perform various operations defined by CMD. */
|
/* Perform various operations defined by CMD. */
|
||||||
Index: libgcrypt-1.10.0/src/global.c
|
Index: libgcrypt-1.10.2/src/global.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/global.c
|
--- libgcrypt-1.10.2.orig/src/global.c
|
||||||
+++ libgcrypt-1.10.0/src/global.c
|
+++ libgcrypt-1.10.2/src/global.c
|
||||||
@@ -791,12 +791,24 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
||||||
rc = _gcry_fips_indicator_cipher (arg_ptr);
|
rc = _gcry_fips_indicator_cipher (arg_ptr);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -223,18 +167,6 @@ Index: libgcrypt-1.10.0/src/global.c
|
|||||||
+ rc = _gcry_fips_indicator_hash (arg_ptr);
|
+ rc = _gcry_fips_indicator_hash (arg_ptr);
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
|
case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
|
||||||
/* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
|
/* Get FIPS Service Indicator for a given message authentication code.
|
||||||
* if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
|
* Returns GPG_ERR_NO_ERROR if algorithm is allowed or
|
||||||
rc = _gcry_fips_indicator_kdf (arg_ptr);
|
|
||||||
break;
|
|
||||||
|
|
||||||
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
|
|
||||||
+ /* Get FIPS Service Indicator for a given HMAC. Returns GPG_ERR_NO_ERROR
|
|
||||||
+ * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
|
|
||||||
+ rc = _gcry_fips_indicator_mac (arg_ptr);
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
|
|
||||||
/* Get FIPS Service Indicator for a given asymmetric algorithm. For
|
|
||||||
* GCRY_PK_RSA, an additional parameter for the operation mode is
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
Index: libgcrypt-1.10.0/src/fips.c
|
Index: libgcrypt-1.10.2/src/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/fips.c
|
--- libgcrypt-1.10.2.orig/src/fips.c
|
||||||
+++ libgcrypt-1.10.0/src/fips.c
|
+++ libgcrypt-1.10.2/src/fips.c
|
||||||
@@ -379,10 +379,15 @@ int
|
@@ -520,10 +520,15 @@ int
|
||||||
_gcry_fips_indicator_kdf (va_list arg_ptr)
|
_gcry_fips_indicator_kdf (va_list arg_ptr)
|
||||||
{
|
{
|
||||||
enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
|
enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
|
||||||
@ -18,22 +18,25 @@ Index: libgcrypt-1.10.0/src/fips.c
|
|||||||
return GPG_ERR_NO_ERROR;
|
return GPG_ERR_NO_ERROR;
|
||||||
default:
|
default:
|
||||||
return GPG_ERR_NOT_SUPPORTED;
|
return GPG_ERR_NOT_SUPPORTED;
|
||||||
Index: libgcrypt-1.10.0/doc/gcrypt.texi
|
Index: libgcrypt-1.10.2/doc/gcrypt.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
|
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
|
||||||
+++ libgcrypt-1.10.0/doc/gcrypt.texi
|
+++ libgcrypt-1.10.2/doc/gcrypt.texi
|
||||||
@@ -995,10 +995,12 @@ algorithm supports different key sizes).
|
@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
|
||||||
this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
||||||
is returned.
|
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
||||||
|
|
||||||
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
|
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
|
||||||
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
|
||||||
|
|
||||||
Check if the given KDF is approved under the current FIPS 140-3
|
Check if the given KDF is approved under the current FIPS 140-3
|
||||||
-certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
-certification. If the KDF is approved, this function returns
|
||||||
|
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
||||||
|
-is returned.
|
||||||
+certification. The second parameter provides the keylength in bits.
|
+certification. The second parameter provides the keylength in bits.
|
||||||
+Keylength values of less that 112 bits are considered non-approved.
|
+Keylength values of less that 112 bits are considered non-approved.
|
||||||
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
|
||||||
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
||||||
|
|
||||||
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
|
||||||
|
|
||||||
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
Index: libgcrypt-1.10.0/src/fips.c
|
Index: libgcrypt-1.10.2/src/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/fips.c
|
--- libgcrypt-1.10.2.orig/src/fips.c
|
||||||
+++ libgcrypt-1.10.0/src/fips.c
|
+++ libgcrypt-1.10.2/src/fips.c
|
||||||
@@ -36,6 +36,7 @@
|
@@ -38,6 +38,7 @@
|
||||||
|
|
||||||
#include "g10lib.h"
|
#include "g10lib.h"
|
||||||
#include "cipher-proto.h"
|
#include "cipher-proto.h"
|
||||||
@ -10,7 +10,7 @@ Index: libgcrypt-1.10.0/src/fips.c
|
|||||||
#include "../random/random.h"
|
#include "../random/random.h"
|
||||||
|
|
||||||
/* The states of the finite state machine used in fips mode. */
|
/* The states of the finite state machine used in fips mode. */
|
||||||
@@ -386,6 +387,77 @@ _gcry_fips_indicator_kdf (va_list arg_pt
|
@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
|
||||||
default:
|
default:
|
||||||
return GPG_ERR_NOT_SUPPORTED;
|
return GPG_ERR_NOT_SUPPORTED;
|
||||||
}
|
}
|
||||||
@ -49,11 +49,25 @@ Index: libgcrypt-1.10.0/src/fips.c
|
|||||||
+ { NULL, NULL}
|
+ { NULL, NULL}
|
||||||
+ };
|
+ };
|
||||||
+
|
+
|
||||||
|
+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
|
||||||
|
+{
|
||||||
|
+ switch (pk_usage)
|
||||||
|
+ {
|
||||||
|
+ case GCRY_PK_USAGE_SIGN:
|
||||||
|
+ return PUBKEY_OP_SIGN;
|
||||||
|
+ case GCRY_PK_USAGE_ENCR:
|
||||||
|
+ return PUBKEY_OP_ENCRYPT;
|
||||||
|
+ default:
|
||||||
|
+ return PUBKEY_OP_DECRYPT;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
+int
|
+int
|
||||||
+_gcry_fips_indicator_pk (va_list arg_ptr)
|
+_gcry_fips_indicator_pk (va_list arg_ptr)
|
||||||
+{
|
+{
|
||||||
+ enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
|
+ enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
|
||||||
+ enum pk_operation oper;
|
+ enum pk_operation oper;
|
||||||
|
+ unsigned int keylen;
|
||||||
+ const char *curve_name;
|
+ const char *curve_name;
|
||||||
+
|
+
|
||||||
+ switch (alg)
|
+ switch (alg)
|
||||||
@ -61,13 +75,16 @@ Index: libgcrypt-1.10.0/src/fips.c
|
|||||||
+ case GCRY_PK_RSA:
|
+ case GCRY_PK_RSA:
|
||||||
+ case GCRY_PK_RSA_E:
|
+ case GCRY_PK_RSA_E:
|
||||||
+ case GCRY_PK_RSA_S:
|
+ case GCRY_PK_RSA_S:
|
||||||
+ oper = va_arg (arg_ptr, enum pk_operation);
|
+ oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
|
||||||
+ switch (oper)
|
+ switch (oper)
|
||||||
+ {
|
+ {
|
||||||
+ case PUBKEY_OP_ENCRYPT:
|
+ case PUBKEY_OP_ENCRYPT:
|
||||||
+ case PUBKEY_OP_DECRYPT:
|
+ case PUBKEY_OP_DECRYPT:
|
||||||
+ return GPG_ERR_NOT_SUPPORTED;
|
+ return GPG_ERR_NOT_SUPPORTED;
|
||||||
+ default:
|
+ default:
|
||||||
|
+ keylen = va_arg (arg_ptr, unsigned int);
|
||||||
|
+ if (keylen < 2048)
|
||||||
|
+ return GPG_ERR_NOT_SUPPORTED;
|
||||||
+ return GPG_ERR_NO_ERROR;
|
+ return GPG_ERR_NO_ERROR;
|
||||||
+ }
|
+ }
|
||||||
+ case GCRY_PK_ECC:
|
+ case GCRY_PK_ECC:
|
||||||
@ -87,62 +104,63 @@ Index: libgcrypt-1.10.0/src/fips.c
|
|||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int
|
||||||
Index: libgcrypt-1.10.0/src/gcrypt.h.in
|
Index: libgcrypt-1.10.2/src/gcrypt.h.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/gcrypt.h.in
|
--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
|
||||||
+++ libgcrypt-1.10.0/src/gcrypt.h.in
|
+++ libgcrypt-1.10.2/src/gcrypt.h.in
|
||||||
@@ -330,7 +330,8 @@ enum gcry_ctl_cmds
|
@@ -334,7 +334,8 @@ enum gcry_ctl_cmds
|
||||||
GCRYCTL_SET_DECRYPTION_TAG = 80,
|
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
|
||||||
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
|
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
|
||||||
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
|
GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
|
||||||
- GCRYCTL_NO_FIPS_MODE = 83
|
- GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
|
||||||
+ GCRYCTL_NO_FIPS_MODE = 83,
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
|
||||||
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84
|
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Perform various operations defined by CMD. */
|
/* Perform various operations defined by CMD. */
|
||||||
Index: libgcrypt-1.10.0/doc/gcrypt.texi
|
Index: libgcrypt-1.10.2/doc/gcrypt.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
|
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
|
||||||
+++ libgcrypt-1.10.0/doc/gcrypt.texi
|
+++ libgcrypt-1.10.2/doc/gcrypt.texi
|
||||||
@@ -987,6 +987,18 @@ certification. If the KDF is approved, t
|
@@ -997,6 +997,19 @@ Check if the given message digest algori
|
||||||
@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
|
FIPS 140-3 certification. If the algorithm is approved, this function returns
|
||||||
is returned.
|
@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
|
||||||
|
|
||||||
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
|
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, constantsGCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] [, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
|
||||||
+[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
|
|
||||||
+GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
|
|
||||||
+
|
+
|
||||||
+Check if the given asymmetric cipher is approved under the current FIPS
|
+Check if the given asymmetric cipher is approved under the current
|
||||||
+140-3 certification. For GCRY_PK_RSA, an additional parameter for the
|
+FIPS 140-3 certification. For GCRY_PK_RSA, two additional parameter
|
||||||
+operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
|
+are required: first describes the purpose of the algorithm through one
|
||||||
+GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
|
+of the constants (GCRY_PK_USAGE_ENCR for encryption or decryption
|
||||||
+name or its alias as @code{const char *}. If the combination is
|
+operations; GCRY_PK_USAGE_SIGN for sign or verify operations). Second
|
||||||
+approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
|
+one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and
|
||||||
|
+GCRY_PK_ECDSA, only a single parameter is needed: the curve name or
|
||||||
|
+its alias as @code{const char *}. If the combination is approved, this
|
||||||
|
+function returns @code{GPG_ERR_NO_ERROR}. Otherwise
|
||||||
+@code{GPG_ERR_NOT_SUPPORTED} is returned.
|
+@code{GPG_ERR_NOT_SUPPORTED} is returned.
|
||||||
+
|
+
|
||||||
@end table
|
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
|
||||||
|
|
||||||
@end deftypefun
|
Check if the given public key operation flag or s-expression object name is
|
||||||
Index: libgcrypt-1.10.0/src/g10lib.h
|
Index: libgcrypt-1.10.2/src/g10lib.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/g10lib.h
|
--- libgcrypt-1.10.2.orig/src/g10lib.h
|
||||||
+++ libgcrypt-1.10.0/src/g10lib.h
|
+++ libgcrypt-1.10.2/src/g10lib.h
|
||||||
@@ -457,6 +457,7 @@ void _gcry_fips_signal_error (const char
|
@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar
|
||||||
|
int _gcry_fips_indicator_md (va_list arg_ptr);
|
||||||
int _gcry_fips_indicator_cipher (va_list arg_ptr);
|
|
||||||
int _gcry_fips_indicator_kdf (va_list arg_ptr);
|
int _gcry_fips_indicator_kdf (va_list arg_ptr);
|
||||||
|
int _gcry_fips_indicator_function (va_list arg_ptr);
|
||||||
+int _gcry_fips_indicator_pk (va_list arg_ptr);
|
+int _gcry_fips_indicator_pk (va_list arg_ptr);
|
||||||
|
int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
|
||||||
|
|
||||||
int _gcry_fips_is_operational (void);
|
int _gcry_fips_is_operational (void);
|
||||||
|
Index: libgcrypt-1.10.2/src/global.c
|
||||||
Index: libgcrypt-1.10.0/src/global.c
|
|
||||||
===================================================================
|
===================================================================
|
||||||
--- libgcrypt-1.10.0.orig/src/global.c
|
--- libgcrypt-1.10.2.orig/src/global.c
|
||||||
+++ libgcrypt-1.10.0/src/global.c
|
+++ libgcrypt-1.10.2/src/global.c
|
||||||
@@ -797,6 +797,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
|
||||||
rc = _gcry_fips_indicator_kdf (arg_ptr);
|
rc = _gcry_fips_indicator_pk_flags (arg_ptr);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
|
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
|
||||||
|
@ -1,3 +1,46 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Update to 1.10.2:
|
||||||
|
* Bug fixes:
|
||||||
|
- Fix Argon2 for the case output > 64. [rC13b5454d26]
|
||||||
|
- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
|
||||||
|
- Fix RSA key generation failure in forced FIPS mode. [T5919]
|
||||||
|
- Fix gcry_pk_hash_verify for explicit hash. [T6066]
|
||||||
|
- Fix a wrong result of gcry_mpi_invm. [T5970]
|
||||||
|
- Allow building with --disable-asm for HPPA. [T5976]
|
||||||
|
- Allow building with -Oz. [T6432]
|
||||||
|
- Enable the fast path to ChaCha20 only when supported. [T6384]
|
||||||
|
- Use size_t to avoid counter overflow in Keccak when directly
|
||||||
|
feeding more than 4GiB. [T6217]
|
||||||
|
* Other:
|
||||||
|
- Do not use secure memory for a DRBG instance. [T5933]
|
||||||
|
- Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
|
||||||
|
- Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990]
|
||||||
|
- Allow verification of small RSA signatures in FIPS mode. [T5975]
|
||||||
|
- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
|
||||||
|
- Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
|
||||||
|
- Add function-name based FIPS indicator function.
|
||||||
|
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
|
||||||
|
an ABI changes because the new FIPS features were not yet
|
||||||
|
approved. [rC822ee57f07]
|
||||||
|
- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
|
||||||
|
- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
|
||||||
|
- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
|
||||||
|
- Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
|
||||||
|
- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
|
||||||
|
- Prefer gpgrt-config when available. [T5034]
|
||||||
|
- Mark AESWRAP as approved FIPS algorithm. [T5512]
|
||||||
|
- Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
|
||||||
|
- Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
|
||||||
|
- Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
|
||||||
|
- Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
|
||||||
|
* Release-info: https://dev.gnupg.org/T5905
|
||||||
|
* Rebase FIPS patches:
|
||||||
|
- libgcrypt-FIPS-SLI-hash-mac.patch
|
||||||
|
- libgcrypt-FIPS-SLI-kdf-leylength.patch
|
||||||
|
- libgcrypt-FIPS-SLI-pk.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal <mpluskal@suse.com>
|
Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal <mpluskal@suse.com>
|
||||||
|
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
%define libsoname %{name}%{libsover}
|
%define libsoname %{name}%{libsover}
|
||||||
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
|
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
|
||||||
Name: libgcrypt
|
Name: libgcrypt
|
||||||
Version: 1.10.1
|
Version: 1.10.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The GNU Crypto Library
|
Summary: The GNU Crypto Library
|
||||||
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
|
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
|
||||||
@ -36,20 +36,21 @@ Source4: hwf.deny
|
|||||||
Source5: libgcrypt.keyring
|
Source5: libgcrypt.keyring
|
||||||
Source99: libgcrypt.changes
|
Source99: libgcrypt.changes
|
||||||
Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
|
Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
|
||||||
#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
|
|
||||||
Patch2: libgcrypt-FIPS-SLI-pk.patch
|
|
||||||
#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
|
|
||||||
Patch3: libgcrypt-FIPS-SLI-hash-mac.patch
|
|
||||||
#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
|
|
||||||
Patch4: libgcrypt-FIPS-SLI-kdf-leylength.patch
|
|
||||||
#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion
|
#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion
|
||||||
Patch5: libgcrypt-1.10.0-out-of-core-handler.patch
|
Patch2: libgcrypt-1.10.0-out-of-core-handler.patch
|
||||||
|
# FIPS patches:
|
||||||
|
#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
|
||||||
|
Patch100: libgcrypt-FIPS-SLI-pk.patch
|
||||||
|
#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
|
||||||
|
Patch101: libgcrypt-FIPS-SLI-kdf-leylength.patch
|
||||||
|
#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
|
||||||
|
Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
|
||||||
#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
|
#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
|
||||||
Patch6: libgcrypt-jitterentropy-3.4.0.patch
|
Patch103: libgcrypt-jitterentropy-3.4.0.patch
|
||||||
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
|
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
|
||||||
Patch7: libgcrypt-FIPS-rndjent_poll.patch
|
Patch104: libgcrypt-FIPS-rndjent_poll.patch
|
||||||
#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
|
#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
|
||||||
Patch8: libgcrypt-1.10.0-use-fipscheck.patch
|
Patch105: libgcrypt-1.10.0-use-fipscheck.patch
|
||||||
BuildRequires: automake >= 1.14
|
BuildRequires: automake >= 1.14
|
||||||
BuildRequires: libgpg-error-devel >= 1.27
|
BuildRequires: libgpg-error-devel >= 1.27
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
|
Loading…
Reference in New Issue
Block a user