3
0
forked from pool/libgcrypt
libgcrypt/libgcrypt-FIPS-SLI-kdf-leylength.patch
Pedro Monreal Gonzalez 07ae165632 Accepting request 1078466 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 1.10.2:
  * Bug fixes:
    - Fix Argon2 for the case output > 64. [rC13b5454d26]
    - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
    - Fix RSA key generation failure in forced FIPS mode. [T5919]
    - Fix gcry_pk_hash_verify for explicit hash. [T6066]
    - Fix a wrong result of gcry_mpi_invm. [T5970]
    - Allow building with --disable-asm for HPPA. [T5976]
    - Allow building with -Oz. [T6432]
    - Enable the fast path to ChaCha20 only when supported. [T6384]
    - Use size_t to avoid counter overflow in Keccak when directly
      feeding more than 4GiB. [T6217]
  * Other:
    - Do not use secure memory for a DRBG instance. [T5933]
    - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
    - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990]
    - Allow verification of small RSA signatures in FIPS mode. [T5975]
    - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
    - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
    - Add function-name based FIPS indicator function.
      GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
      an ABI changes because the new FIPS features were not yet
      approved. [rC822ee57f07]
    - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
    - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
    - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
    - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
    - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
    - Prefer gpgrt-config when available. [T5034]
    - Mark AESWRAP as approved FIPS algorithm. [T5512]

OBS-URL: https://build.opensuse.org/request/show/1078466
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=165
2023-04-11 14:55:16 +00:00

43 lines
1.6 KiB
Diff

Index: libgcrypt-1.10.2/src/fips.c
===================================================================
--- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.2/src/fips.c
@@ -520,10 +520,15 @@ int
_gcry_fips_indicator_kdf (va_list arg_ptr)
{
enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
+ unsigned int keylen = 0;
switch (alg)
{
case GCRY_KDF_PBKDF2:
+ keylen = va_arg (arg_ptr, unsigned int);
+ if (keylen < 112) {
+ return GPG_ERR_NOT_SUPPORTED;
+ }
return GPG_ERR_NO_ERROR;
default:
return GPG_ERR_NOT_SUPPORTED;
Index: libgcrypt-1.10.2/doc/gcrypt.texi
===================================================================
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.2/doc/gcrypt.texi
@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
+certification. The second parameter provides the keylength in bits.
+Keylength values of less that 112 bits are considered non-approved.
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *