Remove useless SHA384 from DRBG

Resolves: rhbz#2176145
2023-03-07 09:20:55 +01:00 · 2023-03-07 09:20:55 +01:00 · 37892dbca7
commit 37892dbca7
parent 828a5f801b
2 changed files with 88 additions and 0 deletions
--- a/libgcrypt-1.10.0-fips-drbg.patch
+++ b/libgcrypt-1.10.0-fips-drbg.patch
@ -0,0 +1,85 @@
+From 45b80678109e5817b7cd15566a9d6c96b064b95f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 1 Mar 2023 15:39:15 +0100
+Subject: [PATCH] random: Remove unused SHA384 DRBGs.
+
+* random/random-drbg.c (global): Remove unused SHA384-based defines.
+(drbg_cores): Remove SHA384 configurations.
+(drbg_sec_strength): Remove unused SHA384.
+--
+
+These are no longer allowed by FIPS and it looks like they were never
+usable as they do not have any conversion from the string flags.
+
+GnuPG-bug-id: 6393
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ random/random-drbg.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/random/random-drbg.c b/random/random-drbg.c
+index f1cfe286..af49a5a5 100644
+--- a/random/random-drbg.c
+++ b/random/random-drbg.c
+@@ -188,11 +188,9 @@
+ #define DRBG_HASHSHA1		((u32)1<<4)
+ #define DRBG_HASHSHA224		((u32)1<<5)
+ #define DRBG_HASHSHA256		((u32)1<<6)
+-#define DRBG_HASHSHA384		((u32)1<<7)
+ #define DRBG_HASHSHA512		((u32)1<<8)
+ #define DRBG_HASH_MASK		(DRBG_HASHSHA1 | DRBG_HASHSHA224 \
+-				 | DRBG_HASHSHA256 | DRBG_HASHSHA384 \
+-				 | DRBG_HASHSHA512)
+				 | DRBG_HASHSHA256 | DRBG_HASHSHA512)
+ /* type modifiers (A.3)*/
+ #define DRBG_HMAC		((u32)1<<12)
+ #define DRBG_SYM128		((u32)1<<13)
+@@ -211,23 +209,18 @@
+ #define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256)
+ #define DRBG_PR_HASHSHA1     (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1)
+ #define DRBG_PR_HASHSHA256   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256)
+-#define DRBG_PR_HASHSHA384   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384)
+ #define DRBG_PR_HASHSHA512   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512)
+ #define DRBG_NOPR_HASHSHA1   (DRBG_HASHSHA1)
+ #define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256)
+-#define DRBG_NOPR_HASHSHA384 (DRBG_HASHSHA384)
+ #define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512)
+ #define DRBG_PR_HMACSHA1     (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \
+                               | DRBG_HMAC)
+ #define DRBG_PR_HMACSHA256   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \
+                               | DRBG_HMAC)
+-#define DRBG_PR_HMACSHA384   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384 \
+-                              | DRBG_HMAC)
+ #define DRBG_PR_HMACSHA512   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \
+                               | DRBG_HMAC)
+ #define DRBG_NOPR_HMACSHA1   (DRBG_HASHSHA1 | DRBG_HMAC)
+ #define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC)
+-#define DRBG_NOPR_HMACSHA384 (DRBG_HASHSHA384 | DRBG_HMAC)
+ #define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC)
+ 
+ 
+@@ -359,12 +352,10 @@ static const struct drbg_core_s drbg_cores[] = {
+   /* Hash DRBGs */
+   {DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},
+   {DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},
+-  {DRBG_HASHSHA384, 111, 48, GCRY_MD_SHA384},
+   {DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},
+   /* HMAC DRBGs */
+   {DRBG_HASHSHA1   | DRBG_HMAC, 20, 20, GCRY_MD_SHA1},
+   {DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256},
+-  {DRBG_HASHSHA384 | DRBG_HMAC, 48, 48, GCRY_MD_SHA384},
+   {DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512},
+   /* block ciphers */
+   {DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},
+@@ -543,7 +534,7 @@ drbg_sec_strength (u32 flags)
+   else if (flags & DRBG_SYM192)
+     return 24;
+   else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) ||
+-	   (flags & DRBG_HASHSHA384) || (flags & DRBG_HASHSHA512))
+	   (flags & DRBG_HASHSHA512))
+     return 32;
+   else
+     return 32;
+-- 
+2.39.2
+
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -58,6 +58,8 @@ Patch17: libgcrypt-1.10.0-fips-indicator-md-hmac.patch
 Patch18: libgcrypt-1.10.0-fips-pct.patch
 # https://dev.gnupg.org/T6396
 Patch19: libgcrypt-1.10.0-fips-status-sign-verify.patch
+# https://dev.gnupg.org/T6393
+Patch20: libgcrypt-1.10.0-fips-drbg.patch

 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@ -110,6 +112,7 @@ applications using libgcrypt.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1

 %build
 # This package has a configure test which uses ASMs, but does not link the