import libgcrypt-1.10.0-7.el9_0

2022-11-16 05:06:06 -05:00 · 2022-11-16 05:06:06 -05:00 · 3a05836646
commit 3a05836646
parent 36be1868d6
3 changed files with 37 additions and 34 deletions
--- a/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch
+++ b/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch
@ -48,30 +48,4 @@ index c98247d8..aee5bffb 100644
 
 -- 
 2.37.1
-commit 02718ade6ab5eee38169c2102097166770a2456d
-Author: Jakub Jelen <jjelen@redhat.com>
-Date:   Thu Oct 20 16:33:11 2022 +0200

-    visiblity: Check the HMAC key length in FIPS mode
-    
-    ---
-    * src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS
-      mode also in the md_ API.
-    
-    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-
-diff --git a/src/visibility.c b/src/visibility.c
-index 150b197d..73db3dea 100644
--- a/src/visibility.c
-+++ b/src/visibility.c
-@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen)
- {
-   if (!fips_is_operational ())
-     return gpg_error (fips_not_operational ());
-+
-+  if (fips_mode () && keylen < 14)
-+    return GPG_ERR_INV_VALUE;
-+
-   return gpg_error (_gcry_md_setkey (hd, key, keylen));
- }
- 
--- a/SOURCES/libgcrypt-1.10.0-fips-kdf.patch
+++ b/SOURCES/libgcrypt-1.10.0-fips-kdf.patch
@ -1,3 +1,36 @@
+From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 27 Sep 2022 13:26:16 +0900
+Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode.
+
+* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
+
+--
+
+GnuPG-bug-id: 6039
+Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/kdf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cipher/kdf.c b/cipher/kdf.c
+index 3e51e115..81523320 100644
+--- a/cipher/kdf.c
+++ b/cipher/kdf.c
+@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
+     return GPG_ERR_INV_VALUE;
+ #endif
+ 
+  /* HMAC requires longer input for approved use case.  */
+  if (fips_mode () && passphraselen < 14)
+    return GPG_ERR_INV_VALUE;
+ 
+   /* Step 2 */
+   l = ((dklen - 1)/ hlen) + 1;
+-- 
+2.37.3
+
 From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001
 From: Tobias Heider <tobias.heider@canonical.com>
 Date: Tue, 27 Sep 2022 13:31:05 +0900
@ -25,9 +58,9 @@ index 81523320..67c60df8 100644
 +  if (fips_mode () && dklen < 14)
 +    return GPG_ERR_INV_VALUE;
 +
- 
-   /* Step 2 */
-   l = ((dklen - 1)/ hlen) + 1;
+   /* HMAC requires longer input for approved use case.  */
+   if (fips_mode () && passphraselen < 14)
+     return GPG_ERR_INV_VALUE;
 -- 
 2.37.3
 From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001
--- a/SPECS/libgcrypt.spec
+++ b/SPECS/libgcrypt.spec
@ -16,7 +16,7 @@ print(string.sub(hash, 0, 16))

 Name: libgcrypt
 Version: 1.10.0
-Release: 8%{?dist}
+Release: 7%{?dist}
 URL: https://www.gnupg.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
 Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
@ -197,10 +197,6 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
 %license COPYING

 %changelog
-* Thu Oct 20 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-8
- Fix unneeded PBKDF2 passphrase length limitation in FIPS mode
- Enforce HMAC key lengths in MD API in FIPS mode
-
 * Thu Oct 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-7
 - Properly enforce KDF limits in FIPS mode (#2130275)
 - Fix memory leak in large digest test (#2129150)