From 3a0583664664b07cbd8720e0a5fd4d927d679cb2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 16 Nov 2022 05:06:06 -0500 Subject: [PATCH] import libgcrypt-1.10.0-7.el9_0 --- .../libgcrypt-1.10.0-allow-short-salt.patch | 26 ------------- SOURCES/libgcrypt-1.10.0-fips-kdf.patch | 39 +++++++++++++++++-- SPECS/libgcrypt.spec | 6 +-- 3 files changed, 37 insertions(+), 34 deletions(-) diff --git a/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch b/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch index 6800cf6..46054cf 100644 --- a/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch +++ b/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch @@ -48,30 +48,4 @@ index c98247d8..aee5bffb 100644 -- 2.37.1 -commit 02718ade6ab5eee38169c2102097166770a2456d -Author: Jakub Jelen -Date: Thu Oct 20 16:33:11 2022 +0200 - visiblity: Check the HMAC key length in FIPS mode - - --- - * src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS - mode also in the md_ API. - - Signed-off-by: Jakub Jelen - -diff --git a/src/visibility.c b/src/visibility.c -index 150b197d..73db3dea 100644 ---- a/src/visibility.c -+++ b/src/visibility.c -@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen) - { - if (!fips_is_operational ()) - return gpg_error (fips_not_operational ()); -+ -+ if (fips_mode () && keylen < 14) -+ return GPG_ERR_INV_VALUE; -+ - return gpg_error (_gcry_md_setkey (hd, key, keylen)); - } - diff --git a/SOURCES/libgcrypt-1.10.0-fips-kdf.patch b/SOURCES/libgcrypt-1.10.0-fips-kdf.patch index 955847e..de2a161 100644 --- a/SOURCES/libgcrypt-1.10.0-fips-kdf.patch +++ b/SOURCES/libgcrypt-1.10.0-fips-kdf.patch @@ -1,3 +1,36 @@ +From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Tue, 27 Sep 2022 13:26:16 +0900 +Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode. + +* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check. + +-- + +GnuPG-bug-id: 6039 +Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb +Signed-off-by: NIIBE Yutaka +--- + cipher/kdf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/cipher/kdf.c b/cipher/kdf.c +index 3e51e115..81523320 100644 +--- a/cipher/kdf.c ++++ b/cipher/kdf.c +@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, + return GPG_ERR_INV_VALUE; + #endif + ++ /* HMAC requires longer input for approved use case. */ ++ if (fips_mode () && passphraselen < 14) ++ return GPG_ERR_INV_VALUE; + + /* Step 2 */ + l = ((dklen - 1)/ hlen) + 1; +-- +2.37.3 + From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001 From: Tobias Heider Date: Tue, 27 Sep 2022 13:31:05 +0900 @@ -25,9 +58,9 @@ index 81523320..67c60df8 100644 + if (fips_mode () && dklen < 14) + return GPG_ERR_INV_VALUE; + - - /* Step 2 */ - l = ((dklen - 1)/ hlen) + 1; + /* HMAC requires longer input for approved use case. */ + if (fips_mode () && passphraselen < 14) + return GPG_ERR_INV_VALUE; -- 2.37.3 From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001 diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec index a7a91e9..a9297bb 100644 --- a/SPECS/libgcrypt.spec +++ b/SPECS/libgcrypt.spec @@ -16,7 +16,7 @@ print(string.sub(hash, 0, 16)) Name: libgcrypt Version: 1.10.0 -Release: 8%{?dist} +Release: 7%{?dist} URL: https://www.gnupg.org/ Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig @@ -197,10 +197,6 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt %license COPYING %changelog -* Thu Oct 20 2022 Jakub Jelen - 1.10.0-8 -- Fix unneeded PBKDF2 passphrase length limitation in FIPS mode -- Enforce HMAC key lengths in MD API in FIPS mode - * Thu Oct 06 2022 Jakub Jelen - 1.10.0-7 - Properly enforce KDF limits in FIPS mode (#2130275) - Fix memory leak in large digest test (#2129150)