import libgcrypt-1.10.0-7.el9_0

This commit is contained in:
CentOS Sources 2022-11-16 05:06:06 -05:00 committed by Stepan Oksanichenko
parent 36be1868d6
commit 3a05836646
3 changed files with 37 additions and 34 deletions

View File

@ -48,30 +48,4 @@ index c98247d8..aee5bffb 100644
-- --
2.37.1 2.37.1
commit 02718ade6ab5eee38169c2102097166770a2456d
Author: Jakub Jelen <jjelen@redhat.com>
Date: Thu Oct 20 16:33:11 2022 +0200
visiblity: Check the HMAC key length in FIPS mode
---
* src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS
mode also in the md_ API.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/src/visibility.c b/src/visibility.c
index 150b197d..73db3dea 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen)
{
if (!fips_is_operational ())
return gpg_error (fips_not_operational ());
+
+ if (fips_mode () && keylen < 14)
+ return GPG_ERR_INV_VALUE;
+
return gpg_error (_gcry_md_setkey (hd, key, keylen));
}

View File

@ -1,3 +1,36 @@
From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Tue, 27 Sep 2022 13:26:16 +0900
Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode.
* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
--
GnuPG-bug-id: 6039
Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/kdf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 3e51e115..81523320 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
return GPG_ERR_INV_VALUE;
#endif
+ /* HMAC requires longer input for approved use case. */
+ if (fips_mode () && passphraselen < 14)
+ return GPG_ERR_INV_VALUE;
/* Step 2 */
l = ((dklen - 1)/ hlen) + 1;
--
2.37.3
From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001 From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com> From: Tobias Heider <tobias.heider@canonical.com>
Date: Tue, 27 Sep 2022 13:31:05 +0900 Date: Tue, 27 Sep 2022 13:31:05 +0900
@ -25,9 +58,9 @@ index 81523320..67c60df8 100644
+ if (fips_mode () && dklen < 14) + if (fips_mode () && dklen < 14)
+ return GPG_ERR_INV_VALUE; + return GPG_ERR_INV_VALUE;
+ +
/* HMAC requires longer input for approved use case. */
/* Step 2 */ if (fips_mode () && passphraselen < 14)
l = ((dklen - 1)/ hlen) + 1; return GPG_ERR_INV_VALUE;
-- --
2.37.3 2.37.3
From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001 From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001

View File

@ -16,7 +16,7 @@ print(string.sub(hash, 0, 16))
Name: libgcrypt Name: libgcrypt
Version: 1.10.0 Version: 1.10.0
Release: 8%{?dist} Release: 7%{?dist}
URL: https://www.gnupg.org/ URL: https://www.gnupg.org/
Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
@ -197,10 +197,6 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
%license COPYING %license COPYING
%changelog %changelog
* Thu Oct 20 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-8
- Fix unneeded PBKDF2 passphrase length limitation in FIPS mode
- Enforce HMAC key lengths in MD API in FIPS mode
* Thu Oct 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-7 * Thu Oct 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-7
- Properly enforce KDF limits in FIPS mode (#2130275) - Properly enforce KDF limits in FIPS mode (#2130275)
- Fix memory leak in large digest test (#2129150) - Fix memory leak in large digest test (#2129150)