From 5fda6cb2b09fe3c7fa9f9d13ede1b8c248661c02 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 4 Oct 2022 12:58:52 +0200
Subject: [PATCH] Properly enforce limits to the KDF input and output in FIPS mode

Resolves: rhbz#2130275
---
 libgcrypt-1.10.0-fips-kdf.patch | 120 ++++++++++++++++++++++++++++++++
 libgcrypt.spec | 3 +
 2 files changed, 123 insertions(+)
 create mode 100644 libgcrypt-1.10.0-fips-kdf.patch

diff --git a/libgcrypt-1.10.0-fips-kdf.patch b/libgcrypt-1.10.0-fips-kdf.patch
new file mode 100644
index 0000000..de2a161
--- /dev/null
+++ b/libgcrypt-1.10.0-fips-kdf.patch
@@ -0,0 +1,120 @@
+From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka
+Date: Tue, 27 Sep 2022 13:26:16 +0900
+Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode.
+
+* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
+
+--
+
+GnuPG-bug-id: 6039
+Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
+Signed-off-by: NIIBE Yutaka
+---
+ cipher/kdf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cipher/kdf.c b/cipher/kdf.c
+index 3e51e115..81523320 100644
+--- a/cipher/kdf.c
++++ b/cipher/kdf.c
+@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
+ return GPG_ERR_INV_VALUE;
+ #endif
+
++ /* HMAC requires longer input for approved use case. */
++ if (fips_mode () && passphraselen < 14)
++ return GPG_ERR_INV_VALUE;
+
+ /* Step 2 */
+ l = ((dklen - 1)/ hlen) + 1;
+--
+2.37.3
+
+From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001
+From: Tobias Heider
+Date: Tue, 27 Sep 2022 13:31:05 +0900
+Subject: [PATCH] kdf:pkdf2: Check minimum allowed key size when running in
+ FIPS mode.
+
+* cipher/kdf.c (_gcry_kdf_pkdf2): Add output length check.
+
+--
+
+GnuPG-bug-id: 6219
+---
+ cipher/kdf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cipher/kdf.c b/cipher/kdf.c
+index 81523320..67c60df8 100644
+--- a/cipher/kdf.c
++++ b/cipher/kdf.c
+@@ -160,6 +160,10 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
+ return GPG_ERR_INV_VALUE;
+ #endif
+
++ /* Check minimum key size */
++ if (fips_mode () && dklen < 14)
++ return GPG_ERR_INV_VALUE;
++
+ /* HMAC requires longer input for approved use case. */
+ if (fips_mode () && passphraselen < 14)
+ return GPG_ERR_INV_VALUE;
+--
+2.37.3
+From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 4 Oct 2022 12:44:54 +0200
+Subject: [PATCH] tests: Reproducer for short dklen in FIPS mode
+
+* tests/t-kdf.c (check_pbkdf2): Add test vector with short dklen and
+ verify it fails in FIPS mode
+--
+
+GnuPG-bug-id: 6219
+Signed-off-by: Jakub Jelen
+---
+ tests/t-kdf.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/tests/t-kdf.c b/tests/t-kdf.c
+index c0192d7b..716fb53e 100644
+--- a/tests/t-kdf.c
++++ b/tests/t-kdf.c
+@@ -909,6 +909,14 @@ check_pbkdf2 (void)
+ "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9"
+ "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6"
+ },
++ {
++ "password", 8,
++ "salt", 4,
++ GCRY_MD_SHA1,
++ 1,
++ 10, /* too short dklen for FIPS */
++ "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9"
++ },
+ {
+ "password", 8,
+ "salt", 4,
+@@ -1109,7 +1117,7 @@ check_pbkdf2 (void)
+ GCRY_KDF_PBKDF2, tv[tvidx].hashalgo,
+ tv[tvidx].salt, tv[tvidx].saltlen,
+ tv[tvidx].c, tv[tvidx].dklen, outbuf);
+- if (in_fips_mode && tvidx > 6)
++ if (in_fips_mode && tvidx > 7)
+ {
+ if (!err)
+ fail ("pbkdf2 test %d unexpectedly passed in FIPS mode: %s\n",
+@@ -1118,7 +1126,7 @@ check_pbkdf2 (void)
+ }
+ if (err)
+ {
+- if (in_fips_mode && tv[tvidx].plen < 14)
++ if (in_fips_mode && (tv[tvidx].plen < 14 || tv[tvidx].dklen < 14))
+ {
+ if (verbose)
+ fprintf (stderr,
+--
+2.37.3
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 20c1c73..b51128d 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -35,6 +35,8 @@ Patch8: libgcrypt-1.10.0-fips-disable-oaep.patch
 Patch9: libgcrypt-1.10.0-sha3-large.patch
 # https://dev.gnupg.org/T5919
 Patch10: libgcrypt-1.10.0-fips-keygen.patch
+# https://dev.gnupg.org/T6219
+Patch11: libgcrypt-1.10.0-fips-kdf.patch
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
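Review bot: The new short-dklen vector at index 7 in the embedded t-kdf.c hunk is only tolerated when it fails, not required to fail: the `tvidx > 6` → `tvidx > 7` change at the @@ -1109 hunk keeps index 7 out of the branch that calls fail() on an unexpected success in FIPS mode, so if the `dklen < 14` guard in kdf.c regressed, this reproducer would still pass (the later `dklen < 14` branch only excuses an error, it never demands one). Making the expectation explicit, e.g. `if (in_fips_mode && (tvidx > 7 || tv[tvidx].dklen < 14))`, lets the test actually detect a missing output-length check. Both kdf.c guards also compare against a bare `14`, presumably the 112-bit minimum security strength; a comment such as `/* 14 bytes = 112 bits, minimum strength for approved use */` on each, or one shared constant, would keep the input and output limits from drifting apart. check_pbkdf2's body begins and ends outside the hunk, so what follows the fail() call is not visible here.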
@@ -80,6 +82,7 @@ applications using libgcrypt.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 %build
 # This package has a configure test which uses ASMs, but does not link the