rpms/libgcrypt
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Check FIPS status during sign/verify_md

Browse Source 
Resolves: rhbz#2176145
This commit is contained in:
Jakub Jelen 2023-03-07 09:15:25 +01:00
parent 80b16e463d
commit 828a5f801b
2 changed files with 49 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
libgcrypt-1.10.0-fips-status-sign-verify.patch Normal file
View File

@ -0,0 +1,46 @@
From 654d0dfa04993ebe28c0536d42f4bc6d87c28369 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2023 17:14:00 +0100
Subject: [PATCH] visibility: Check FIPS operational status for MD+Sign
operation.
* src/visibility.c (gcry_pk_hash_sign): Check fips status before
calling the operation itself.
(gcry_pk_hash_verify): Ditto.
--
GnuPG-bug-id: 6396
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/visibility.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/visibility.c b/src/visibility.c
index 73db3dea..1f17e147 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1050,6 +1050,11 @@ gcry_error_t
gcry_pk_hash_sign (gcry_sexp_t *result, const char *data_tmpl, gcry_sexp_t skey,
gcry_md_hd_t hd, gcry_ctx_t ctx)
{
+ if (!fips_is_operational ())
+ {
+ *result = NULL;
+ return gpg_error (fips_not_operational ());
+ }
return gpg_error (_gcry_pk_sign_md (result, data_tmpl, hd, skey, ctx));
}
@@ -1065,6 +1070,8 @@ gcry_error_t
gcry_pk_hash_verify (gcry_sexp_t sigval, const char *data_tmpl, gcry_sexp_t pkey,
gcry_md_hd_t hd, gcry_ctx_t ctx)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
return gpg_error (_gcry_pk_verify_md (sigval, data_tmpl, hd, pkey, ctx));
}
--
2.39.2

3
libgcrypt.spec
View File

@ -56,6 +56,8 @@ Patch17: libgcrypt-1.10.0-fips-indicator-md-hmac.patch
# https://dev.gnupg.org/T6394 # https://dev.gnupg.org/T6394
# https://dev.gnupg.org/T6397 # https://dev.gnupg.org/T6397
Patch18: libgcrypt-1.10.0-fips-pct.patch Patch18: libgcrypt-1.10.0-fips-pct.patch
# https://dev.gnupg.org/T6396
Patch19: libgcrypt-1.10.0-fips-status-sign-verify.patch
%global gcrylibdir %{_libdir} %global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20 %global gcrysoname libgcrypt.so.20
@ -107,6 +109,7 @@ applications using libgcrypt.
%patch16 -p1 %patch16 -p1
%patch17 -p1 %patch17 -p1
%patch18 -p1 %patch18 -p1
%patch19 -p1
%build %build
# This package has a configure test which uses ASMs, but does not link the # This package has a configure test which uses ASMs, but does not link the