import CS libgcrypt-1.10.0-11.el9

eabdullin 2024-09-30 15:51:34 +00:00
parent c45d41ea55
commit bc9f28c134
14 changed files with 5570 additions and 1 deletions

1
.gitignore vendored

@ -1 +1,2 @@
SOURCES/libgcrypt-1.10.0.tar.bz2
SOURCES/libgcrypt-1.10.0.tar.bz2.sig


@ -1 +1,2 @@
363feb8187f6c59b6b10721af6a94558db8ec3af SOURCES/libgcrypt-1.10.0.tar.bz2
061e31906b3f2647ddd30fb60777d66165b70205 SOURCES/libgcrypt-1.10.0.tar.bz2.sig


@ -0,0 +1,85 @@
From 45b80678109e5817b7cd15566a9d6c96b064b95f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2023 15:39:15 +0100
Subject: [PATCH] random: Remove unused SHA384 DRBGs.
* random/random-drbg.c (global): Remove unused SHA384-based defines.
(drbg_cores): Remove SHA384 configurations.
(drbg_sec_strength): Remove unused SHA384.
--
These are no longer allowed by FIPS and it looks like they were never
usable as they do not have any conversion from the string flags.
GnuPG-bug-id: 6393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
random/random-drbg.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/random/random-drbg.c b/random/random-drbg.c
index f1cfe286..af49a5a5 100644
--- a/random/random-drbg.c
+++ b/random/random-drbg.c
@@ -188,11 +188,9 @@
#define DRBG_HASHSHA1 ((u32)1<<4)
#define DRBG_HASHSHA224 ((u32)1<<5)
#define DRBG_HASHSHA256 ((u32)1<<6)
-#define DRBG_HASHSHA384 ((u32)1<<7)
#define DRBG_HASHSHA512 ((u32)1<<8)
#define DRBG_HASH_MASK (DRBG_HASHSHA1 | DRBG_HASHSHA224 \
- | DRBG_HASHSHA256 | DRBG_HASHSHA384 \
- | DRBG_HASHSHA512)
+ | DRBG_HASHSHA256 | DRBG_HASHSHA512)
/* type modifiers (A.3)*/
#define DRBG_HMAC ((u32)1<<12)
#define DRBG_SYM128 ((u32)1<<13)
@@ -211,23 +209,18 @@
#define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256)
#define DRBG_PR_HASHSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1)
#define DRBG_PR_HASHSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256)
-#define DRBG_PR_HASHSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384)
#define DRBG_PR_HASHSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512)
#define DRBG_NOPR_HASHSHA1 (DRBG_HASHSHA1)
#define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256)
-#define DRBG_NOPR_HASHSHA384 (DRBG_HASHSHA384)
#define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512)
#define DRBG_PR_HMACSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \
| DRBG_HMAC)
#define DRBG_PR_HMACSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \
| DRBG_HMAC)
-#define DRBG_PR_HMACSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384 \
- | DRBG_HMAC)
#define DRBG_PR_HMACSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \
| DRBG_HMAC)
#define DRBG_NOPR_HMACSHA1 (DRBG_HASHSHA1 | DRBG_HMAC)
#define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC)
-#define DRBG_NOPR_HMACSHA384 (DRBG_HASHSHA384 | DRBG_HMAC)
#define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC)
@@ -359,12 +352,10 @@ static const struct drbg_core_s drbg_cores[] = {
/* Hash DRBGs */
{DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},
{DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},
- {DRBG_HASHSHA384, 111, 48, GCRY_MD_SHA384},
{DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},
/* HMAC DRBGs */
{DRBG_HASHSHA1 | DRBG_HMAC, 20, 20, GCRY_MD_SHA1},
{DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256},
- {DRBG_HASHSHA384 | DRBG_HMAC, 48, 48, GCRY_MD_SHA384},
{DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512},
/* block ciphers */
{DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},
@@ -543,7 +534,7 @@ drbg_sec_strength (u32 flags)
else if (flags & DRBG_SYM192)
return 24;
else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) ||
- (flags & DRBG_HASHSHA384) || (flags & DRBG_HASHSHA512))
+ (flags & DRBG_HASHSHA512))
return 32;
else
return 32;
--
2.39.2
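Review bot: In the `drbg_sec_strength` hunk the edited condition still has no effect on the result, because the trailing `else return 32;` returns the same value as the branch above it. As far as the visible lines show, a flags word with none of the known type bits set, which now includes the retired bit 7, is therefore reported at the highest strength instead of being rejected. Consider either collapsing the two branches with a comment such as `/* all remaining types provide 256 bits */` or making the fallback an explicit error if callers can tolerate it. The start of the function is outside the hunk, so how the earlier branches and the callers treat such a value should be confirmed first.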


@ -0,0 +1,277 @@
From fd832687f36c1885d2388c55f7e8569184ba2593 Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com>
Date: Thu, 16 Feb 2023 03:20:48 +0100
Subject: [PATCH] fips: Add explicit indicators for md and mac algorithms
* src/fips.c (_gcry_fips_indicator_mac): New function indicating
non-approved mac algorithms
(_gcry_fips_indicator_md): new functions indicating non-approved
message digest algorithms
* src/g10lib.h (_gcry_fips_indicator_mac): new function
(_gcry_fips_indicator_md): ditto
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
GCRYCTL_FIPS_SERVICE_INDICATOR_MD
* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.
* doc/gcrypt.texi: Document the new option.
--
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
---
doc/gcrypt.texi | 13 +++++++++++++
src/fips.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
src/g10lib.h | 2 ++
src/gcrypt.h.in | 4 +++-
src/global.c | 14 ++++++++++++++
5 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index e44c2f2e..462c5931 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -992,6 +992,19 @@ certification. If the function is approved, this function returns
@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
+
+Check if the given MAC is approved under the current FIPS 140-3
+certification. If the MAC is approved, this function returns
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+is returned.
+
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
+
+Check if the given message digest algorithm is approved under the current
+FIPS 140-3 certification. If the algorithm is approved, this function returns
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+
@end table
@end deftypefun
diff --git a/src/fips.c b/src/fips.c
index 272aabae..8b3b3f04 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -377,6 +377,57 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
}
}
+int
+_gcry_fips_indicator_mac (va_list arg_ptr)
+{
+ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+
+ switch (alg)
+ {
+ case GCRY_MAC_CMAC_AES:
+ case GCRY_MAC_HMAC_SHA1:
+ case GCRY_MAC_HMAC_SHA224:
+ case GCRY_MAC_HMAC_SHA256:
+ case GCRY_MAC_HMAC_SHA384:
+ case GCRY_MAC_HMAC_SHA512:
+ case GCRY_MAC_HMAC_SHA512_224:
+ case GCRY_MAC_HMAC_SHA512_256:
+ case GCRY_MAC_HMAC_SHA3_224:
+ case GCRY_MAC_HMAC_SHA3_256:
+ case GCRY_MAC_HMAC_SHA3_384:
+ case GCRY_MAC_HMAC_SHA3_512:
+ return GPG_ERR_NO_ERROR;
+ default:
+ return GPG_ERR_NOT_SUPPORTED;
+ }
+}
+
+int
+_gcry_fips_indicator_md (va_list arg_ptr)
+{
+ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
+
+ switch (alg)
+ {
+ case GCRY_MD_SHA1:
+ case GCRY_MD_SHA224:
+ case GCRY_MD_SHA256:
+ case GCRY_MD_SHA384:
+ case GCRY_MD_SHA512:
+ case GCRY_MD_SHA512_224:
+ case GCRY_MD_SHA512_256:
+ case GCRY_MD_SHA3_224:
+ case GCRY_MD_SHA3_256:
+ case GCRY_MD_SHA3_384:
+ case GCRY_MD_SHA3_512:
+ case GCRY_MD_SHAKE128:
+ case GCRY_MD_SHAKE256:
+ return GPG_ERR_NO_ERROR;
+ default:
+ return GPG_ERR_NOT_SUPPORTED;
+ }
+}
+
int
_gcry_fips_indicator_kdf (va_list arg_ptr)
{
diff --git a/src/g10lib.h b/src/g10lib.h
index 6be0ab21..86337eed 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -467,6 +467,8 @@ void _gcry_fips_signal_error (const char *srcfile,
#endif
int _gcry_fips_indicator_cipher (va_list arg_ptr);
+int _gcry_fips_indicator_mac (va_list arg_ptr);
+int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr);
int _gcry_fips_indicator_function (va_list arg_ptr);
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index aba22bfc..54080d46 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -330,7 +330,9 @@ enum gcry_ctl_cmds
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
GCRYCTL_NO_FIPS_MODE = 83,
- GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84
+ GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86
};
/* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index debf6194..d16d3709 100644
--- a/src/global.c
+++ b/src/global.c
@@ -791,6 +791,20 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
rc = _gcry_fips_indicator_cipher (arg_ptr);
break;
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+ /* Get FIPS Service Indicator for a given message authentication code.
+ * Returns GPG_ERR_NO_ERROR if algorithm is allowed or
+ * GPG_ERR_NOT_SUPPORTED otherwise */
+ rc = _gcry_fips_indicator_mac (arg_ptr);
+ break;
+
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MD:
+ /* Get FIPS Service Indicator for a given message digest. Returns
+ * GPG_ERR_NO_ERROR if algorithm is allowed or GPG_ERR_NOT_SUPPORTED
+ * otherwise */
+ rc = _gcry_fips_indicator_md (arg_ptr);
+ break;
+
case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
/* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
* if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
--
2.39.2
From 2d193a955d05b4b9caed2895cf25600add3484da Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com>
Date: Thu, 16 Feb 2023 03:21:26 +0100
Subject: [PATCH] fips: Unblock MD5 in fips mode but mark non-approved in
indicator.
* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): allow in fips mode
* cipher/md5.c (_gcry_digest_spec_md5): allow in fips mode
--
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
---
cipher/mac-hmac.c | 2 +-
cipher/md5.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cipher/mac-hmac.c b/cipher/mac-hmac.c
index f1ab568b..9fac77dc 100644
--- a/cipher/mac-hmac.c
+++ b/cipher/mac-hmac.c
@@ -1413,7 +1413,7 @@ const gcry_mac_spec_t _gcry_mac_type_spec_hmac_tiger1 = {
#endif
#if USE_MD5
const gcry_mac_spec_t _gcry_mac_type_spec_hmac_md5 = {
- GCRY_MAC_HMAC_MD5, {0, 0}, "HMAC_MD5",
+ GCRY_MAC_HMAC_MD5, {0, 1}, "HMAC_MD5",
&hmac_ops
};
#endif
diff --git a/cipher/md5.c b/cipher/md5.c
index 5457fc38..744a2cc1 100644
--- a/cipher/md5.c
+++ b/cipher/md5.c
@@ -314,7 +314,7 @@ static const gcry_md_oid_spec_t oid_spec_md5[] =
const gcry_md_spec_t _gcry_digest_spec_md5 =
{
- GCRY_MD_MD5, {0, 0},
+ GCRY_MD_MD5, {0, 1},
"MD5", asn, DIM (asn), oid_spec_md5, 16,
md5_init, _gcry_md_block_write, md5_final, md5_read, NULL,
NULL,
--
2.39.2
From f52f33389da3302f51b6b00451cf9fc7e7a7e277 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Mar 2023 17:26:17 +0100
Subject: [PATCH] tests: Improve test coverage for FIPS service indicators
* tests/basic.c (check_digests): Check the FIPS indicators
(check_mac): Ditto.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/basic.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/tests/basic.c b/tests/basic.c
index 095bdc97..5d5ceac9 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -14086,6 +14086,7 @@ check_mac (void)
"\x13\x46\x76\xfb\x6d\xe0\x44\x60\x65\xc9\x74\x40\xfa\x8c\x6a\x58" },
{ 0 },
};
+ gcry_error_t err;
int i;
if (verbose)
@@ -15370,6 +15370,12 @@ check_digests (void)
{
if (in_fips_mode)
{
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, algos[i].md);
+ if (err == GPG_ERR_NO_ERROR)
+ {
+ fail ("algo %d, gcry_md_test_algo failed while it should"
+ " have worked in FIPS mode\n", algos[i].md);
+ }
if (verbose)
fprintf (stderr, " algorithm %d not available in fips mode\n",
algos[i].md);
@@ -16948,6 +16954,7 @@ check_mac (void)
#endif /* USE_GOST28147 */
{ 0 },
};
+ gcry_error_t err;
int i;
if (verbose)
@@ -16961,6 +16968,12 @@ check_mac (void)
{
if (in_fips_mode)
{
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MAC, algos[i].algo);
+ if (err == GPG_ERR_NO_ERROR)
+ {
+ fail ("algo %d, gcry_mac_test_algo failed while it should"
+ " have worked in FIPS mode\n", algos[i].algo);
+ }
if (verbose)
fprintf (stderr, " algorithm %d not available in fips mode\n",
algos[i].algo);
--
2.39.2
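Review bot: The spec changes in cipher/md5.c and cipher/mac-hmac.c flip the flags from `{0, 0}` to `{0, 1}` with no comment, so nothing at the definition says that MD5 and HMAC-MD5 are now usable in FIPS mode while remaining non-approved. Code that treated a failing open call as its FIPS enforcement now has to query `GCRYCTL_FIPS_SERVICE_INDICATOR_MD` or `GCRYCTL_FIPS_SERVICE_INDICATOR_MAC`, which deserves a comment on each spec, for example `/* Enabled in FIPS mode but NOT approved; see _gcry_fips_indicator_md. */`. The new assertions in tests/basic.c sit in the branch that prints "not available in fips mode", so MD5 presumably never reaches them once it is available; a direct check that the indicator returns `GPG_ERR_NOT_SUPPORTED` for `GCRY_MD_MD5` and `GCRY_MAC_HMAC_MD5` would cover the new state. The enclosing conditions in check_digests and check_mac are outside the hunks.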


@ -0,0 +1,277 @@
From 0c0268177666f6ce53c0a61e86c1c5bd2c53c0b0 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Mar 2023 15:57:40 +0100
Subject: [PATCH] fips: Explicitly allow only some PK flags
* src/fips.c (_gcry_fips_indicator_pk_flags): New function for explicit
FIPS indicator for public key algorithm flags
* src/g10lib.h (_gcry_fips_indicator_pk_flags): New.
* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS): New.
* src/global.c (_gcry_vcontrol): Handle the new option.
* doc/gcrypt.texi: Document new options.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
doc/gcrypt.texi | 6 ++++++
src/fips.c | 15 +++++++++++++++
src/g10lib.h | 1 +
src/gcrypt.h.in | 3 ++-
src/global.c | 7 +++++++
5 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 462c5931..750b6718 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -1005,6 +1005,12 @@ Check if the given message digest algorithm is approved under the current
FIPS 140-3 certification. If the algorithm is approved, this function returns
@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
+
+Check if the given public key operation flag is approved under the current
+FIPS 140-3 certification. If the flag is approved, this function returns
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+
@end table
@end deftypefun
diff --git a/src/fips.c b/src/fips.c
index 974ed833..cb547aa2 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -457,6 +457,21 @@ _gcry_fips_indicator_function (va_list arg_ptr)
}
+int
+_gcry_fips_indicator_pk_flags (va_list arg_ptr)
+{
+ const char *flag = va_arg (arg_ptr, const char *);
+
+ if (strcmp (flag, "param") == 0 ||
+ strcmp (flag, "raw") == 0 ||
+ strcmp (flag, "no-blinding") == 0 ||
+ strcmp (flag, "pss") == 0)
+ return GPG_ERR_NO_ERROR;
+
+ return GPG_ERR_NOT_SUPPORTED;
+}
+
+
/* This is a test on whether the library is in the error or
operational state. */
int
diff --git a/src/g10lib.h b/src/g10lib.h
index 86337eed..acff2d6b 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -471,6 +471,7 @@ int _gcry_fips_indicator_mac (va_list arg_ptr);
int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr);
int _gcry_fips_indicator_function (va_list arg_ptr);
+int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
int _gcry_fips_is_operational (void);
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 54080d46..121a2061 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -332,7 +332,8 @@ enum gcry_ctl_cmds
GCRYCTL_NO_FIPS_MODE = 83,
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
- GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
};
/* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index d16d3709..f39df422 100644
--- a/src/global.c
+++ b/src/global.c
@@ -818,6 +818,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
rc = _gcry_fips_indicator_function (arg_ptr);
break;
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS:
+ /* Get FIPS Service Indicator for a public key operation flags.
+ * Returns GPG_ERR_NO_ERROR if the flag is allowed to be used or
+ * GPG_ERR_NOT_SUPPORTED otherwise */
+ rc = _gcry_fips_indicator_pk_flags (arg_ptr);
+ break;
+
case PRIV_CTL_INIT_EXTRNG_TEST: /* Init external random test. */
rc = GPG_ERR_NOT_SUPPORTED;
break;
--
2.39.2
From 22a40df4c0210a671b331932a434f70b50354873 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Mar 2023 16:05:07 +0100
Subject: [PATCH] fips: Explicitly disable overriding random in FIPS mode
* src/fips.c: (_gcry_fips_indicator_function): Mark using random
override non-approved in FIPS mode.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/fips.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/fips.c b/src/fips.c
index cb547aa2..a7342030 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -450,7 +450,8 @@ _gcry_fips_indicator_function (va_list arg_ptr)
if (strcmp (function, "gcry_pk_sign") == 0 ||
strcmp (function, "gcry_pk_verify") == 0 ||
strcmp (function, "gcry_pk_encrypt") == 0 ||
- strcmp (function, "gcry_pk_decrypt") == 0)
+ strcmp (function, "gcry_pk_decrypt") == 0 ||
+ strcmp (function, "gcry_pk_random_override_new") == 0)
return GPG_ERR_NOT_SUPPORTED;
return GPG_ERR_NO_ERROR;
--
2.39.2
From 1c916b8c99ea0e30f1d81d606fd63b0c45657186 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 24 Mar 2023 13:12:56 +0900
Subject: [PATCH] fips: More elaborate way of getting FIPS pk flags indicators.
* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed string
in the S-expression.
* doc/gcrypt.texi: Add document for the FIPS service indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.
--
GnuPG-bug-id: 6417
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
doc/gcrypt.texi | 42 +++++++++++++++++++++++++++++++++++++++---
src/fips.c | 41 +++++++++++++++++++++++++++++++++++++----
2 files changed, 76 insertions(+), 7 deletions(-)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 750b6718..752f64d6 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -1007,9 +1007,45 @@ FIPS 140-3 certification. If the algorithm is approved, this function returns
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
-Check if the given public key operation flag is approved under the current
-FIPS 140-3 certification. If the flag is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+Check if the given public key operation flag or s-expression object name is
+approved under the current FIPS 140-3 certification. If the flag is
+approved, this function returns @code{GPG_ERR_NO_ERROR}.
+
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+
+For compound s-expression objects, if the object name is allowed, the user
+is responsible to check also the internal members. For example:
+
+@example
+ gcry_sexp_t s_sig = NULL;
+ gcry_md_hd_t hd = NULL;
+ gcry_sexp_t s_sk = NULL;
+ const char *data_tmpl = "(data(flags pss)(hash %s %b)(salt-length 1:0))";
+
+ if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_md_open") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, GCRY_MD_SHA512) &&
+ err = gcry_md_open (&hd, GCRY_MD_SHA512, 0))
+ @{
+ printf ("gcry_md_open failed: %s", gpg_strerror (err));
+ return;
+ @}
+ gcry_md_write (hd, buffer, buflen);
+
+ /* initialize the key in s_sk */
+
+ if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_pk_hash_sign") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "data") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "flags") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "pss") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "hash") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "salt-length")
+ err = gcry_pk_hash_sign (&s_sig, data_tmpl, s_sk, hd, NULL))
+ @{
+ printf ("gcry_pk_hash_sign failed: %s", gpg_strerror (err));
+ return;
+ @}
+ /* ok */
+@end example
@end table
diff --git a/src/fips.c b/src/fips.c
index a7342030..669cfd0e 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -457,16 +457,49 @@ _gcry_fips_indicator_function (va_list arg_ptr)
return GPG_ERR_NO_ERROR;
}
+/* Note: the array should be sorted. */
+static const char *valid_string_in_sexp[] = {
+ "curve",
+ "d",
+ "data",
+ "e",
+ "ecdsa",
+ "flags",
+ "genkey",
+ "hash",
+ "n",
+ "nbits",
+ "pkcs1",
+ "private-key",
+ "pss",
+ "public-key",
+ "q",
+ "r",
+ "raw",
+ "rsa",
+ "rsa-use-e",
+ "s",
+ "salt-length",
+ "sig-val",
+ "value"
+};
+
+static int
+compare_string (const void *v1, const void *v2)
+{
+ const char * const *p_str1 = v1;
+ const char * const *p_str2 = v2;
+
+ return strcmp (*p_str1, *p_str2);
+}
int
_gcry_fips_indicator_pk_flags (va_list arg_ptr)
{
const char *flag = va_arg (arg_ptr, const char *);
- if (strcmp (flag, "param") == 0 ||
- strcmp (flag, "raw") == 0 ||
- strcmp (flag, "no-blinding") == 0 ||
- strcmp (flag, "pss") == 0)
+ if (bsearch (&flag, valid_string_in_sexp, DIM (valid_string_in_sexp),
+ sizeof (char *), compare_string))
return GPG_ERR_NO_ERROR;
return GPG_ERR_NOT_SUPPORTED;
--
2.39.2
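Review bot: `_gcry_fips_indicator_pk_flags` in src/fips.c passes `flag` straight from `va_arg` into the `bsearch` comparator, so a NULL argument to this control command reaches `strcmp`, which is undefined behaviour; add `if (!flag) return GPG_ERR_NOT_SUPPORTED;` before the lookup. The texinfo example added in doc/gcrypt.texi also needs attention: the calls are chained with `&&` although each returns zero on success, so the error branch would run only when every call fails, the `"salt-length"` line has no operator before the next call, and `err = a && err = b` does not parse as intended. Since readers will copy this example to gate approved operations, it should check each call separately, or chain with `||` and parenthesised assignments.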


@ -156,3 +156,35 @@ index 878d7095..50071bf5 100755
2.39.1
From 3fd3bb31597f80c76a94ea62e42d58d796beabf1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 20 Feb 2023 16:16:01 +0100
Subject: [PATCH] fips: Check return value from ftell
* src/fips.c (get_file_offset): Check return value of ftell to be able
to detect errors.
--
Originally reported by coverity.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/fips.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/fips.c b/src/fips.c
index 272aabae..0d89b6da 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -681,6 +681,8 @@ get_file_offset (FILE *fp, ElfW (Ehdr) *ehdr_p,
return gpg_error_from_syserror ();
off = ftell (fp);
+ if (off < 0)
+ return gpg_error_from_syserror ();
if (shdr.sh_type == SHT_NOTE && shdr.sh_flags == 0 && shdr.sh_size == 48)
{
const char header_of_the_note[] = {
--
2.39.2


@ -127,3 +127,61 @@ index d22584da..823c744e 100644
--
2.39.0
From f5fe94810f3099c9ccc2ca3a5891502922ab0576 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 28 Feb 2023 12:53:28 +0100
Subject: [PATCH] kdf: Update tests in regards to the allowed parameters in
FIPS mode.
* cipher/kdf.c (check_one): run selftests for more approved parameters
and check that wrong parameters correctly fail in FIPS mode.
--
Fixes-commit: 535a4d345872aa2cd2ab3a5f9c4411d0a0313328
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/kdf.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 823c744e..12beec56 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -2059,17 +2059,25 @@ check_one (int algo, int hash_algo,
{
unsigned char key[512]; /* hardcoded to avoid allocation */
size_t keysize = expectlen;
-
- /* Skip test with shoter passphrase in FIPS mode. */
- if (fips_mode () && passphraselen < 14)
- return NULL;
+ int rv;
if (keysize > sizeof(key))
return "invalid tests data";
- if (_gcry_kdf_derive (passphrase, passphraselen, algo,
- hash_algo, salt, saltlen, iterations,
- keysize, key))
+ rv = _gcry_kdf_derive (passphrase, passphraselen, algo,
+ hash_algo, salt, saltlen, iterations,
+ keysize, key);
+ /* In fips mode we have special requirements for the input and
+ * output parameters */
+ if (fips_mode ())
+ {
+ if (rv && (passphraselen < 8 || saltlen < 16 ||
+ iterations < 1000 || expectlen < 14))
+ return NULL;
+ else if (rv)
+ return "gcry_kdf_derive unexpectedly failed in FIPS Mode";
+ }
+ else if (rv)
return "gcry_kdf_derive failed";
if (memcmp (key, expect, expectlen))
--
2.39.2
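Review bot: In `check_one` the FIPS branch only handles a failing `_gcry_kdf_derive`; when the call succeeds with parameters below the limits (`passphraselen < 8`, `saltlen < 16`, `iterations < 1000` or `expectlen < 14`), control falls through to the `memcmp` and the self-test passes. The commit message says wrong parameters are checked to fail in FIPS mode, so a success in that case should be reported as an error, as sketched below. The function's signature and its tail are outside the hunk.

```c
  /* … unchanged: _gcry_kdf_derive call storing its result in rv … */
  if (fips_mode ())
    {
      int below_fips_limits = (passphraselen < 8 || saltlen < 16 ||
                               iterations < 1000 || expectlen < 14);

      /* Parameters below the FIPS limits must be rejected, not just
       * tolerated when they happen to fail. */
      if (below_fips_limits)
        return rv ? NULL
                  : "gcry_kdf_derive unexpectedly succeeded in FIPS Mode";
      if (rv)
        return "gcry_kdf_derive unexpectedly failed in FIPS Mode";
    }
  else if (rv)
    return "gcry_kdf_derive failed";
```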


@ -0,0 +1,145 @@
From 2ddeec574bc1ae90bb4242c4ce9ad9e7975a27bd Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2023 15:42:29 +0100
Subject: [PATCH] ecc: Do not allow skipping tests in FIPS Mode.
* cipher/ecc.c (ecc_generate): Do not allow skipping tests PCT tests
in FIPS mode.
--
The new FIPS specification requires to run the PCT without any
exceptions.
GnuPG-bug-id: 6394
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/ecc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 1e80200e..797f2368 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -677,7 +677,7 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
log_debug ("ecgen result using Ed25519+EdDSA\n");
}
- if (!(flags & PUBKEY_FLAG_NO_KEYTEST) && fips_mode ())
+ if (fips_mode ())
test_keys_fips (*r_skey);
leave:
--
2.39.2
From 23a2d1285e35b2eb91bb422609eb1c965c8a9bf6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 2 Mar 2023 09:43:44 +0100
Subject: [PATCH] ecc: Make the PCT recoverable in FIPS mode and consistent
with RSA.
* cipher/ecc.c (test_keys_fips): Replace calls to log_fatal with
return code on error.
(ecc_generate): Signal error when PCT fails in FIPS mode.
--
GnuPG-bug-id: 6397
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/ecc.c | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 797f2368..19520db3 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -101,7 +101,7 @@ static void *progress_cb_data;
/* Local prototypes. */
static void test_keys (mpi_ec_t ec, unsigned int nbits);
-static void test_keys_fips (gcry_sexp_t skey);
+static int test_keys_fips (gcry_sexp_t skey);
static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
static unsigned int ecc_get_nbits (gcry_sexp_t parms);
@@ -308,9 +308,10 @@ test_keys (mpi_ec_t ec, unsigned int nbits)
/* We should get here only with the NIST curves as they are the only ones
* having the fips bit set in ecc_domain_parms_t struct so this is slightly
* simpler than the whole ecc_generate function */
-static void
+static int
test_keys_fips (gcry_sexp_t skey)
{
+ int result = -1; /* Default to failure */
gcry_md_hd_t hd = NULL;
const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
gcry_sexp_t sig = NULL;
@@ -323,18 +324,27 @@ test_keys_fips (gcry_sexp_t skey)
/* Open MD context and feed the random data in */
rc = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
if (rc)
- log_fatal ("ECDSA operation: failed to initialize MD context: %s\n", gpg_strerror (rc));
+ {
+ log_error ("ECDSA operation: failed to initialize MD context: %s\n", gpg_strerror (rc));
+ goto leave;
+ }
_gcry_md_write (hd, plaintext, sizeof(plaintext));
/* Sign the data */
rc = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
if (rc)
- log_fatal ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
+ {
+ log_error ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
+ goto leave;
+ }
/* Verify this signature. */
rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc)
- log_fatal ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
+ {
+ log_error ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
+ goto leave;
+ }
/* Modify the data and check that the signing fails. */
_gcry_md_reset(hd);
@@ -342,10 +352,16 @@ test_keys_fips (gcry_sexp_t skey)
_gcry_md_write (hd, plaintext, sizeof(plaintext));
rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc != GPG_ERR_BAD_SIGNATURE)
- log_fatal ("ECDSA operation: signature verification worked on modified data\n");
+ {
+ log_error ("ECDSA operation: signature verification worked on modified data\n");
+ goto leave;
+ }
+ result = 0;
+leave:
_gcry_md_close (hd);
sexp_release (sig);
+ return result;
}
@@ -677,8 +693,12 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
log_debug ("ecgen result using Ed25519+EdDSA\n");
}
- if (fips_mode ())
- test_keys_fips (*r_skey);
+ if (fips_mode () && test_keys_fips (*r_skey))
+ {
+ sexp_release (*r_skey); r_skey = NULL;
+ fips_signal_error ("self-test after key generation failed");
+ rc = GPG_ERR_SELFTEST_FAILED;
+ }
leave:
mpi_free (public);
--
2.39.2
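Review bot: In the `ecc_generate` hunk the failure path writes `r_skey = NULL;`, which only clears the local parameter, so the caller's `*r_skey` still points at the S-expression that `sexp_release (*r_skey)` has just freed. A caller that releases or inspects the key after `GPG_ERR_SELFTEST_FAILED` would touch freed memory; the line should read `sexp_release (*r_skey); *r_skey = NULL;`. The code after the `leave:` label is outside the hunk, so confirm that nothing there dereferences `r_skey` either.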


@ -0,0 +1,46 @@
From 654d0dfa04993ebe28c0536d42f4bc6d87c28369 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2023 17:14:00 +0100
Subject: [PATCH] visibility: Check FIPS operational status for MD+Sign
operation.
* src/visibility.c (gcry_pk_hash_sign): Check fips status before
calling the operation itself.
(gcry_pk_hash_verify): Ditto.
--
GnuPG-bug-id: 6396
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/visibility.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/visibility.c b/src/visibility.c
index 73db3dea..1f17e147 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1050,6 +1050,11 @@ gcry_error_t
gcry_pk_hash_sign (gcry_sexp_t *result, const char *data_tmpl, gcry_sexp_t skey,
gcry_md_hd_t hd, gcry_ctx_t ctx)
{
+ if (!fips_is_operational ())
+ {
+ *result = NULL;
+ return gpg_error (fips_not_operational ());
+ }
return gpg_error (_gcry_pk_sign_md (result, data_tmpl, hd, skey, ctx));
}
@@ -1065,6 +1070,8 @@ gcry_error_t
gcry_pk_hash_verify (gcry_sexp_t sigval, const char *data_tmpl, gcry_sexp_t pkey,
gcry_md_hd_t hd, gcry_ctx_t ctx)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
return gpg_error (_gcry_pk_verify_md (sigval, data_tmpl, hd, pkey, ctx));
}
--
2.39.2

File diff suppressed because it is too large Load Diff


@ -0,0 +1,156 @@
From f490ffd739f713fcf0be35b7fbbb8502dea40a0c Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Sat, 3 Jun 2023 13:20:07 +0300
Subject: [PATCH] addm/subm/mulm: fix case when destination is same MPI as
divider
* mpi/mpi-add.c (_gcry_mpi_addm, _gcry_mpi_subm): Take copy of M when
W and M are the same MPI.
* mpi/mpi-mul.c (_gcry_mpi_mulm): Likewise.
* tests/mpitests.c (test_addm_subm_mulm): New.
(main): Run addm/subm/mulm test.
--
Reported-by: Guido Vranken <guidovranken@gmail.com>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
mpi/mpi-add.c | 22 ++++++++++++++++++++
mpi/mpi-mul.c | 11 ++++++++++
tests/mpitests.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 86 insertions(+)
diff --git a/mpi/mpi-add.c b/mpi/mpi-add.c
index 41dc3900..51dc71b7 100644
--- a/mpi/mpi-add.c
+++ b/mpi/mpi-add.c
@@ -227,13 +227,35 @@ _gcry_mpi_sub(gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v)
void
_gcry_mpi_addm( gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m)
{
+ gcry_mpi_t temp_m = NULL;
+
+ if (w == m)
+ {
+ temp_m = mpi_copy (m);
+ m = temp_m;
+ }
+
mpi_add (w, u, v);
mpi_mod (w, w, m);
+
+ if (temp_m)
+ mpi_free(temp_m);
}
void
_gcry_mpi_subm( gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m)
{
+ gcry_mpi_t temp_m = NULL;
+
+ if (w == m)
+ {
+ temp_m = mpi_copy (m);
+ m = temp_m;
+ }
+
mpi_sub (w, u, v);
mpi_mod (w, w, m);
+
+ if (temp_m)
+ mpi_free(temp_m);
}
diff --git a/mpi/mpi-mul.c b/mpi/mpi-mul.c
index 60f1ca48..e8e57475 100644
--- a/mpi/mpi-mul.c
+++ b/mpi/mpi-mul.c
@@ -207,6 +207,17 @@ _gcry_mpi_mul (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v)
void
_gcry_mpi_mulm (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m)
{
+ gcry_mpi_t temp_m = NULL;
+
+ if (w == m)
+ {
+ temp_m = mpi_copy (m);
+ m = temp_m;
+ }
+
mpi_mul (w, u, v);
_gcry_mpi_tdiv_r (w, w, m);
+
+ if (temp_m)
+ mpi_free(temp_m);
}
diff --git a/tests/mpitests.c b/tests/mpitests.c
index 48ea18b2..2ee08bd3 100644
--- a/tests/mpitests.c
+++ b/tests/mpitests.c
@@ -687,6 +687,58 @@ test_powm (void)
}
+/* What we test here is that using the same mpi for divider and result
+ works. */
+static int
+test_addm_subm_mulm (void)
+{
+ int i;
+
+ for (i = 0; i < 3; i++)
+ {
+ unsigned int expect;
+ const char *func;
+ gcry_mpi_t A;
+ gcry_mpi_t B;
+ gcry_mpi_t C;
+
+ A = gcry_mpi_set_ui (NULL, 2);
+ B = gcry_mpi_set_ui (NULL, 4);
+ C = gcry_mpi_set_ui (NULL, 7);
+
+ if (i == 0)
+ {
+ func = "mpi_addm";
+ expect = 6;
+ gcry_mpi_addm(C, A, B, C);
+ }
+ else if (i == 1)
+ {
+ func = "mpi_subm";
+ expect = 5;
+ gcry_mpi_subm(C, A, B, C);
+ }
+ else if (i == 2)
+ {
+ func = "mpi_mulm";
+ expect = 1;
+ gcry_mpi_mulm(C, A, B, C);
+ }
+
+ if (gcry_mpi_is_neg (C) || gcry_mpi_cmp_ui (C, expect))
+ {
+ die ("test_addm_subm_mulm failed for %s at %d\n", func, __LINE__);
+ }
+
+ gcry_mpi_release(A);
+ gcry_mpi_release(B);
+ gcry_mpi_release(C);
+ }
+
+ return 1;
+}
+
+
int
main (int argc, char* argv[])
{
@@ -710,6 +762,7 @@ main (int argc, char* argv[])
test_sub ();
test_mul ();
test_powm ();
+ test_addm_subm_mulm ();
return !!error_count;
}
--
2.44.0

File diff suppressed because it is too large Load Diff

Binary file not shown.


@ -16,7 +16,7 @@ print(string.sub(hash, 0, 16))
Name: libgcrypt
Version: 1.10.0
Release: 9%{?dist}
Release: 11%{?dist}
URL: https://www.gnupg.org/
Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
@ -46,11 +46,48 @@ Patch12: libgcrypt-1.10.0-fips-indicator.patch
Patch13: libgcrypt-1.10.0-fips-integrity.patch
# 3c8b6c4a9cad59c5e1db5706f6774a3141b60210
# 052c5ef4cea56772b7015e36f231fa0bcbf91410
# 3fd3bb31597f80c76a94ea62e42d58d796beabf1
Patch14: libgcrypt-1.10.0-fips-integrity2.patch
# 06ea5b5332ffdb44a0a394d766be8989bcb6a95c
Patch15: libgcrypt-1.10.0-fips-x931.patch
# bf1e62e59200b2046680d1d3d1599facc88cfe63
Patch16: libgcrypt-1.10.0-fips-rsa-pss.patch
# https://dev.gnupg.org/T6376
Patch17: libgcrypt-1.10.0-fips-indicator-md-hmac.patch
# https://dev.gnupg.org/T6394
# https://dev.gnupg.org/T6397
Patch18: libgcrypt-1.10.0-fips-pct.patch
# https://dev.gnupg.org/T6396
Patch19: libgcrypt-1.10.0-fips-status-sign-verify.patch
# https://dev.gnupg.org/T6393
Patch20: libgcrypt-1.10.0-fips-drbg.patch
# https://dev.gnupg.org/T6417
Patch21: libgcrypt-1.10.0-fips-indicator-pk-flags.patch
# a611e3a25d61505698e2bb38ec2db38bc6a74820
# 34c20427926010d6fa95b1666e4b1b60f60a8742
# c848459e512615c1865a23cf24debb3ad4a1e85b
# c31b70b2660c3d24bd54ee08c255c36d867fdea7
# bd08357436a9559766cd458d25781ee4f94012a2
# 58b62be844549ad3d57c507d834027f1e2756567
# 6d1d50ba3aad1850975f717adbedb4cb8b236fa7
# 1e9ddbd65c4627235611d75c3198c4ec197c9a05
# 137e35ad47ee8734d0f3ffb6af1d1669c4621e0b
# 84f934c09afac18b3f4351646c0fe6f93aede277
# 0c6ec6bbe788b8c4a6982b2128d442b51323c898
# 22dde5150ee2be01651410ed9756601ba6a29c93
# 4d3e0e30b98b2acb90acb2792b8327c26824a66f
# 179df341162c74da312f76363a0ff1f2f303aa78
# d4aee9ace9a904446b987dddc2999119c4d62dae
# aab6a42d5f44724b73a02598546a5e7d8b33298e
# 5c5ba1ec2b505726ee1311339ac9e8b5c62cac4a
# cf757cf90e9ae966b95dcebfd2f31b9212697f0c
# c419a04d529af7b5fb43732ec2b4304166c2579a
# 39d5364a9557d6f423de117601cb1e6414814f47
Patch22: libgcrypt-1.10.0-marvin.patch
# f490ffd739f713fcf0be35b7fbbb8502dea40a0c
Patch23: libgcrypt-1.10.0-marvin2.patch
# https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/19/
Patch24: libgcrypt-1.10.0-marvin3.patch
%global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20
@ -100,6 +137,14 @@ applications using libgcrypt.
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%build
# This package has a configure test which uses ASMs, but does not link the
@ -129,6 +174,7 @@ autoreconf -f
--disable-jent-support \
--enable-digests="$DIGESTS" \
--enable-ciphers="$CIPHERS" \
--enable-marvin-workaround \
--with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"
sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool
%make_build
@ -219,6 +265,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
%license COPYING
%changelog
* Thu Aug 01 2024 Jakub Jelen <jjelen@redhat.com> - 1.10.0-11
- Fix CVE-2024-2236 (RHEL-34579)
* Mon Mar 20 2023 Jakub Jelen <jjelen@redhat.com> - 1.10.0-10
- Provide FIPS indicators for MD and HMACs
- Improve PCT tests for ECDSA and always run them after key is generated
- Add missing guards for FIPS status in md_sign/verify function
- Provider FIPS indicators for public key operation flags
* Tue Jan 24 2023 Jakub Jelen <jjelen@redhat.com> - 1.10.0-9
- Avoid usage of invalid arguments sizes for PBKDF2 in FIPS mode
- Do not allow large salt lengths with RSA-PSS padding