diff --git a/libgcrypt-1.10.0-fips-kdf.patch b/libgcrypt-1.10.0-fips-kdf.patch index 955847e..021476a 100644 --- a/libgcrypt-1.10.0-fips-kdf.patch +++ b/libgcrypt-1.10.0-fips-kdf.patch @@ -85,3 +85,45 @@ index c0192d7b..716fb53e 100644 -- 2.37.3 +From f4a861f3e5ae82f278284061e4829c03edf9c3a7 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 18 Nov 2022 09:49:50 +0900 +Subject: [PATCH] pkdf2: Add checks for FIPS. + +* cipher/kdf.c (_gcry_kdf_pkdf2): Require 8 chars passphrase for FIPS. +Set bounds for salt length and iteration count in FIPS mode. + +-- + +GnuPG-bug-id: 6039 +Signed-off-by: Jakub Jelen +--- + cipher/kdf.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/cipher/kdf.c b/cipher/kdf.c +index d22584da..823c744e 100644 +--- a/cipher/kdf.c ++++ b/cipher/kdf.c +@@ -160,6 +160,18 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, + return GPG_ERR_INV_VALUE; + #endif + ++ /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */ ++ if (fips_mode () && passphraselen < 8) ++ return GPG_ERR_INV_VALUE; ++ ++ /* FIPS requires minimum salt length of 128 b (SP 800-132 sec. 5.1, p.6) */ ++ if (fips_mode () && saltlen < 16) ++ return GPG_ERR_INV_VALUE; ++ ++ /* FIPS requires minimum iterations bound (SP 800-132 sec 5.2, p.6) */ ++ if (fips_mode () && iterations < 1000) ++ return GPG_ERR_INV_VALUE; ++ + /* Check minimum key size */ + if (fips_mode () && dklen < 14) + return GPG_ERR_INV_VALUE; +-- +2.39.0 + diff --git a/libgcrypt.spec b/libgcrypt.spec index 7c2eb66..39779fe 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -34,6 +34,7 @@ Patch9: libgcrypt-1.10.0-sha3-large.patch # https://dev.gnupg.org/T5919 Patch10: libgcrypt-1.10.0-fips-keygen.patch # https://dev.gnupg.org/T6219 +# f4a861f3e5ae82f278284061e4829c03edf9c3a7 Patch11: libgcrypt-1.10.0-fips-kdf.patch # c34c9e70055ee43e5ef257384fa15941f064e5a4 # https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/13