Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libgcrypt for openSUSE:Factory 
checked in at 2022-09-07 11:05:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
 and      /work/SRC/openSUSE:Factory/.libgcrypt.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libgcrypt"

Wed Sep  7 11:05:09 2022 rev:92 rq:1001249 version:1.9.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes      2022-08-04 
13:22:45.636379017 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2083/libgcrypt.changes    
2022-09-07 11:05:09.888273563 +0200
@@ -1,0 +2,16 @@
+Tue Aug 23 09:19:00 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: gpg/gpg2 gets out of core handler in FIPS mode while
+  typing Tab key to Auto-Completion. [bsc#1182983]
+  * Add libgcrypt-out-of-core-handler.patch
+
+-------------------------------------------------------------------
+Mon Aug  8 11:33:03 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Port libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941]
+  * Enable the jitter based entropy generator by default in random.conf
+    - Add libgcrypt-jitterentropy-3.3.0.patch
+  * Update the internal jitterentropy to version 3.4.0
+    - Add libgcrypt-jitterentropy-3.4.0.patch
+
+-------------------------------------------------------------------
@@ -6,0 +23,25 @@
+
+-------------------------------------------------------------------
+Thu Apr 14 12:30:36 UTC 2022 - Dennis Knorr <dennis.kn...@suse.com>
+
+- FIPS: extend the service indicator [bsc#1190700]
+  * introduced a pk indicator function
+  * adapted the approved and non approved ciphersuites
+  * Add libgcrypt_indicators_changes.patch
+  * Add libgcrypt-indicate-shake.patch
+
+-------------------------------------------------------------------
+Tue Mar 22 12:32:09 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Implement a service indicator for asymmetric ciphers [bsc#1190700]
+  * Mark RSA public key encryption and private key decryption with
+    padding (e.g. OAEP, PKCS) as non-approved since RSA-OAEP lacks
+    peer key assurance validation requirements per SP800-56Brev2.
+  * Mark ECC as approved only for NIST curves P-224, P-256, P-384
+    and P-521 with check for common NIST names and aliases.
+  * Mark DSA, ELG, EDDSA, ECDSA and ECDH as non-approved.
+  * Add libgcrypt-FIPS-SLI-pk.patch
+  * Rebase libgcrypt-FIPS-service-indicators.patch
+- Run the regression tests also in FIPS mode.
+  * Disable tests for non-FIPS approved algos.
+  * Rebase: libgcrypt-FIPS-verify-unsupported-KDF-test.patch

New:
----
  libgcrypt-FIPS-SLI-pk.patch
  libgcrypt-indicate-shake.patch
  libgcrypt-jitterentropy-3.3.0.patch
  libgcrypt-jitterentropy-3.4.0.patch
  libgcrypt-out-of-core-handler.patch
  libgcrypt_indicators_changes.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libgcrypt.spec ++++++
--- /var/tmp/diff_new_pack.SWckUY/_old  2022-09-07 11:05:12.156279327 +0200
+++ /var/tmp/diff_new_pack.SWckUY/_new  2022-09-07 11:05:12.160279338 +0200
@@ -96,6 +96,17 @@
 Patch40:        libgcrypt-FIPS-service-indicators.patch
 #PATCH-FIX-UPSTREAM bsc#1195385 FIPS: Disable DSA in FIPS mode
 Patch41:        libgcrypt-FIPS-disable-DSA.patch
+#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
+Patch42:        libgcrypt-FIPS-SLI-pk.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
+Patch43:        libgcrypt_indicators_changes.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS allow shake
+Patch44:        libgcrypt-indicate-shake.patch
+#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use 
jitterentropy
+Patch45:        libgcrypt-jitterentropy-3.3.0.patch
+Patch46:        libgcrypt-jitterentropy-3.4.0.patch
+#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode 
while typing Tab key to Auto-Completion
+Patch47:        libgcrypt-out-of-core-handler.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.27
@@ -213,6 +224,9 @@
 fipshmac src/.libs/libgcrypt.so.??
 %make_build check
 
+# run the regression tests also in FIPS mode
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true
+
 %install
 %make_install
 rm %{buildroot}%{_libdir}/%{name}.la
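Review bot: The `|| true` on the added FIPS-mode test run means a failing regression test in FIPS mode can never fail the build, and with `-k` the run continues past every failure, so the result is visible only to someone reading the build log. If some tests are still expected to fail in FIPS mode, I would name them in a comment and skip them explicitly. The line could then be `LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1` without the `|| true`, so regressions in the approved-algorithm paths stop the build.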


++++++ libgcrypt-FIPS-SLI-pk.patch ++++++
Index: libgcrypt-1.9.4/src/fips.c
===================================================================
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -32,6 +32,7 @@
 
 #include "g10lib.h"
 #include "cipher-proto.h"
+#include "cipher.h"
 #include "hmac256.h"
 
 
@@ -482,6 +483,78 @@ _gcry_fips_indicator_kdf (va_list arg_pt
     default:
       return GPG_ERR_NOT_SUPPORTED;
     }
+}
+
+
+/* FIPS approved curves, extracted from:
+ *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
+static const struct
+{
+  const char *name;  /* Our name.  */
+  const char *other; /* Other name. */
+} fips_approved_curve[] =
+  {
+    /* "NIST P-192" is non-approved if FIPS 140-3 */
+    /* { "NIST P-192", "1.2.840.10045.3.1.1" }, /\* X9.62 OID  *\/ */
+    /* { "NIST P-192", "prime192v1" },          /\* X9.62 name.  *\/ */
+    /* { "NIST P-192", "secp192r1"  },          /\* SECP name.  *\/ */
+    /* { "NIST P-192", "nistp192"   },          /\* rfc5656.  *\/ */
+
+    { "NIST P-224", "secp224r1" },
+    { "NIST P-224", "1.3.132.0.33" },        /* SECP OID.  */
+    { "NIST P-224", "nistp224"   },          /* rfc5656.  */
+
+    { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1.  */
+    { "NIST P-256", "prime256v1" },
+    { "NIST P-256", "secp256r1"  },
+    { "NIST P-256", "nistp256"   },          /* rfc5656.  */
+
+    { "NIST P-384", "secp384r1" },
+    { "NIST P-384", "1.3.132.0.34" },
+    { "NIST P-384", "nistp384"   },          /* rfc5656.  */
+
+    { "NIST P-521", "secp521r1" },
+    { "NIST P-521", "1.3.132.0.35" },
+    { "NIST P-521", "nistp521"   },          /* rfc5656.  */
+    { NULL, NULL}
+  };
+
+int
+_gcry_fips_indicator_pk (va_list arg_ptr)
+{
+  enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
+  enum pk_operation oper;
+  const char *curve_name;
+
+  switch (alg)
+    {
+    case GCRY_PK_RSA:
+    case GCRY_PK_RSA_E:
+    case GCRY_PK_RSA_S:
+      oper = va_arg (arg_ptr, enum pk_operation);
+      switch (oper)
+        {
+        case PUBKEY_OP_ENCRYPT:
+        case PUBKEY_OP_DECRYPT:
+          return GPG_ERR_NOT_SUPPORTED;
+        default:
+          return GPG_ERR_NO_ERROR;
+        }
+    case GCRY_PK_ECC:
+    case GCRY_PK_ECDH:
+    case GCRY_PK_ECDSA:
+      curve_name = va_arg (arg_ptr, const char *);
+      for (int idx = 0; fips_approved_curve[idx].name; ++idx)
+        {
+          /* Check for the usual name and an alias. */
+          if (!strcmp (curve_name, fips_approved_curve[idx].name) ||
+              !strcmp (curve_name, fips_approved_curve[idx].other))
+            return GPG_ERR_NO_ERROR;
+        }
+      return GPG_ERR_NOT_SUPPORTED;
+    default:
+      return GPG_ERR_NOT_SUPPORTED;
+    }
 }
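Review bot: `curve_name` is taken from the variadic list and passed straight to `strcmp` in the ECC branch of `_gcry_fips_indicator_pk`, so a caller that passes NULL crashes inside the indicator query instead of getting an answer. Adding `if (!curve_name) return GPG_ERR_NOT_SUPPORTED;` before the loop makes the query fail closed. The function also has no header comment; a short one listing the extra arguments expected per algorithm would help, since a mismatch between what the caller passes and what `va_arg` reads cannot be detected at run time.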
 
 
Index: libgcrypt-1.9.4/src/gcrypt.h.in
===================================================================
--- libgcrypt-1.9.4.orig/src/gcrypt.h.in
+++ libgcrypt-1.9.4/src/gcrypt.h.in
@@ -336,7 +336,8 @@ enum gcry_ctl_cmds
     GCRYCTL_AUTO_EXPAND_SECMEM = 78,
     GCRYCTL_SET_ALLOW_WEAK_KEY = 79,
     GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
-    GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82
+    GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 83
   };
 
 /* Perform various operations defined by CMD. */
Index: libgcrypt-1.9.4/doc/gcrypt.texi
===================================================================
--- libgcrypt-1.9.4.orig/doc/gcrypt.texi
+++ libgcrypt-1.9.4/doc/gcrypt.texi
@@ -975,6 +975,18 @@ certification. If the KDF is approved, t
 @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
 is returned.
 
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
+[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
+GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
+
+Check if the given asymmetric cipher is approved under the current FIPS
+140-3 certification. For GCRY_PK_RSA, an additional parameter for the
+operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
+GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
+name or its alias as @code{const char *}. If the combination is
+approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
+@code{GPG_ERR_NOT_SUPPORTED} is returned.
+
 @end table
 
 @end deftypefun
Index: libgcrypt-1.9.4/src/g10lib.h
===================================================================
--- libgcrypt-1.9.4.orig/src/g10lib.h
+++ libgcrypt-1.9.4/src/g10lib.h
@@ -489,6 +489,7 @@ void _gcry_fips_signal_error (const char
 
 int _gcry_fips_indicator_cipher (va_list arg_ptr);
 int _gcry_fips_indicator_kdf (va_list arg_ptr);
+int _gcry_fips_indicator_pk (va_list arg_ptr);
 
 int _gcry_fips_is_operational (void);
 
Index: libgcrypt-1.9.4/src/global.c
===================================================================
--- libgcrypt-1.9.4.orig/src/global.c
+++ libgcrypt-1.9.4/src/global.c
@@ -768,6 +768,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
       rc = _gcry_fips_indicator_kdf (arg_ptr);
       break;
 
+    case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
+      /* Get FIPS Service Indicator for a given asymmetric algorithm. For
+       * GCRY_PK_RSA, an additional parameter for the operation mode is
+       * required. For ECC, ECDH and ECDSA, the additional parameter is the
+       * curve name or its alias. Returns GPG_ERR_NO_ERROR if the
+       * algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise. */
+      rc = _gcry_fips_indicator_pk (arg_ptr);
+      break;
+
     case PRIV_CTL_INIT_EXTRNG_TEST:  /* Init external random test.  */
       rc = GPG_ERR_NOT_SUPPORTED;
       break;

++++++ libgcrypt-FIPS-service-indicators.patch ++++++
--- /var/tmp/diff_new_pack.SWckUY/_old  2022-09-07 11:05:12.276279633 +0200
+++ /var/tmp/diff_new_pack.SWckUY/_new  2022-09-07 11:05:12.276279633 +0200
@@ -2,7 +2,7 @@
 ===================================================================
 --- libgcrypt-1.9.4.orig/src/fips.c
 +++ libgcrypt-1.9.4/src/fips.c
-@@ -437,6 +437,59 @@ _gcry_fips_test_operational (void)
+@@ -437,6 +437,54 @@ _gcry_fips_test_operational (void)
  }
  
  
@@ -14,11 +14,6 @@
 +
 +  switch (alg)
 +    {
-+   case GCRY_CIPHER_AES:
-+    case GCRY_CIPHER_AES192:
-+    case GCRY_CIPHER_AES256:
-+      mode = va_arg (arg_ptr, enum gcry_cipher_modes);
-+      switch (mode)
 +    case GCRY_CIPHER_AES:
 +    case GCRY_CIPHER_AES192:
 +    case GCRY_CIPHER_AES256:

++++++ libgcrypt-FIPS-verify-unsupported-KDF-test.patch ++++++
--- /var/tmp/diff_new_pack.SWckUY/_old  2022-09-07 11:05:12.288279663 +0200
+++ /var/tmp/diff_new_pack.SWckUY/_new  2022-09-07 11:05:12.292279673 +0200
@@ -12,10 +12,46 @@
  tests/t-kdf.c | 7 +++++++
  1 file changed, 7 insertions(+)
 
-diff --git a/tests/t-kdf.c b/tests/t-kdf.c
-index 7a48e98a..48309b9a 100644
---- a/tests/t-kdf.c
-+++ b/tests/t-kdf.c
+Index: libgcrypt-1.9.4/tests/t-kdf.c
+===================================================================
+--- libgcrypt-1.9.4.orig/tests/t-kdf.c
++++ libgcrypt-1.9.4/tests/t-kdf.c
+@@ -998,7 +998,7 @@ check_pbkdf2 (void)
+       "\xa5\x7a\xe5\xa6\x08\x83\x96\xd1\x20\x85\x0c\x5c\x09\xde\x0a\x52"
+       "\x51\x00\x93\x8a\x59\xb1\xb5\xc3\xf7\x81\x09\x10\xd0\x5f\xcd\x97"
+     }, */
+-    {
++    /* { -- not FIPS approved
+       "passwordPASSWORDpassword", 24,
+       "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
+       GCRY_MD_GOSTR3411_CP,
+@@ -1007,7 +1007,7 @@ check_pbkdf2 (void)
+       "\x78\x83\x58\xc6\x9c\xb2\xdb\xe2\x51\xa7\xbb\x17\xd5\xf4\x24\x1f"
+       "\x26\x5a\x79\x2a\x35\xbe\xcd\xe8\xd5\x6f\x32\x6b\x49\xc8\x50\x47"
+       "\xb7\x63\x8a\xcb\x47\x64\xb1\xfd"
+-    },
++    }, */
+     {
+       "pass\0word", 9,
+       "sa\0lt", 5,
+@@ -1061,7 +1061,7 @@ check_pbkdf2 (void)
+       "\x1a\xdb\x60\x1c\x7e\x2a\x31\x4e\x8c\xb7\xb1\xe9\xdf\x84\x0e\x36"
+       "\xab\x56\x15\xbe\x5d\x74\x2b\x6c\xf2\x03\xfb\x55\xfd\xc4\x80\x71"
+     }, */
+-    {
++    /* { -- not FIPS approved
+       "passwordPASSWORDpassword", 24,
+       "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
+       GCRY_MD_STRIBOG512,
+@@ -1074,7 +1074,7 @@ check_pbkdf2 (void)
+       "\xbd\x24\x21\xee\x9b\xb7\x11\x83\xba\x88\x2c\xee\xbf\xef\x25\x9f"
+       "\x33\xf9\xe2\x7d\xc6\x17\x8c\xb8\x9d\xc3\x74\x28\xcf\x9c\xc5\x2a"
+       "\x2b\xaa\x2d\x3a"
+-    },
++    }, */
+     {
+       "pass\0word", 9,
+       "sa\0lt", 5,
 @@ -1104,6 +1104,13 @@ check_pbkdf2 (void)
                               GCRY_KDF_PBKDF2, tv[tvidx].hashalgo,
                               tv[tvidx].salt, tv[tvidx].saltlen,
@@ -30,7 +66,4 @@
        if (err)
          fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err));
        else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen))
--- 
-2.34.1
-
 

++++++ libgcrypt-indicate-shake.patch ++++++
Index: libgcrypt-1.9.4/src/fips.c
===================================================================
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -593,6 +593,8 @@ _gcry_fips_indicator_hash (va_list arg_p
     case GCRY_MD_SHA3_256:
     case GCRY_MD_SHA3_384:
     case GCRY_MD_SHA3_512:
+    case GCRY_MD_SHAKE128:
+    case GCRY_MD_SHAKE256:
       return GPG_ERR_NO_ERROR;
     default:
       return GPG_ERR_NOT_SUPPORTED;

++++++ libgcrypt-jitterentropy-3.3.0.patch ++++++
++++ 4169 lines (skipped)

++++++ libgcrypt-jitterentropy-3.4.0.patch ++++++
++++ 662 lines (skipped)

++++++ libgcrypt-out-of-core-handler.patch ++++++
Index: libgcrypt-1.9.4/src/global.c
===================================================================
--- libgcrypt-1.9.4.orig/src/global.c
+++ libgcrypt-1.9.4/src/global.c
@@ -951,7 +951,6 @@ _gcry_set_outofcore_handler (int (*f)(vo
 
   if (fips_mode () )
     {
-      log_info ("out of core handler ignored in FIPS mode\n");
       return;
     }
 


++++++ libgcrypt_indicators_changes.patch ++++++
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index afb8a05..c613577 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -968,23 +968,39 @@ is approved under the current FIPS 140-3 certification. 
If the
 combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
 Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
+
+Check if the given HASH is approved under the current FIPS 140-3
+certification. If the HASH is approved, this function returns
+@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+is returned.
+
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, 
unsigned int]
+
+Check if the given MAC is approved under the current FIPS 140-3
+certification. The second parameter provides the keylen (if the
+algorithm supports different key sizes). If the MAC is approved,
+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise 
@code{GPG_ERR_NOT_SUPPORTED}
+is returned.
+
 @item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
 
 Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
+certification. If the KDF is approved, this function returns 
@code{GPG_ERR_NO_ERROR}.
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
 @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
-[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
-GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
+[, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for 
GCRY_PK_RSA)]
+[, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
 
 Check if the given asymmetric cipher is approved under the current FIPS
-140-3 certification. For GCRY_PK_RSA, an additional parameter for the
-operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
-GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
-name or its alias as @code{const char *}. If the combination is
-approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
+140-3 certification. For GCRY_PK_RSA, two additional parameter are required:
+first describes the purpose of the algorithm through one of the constants
+(GCRY_PK_USAGE_ENCR for encryption or decryption operations; 
GCRY_PK_USAGE_SIGN for
+sign or verify operations).
+Second one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and GCRY_PK_ECDSA,
+only a single parameter is needed: the curve name or its alias as @code{const 
char *}.
+If the combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. 
Otherwise
 @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
 @end table
diff --git a/src/fips.c b/src/fips.c
index f523e7d..d5ca482 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -452,6 +452,7 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
       mode = va_arg (arg_ptr, enum gcry_cipher_modes);
       switch (mode)
         {
+        case GCRY_CIPHER_MODE_AESWRAP:
         case GCRY_CIPHER_MODE_ECB:
         case GCRY_CIPHER_MODE_CBC:
         case GCRY_CIPHER_MODE_CFB:
@@ -459,7 +460,6 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
         case GCRY_CIPHER_MODE_OFB:
         case GCRY_CIPHER_MODE_CTR:
         case GCRY_CIPHER_MODE_CCM:
-        case GCRY_CIPHER_MODE_GCM:
         case GCRY_CIPHER_MODE_XTS:
           return GPG_ERR_NO_ERROR;
         default:
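Review bot: `GCRY_CIPHER_MODE_GCM` is dropped from the approved modes in `_gcry_fips_indicator_cipher` without any comment, so a reader cannot tell whether the omission is intentional or an oversight. Applications that consult the indicator for AES-GCM will now get `GPG_ERR_NOT_SUPPORTED`. I would leave a marker in the list, for example `/* GCRY_CIPHER_MODE_GCM is reported as non-approved, see bsc#1190700. */`, ideally with the reason. The switch starts in the previous hunk and ends outside this one.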
@@ -519,11 +519,25 @@ static const struct
     { NULL, NULL}
   };
 
+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
+{
+  switch (pk_usage)
+    {
+    case GCRY_PK_USAGE_SIGN:
+      return PUBKEY_OP_SIGN;
+    case GCRY_PK_USAGE_ENCR:
+      return PUBKEY_OP_ENCRYPT;
+    default:
+      return PUBKEY_OP_DECRYPT;
+    }
+}
+
 int
 _gcry_fips_indicator_pk (va_list arg_ptr)
 {
   enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
   enum pk_operation oper;
+  unsigned int keylen;
   const char *curve_name;
 
   switch (alg)
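Review bot: `convert_from_pk_usage` is defined without `static` and without a prototype, so it becomes an un-prefixed external symbol of the library; it should be `static enum pk_operation convert_from_pk_usage (unsigned int pk_usage)`. Its `default:` maps every unrecognised usage value, including combinations of usage flags, to `PUBKEY_OP_DECRYPT`. That is safe only because the caller treats decrypt as non-approved. A comment such as `/* Unknown usage: map to an operation the caller rejects. */` would make the fail-closed intent explicit. `_gcry_fips_indicator_pk` continues past the end of this hunk.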
@@ -531,13 +545,17 @@ _gcry_fips_indicator_pk (va_list arg_ptr)
     case GCRY_PK_RSA:
     case GCRY_PK_RSA_E:
     case GCRY_PK_RSA_S:
-      oper = va_arg (arg_ptr, enum pk_operation);
+      oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
       switch (oper)
         {
         case PUBKEY_OP_ENCRYPT:
         case PUBKEY_OP_DECRYPT:
           return GPG_ERR_NOT_SUPPORTED;
         default:
+          keylen = va_arg (arg_ptr, unsigned int);
+          if (keylen < 2048) {
+            return GPG_ERR_NOT_SUPPORTED;
+          }
           return GPG_ERR_NO_ERROR;
         }
     case GCRY_PK_ECC:
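Review bot: The key-length check sits under the inner `default:` label, so any `enum pk_operation` value other than encrypt or decrypt is treated as a signature operation and approved once `keylen >= 2048`. Today `convert_from_pk_usage` only returns sign, encrypt or decrypt, but I would write `case PUBKEY_OP_SIGN:` for the key-length branch and let `default:` return `GPG_ERR_NOT_SUPPORTED`, so a later addition to the enum is not approved by accident. The enclosing function starts and ends outside this hunk.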
@@ -557,6 +575,60 @@ _gcry_fips_indicator_pk (va_list arg_ptr)
     }
 }
 
+int
+_gcry_fips_indicator_hash (va_list arg_ptr)
+{
+  enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
+
+  switch (alg)
+    {
+    case GCRY_MD_SHA1:
+    case GCRY_MD_SHA224:
+    case GCRY_MD_SHA256:
+    case GCRY_MD_SHA384:
+    case GCRY_MD_SHA512:
+    case GCRY_MD_SHA512_224:
+    case GCRY_MD_SHA512_256:
+    case GCRY_MD_SHA3_224:
+    case GCRY_MD_SHA3_256:
+    case GCRY_MD_SHA3_384:
+    case GCRY_MD_SHA3_512:
+      return GPG_ERR_NO_ERROR;
+    default:
+      return GPG_ERR_NOT_SUPPORTED;
+    }
+}
+
+int
+_gcry_fips_indicator_mac (va_list arg_ptr)
+{
+  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+  unsigned int keylen = va_arg (arg_ptr, unsigned int);
+
+  switch (alg)
+    {
+    case GCRY_MAC_HMAC_SHA1:
+    case GCRY_MAC_HMAC_SHA224:
+    case GCRY_MAC_HMAC_SHA256:
+    case GCRY_MAC_HMAC_SHA384:
+    case GCRY_MAC_HMAC_SHA512:
+    case GCRY_MAC_HMAC_SHA512_224:
+    case GCRY_MAC_HMAC_SHA512_256:
+    case GCRY_MAC_HMAC_SHA3_224:
+    case GCRY_MAC_HMAC_SHA3_256:
+    case GCRY_MAC_HMAC_SHA3_384:
+    case GCRY_MAC_HMAC_SHA3_512:
+        if (keylen >= 112) {
+          return GPG_ERR_NO_ERROR;
+        }
+    case GCRY_MAC_CMAC_AES:
+        if (keylen == 128 || keylen == 192 || keylen == 256) {
+          return GPG_ERR_NO_ERROR;
+        }
+    default:
+      return GPG_ERR_NOT_SUPPORTED;
+    }
+}
 
 /* This is a test on whether the library is in the error or
    operational state. */
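Review bot: `_gcry_fips_indicator_mac` reads `keylen` with `va_arg` before it looks at `alg`, although the documentation added in this patch marks that argument as optional. A caller that queries an algorithm without passing a key length makes `va_arg` read a non-existent argument, which is undefined behaviour. The HMAC case also reaches the CMAC check and then `default:` by unannotated fall-through when the key is too short, which gives the right answer today but is easy to break when a case is added. I would read `keylen` only in the branches that use it and return explicitly from each, as below. A comment stating that `keylen` is in bits would help too, since the thresholds suggest it but the code does not say so.

```c
int
_gcry_fips_indicator_mac (va_list arg_ptr)
{
  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
  unsigned int keylen;

  switch (alg)
    {
    /* … unchanged: GCRY_MAC_HMAC_* case labels … */
      keylen = va_arg (arg_ptr, unsigned int);
      if (keylen >= 112)
        return GPG_ERR_NO_ERROR;
      return GPG_ERR_NOT_SUPPORTED;
    case GCRY_MAC_CMAC_AES:
      keylen = va_arg (arg_ptr, unsigned int);
      if (keylen == 128 || keylen == 192 || keylen == 256)
        return GPG_ERR_NO_ERROR;
      return GPG_ERR_NOT_SUPPORTED;
    default:
      return GPG_ERR_NOT_SUPPORTED;
    }
}
```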
diff --git a/src/g10lib.h b/src/g10lib.h
index 9fc868b..92c24a5 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -488,7 +488,9 @@ void _gcry_fips_signal_error (const char *srcfile,
 #endif
 
 int _gcry_fips_indicator_cipher (va_list arg_ptr);
+int _gcry_fips_indicator_hash (va_list arg_ptr);
 int _gcry_fips_indicator_kdf (va_list arg_ptr);
+int _gcry_fips_indicator_mac (va_list arg_ptr);
 int _gcry_fips_indicator_pk (va_list arg_ptr);
 
 int _gcry_fips_is_operational (void);
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 7704d17..344f879 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -337,7 +337,9 @@ enum gcry_ctl_cmds
     GCRYCTL_SET_ALLOW_WEAK_KEY = 79,
     GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
     GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 83
+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 83,
+    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 84,
+    GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85
   };
 
 /* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index c01b424..03756ea 100644
--- a/src/global.c
+++ b/src/global.c
@@ -762,12 +762,24 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
       rc = _gcry_fips_indicator_cipher (arg_ptr);
       break;
 
+    case GCRYCTL_FIPS_SERVICE_INDICATOR_HASH:
+      /* Get FIPS Service Indicator for a given HASH. Returns GPG_ERR_NO_ERROR
+       * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
+      rc = _gcry_fips_indicator_hash (arg_ptr);
+      break;
+
     case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
       /* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
        * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
       rc = _gcry_fips_indicator_kdf (arg_ptr);
       break;
 
+    case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+      /* Get FIPS Service Indicator for a given HMAC. Returns GPG_ERR_NO_ERROR
+       * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
+      rc = _gcry_fips_indicator_mac (arg_ptr);
+      break;
+
     case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
       /* Get FIPS Service Indicator for a given asymmetric algorithm. For
        * GCRY_PK_RSA, an additional parameter for the operation mode is
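Review bot: The comment on the `GCRYCTL_FIPS_SERVICE_INDICATOR_PK` case still describes a single operation-mode parameter for RSA, but the same patch changes `_gcry_fips_indicator_pk` to take a usage constant followed by a key length. It should read along the lines of `For GCRY_PK_RSA, two additional parameters are required: the usage (GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN) and the key length.` The new MAC case comment says "HMAC" although the handler also covers `GCRY_MAC_CMAC_AES`, and it omits the key-length argument. The PK case continues outside this hunk.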

++++++ random.conf ++++++
--- /var/tmp/diff_new_pack.SWckUY/_old  2022-09-07 11:05:12.436280040 +0200
+++ /var/tmp/diff_new_pack.SWckUY/_new  2022-09-07 11:05:12.440280049 +0200
@@ -6,5 +6,5 @@
 # only-urandom
 
 # Disable the use of the jitter based entropy generator.
-disable-jent
+# disable-jent
 
