Hello community,

here is the log from the commit of package libgcrypt for openSUSE:Factory 
checked in at 2023-04-14 13:12:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
 and      /work/SRC/openSUSE:Factory/.libgcrypt.new.19717 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libgcrypt"

Fri Apr 14 13:12:01 2023 rev:96 rq:1078615 version:1.10.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes      2023-03-12 
16:22:14.580235539 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.19717/libgcrypt.changes   
2023-04-14 13:12:03.075211508 +0200
@@ -1,0 +2,43 @@
+Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Update to 1.10.2:
+  * Bug fixes:
+    - Fix Argon2 for the case output > 64. [rC13b5454d26]
+    - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
+    - Fix RSA key generation failure in forced FIPS mode. [T5919]
+    - Fix gcry_pk_hash_verify for explicit hash. [T6066]
+    - Fix a wrong result of gcry_mpi_invm. [T5970]
+    - Allow building with --disable-asm for HPPA. [T5976]
+    - Allow building with -Oz. [T6432]
+    - Enable the fast path to ChaCha20 only when supported. [T6384]
+    - Use size_t to avoid counter overflow in Keccak when directly
+      feeding more than 4GiB. [T6217]
+  * Other:
+    - Do not use secure memory for a DRBG instance. [T5933]
+    - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
+    - Fix the behaviour for child process re-seeding in the DRBG. 
[rC019a40c990]
+    - Allow verification of small RSA signatures in FIPS mode. [T5975]
+    - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
+    - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
+    - Add function-name based FIPS indicator function.
+      GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
+      an ABI changes because the new FIPS features were not yet
+      approved. [rC822ee57f07]
+    - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
+    - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
+    - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
+    - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
+    - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
+    - Prefer gpgrt-config when available. [T5034]
+    - Mark AESWRAP as approved FIPS algorithm. [T5512]
+    - Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
+    - Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
+    - Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
+    - Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
+  * Release-info: https://dev.gnupg.org/T5905
+  * Rebase FIPS patches:
+    - libgcrypt-FIPS-SLI-hash-mac.patch
+    - libgcrypt-FIPS-SLI-kdf-leylength.patch
+    - libgcrypt-FIPS-SLI-pk.patch
+
+-------------------------------------------------------------------

Old:
----
  libgcrypt-1.10.1.tar.bz2
  libgcrypt-1.10.1.tar.bz2.sig

New:
----
  libgcrypt-1.10.2.tar.bz2
  libgcrypt-1.10.2.tar.bz2.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libgcrypt.spec ++++++
--- /var/tmp/diff_new_pack.AHOGvs/_old  2023-04-14 13:12:03.835215854 +0200
+++ /var/tmp/diff_new_pack.AHOGvs/_new  2023-04-14 13:12:03.839215877 +0200
@@ -21,7 +21,7 @@
 %define libsoname %{name}%{libsover}
 %define hmac_key orboDeJITITejsirpADONivirpUkvarP
 Name:           libgcrypt
-Version:        1.10.1
+Version:        1.10.2
 Release:        0
 Summary:        The GNU Crypto Library
 License:        GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -36,20 +36,21 @@
 Source5:        libgcrypt.keyring
 Source99:       libgcrypt.changes
 Patch1:         libgcrypt-1.10.0-allow_FSM_same_state.patch
-#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
-Patch2:         libgcrypt-FIPS-SLI-pk.patch
-#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
-Patch3:         libgcrypt-FIPS-SLI-hash-mac.patch
-#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
-Patch4:         libgcrypt-FIPS-SLI-kdf-leylength.patch
 #PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode 
while typing Tab key to Auto-Completion
-Patch5:         libgcrypt-1.10.0-out-of-core-handler.patch
-#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use 
jitterentropy
-Patch6:         libgcrypt-jitterentropy-3.4.0.patch
+Patch2:         libgcrypt-1.10.0-out-of-core-handler.patch
+# FIPS patches:
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
+Patch100:       libgcrypt-FIPS-SLI-pk.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
+Patch101:       libgcrypt-FIPS-SLI-kdf-leylength.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
+Patch102:       libgcrypt-FIPS-SLI-hash-mac.patch
+#PATCH-FIX-SUSE bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use 
jitterentropy
+Patch103:       libgcrypt-jitterentropy-3.4.0.patch
 #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
-Patch7:         libgcrypt-FIPS-rndjent_poll.patch
+Patch104:       libgcrypt-FIPS-rndjent_poll.patch
 #PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
-Patch8:         libgcrypt-1.10.0-use-fipscheck.patch
+Patch105:       libgcrypt-1.10.0-use-fipscheck.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  libgpg-error-devel >= 1.27
 BuildRequires:  libtool
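
Review bot: The tags on libgcrypt-FIPS-SLI-pk.patch and libgcrypt-jitterentropy-3.4.0.patch change from PATCH-FIX-UPSTREAM to PATCH-FIX-SUSE in this hunk, and the FIPS patches are renumbered to Patch100-Patch105 and reordered, but the .changes entry only says "Rebase FIPS patches". Please record the retagging and renumbering in the changelog, with the reason the two patches are no longer considered upstream fixes. The file name libgcrypt-FIPS-SLI-kdf-leylength.patch also still carries the "leylength" typo; a rebase is a convenient point to rename it.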

++++++ libgcrypt-1.10.1.tar.bz2 -> libgcrypt-1.10.2.tar.bz2 ++++++
++++ 6790 lines of diff (skipped)

++++++ libgcrypt-FIPS-SLI-hash-mac.patch ++++++
--- /var/tmp/diff_new_pack.AHOGvs/_old  2023-04-14 13:12:05.887227589 +0200
+++ /var/tmp/diff_new_pack.AHOGvs/_new  2023-04-14 13:12:05.911227726 +0200
@@ -1,126 +1,73 @@
-Index: libgcrypt-1.10.0/doc/gcrypt.texi
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.10.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.0/doc/gcrypt.texi
-@@ -980,23 +980,39 @@ is approved under the current FIPS 140-3
- combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
++++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -985,13 +985,21 @@ certification. If the function is approv
+ @code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
  Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
  
+-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
 +@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
-+
+ 
+-Check if the given MAC is approved under the current FIPS 140-3
+-certification. If the MAC is approved, this function returns
+-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
 +Check if the given HASH is approved under the current FIPS 140-3
 +certification. If the HASH is approved, this function returns
 +@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-+is returned.
-+
+ is returned.
+ 
 +@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, 
unsigned int]
 +
 +Check if the given MAC is approved under the current FIPS 140-3
 +certification. The second parameter provides the keylen (if the
 +algorithm supports different key sizes). If the MAC is approved,
-+this function returns @code{GPS_ERR_NO_ERROR}. Otherwise 
@code{GPG_ERR_NOT_SUPPORTED}
-+is returned.
++this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
++@code{GPG_ERR_NOT_SUPPORTED} is returned.
 +
- @item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
- 
- Check if the given KDF is approved under the current FIPS 140-3
--certification. If the KDF is approved, this function returns
--@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
--is returned.
-+certification. If the KDF is approved, this function returns 
@code{GPG_ERR_NO_ERROR}.
-+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
- 
- @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
--[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
--GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
-+[, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for 
GCRY_PK_RSA)]
-+[, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
- 
- Check if the given asymmetric cipher is approved under the current FIPS
--140-3 certification. For GCRY_PK_RSA, an additional parameter for the
--operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
--GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
--name or its alias as @code{const char *}. If the combination is
--approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
-+140-3 certification. For GCRY_PK_RSA, two additional parameter are required:
-+first describes the purpose of the algorithm through one of the constants
-+(GCRY_PK_USAGE_ENCR for encryption or decryption operations; 
GCRY_PK_USAGE_SIGN for
-+sign or verify operations).
-+Second one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and GCRY_PK_ECDSA,
-+only a single parameter is needed: the curve name or its alias as @code{const 
char *}.
-+If the combination is approved, this function returns 
@code{GPG_ERR_NO_ERROR}. Otherwise
- @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
  
- @end table
-Index: libgcrypt-1.10.0/src/fips.c
+ Check if the given message digest algorithm is approved under the current
+Index: libgcrypt-1.10.2/src/fips.c
 ===================================================================
---- libgcrypt-1.10.0.orig/src/fips.c
-+++ libgcrypt-1.10.0/src/fips.c
-@@ -357,6 +357,7 @@ _gcry_fips_indicator_cipher (va_list arg
-       mode = va_arg (arg_ptr, enum gcry_cipher_modes);
-       switch (mode)
-         {
-+        case GCRY_CIPHER_MODE_AESWRAP:
-         case GCRY_CIPHER_MODE_ECB:
-         case GCRY_CIPHER_MODE_CBC:
-         case GCRY_CIPHER_MODE_CFB:
-@@ -364,7 +365,6 @@ _gcry_fips_indicator_cipher (va_list arg
-         case GCRY_CIPHER_MODE_OFB:
-         case GCRY_CIPHER_MODE_CTR:
-         case GCRY_CIPHER_MODE_CCM:
--        case GCRY_CIPHER_MODE_GCM:
-         case GCRY_CIPHER_MODE_XTS:
-           return GPG_ERR_NO_ERROR;
-         default:
-@@ -422,11 +422,25 @@ static const struct
-     { NULL, NULL}
-   };
- 
-+enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
-+{
-+  switch (pk_usage)
-+    {
-+    case GCRY_PK_USAGE_SIGN:
-+      return PUBKEY_OP_SIGN;
-+    case GCRY_PK_USAGE_ENCR:
-+      return PUBKEY_OP_ENCRYPT;
-+    default:
-+      return PUBKEY_OP_DECRYPT;
-+    }
-+}
-+
- int
- _gcry_fips_indicator_pk (va_list arg_ptr)
- {
-   enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
-   enum pk_operation oper;
-+  unsigned int keylen;
-   const char *curve_name;
- 
-   switch (alg)
-@@ -434,13 +448,17 @@ _gcry_fips_indicator_pk (va_list arg_ptr
-     case GCRY_PK_RSA:
-     case GCRY_PK_RSA_E:
-     case GCRY_PK_RSA_S:
--      oper = va_arg (arg_ptr, enum pk_operation);
-+      oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
-       switch (oper)
-         {
-         case PUBKEY_OP_ENCRYPT:
-         case PUBKEY_OP_DECRYPT:
-           return GPG_ERR_NOT_SUPPORTED;
-         default:
-+          keylen = va_arg (arg_ptr, unsigned int);
-+          if (keylen < 2048) {
-+            return GPG_ERR_NOT_SUPPORTED;
-+          }
-           return GPG_ERR_NO_ERROR;
-         }
-     case GCRY_PK_ECC:
-@@ -460,6 +478,62 @@ _gcry_fips_indicator_pk (va_list arg_ptr
+--- libgcrypt-1.10.2.orig/src/fips.c
++++ libgcrypt-1.10.2/src/fips.c
+@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
      }
  }
  
+-int
+-_gcry_fips_indicator_mac (va_list arg_ptr)
+-{
+-  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+-
+-  switch (alg)
+-    {
+-    case GCRY_MAC_CMAC_AES:
+-    case GCRY_MAC_HMAC_SHA1:
+-    case GCRY_MAC_HMAC_SHA224:
+-    case GCRY_MAC_HMAC_SHA256:
+-    case GCRY_MAC_HMAC_SHA384:
+-    case GCRY_MAC_HMAC_SHA512:
+-    case GCRY_MAC_HMAC_SHA512_224:
+-    case GCRY_MAC_HMAC_SHA512_256:
+-    case GCRY_MAC_HMAC_SHA3_224:
+-    case GCRY_MAC_HMAC_SHA3_256:
+-    case GCRY_MAC_HMAC_SHA3_384:
+-    case GCRY_MAC_HMAC_SHA3_512:
+-      return GPG_ERR_NO_ERROR;
+-    default:
+-      return GPG_ERR_NOT_SUPPORTED;
+-    }
+-}
+-
+ /* FIPS approved curves, extracted from:
+  *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
+ static const struct
+@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a
+   return GPG_ERR_NOT_SUPPORTED;
+ }
+ 
 +int
 +_gcry_fips_indicator_hash (va_list arg_ptr)
 +{
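
Review bot: The texinfo carried by this rebased patch still spells the success code as GPS_ERR_NO_ERROR in both the HASH item and the MAC item ("this function returns @code{GPS_ERR_NO_ERROR}"), while the surrounding items use GPG_ERR_NO_ERROR. The MAC paragraph is being re-wrapped here anyway, so correct both occurrences so the documented return value matches the constant the indicator functions return.
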
@@ -180,40 +127,37 @@
  
  /* This is a test on whether the library is in the error or
     operational state. */
-Index: libgcrypt-1.10.0/src/g10lib.h
+Index: libgcrypt-1.10.2/src/g10lib.h
 ===================================================================
---- libgcrypt-1.10.0.orig/src/g10lib.h
-+++ libgcrypt-1.10.0/src/g10lib.h
-@@ -456,7 +456,9 @@ void _gcry_fips_signal_error (const char
+--- libgcrypt-1.10.2.orig/src/g10lib.h
++++ libgcrypt-1.10.2/src/g10lib.h
+@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char
  #endif
  
  int _gcry_fips_indicator_cipher (va_list arg_ptr);
 +int _gcry_fips_indicator_hash (va_list arg_ptr);
+ int _gcry_fips_indicator_mac (va_list arg_ptr);
+ int _gcry_fips_indicator_md (va_list arg_ptr);
  int _gcry_fips_indicator_kdf (va_list arg_ptr);
-+int _gcry_fips_indicator_mac (va_list arg_ptr);
- int _gcry_fips_indicator_pk (va_list arg_ptr);
- 
- int _gcry_fips_is_operational (void);
-Index: libgcrypt-1.10.0/src/gcrypt.h.in
+Index: libgcrypt-1.10.2/src/gcrypt.h.in
 ===================================================================
---- libgcrypt-1.10.0.orig/src/gcrypt.h.in
-+++ libgcrypt-1.10.0/src/gcrypt.h.in
-@@ -331,7 +331,9 @@ enum gcry_ctl_cmds
-     GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
-     GCRYCTL_NO_FIPS_MODE = 83,
--      GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 85,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 86
+--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
++++ libgcrypt-1.10.2/src/gcrypt.h.in
+@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89
    };
  
  /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.10.0/src/global.c
+Index: libgcrypt-1.10.2/src/global.c
 ===================================================================
---- libgcrypt-1.10.0.orig/src/global.c
-+++ libgcrypt-1.10.0/src/global.c
-@@ -791,12 +791,24 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+--- libgcrypt-1.10.2.orig/src/global.c
++++ libgcrypt-1.10.2/src/global.c
+@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
        rc = _gcry_fips_indicator_cipher (arg_ptr);
        break;
  
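
Review bot: In gcrypt.h.in the patch now appends GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89 to an enum that already contains GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, and g10lib.h declares _gcry_fips_indicator_hash directly above _gcry_fips_indicator_md; both controls are documented as taking enum gcry_md_algos. Two indicators for the same question can drift apart, so either route the downstream HASH control to the MD indicator or document why both are kept. The value of HASH also changes from 85 to 89 with this rebase, and 85 is now MAC, which deserves a line in the changelog.
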
@@ -223,19 +167,7 @@
 +      rc = _gcry_fips_indicator_hash (arg_ptr);
 +      break;
 +
-     case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
-       /* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
-        * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
-       rc = _gcry_fips_indicator_kdf (arg_ptr);
-       break;
- 
-+    case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
-+      /* Get FIPS Service Indicator for a given HMAC. Returns GPG_ERR_NO_ERROR
-+       * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
-+      rc = _gcry_fips_indicator_mac (arg_ptr);
-+      break;
-+
-     case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
-       /* Get FIPS Service Indicator for a given asymmetric algorithm. For
-        * GCRY_PK_RSA, an additional parameter for the operation mode is
+     case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+       /* Get FIPS Service Indicator for a given message authentication code.
+        * Returns GPG_ERR_NO_ERROR if algorithm is allowed or
 

++++++ libgcrypt-FIPS-SLI-kdf-leylength.patch ++++++
--- /var/tmp/diff_new_pack.AHOGvs/_old  2023-04-14 13:12:06.055228550 +0200
+++ /var/tmp/diff_new_pack.AHOGvs/_new  2023-04-14 13:12:06.091228756 +0200
@@ -1,8 +1,8 @@
-Index: libgcrypt-1.10.0/src/fips.c
+Index: libgcrypt-1.10.2/src/fips.c
 ===================================================================
---- libgcrypt-1.10.0.orig/src/fips.c
-+++ libgcrypt-1.10.0/src/fips.c
-@@ -379,10 +379,15 @@ int
+--- libgcrypt-1.10.2.orig/src/fips.c
++++ libgcrypt-1.10.2/src/fips.c
+@@ -520,10 +520,15 @@ int
  _gcry_fips_indicator_kdf (va_list arg_ptr)
  {
    enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
@@ -18,23 +18,26 @@
        return GPG_ERR_NO_ERROR;
      default:
        return GPG_ERR_NOT_SUPPORTED;
-Index: libgcrypt-1.10.0/doc/gcrypt.texi
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.10.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.0/doc/gcrypt.texi
-@@ -995,10 +995,12 @@ algorithm supports different key sizes).
- this function returns @code{GPS_ERR_NO_ERROR}. Otherwise 
@code{GPG_ERR_NOT_SUPPORTED}
- is returned.
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
++++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
+ combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+ Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
  
 -@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
 +@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, 
unsigned int]
  
  Check if the given KDF is approved under the current FIPS 140-3
--certification. If the KDF is approved, this function returns 
@code{GPG_ERR_NO_ERROR}.
+-certification. If the KDF is approved, this function returns
+-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+-is returned.
 +certification. The second parameter provides the keylength in bits.
 +Keylength values of less that 112 bits are considered non-approved.
 +If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
- Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
++Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ 
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
  
- @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
 
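
Review bot: The KDF item documents the key length as optional ("enum gcry_kdf_algos [, unsigned int]") while the paragraph below it says the second parameter provides the keylength. The handler receives a va_list and cannot tell whether a second argument was actually passed, so the documentation should state that the argument is required. In the same paragraph, "less that 112 bits" should read "less than 112 bits".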

++++++ libgcrypt-FIPS-SLI-pk.patch ++++++
--- /var/tmp/diff_new_pack.AHOGvs/_old  2023-04-14 13:12:06.243229625 +0200
+++ /var/tmp/diff_new_pack.AHOGvs/_new  2023-04-14 13:12:06.279229831 +0200
@@ -1,8 +1,8 @@
-Index: libgcrypt-1.10.0/src/fips.c
+Index: libgcrypt-1.10.2/src/fips.c
 ===================================================================
---- libgcrypt-1.10.0.orig/src/fips.c
-+++ libgcrypt-1.10.0/src/fips.c
-@@ -36,6 +36,7 @@
+--- libgcrypt-1.10.2.orig/src/fips.c
++++ libgcrypt-1.10.2/src/fips.c
+@@ -38,6 +38,7 @@
  
  #include "g10lib.h"
  #include "cipher-proto.h"
@@ -10,7 +10,7 @@
  #include "../random/random.h"
  
  /* The states of the finite state machine used in fips mode.  */
-@@ -386,6 +387,77 @@ _gcry_fips_indicator_kdf (va_list arg_pt
+@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
      default:
        return GPG_ERR_NOT_SUPPORTED;
      }
@@ -49,11 +49,25 @@
 +    { NULL, NULL}
 +  };
 +
++enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
++{
++  switch (pk_usage)
++    {
++    case GCRY_PK_USAGE_SIGN:
++      return PUBKEY_OP_SIGN;
++    case GCRY_PK_USAGE_ENCR:
++      return PUBKEY_OP_ENCRYPT;
++    default:
++      return PUBKEY_OP_DECRYPT;
++    }
++}
++
 +int
 +_gcry_fips_indicator_pk (va_list arg_ptr)
 +{
 +  enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
 +  enum pk_operation oper;
++  unsigned int keylen;
 +  const char *curve_name;
 +
 +  switch (alg)
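
Review bot: convert_from_pk_usage is added to fips.c without "static" and without the _gcry_ prefix used by the neighbouring _gcry_fips_indicator_pk, so it gets external linkage under a generic name. The g10lib.h part of this patch adds a prototype only for _gcry_fips_indicator_pk, so the helper looks file-local and should be declared static. Putting its return type on its own line would also match the definition style of _gcry_fips_indicator_pk just below.
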
@@ -61,13 +75,16 @@
 +    case GCRY_PK_RSA:
 +    case GCRY_PK_RSA_E:
 +    case GCRY_PK_RSA_S:
-+      oper = va_arg (arg_ptr, enum pk_operation);
++      oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
 +      switch (oper)
 +        {
 +        case PUBKEY_OP_ENCRYPT:
 +        case PUBKEY_OP_DECRYPT:
 +          return GPG_ERR_NOT_SUPPORTED;
 +        default:
++          keylen = va_arg (arg_ptr, unsigned int);
++          if (keylen < 2048)
++            return GPG_ERR_NOT_SUPPORTED;
 +          return GPG_ERR_NO_ERROR;
 +        }
 +    case GCRY_PK_ECC:
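
Review bot: The RSA key-length check sits under "default:" of the switch on oper, so the approved path is whatever is not PUBKEY_OP_ENCRYPT or PUBKEY_OP_DECRYPT. That is safe today because convert_from_pk_usage only returns three values, but an indicator is better written as an allow-list: name the approved operation explicitly ("case PUBKEY_OP_SIGN:") with the keylen < 2048 check, and let "default:" return GPG_ERR_NOT_SUPPORTED so the function fails closed if the set of operations grows.
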
@@ -87,62 +104,63 @@
 +    }
  }
  
- 
-Index: libgcrypt-1.10.0/src/gcrypt.h.in
+ int
+Index: libgcrypt-1.10.2/src/gcrypt.h.in
 ===================================================================
---- libgcrypt-1.10.0.orig/src/gcrypt.h.in
-+++ libgcrypt-1.10.0/src/gcrypt.h.in
-@@ -330,7 +330,8 @@ enum gcry_ctl_cmds
-     GCRYCTL_SET_DECRYPTION_TAG = 80,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
--    GCRYCTL_NO_FIPS_MODE = 83
-+    GCRYCTL_NO_FIPS_MODE = 83,
-+      GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 84
+--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
++++ libgcrypt-1.10.2/src/gcrypt.h.in
+@@ -334,7 +334,8 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
    };
  
  /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.10.0/doc/gcrypt.texi
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.10.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.0/doc/gcrypt.texi
-@@ -987,6 +987,18 @@ certification. If the KDF is approved, t
- @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
- is returned.
- 
-+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos
-+[, enum pk_operation (only for GCRY_PK_RSA)] [, const char * (only for
-+GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
-+
-+Check if the given asymmetric cipher is approved under the current FIPS
-+140-3 certification. For GCRY_PK_RSA, an additional parameter for the
-+operation mode @code{enum pk_operation} is required. For GCRY_PK_ECC,
-+GCRY_PK_ECDH and GCRY_PK_ECDSA, the additional parameter is the curve
-+name or its alias as @code{const char *}. If the combination is
-+approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
++++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -997,6 +997,19 @@ Check if the given message digest algori
+ FIPS 140-3 certification. If the algorithm is approved, this function returns
+ @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ 
++@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, 
constantsGCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for 
GCRY_PK_RSA)] [, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or 
GCRY_PK_ECDSA)]
++
++Check if the given asymmetric cipher is approved under the current
++FIPS 140-3 certification. For GCRY_PK_RSA, two additional parameter
++are required: first describes the purpose of the algorithm through one
++of the constants (GCRY_PK_USAGE_ENCR for encryption or decryption
++operations; GCRY_PK_USAGE_SIGN for sign or verify operations). Second
++one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and
++GCRY_PK_ECDSA, only a single parameter is needed: the curve name or
++its alias as @code{const char *}. If the combination is approved, this
++function returns @code{GPG_ERR_NO_ERROR}. Otherwise
 +@code{GPG_ERR_NOT_SUPPORTED} is returned.
 +
- @end table
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
  
- @end deftypefun
-Index: libgcrypt-1.10.0/src/g10lib.h
+ Check if the given public key operation flag or s-expression object name is
+Index: libgcrypt-1.10.2/src/g10lib.h
 ===================================================================
---- libgcrypt-1.10.0.orig/src/g10lib.h
-+++ libgcrypt-1.10.0/src/g10lib.h
-@@ -457,6 +457,7 @@ void _gcry_fips_signal_error (const char
- 
- int _gcry_fips_indicator_cipher (va_list arg_ptr);
+--- libgcrypt-1.10.2.orig/src/g10lib.h
++++ libgcrypt-1.10.2/src/g10lib.h
+@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar
+ int _gcry_fips_indicator_md (va_list arg_ptr);
  int _gcry_fips_indicator_kdf (va_list arg_ptr);
+ int _gcry_fips_indicator_function (va_list arg_ptr);
 +int _gcry_fips_indicator_pk (va_list arg_ptr);
+ int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
  
  int _gcry_fips_is_operational (void);
- 
-Index: libgcrypt-1.10.0/src/global.c
+Index: libgcrypt-1.10.2/src/global.c
 ===================================================================
---- libgcrypt-1.10.0.orig/src/global.c
-+++ libgcrypt-1.10.0/src/global.c
-@@ -797,6 +797,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
-       rc = _gcry_fips_indicator_kdf (arg_ptr);
+--- libgcrypt-1.10.2.orig/src/global.c
++++ libgcrypt-1.10.2/src/global.c
+@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+       rc = _gcry_fips_indicator_pk_flags (arg_ptr);
        break;
  
 +    case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
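
Review bot: GCRYCTL_FIPS_SERVICE_INDICATOR_PK moves from 84 to 88 in gcrypt.h.in, and 84 is now GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, which this diff documents as taking a const char *. A consumer built against the previous header that passes 84 with an enum gcry_pk_algos argument would land in a different indicator with a different argument type, so the changelog should call out the renumbering and the need to rebuild callers of the downstream PK indicator. Separately, the new texinfo item reads "constantsGCRY_PK_USAGE_ENCR"; a space is missing after "constants".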
