Tree - rpms/libgcrypt - CentOS Git server

rpms / libgcrypt

Blame SOURCES/libgcrypt-1.10.0-fips-disable-oaep.patch

Blob History Raw

		7682e8	`From 34d8fc576b3a06dd205f45327a971eb6771e808c Mon Sep 17 00:00:00 2001`
		7682e8	`From: Jakub Jelen <jjelen@redhat.com>`
		7682e8	`Date: Wed, 17 Aug 2022 09:01:44 +0200`
		7682e8	`Subject: [PATCH 1/2] Disable RSA-OAEP padding in FIPS mode`
		7682e8
		7682e8	`* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block OAEP padding`
		7682e8	`in FIPS mode for encryption`
		7682e8	`* cipher/rsa.c (rsa_decrypt): Block OAEP padding in FIPS mode for`
		7682e8	`decryption`
		7682e8	`---`
		7682e8
		7682e8	`Signed-off-by: Jakub Jelen <jjelen@redhat.com>`
		7682e8	`---`
		7682e8	`cipher/pubkey-util.c \| 5 ++++-`
		7682e8	`cipher/rsa.c \| 3 ++-`
		7682e8	`2 files changed, 6 insertions(+), 2 deletions(-)`
		7682e8
		7682e8	`diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c`
		7682e8	`index 4953caf3..244dd5d4 100644`
		7682e8	`--- a/cipher/pubkey-util.c`
		7682e8	`+++ b/cipher/pubkey-util.c`
		7682e8	`@@ -1092,7 +1092,10 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,`
		7682e8	`const void * value;`
		7682e8	`size_t valuelen;`
		7682e8
		7682e8	`- if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) \|\| !valuelen )`
		7682e8	`+ /* The RSA OAEP encryption requires some more assurances in FIPS */`
		7682e8	`+ if (fips_mode ())`
		7682e8	`+ rc = GPG_ERR_INV_FLAG;`
		7682e8	`+ else if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) \|\| !valuelen )`
		7682e8	`rc = GPG_ERR_INV_OBJ;`
		7682e8	`else`
		7682e8	`{`
		7682e8	`diff --git a/cipher/rsa.c b/cipher/rsa.c`
		7682e8	`index 96dba090..87f57b55 100644`
		7682e8	`--- a/cipher/rsa.c`
		7682e8	`+++ b/cipher/rsa.c`
		7682e8	`@@ -1457,7 +1457,8 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)`
		7682e8	`rc = GPG_ERR_INV_DATA;`
		7682e8	`goto leave;`
		7682e8	`}`
		7682e8	`- if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1))`
		7682e8	`+ if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1 \|\|`
		7682e8	`+ ctx.encoding == PUBKEY_ENC_OAEP))`
		7682e8	`{`
		7682e8	`rc = GPG_ERR_INV_FLAG;`
		7682e8	`goto leave;`
		7682e8	`--`
		7682e8	`2.37.1`
		7682e8
		7682e8
		7682e8	`From c6d64e697c2748a49e875060aa753fc568c5f772 Mon Sep 17 00:00:00 2001`
		7682e8	`From: Jakub Jelen <jjelen@redhat.com>`
		7682e8	`Date: Wed, 17 Aug 2022 10:31:19 +0200`
		7682e8	`Subject: [PATCH 2/2] tests: Expect the OEAP tests to fail in FIPS mode`
		7682e8
		7682e8	`* tests/basic.c (check_pubkey_crypt): Expect the OAEP padding encryption`
		7682e8	`to fail in FIPS mode`
		7682e8	`* tests/pkcs1v2.c (check_oaep): Expect the OAEP tests to fail in FIPS`
		7682e8	`mode`
		7682e8	`---`
		7682e8
		7682e8	`Signed-off-by: Jakub Jelen <jjelen@redhat.com>`
		7682e8	`---`
		7682e8	`tests/basic.c \| 14 +++++++++-----`
		7682e8	`tests/pkcs1v2.c \| 13 +++++++++++++`
		7682e8	`2 files changed, 22 insertions(+), 5 deletions(-)`
		7682e8
		7682e8	`diff --git a/tests/basic.c b/tests/basic.c`
		7682e8	`index 26980e15..b4102c9f 100644`
		7682e8	`--- a/tests/basic.c`
		7682e8	`+++ b/tests/basic.c`
		7682e8	`@@ -16892,21 +16892,24 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,`
		7682e8	`"(flags oaep)",`
		7682e8	`1,`
		7682e8	`0,`
		7682e8	`- 0 },`
		7682e8	`+ 0,`
		7682e8	`+ FLAG_NOFIPS },`
		7682e8	`{ GCRY_PK_RSA,`
		7682e8	`"(data\n (flags oaep)\n (hash-algo sha1)\n"`
		7682e8	`" (value #11223344556677889900AA#))\n",`
		7682e8	`"(flags oaep)(hash-algo sha1)",`
		7682e8	`1,`
		7682e8	`0,`
		7682e8	`- 0 },`
		7682e8	`+ 0,`
		7682e8	`+ FLAG_NOFIPS },`
		7682e8	`{ GCRY_PK_RSA,`
		7682e8	`"(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n"`
		7682e8	`" (value #11223344556677889900AA#))\n",`
		7682e8	`"(flags oaep)(hash-algo sha1)(label \"test\")",`
		7682e8	`1,`
		7682e8	`0,`
		7682e8	`- 0 },`
		7682e8	`+ 0,`
		7682e8	`+ FLAG_NOFIPS },`
		7682e8	`{ GCRY_PK_RSA,`
		7682e8	`"(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n"`
		7682e8	`" (value #11223344556677889900AA#)\n"`
		7682e8	`@@ -16914,7 +16917,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,`
		7682e8	`"(flags oaep)(hash-algo sha1)(label \"test\")",`
		7682e8	`1,`
		7682e8	`0,`
		7682e8	`- 0 },`
		7682e8	`+ 0,`
		7682e8	`+ FLAG_NOFIPS },`
		7682e8	`{ 0,`
		7682e8	`"(data\n (flags )\n" " (value #11223344556677889900AA#))\n",`
		7682e8	`NULL,`
		7682e8	`@@ -16960,7 +16964,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,`
		7682e8	`"(flags pkcs1)",`
		7682e8	`1,`
		7682e8	`0,`
		7682e8	`- GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL },`
		7682e8	`+ GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL \| FLAG_NOFIPS },`
		7682e8	`{ 0,`
		7682e8	`"(data\n (flags pss)\n"`
		7682e8	`" (value #11223344556677889900AA#))\n",`
		7682e8	`diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c`
		7682e8	`index 6c7f3d81..2fd495d5 100644`
		7682e8	`--- a/tests/pkcs1v2.c`
		7682e8	`+++ b/tests/pkcs1v2.c`
		7682e8	`@@ -186,11 +186,24 @@ check_oaep (void)`
		7682e8	`err = gcry_pk_encrypt (&ciph, plain, pub_key);`
		7682e8	`if (err)`
		7682e8	`{`
		7682e8	`+ if (in_fips_mode)`
		7682e8	`+ {`
		7682e8	`+ gcry_sexp_release (plain);`
		7682e8	`+ plain = NULL;`
		7682e8	`+ continue;`
		7682e8	`+ }`
		7682e8	`show_sexp ("plain:\n", ciph);`
		7682e8	`fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));`
		7682e8	`}`
		7682e8	`else`
		7682e8	`{`
		7682e8	`+ if (in_fips_mode)`
		7682e8	`+ {`
		7682e8	`+ fail ("The OAEP encryption unexpectedly worked in FIPS mode\n");`
		7682e8	`+ gcry_sexp_release (plain);`
		7682e8	`+ plain = NULL;`
		7682e8	`+ continue;`
		7682e8	`+ }`
		7682e8	`if (extract_cmp_data (ciph, "a", tbl[tno].m[mno].encr,`
		7682e8	`tbl[tno].m[mno].desc))`
		7682e8	`{`
		7682e8	`--`
		7682e8	`2.37.1`
		7682e8

rpms / libgcrypt

Source Code

Blame SOURCES/libgcrypt-1.10.0-fips-disable-oaep.patch