File libgcrypt-fips_pss.patch of Package libgcrypt
Index: libgcrypt-1.6.1/tests/fipsdrv.c
===================================================================
--- libgcrypt-1.6.1.orig/tests/fipsdrv.c 2015-05-07 14:55:35.795474991 +0200
+++ libgcrypt-1.6.1/tests/fipsdrv.c 2015-05-21 20:20:33.307842361 +0200
@@ -1595,7 +1595,7 @@ run_rsa_gen (int keysize, int pubexp)
encoded KEYFILE and the hash algorithm HASHALGO. */
static void
run_rsa_sign (const void *data, size_t datalen,
- int hashalgo, int pkcs1, const char *keyfile)
+ int hashalgo, int pkcs1, int pss, const char *keyfile)
{
gpg_error_t err;
@@ -1619,6 +1619,20 @@ run_rsa_sign (const void *data, size_t d
gcry_md_algo_name (hashalgo),
(int)hashsize, hash);
}
+ else if (pss)
+ {
+ unsigned char hash[64];
+ unsigned int hashsize;
+
+ hashsize = gcry_md_get_algo_dlen (hashalgo);
+ if (!hashsize || hashsize > sizeof hash)
+ die ("digest too long for buffer or unknown hash algorithm\n");
+ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
+ err = gcry_sexp_build (&s_data, NULL,
+ "(data (flags pss)(salt-length #00#)(hash %s %b))",
+ gcry_md_algo_name (hashalgo),
+ (int)hashsize, hash);
+ }
else
{
gcry_mpi_t tmp;
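Review bot: The salt length in the new `else if (pss)` branch is written as `#00#`, a one-byte hex literal, while the parser this patch adds in cipher/pubkey-util.c reads the token with `strtoul (s, NULL, 10)`. The value comes out as 0 only because the byte is NUL and the decimal parse sees an empty string. Any non-zero length written the same way would not be read as intended, so I would pass the length as decimal text and say why zero is used, e.g. `/* Salt length 0 keeps the PSS signature deterministic for known-answer tests. */`, if that is indeed the reason. The same literal appears in the run_rsa_verify hunk. The body of run_rsa_sign continues outside the hunk, so whether `err` is checked after `gcry_sexp_build` is not visible here.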
@@ -1686,7 +1700,7 @@ run_rsa_sign (const void *data, size_t d
binary signature in SIGFILE. */
static void
run_rsa_verify (const void *data, size_t datalen, int hashalgo, int pkcs1,
- const char *keyfile, const char *sigfile)
+ int pss, const char *keyfile, const char *sigfile)
{
gpg_error_t err;
@@ -1706,6 +1720,20 @@ run_rsa_verify (const void *data, size_t
gcry_md_algo_name (hashalgo),
(int)hashsize, hash);
}
+ else if (pss)
+ {
+ unsigned char hash[64];
+ unsigned int hashsize;
+
+ hashsize = gcry_md_get_algo_dlen (hashalgo);
+ if (!hashsize || hashsize > sizeof hash)
+ die ("digest too long for buffer or unknown hash algorithm\n");
+ gcry_md_hash_buffer (hashalgo, hash, data, datalen);
+ err = gcry_sexp_build (&s_data, NULL,
+ "(data (flags pss)(salt-length #00#)(hash %s %b))",
+ gcry_md_algo_name (hashalgo),
+ (int)hashsize, hash);
+ }
else
{
gcry_mpi_t tmp;
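Review bot: This `else if (pss)` block is a line-for-line copy of the one added to run_rsa_sign, including the `hash[64]` buffer size and the format string. A small static helper that hashes the data and builds the PSS S-expression would keep the two paths from drifting apart, which matters here because sign and verify must agree on the salt length. At minimum a comment such as `/* Must match the PSS data expression in run_rsa_sign. */` would help. run_rsa_verify continues outside the hunk.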
@@ -2466,6 +2494,7 @@ main (int argc, char **argv)
int no_fips = 0;
int progress = 0;
int use_pkcs1 = 0;
+ int use_pss = 0;
const char *mode_string;
const char *curve_string = NULL;
const char *key_string = NULL;
@@ -2605,6 +2634,11 @@ main (int argc, char **argv)
use_pkcs1 = 1;
argc--; argv++;
}
+ else if (!strcmp (*argv, "--pss"))
+ {
+ use_pss = 1;
+ argc--; argv++;
+ }
else if (!strcmp (*argv, "--mct-server"))
{
mct_server = 1;
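Review bot: `--pss` can be given together with `--pkcs1`, and because run_rsa_sign and run_rsa_verify appear to test `pkcs1` first and reach `pss` only in an `else if`, the PSS request would then be silently dropped in favour of the PKCS#1 path. For a test driver whose output is compared against expected values, a silent fallback to another padding scheme is worth rejecting: after option parsing add `if (use_pkcs1 && use_pss) die ("options --pkcs1 and --pss are mutually exclusive\n");`. The usage text for the new option is not part of this hunk, so check that it was updated too. main continues outside the hunk.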
@@ -2891,7 +2925,7 @@ main (int argc, char **argv)
if (!data)
die ("no data available (do not use --chunk)\n");
- run_rsa_sign (data, datalen, algo, use_pkcs1, key_string);
+ run_rsa_sign (data, datalen, algo, use_pkcs1, use_pss, key_string);
}
else if (!strcmp (mode_string, "rsa-verify"))
@@ -2914,7 +2948,7 @@ main (int argc, char **argv)
if (access (signature_string, R_OK))
die ("option --signature needs to specify an existing file\n");
- run_rsa_verify (data, datalen, algo, use_pkcs1, key_string,
+ run_rsa_verify (data, datalen, algo, use_pkcs1, use_pss, key_string,
signature_string);
}
Index: libgcrypt-1.6.1/cipher/pubkey-util.c
===================================================================
--- libgcrypt-1.6.1.orig/cipher/pubkey-util.c 2015-05-07 14:55:35.721473959 +0200
+++ libgcrypt-1.6.1/cipher/pubkey-util.c 2015-05-21 20:02:25.204051517 +0200
@@ -1026,6 +1026,21 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i
rc = GPG_ERR_DIGEST_ALGO;
else
{
+ gcry_sexp_t list;
+ /* Get SALT-LENGTH. */
+ list = sexp_find_token (ldata, "salt-length", 0);
+ if (list)
+ {
+ s = sexp_nth_data (list, 1, &n);
+ if (!s)
+ {
+ rc = GPG_ERR_NO_OBJ;
+ goto leave;
+ }
+ ctx->saltlen = (unsigned int)strtoul (s, NULL, 10);
+ sexp_release (list);
+ }
+
*ret_mpi = sexp_nth_mpi (lhash, 2, GCRYMPI_FMT_USG);
if (!*ret_mpi)
rc = GPG_ERR_INV_OBJ;
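Review bot: `strtoul (s, NULL, 10)` parses the salt-length token as if it were a C string, but `sexp_nth_data` hands back a pointer plus a length in `n`, and `n` is never used, so the parse can run past the token and any non-numeric or oversized value is silently turned into a salt length (often 0). The early `goto leave` when `s` is NULL also skips `sexp_release (list)`; since `list` is declared inside this block, the `leave` label, which is outside the hunk, presumably cannot release it. I would copy the `n` bytes into a small NUL-terminated buffer, reject anything that is not a complete decimal number with `GPG_ERR_INV_OBJ`, and release `list` on every path. The `#00#` literal used in tests/fipsdrv.c in this patch would then need to be written as decimal text. The enclosing function starts and ends outside the hunk, and the sketch assumes `n` is a `size_t` and that `errno` and `UINT_MAX` are available in this file.

```c
          list = sexp_find_token (ldata, "salt-length", 0);
          if (list)
            {
              char numbuf[16];
              char *endp;
              unsigned long value;

              s = sexp_nth_data (list, 1, &n);
              if (!s)
                {
                  sexp_release (list);
                  rc = GPG_ERR_NO_OBJ;
                  goto leave;
                }
              if (!n || n >= sizeof numbuf)
                {
                  sexp_release (list);
                  rc = GPG_ERR_INV_OBJ;
                  goto leave;
                }
              /* The token is N bytes long; terminate a private copy
                 before handing it to strtoul.  */
              memcpy (numbuf, s, n);
              numbuf[n] = 0;
              sexp_release (list);

              errno = 0;
              value = strtoul (numbuf, &endp, 10);
              if (endp == numbuf || *endp || errno || value > UINT_MAX)
                {
                  rc = GPG_ERR_INV_OBJ;
                  goto leave;
                }
              ctx->saltlen = (unsigned int)value;
            }

          /* … unchanged: sexp_nth_mpi (lhash, 2, …) and its error check … */
```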