From f65c30d470f581e4df91a5aff8bb202ff0fd56ad Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Wed, 28 Jun 2023 10:29:52 +0900
Subject: [PATCH] cipher:ecc:fips: Reject use of SHAKE when it's ECDSA with
RFC6979.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Check if it's SHAKE.
--
GnuPG-bug-id: 6539
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
cipher/ecc-ecdsa.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 3f3ef97b..871b0371 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -106,6 +106,14 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, gcry_mpi_t k_supplied, mpi_ec_t ec,
k = NULL;
if ((flags & PUBKEY_FLAG_RFC6979) && hashalgo)
{
+ if (fips_mode () &&
+ (hashalgo == GCRY_MD_SHAKE128
+ || hashalgo == GCRY_MD_SHAKE256))
+ {
+ rc = GPG_ERR_DIGEST_ALGO;
+ goto leave;
+ }
+
/* Use Pornin's method for deterministic DSA. If this
flag is set, it is expected that HASH is an opaque
MPI with the to be signed hash. That hash is also
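Review bot: The new rejection of GCRY_MD_SHAKE128/GCRY_MD_SHAKE256 has no comment, and the reason is not obvious from the code: RFC 6979 sizes its initial V/K state from the digest's fixed output length, and an XOF has none, so deterministic nonce derivation is ill-defined for SHAKE. Add above the condition something like `/* SHAKE is an XOF with no fixed digest length, so RFC 6979 nonce derivation is undefined for it; reject it in FIPS mode.  */`. If this tree also defines GCRY_MD_CSHAKE128/GCRY_MD_CSHAKE256, the same reasoning applies and they should be listed in the same condition. The check sits inside the PUBKEY_FLAG_RFC6979 branch only, so SHAKE with a caller-supplied k is still accepted in FIPS mode, which appears intended given the subject line but is worth stating. _gcry_ecc_ecdsa_sign starts before the hunk and the `leave` label lies after it.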
--
2.47.1