File libgcrypt-FIPS-SLI-kdf-leylength.patch of Package libgcrypt

Index: libgcrypt-1.11.0/src/fips.c
===================================================================
--- libgcrypt-1.11.0.orig/src/fips.c
+++ libgcrypt-1.11.0/src/fips.c
@@ -523,10 +523,15 @@ int
 _gcry_fips_indicator_kdf (va_list arg_ptr)
 {
   enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
+  unsigned int keylen = 0;
 
   switch (alg)
     {
     case GCRY_KDF_PBKDF2:
+      keylen = va_arg (arg_ptr, unsigned int);
+      if (keylen < 112) {
+        return GPG_ERR_NOT_SUPPORTED;
+      }
       return GPG_ERR_NO_ERROR;
     default:
       return GPG_ERR_NOT_SUPPORTED;
Index: libgcrypt-1.11.0/doc/gcrypt.texi
===================================================================
--- libgcrypt-1.11.0.orig/doc/gcrypt.texi
+++ libgcrypt-1.11.0/doc/gcrypt.texi
@@ -983,12 +983,13 @@ is approved under the current FIPS 140-3
 combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
 Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
 
 Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
+certification. The second parameter provides the keylength in bits.
+Keylength values of less that 112 bits are considered non-approved.
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
 @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
 
Index: libgcrypt-1.11.0/tests/t-kdf.c
===================================================================
--- libgcrypt-1.11.0.orig/tests/t-kdf.c
+++ libgcrypt-1.11.0/tests/t-kdf.c
@@ -1889,7 +1889,12 @@ check_fips_indicators (void)
   for (i = 0; i < sizeof(kdf_algos) / sizeof(*kdf_algos); i++)
     {
       int is_fips_kdf_algo = 0;
-      gcry_error_t err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
+      gcry_error_t err;
+      // On SUSE/openSUSE builds PBKDF2 with keysize < 112 is not allowed
+      if (kdf_algos[i] == GCRY_KDF_PBKDF2)
+          err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i], 112);
+      else
+          err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
 
       if (verbose)
         fprintf (stderr, "checking FIPS indicator for KDF %d: %s\n",
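Review bot: The updated test only exercises the accepting side of the new check, passing exactly 112 for PBKDF2 (line `err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i], 112);`); nothing verifies that a shorter key is actually rejected, so a regression that drops or inverts the `keylen < 112` comparison would still pass this loop. I would add one negative probe in FIPS mode, `err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, GCRY_KDF_PBKDF2, 111);` followed by a check that `gpg_err_code (err) == GPG_ERR_NOT_SUPPORTED`, reported through whatever failure helper this test file already uses. The comment should also name the unit (`keysize < 112 bits`), since the derive API elsewhere takes sizes in bytes, and the `//` comment plus 4-space `if` body indentation differ from the GNU-style code around it. check_fips_indicators begins before this hunk and the handling of `is_fips_kdf_algo` continues after it, so I cannot confirm how the result is consumed.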