File libgcrypt-FIPS-verify-unsupported-KDF-test.patch of Package libgcrypt

From 0ab4e8063729147fb9abd463055785aac831bf5c Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Jul 2021 16:58:54 +0200
Subject: [PATCH 348/500] tests: Verify unsupported KDF tests fail in FIPS mode

* tests/t-kdf.c (check_pbkdf2): Verify tests based on algorithms
  unsupported in FIPS mode fail.
--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 tests/t-kdf.c | 7 +++++++
 1 file changed, 7 insertions(+)

Index: libgcrypt-1.9.4/tests/t-kdf.c
===================================================================
--- libgcrypt-1.9.4.orig/tests/t-kdf.c
+++ libgcrypt-1.9.4/tests/t-kdf.c
@@ -998,7 +998,7 @@ check_pbkdf2 (void)
       "\xa5\x7a\xe5\xa6\x08\x83\x96\xd1\x20\x85\x0c\x5c\x09\xde\x0a\x52"
       "\x51\x00\x93\x8a\x59\xb1\xb5\xc3\xf7\x81\x09\x10\xd0\x5f\xcd\x97"
     }, */
-    {
+    /* { -- not FIPS approved
       "passwordPASSWORDpassword", 24,
       "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
       GCRY_MD_GOSTR3411_CP,
@@ -1007,7 +1007,7 @@ check_pbkdf2 (void)
       "\x78\x83\x58\xc6\x9c\xb2\xdb\xe2\x51\xa7\xbb\x17\xd5\xf4\x24\x1f"
       "\x26\x5a\x79\x2a\x35\xbe\xcd\xe8\xd5\x6f\x32\x6b\x49\xc8\x50\x47"
       "\xb7\x63\x8a\xcb\x47\x64\xb1\xfd"
-    },
+    }, */
     {
       "pass\0word", 9,
       "sa\0lt", 5,
@@ -1061,7 +1061,7 @@ check_pbkdf2 (void)
       "\x1a\xdb\x60\x1c\x7e\x2a\x31\x4e\x8c\xb7\xb1\xe9\xdf\x84\x0e\x36"
       "\xab\x56\x15\xbe\x5d\x74\x2b\x6c\xf2\x03\xfb\x55\xfd\xc4\x80\x71"
     }, */
-    {
+    /* { -- not FIPS approved
       "passwordPASSWORDpassword", 24,
       "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
       GCRY_MD_STRIBOG512,
@@ -1074,7 +1074,7 @@ check_pbkdf2 (void)
       "\xbd\x24\x21\xee\x9b\xb7\x11\x83\xba\x88\x2c\xee\xbf\xef\x25\x9f"
       "\x33\xf9\xe2\x7d\xc6\x17\x8c\xb8\x9d\xc3\x74\x28\xcf\x9c\xc5\x2a"
       "\x2b\xaa\x2d\x3a"
-    },
+    }, */
     {
       "pass\0word", 9,
       "sa\0lt", 5,
@@ -1104,6 +1104,13 @@ check_pbkdf2 (void)
                              GCRY_KDF_PBKDF2, tv[tvidx].hashalgo,
                              tv[tvidx].salt, tv[tvidx].saltlen,
                              tv[tvidx].c, tv[tvidx].dklen, outbuf);
+      if (gcry_fips_mode_active() && tvidx > 6)
+        {
+          if (!err)
+            fail ("pbkdf2 test %d unexpectedly passed in FIPS mode: %s\n",
+                  tvidx, gpg_strerror (err));
+          continue;
+        }
       if (err)
         fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err));
       else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen))