SUSE:SLE-15-SP4:Update / libgcrypt / libgcrypt-FIPS-pkdf2-Additional-checks.patch
File libgcrypt-FIPS-pkdf2-Additional-checks.patch of Package libgcrypt
Index: libgcrypt-1.9.4/doc/gcrypt.texi =================================================================== --- libgcrypt-1.9.4.orig/doc/gcrypt.texi +++ libgcrypt-1.9.4/doc/gcrypt.texi @@ -983,13 +983,19 @@ algorithm supports different key sizes). this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. -@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int] +@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int, unsigned int, unsigned int, unsigned int] Check if the given KDF is approved under the current FIPS 140-3 -certification. The second parameter provides the keylength in bits. -Keylength values of less that 112 bits are considered non-approved. -If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. -Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +certification. The second parameter provides the keylength in bits, +values less that 112 bits are considered non-approved. The third +parameter provides the salt length in bits, values less than 128 bits +are considered non-approved. The fourth parameter provides the +iteration count, values less than 1000 are considered +non-approved. And the fifth parameter provides the passphrase length +in number of characters, values less than 20 characters are considered +non-approved. If the KDF is approved, this function returns +@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is +returned. @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, constants GCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] Index: libgcrypt-1.9.4/src/fips.c =================================================================== --- libgcrypt-1.9.4.orig/src/fips.c +++ libgcrypt-1.9.4/src/fips.c 
@@ -476,14 +476,33 @@ _gcry_fips_indicator_kdf (va_list arg_pt { enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos); unsigned int keylen = 0; + unsigned int saltlen = 0; + unsigned int iterations = 0; + unsigned int passphraselen = 0; switch (alg) { case GCRY_KDF_PBKDF2: + /* FIPS requires minimum key length, see FIPS 140-3 IG D.N */ keylen = va_arg (arg_ptr, unsigned int); - if (keylen < 112) { - return GPG_ERR_NOT_SUPPORTED; - } + if (keylen < 112) + return GPG_ERR_NOT_SUPPORTED; + + /* FIPS requires minimum salt length of 128 b (SP 800-132 5.1) */ + saltlen = va_arg (arg_ptr, unsigned int); + if (saltlen < 128) + return GPG_ERR_NOT_SUPPORTED; + + /* FIPS requires minimum iterations count (SP 800-132 5.2) */ + iterations = va_arg (arg_ptr, unsigned int); + if (iterations < 1000) + return GPG_ERR_NOT_SUPPORTED; + + /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */ + passphraselen = va_arg (arg_ptr, unsigned int); + if (passphraselen < 20) + return GPG_ERR_NOT_SUPPORTED; + return GPG_ERR_NO_ERROR; default: return GPG_ERR_NOT_SUPPORTED;
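Review bot: the rewritten description of GCRYCTL_FIPS_SERVICE_INDICATOR_KDF in gcrypt.texi carries the old typo forward: `values less that 112 bits are considered non-approved` should read "less than", and the comma splice after "keylength in bits" should be a full stop so each threshold stands as its own sentence. The unchanged context line just above the hunk still says `@code{GPS_ERR_NO_ERROR}` where the rest of the section uses GPG_ERR_NO_ERROR; worth correcting while this text is being edited. Also, since the fips.c hunk in this same patch only reads the four extra arguments for GCRY_KDF_PBKDF2, the argument list in the @item line should say they apply to PBKDF2 rather than to every enum gcry_kdf_algos value.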
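Review bot: the three added va_arg reads in _gcry_fips_indicator_kdf change the calling convention of GCRYCTL_FIPS_SERVICE_INDICATOR_KDF for GCRY_KDF_PBKDF2: a caller written against the previous single-argument form (keylength only) now has va_arg pull three values that were never passed, which is undefined behaviour rather than a clean GPG_ERR_NOT_SUPPORTED, so every existing caller of this control (in-tree tests included) must be updated together with this patch and the change called out as an API change. Minor points in the same hunk: `/* FIPS requires minimum iterations count (SP 800-132 5.2) */` should read "iteration count", and because passphraselen is counted in characters while keylen and saltlen are in bits, the differing units deserve a comment next to the va_arg reads so a caller does not pass a bit or byte length there by mistake.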