Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP6:Update
gnutls.36178
gnutls-FIPS-no-sha1-verify.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gnutls-FIPS-no-sha1-verify.patch of Package gnutls.36178
Index: gnutls-3.8.3/lib/nettle/pk.c =================================================================== --- gnutls-3.8.3.orig/lib/nettle/pk.c +++ gnutls-3.8.3/lib/nettle/pk.c @@ -1642,10 +1642,9 @@ static int _wrap_nettle_pk_verify(gnutls if (hash_len > vdata->size) hash_len = vdata->size; - /* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy + /* SHA-1 is not allowed for SigVer in FIPS 140-3 in legacy * mode */ switch (DIG_TO_MAC(sign_params->dsa_dig)) { - case GNUTLS_MAC_SHA1: case GNUTLS_MAC_SHA256: case GNUTLS_MAC_SHA384: case GNUTLS_MAC_SHA512: @@ -1716,7 +1715,7 @@ static int _wrap_nettle_pk_verify(gnutls * 2048-bit or one of the known lengths (1024, 1280, * 1536, 1792; i.e., multiple of 256-bits). * - * In addition to this, only SHA-1 and SHA-2 are allowed + * In addition to this, SHA-2 is allowed * for SigVer; it is checked in _pkcs1_rsa_verify_sig in * lib/pubkey.c. */ @@ -1724,6 +1723,11 @@ static int _wrap_nettle_pk_verify(gnutls not_approved = true; } + /* Only SHA-2 is allowed in FIPS 140-3 */ + if (DIG_TO_MAC(sign_params->dsa_dig) == GNUTLS_MAC_SHA1) { + not_approved = true; + } + if (signature->size != pub.size) { ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED); goto cleanup; @@ -1762,7 +1766,7 @@ static int _wrap_nettle_pk_verify(gnutls } /* RSA modulus size should be 2048-bit or larger in FIPS - * 140-3. In addition to this, only SHA-1 and SHA-2 are + * 140-3. In addition to this, only SHA-2 are * allowed for SigVer, while Nettle only supports * SHA256, SHA384, and SHA512 for RSA-PSS (see * _rsa_pss_verify_digest in this file for the details). Index: gnutls-3.8.3/tests/fips-test.c =================================================================== --- gnutls-3.8.3.orig/tests/fips-test.c +++ gnutls-3.8.3/tests/fips-test.c @@ -596,7 +596,7 @@ void doit(void) } FIPS_POP_CONTEXT(NOT_APPROVED); - /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ + /* Verify a signature created with 2432-bit RSA and SHA-1; not approved */ FIPS_PUSH_CONTEXT(); ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, @@ -604,7 +604,7 @@ void doit(void) if (ret < 0) { fail("gnutls_pubkey_verify_data2 failed\n"); } - FIPS_POP_CONTEXT(APPROVED); + FIPS_POP_CONTEXT(NOT_APPROVED); gnutls_free(signature.data); gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(privkey); @@ -708,7 +708,7 @@ void doit(void) } FIPS_POP_CONTEXT(NOT_APPROVED); - /* Verify a signature created with ECDSA and SHA-1; approved */ + /* Verify a signature created with ECDSA and SHA-1; not approved */ FIPS_PUSH_CONTEXT(); ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, @@ -716,7 +716,7 @@ void doit(void) if (ret < 0) { fail("gnutls_pubkey_verify_data2 failed\n"); } - FIPS_POP_CONTEXT(APPROVED); + FIPS_POP_CONTEXT(NOT_APPROVED); gnutls_free(signature.data); /* Create a signature with ECDSA and SHA-1 (old API); not approved */ Index: gnutls-3.8.3/lib/pubkey.c =================================================================== --- gnutls-3.8.3.orig/lib/pubkey.c +++ gnutls-3.8.3/lib/pubkey.c @@ -2454,7 +2454,6 @@ static int _pkcs1_rsa_verify_sig(gnutls_ /* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy * mode */ switch (me->id) { - case GNUTLS_MAC_SHA1: case GNUTLS_MAC_SHA256: case GNUTLS_MAC_SHA384: case GNUTLS_MAC_SHA512:
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
