|
 |
25c200 |
From 58c92098d053aae7c78cc42bdd7c80c13efc89bb Mon Sep 17 00:00:00 2001
|
|
|
25c200 |
From: NIIBE Yutaka <gniibe@fsij.org>
|
|
|
25c200 |
Date: Fri, 24 Jun 2022 08:59:31 +0900
|
|
|
25c200 |
Subject: [PATCH] hmac,hkdf: Allow use of shorter salt for HKDF.
|
|
|
25c200 |
|
|
|
25c200 |
* cipher/md.c (prepare_macpads): Move the check to...
|
|
|
25c200 |
* src/visibility.c (gcry_mac_setkey): ... here.
|
|
|
25c200 |
* tests/t-kdf.c (check_hkdf): No failure is expected.
|
|
|
25c200 |
|
|
|
25c200 |
--
|
|
|
25c200 |
|
|
|
25c200 |
GnuPG-bug-id: 6039
|
|
|
25c200 |
Fixes-commit: 76aad97dd312e83f2f9b8d086553f2b72ab6546f
|
|
|
25c200 |
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
|
25c200 |
---
|
|
|
25c200 |
cipher/md.c | 3 ---
|
|
|
25c200 |
src/visibility.c | 3 +++
|
|
|
25c200 |
tests/t-kdf.c | 12 +-----------
|
|
|
25c200 |
3 files changed, 4 insertions(+), 14 deletions(-)
|
|
|
25c200 |
|
|
|
25c200 |
diff --git a/cipher/md.c b/cipher/md.c
|
|
|
25c200 |
index 4f4fc9bf..34336b5c 100644
|
|
|
25c200 |
--- a/cipher/md.c
|
|
|
25c200 |
+++ b/cipher/md.c
|
|
|
25c200 |
@@ -903,9 +903,6 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen)
|
|
|
25c200 |
{
|
|
|
25c200 |
GcryDigestEntry *r;
|
|
|
25c200 |
|
|
|
25c200 |
- if (fips_mode () && keylen < 14)
|
|
|
25c200 |
- return GPG_ERR_INV_VALUE;
|
|
|
25c200 |
-
|
|
|
25c200 |
if (!a->ctx->list)
|
|
|
25c200 |
return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */
|
|
|
25c200 |
|
|
|
25c200 |
diff --git a/src/visibility.c b/src/visibility.c
|
|
|
25c200 |
index c98247d8..aee5bffb 100644
|
|
|
25c200 |
--- a/src/visibility.c
|
|
|
25c200 |
+++ b/src/visibility.c
|
|
|
25c200 |
@@ -946,6 +946,9 @@ gcry_mac_setkey (gcry_mac_hd_t hd, const void *key, size_t keylen)
|
|
|
25c200 |
if (!fips_is_operational ())
|
|
|
25c200 |
return gpg_error (fips_not_operational ());
|
|
|
25c200 |
|
|
|
25c200 |
+ if (fips_mode () && keylen < 14)
|
|
|
25c200 |
+ return GPG_ERR_INV_VALUE;
|
|
|
25c200 |
+
|
|
|
25c200 |
return gpg_error (_gcry_mac_setkey (hd, key, keylen));
|
|
|
25c200 |
}
|
|
|
25c200 |
|
|
|
25c200 |
--
|
|
|
25c200 |
2.37.1
|
|
|
ff8b6a |
commit 02718ade6ab5eee38169c2102097166770a2456d
|
|
|
ff8b6a |
Author: Jakub Jelen <jjelen@redhat.com>
|
|
|
ff8b6a |
Date: Thu Oct 20 16:33:11 2022 +0200
|
|
|
25c200 |
|
|
|
ff8b6a |
visiblity: Check the HMAC key length in FIPS mode
|
|
|
ff8b6a |
|
|
|
ff8b6a |
---
|
|
|
ff8b6a |
* src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS
|
|
|
ff8b6a |
mode also in the md_ API.
|
|
|
ff8b6a |
|
|
|
ff8b6a |
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
|
ff8b6a |
|
|
|
ff8b6a |
diff --git a/src/visibility.c b/src/visibility.c
|
|
|
ff8b6a |
index 150b197d..73db3dea 100644
|
|
|
ff8b6a |
--- a/src/visibility.c
|
|
|
ff8b6a |
+++ b/src/visibility.c
|
|
|
ff8b6a |
@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen)
|
|
|
ff8b6a |
{
|
|
|
ff8b6a |
if (!fips_is_operational ())
|
|
|
ff8b6a |
return gpg_error (fips_not_operational ());
|
|
|
ff8b6a |
+
|
|
|
ff8b6a |
+ if (fips_mode () && keylen < 14)
|
|
|
ff8b6a |
+ return GPG_ERR_INV_VALUE;
|
|
|
ff8b6a |
+
|
|
|
ff8b6a |
return gpg_error (_gcry_md_setkey (hd, key, keylen));
|
|
|
ff8b6a |
}
|
|
|
ff8b6a |
|