From a7fcec9ecd8a3683d293bb9c686d5fb3f6eedfa1 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jun 28 2022 08:28:26 +0000
Subject: import libgcrypt-1.10.0-4.el9_0


---

diff --git a/SOURCES/libgcrypt-1.10.0-fips-disable-pkcs1.5.patch b/SOURCES/libgcrypt-1.10.0-fips-disable-pkcs1.5.patch
new file mode 100644
index 0000000..325b2fd
--- /dev/null
+++ b/SOURCES/libgcrypt-1.10.0-fips-disable-pkcs1.5.patch
@@ -0,0 +1,219 @@
+From c7709f7b23848abf4ba65cb99cb2a9e9c7ebdefc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 1 Apr 2022 18:29:08 +0200
+Subject: [PATCH 1/3] Do not allow PKCS #1.5 padding for encryption in FIPS
+
+* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block PKCS #1.5
+  padding for encryption in FIPS mode
+* cipher/rsa.c (rsa_decrypt): Block PKCS #1.5 decryption in FIPS mode
+--
+
+GnuPG-bug-id: 5918
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/pubkey-util.c | 5 ++++-
+ cipher/rsa.c         | 5 +++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
+index 68defea6..4953caf3 100644
+--- a/cipher/pubkey-util.c
++++ b/cipher/pubkey-util.c
+@@ -957,7 +957,10 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
+       void *random_override = NULL;
+       size_t random_override_len = 0;
+ 
+-      if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
++      /* The RSA PKCS#1.5 encryption is no longer supported by FIPS */
++      if (fips_mode ())
++        rc = GPG_ERR_INV_FLAG;
++      else if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
+         rc = GPG_ERR_INV_OBJ;
+       else
+         {
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 771413b3..c6319b67 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -1391,6 +1391,11 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
+       rc = GPG_ERR_INV_DATA;
+       goto leave;
+     }
++  if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1))
++    {
++      rc = GPG_ERR_INV_FLAG;
++      goto leave;
++    }
+ 
+   /* Extract the key.  */
+   rc = sexp_extract_param (keyparms, NULL, "nedp?q?u?",
+-- 
+2.34.1
+
+
+From 299e2f93415984919181e0ee651719bbf83bdd2f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 1 Apr 2022 18:31:05 +0200
+Subject: [PATCH 2/3] tests: Replace custom bit with more generic flags
+
+* tests/basic.c (global): New flag FLAG_SPECIAL
+  (check_pubkey_crypt): Change to use bitfield flags
+
+--
+
+GnuPG-bug-id: 5918
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tests/basic.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/tests/basic.c b/tests/basic.c
+index a0ad33eb..1c6cb40b 100644
+--- a/tests/basic.c
++++ b/tests/basic.c
+@@ -55,11 +55,12 @@ typedef struct test_spec_pubkey
+ }
+ test_spec_pubkey_t;
+ 
+-#define FLAG_CRYPT  (1 << 0)
+-#define FLAG_SIGN   (1 << 1)
+-#define FLAG_GRIP   (1 << 2)
+-#define FLAG_NOFIPS (1 << 3)
+-#define FLAG_CFB8   (1 << 4)
++#define FLAG_CRYPT   (1 << 0)
++#define FLAG_SIGN    (1 << 1)
++#define FLAG_GRIP    (1 << 2)
++#define FLAG_NOFIPS  (1 << 3)
++#define FLAG_CFB8    (1 << 4)
++#define FLAG_SPECIAL (1 << 5)
+ 
+ static int in_fips_mode;
+ 
+@@ -15558,7 +15559,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+     int unpadded;
+     int encrypt_expected_rc;
+     int decrypt_expected_rc;
+-    int special;
++    int flags;
+   } datas[] =
+     {
+       {	GCRY_PK_RSA,
+@@ -15642,14 +15643,14 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	"(flags oaep)",
+ 	1,
+ 	0,
+-	GPG_ERR_ENCODING_PROBLEM, 1 },
++	GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL },
+       { GCRY_PK_RSA,
+         "(data\n (flags oaep)\n"
+ 	" (value #11223344556677889900AA#))\n",
+ 	"(flags pkcs1)",
+ 	1,
+ 	0,
+-	GPG_ERR_ENCODING_PROBLEM, 1 },
++	GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL },
+       {	0,
+         "(data\n (flags pss)\n"
+ 	" (value #11223344556677889900AA#))\n",
+@@ -15725,7 +15726,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	      ciph = list;
+ 	    }
+ 	  rc = gcry_pk_decrypt (&plain, ciph, skey);
+-          if (!rc && datas[dataidx].special == 1)
++          if (!rc && (datas[dataidx].flags & FLAG_SPECIAL))
+             {
+               /* It may happen that OAEP formatted data which is
+                  decrypted as pkcs#1 data returns a valid pkcs#1
+-- 
+2.34.1
+
+
+From f736f3c70182d9c948f9105eb769c47c5578df35 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 1 Apr 2022 18:34:42 +0200
+Subject: [PATCH 3/3] tests: Expect the RSA PKCS #1.5 encryption to fail in
+ FIPS mode
+
+* tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to
+  fail in FIPS mode. Expect failure when wrong padding is selected
+* tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to
+  fail in FIPS mode
+--
+
+GnuPG-bug-id: 5918
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tests/basic.c   | 11 +++++++----
+ tests/pkcs1v2.c | 14 +++++++++++++-
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tests/basic.c b/tests/basic.c
+index 1c6cb40b..85764591 100644
+--- a/tests/basic.c
++++ b/tests/basic.c
+@@ -15568,14 +15568,16 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	NULL,
+ 	0,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       {	GCRY_PK_RSA,
+         "(data\n (flags pkcs1)\n"
+ 	" (value #11223344556677889900AA#))\n",
+ 	"(flags pkcs1)",
+ 	1,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       { GCRY_PK_RSA,
+         "(data\n (flags oaep)\n"
+ 	" (value #11223344556677889900AA#))\n",
+@@ -15677,7 +15679,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	die ("converting data failed: %s\n", gpg_strerror (rc));
+ 
+       rc = gcry_pk_encrypt (&ciph, data, pkey);
+-      if (in_fips_mode && (flags & FLAG_NOFIPS))
++      if (in_fips_mode && ((flags & FLAG_NOFIPS) ||
++                           (datas[dataidx].flags & FLAG_NOFIPS)))
+         {
+           if (!rc)
+             fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n");
+@@ -15726,7 +15729,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	      ciph = list;
+ 	    }
+ 	  rc = gcry_pk_decrypt (&plain, ciph, skey);
+-          if (!rc && (datas[dataidx].flags & FLAG_SPECIAL))
++          if ((!rc || in_fips_mode) && (datas[dataidx].flags & FLAG_SPECIAL))
+             {
+               /* It may happen that OAEP formatted data which is
+                  decrypted as pkcs#1 data returns a valid pkcs#1
+diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c
+index f26e779b..6c7f3d81 100644
+--- a/tests/pkcs1v2.c
++++ b/tests/pkcs1v2.c
+@@ -454,7 +454,19 @@ check_v15crypt (void)
+           gcry_free (seed);
+ 
+           err = gcry_pk_encrypt (&ciph, plain, pub_key);
+-          if (err)
++          if (in_fips_mode)
++            {
++              if (!err)
++                {
++                  fail ("gcry_pk_encrypt should have failed in FIPS mode:\n");
++                }
++              gcry_sexp_release (plain);
++              plain = NULL;
++              gcry_sexp_release (ciph);
++              ciph = NULL;
++              continue;
++            }
++          else if (err)
+             {
+               show_sexp ("plain:\n", ciph);
+               fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));
+-- 
+2.34.1
+
diff --git a/SOURCES/libgcrypt-1.10.0-ppc-hwf.patch b/SOURCES/libgcrypt-1.10.0-ppc-hwf.patch
new file mode 100644
index 0000000..db99240
--- /dev/null
+++ b/SOURCES/libgcrypt-1.10.0-ppc-hwf.patch
@@ -0,0 +1,29 @@
+From 29bfb3ebbc63d7ed18b916c5c6946790fb3d15df Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 1 Apr 2022 09:49:20 +0300
+Subject: [PATCH] hwf-ppc: fix missing HWF_PPC_ARCH_3_10 in HW feature
+
+* src/hwf-ppc.c (ppc_features): Add HWF_PPC_ARCH_3_10.
+--
+
+GnuPG-bug-id: T5913
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ src/hwf-ppc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/hwf-ppc.c b/src/hwf-ppc.c
+index 7801f8b0..11d14dc1 100644
+--- a/src/hwf-ppc.c
++++ b/src/hwf-ppc.c
+@@ -103,6 +103,7 @@ static const struct feature_map_s ppc_features[] =
+     { 0, PPC_FEATURE2_VEC_CRYPTO, HWF_PPC_VCRYPTO },
+ #endif
+     { 0, PPC_FEATURE2_ARCH_3_00, HWF_PPC_ARCH_3_00 },
++    { 0, PPC_FEATURE2_ARCH_3_10, HWF_PPC_ARCH_3_10 },
+   };
+ #endif
+ 
+-- 
+2.34.1
+
diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec
index 8b97b64..d01d935 100644
--- a/SPECS/libgcrypt.spec
+++ b/SPECS/libgcrypt.spec
@@ -16,12 +16,14 @@ print(string.sub(hash, 0, 16))
 
 Name: libgcrypt
 Version: 1.10.0
-Release: 2%{?dist}
+Release: 4%{?dist}
 URL: https://www.gnupg.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
 Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
 Source2: wk@g10code.com
 Patch1: libgcrypt-1.10.0-disable-brainpool.patch
+Patch2: libgcrypt-1.10.0-fips-disable-pkcs1.5.patch
+Patch3: libgcrypt-1.10.0-ppc-hwf.patch
 
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -58,6 +60,8 @@ applications using libgcrypt.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 # This package has a configure test which uses ASMs, but does not link the
@@ -74,7 +78,7 @@ export DIGESTS='crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger wh
 export CIPHERS='arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20'
 
 eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
-export FIPS_MODULE_NAME="$OS_NAME $OS_VERSION_ID %name"
+export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
 
 autoreconf -f
 %configure --disable-static \
@@ -176,6 +180,13 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
 %license COPYING
 
 %changelog
+* Fri May 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-4
+- Backport ppc hardware flags detection (#2051307)
+- Disable PKCS#1.5 encryption in FIPS mode (#2061328)
+
+* Thu Mar 31 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-3
+- Use correct FIPS module name (#2067123)
+
 * Thu Feb 17 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-2
 - Systematic FIPS module name with other FIPS modules