From 4418c5bc3c2ce8079b82ed9001f36ac3081f8bbd Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 2 Nov 2022 10:05:02 -0400 Subject: [PATCH] import libgcrypt-1.10.0-8.el9_0 --- .../libgcrypt-1.10.0-allow-short-salt.patch | 26 +++++++++++++ SOURCES/libgcrypt-1.10.0-fips-kdf.patch | 39 ++----------------- SPECS/libgcrypt.spec | 6 ++- 3 files changed, 34 insertions(+), 37 deletions(-) diff --git a/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch b/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch index 46054cf..6800cf6 100644 --- a/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch +++ b/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch @@ -48,4 +48,30 @@ index c98247d8..aee5bffb 100644 -- 2.37.1 +commit 02718ade6ab5eee38169c2102097166770a2456d +Author: Jakub Jelen +Date: Thu Oct 20 16:33:11 2022 +0200 + visiblity: Check the HMAC key length in FIPS mode + + --- + * src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS + mode also in the md_ API. + + Signed-off-by: Jakub Jelen + +diff --git a/src/visibility.c b/src/visibility.c +index 150b197d..73db3dea 100644 +--- a/src/visibility.c ++++ b/src/visibility.c +@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen) + { + if (!fips_is_operational ()) + return gpg_error (fips_not_operational ()); ++ ++ if (fips_mode () && keylen < 14) ++ return GPG_ERR_INV_VALUE; ++ + return gpg_error (_gcry_md_setkey (hd, key, keylen)); + } + diff --git a/SOURCES/libgcrypt-1.10.0-fips-kdf.patch b/SOURCES/libgcrypt-1.10.0-fips-kdf.patch index de2a161..955847e 100644 --- a/SOURCES/libgcrypt-1.10.0-fips-kdf.patch +++ b/SOURCES/libgcrypt-1.10.0-fips-kdf.patch 
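Review bot: The added FIPS check in `gcry_md_setkey` (the src/visibility.c hunk carried inside libgcrypt-1.10.0-allow-short-salt.patch) returns the bare code `GPG_ERR_INV_VALUE`, while both neighbouring returns in the same function wrap their value in `gpg_error ()`; unless a source-less error is intended, it should read `return gpg_error (GPG_ERR_INV_VALUE);`. The literal `14` is also unexplained: a comment such as `/* In FIPS mode, reject HMAC keys shorter than 112 bits (14 bytes). */` would help, ideally with a named constant shared with the `dklen < 14` check in cipher/kdf.c so the two limits cannot drift apart. The check sits only in the public wrapper, so internal callers of `_gcry_md_setkey` bypass it; that is presumably deliberate, since this import also drops the PBKDF2 passphrase-length check, but the comment should say so. The function's signature and return type are outside the hunk, so the `gpg_error ()` point is inferred from the visible returns only.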
@@ -1,36 +1,3 @@ -From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka -Date: Tue, 27 Sep 2022 13:26:16 +0900 -Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode. - -* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check. - --- - -GnuPG-bug-id: 6039 -Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb -Signed-off-by: NIIBE Yutaka ---- - cipher/kdf.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/cipher/kdf.c b/cipher/kdf.c -index 3e51e115..81523320 100644 ---- a/cipher/kdf.c -+++ b/cipher/kdf.c -@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, - return GPG_ERR_INV_VALUE; - #endif - -+ /* HMAC requires longer input for approved use case. */ -+ if (fips_mode () && passphraselen < 14) -+ return GPG_ERR_INV_VALUE; - - /* Step 2 */ - l = ((dklen - 1)/ hlen) + 1; --- -2.37.3 - From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001 From: Tobias Heider Date: Tue, 27 Sep 2022 13:31:05 +0900 @@ -58,9 +25,9 @@ index 81523320..67c60df8 100644 + if (fips_mode () && dklen < 14) + return GPG_ERR_INV_VALUE; + - /* HMAC requires longer input for approved use case. */ - if (fips_mode () && passphraselen < 14) - return GPG_ERR_INV_VALUE; + + /* Step 2 */ + l = ((dklen - 1)/ hlen) + 1; -- 2.37.3 From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001 diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec index a9297bb..a7a91e9 100644 --- a/SPECS/libgcrypt.spec +++ b/SPECS/libgcrypt.spec @@ -16,7 +16,7 @@ print(string.sub(hash, 0, 16)) Name: libgcrypt Version: 1.10.0 -Release: 7%{?dist} +Release: 8%{?dist} URL: https://www.gnupg.org/ Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig 
@@ -197,6 +197,10 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt %license COPYING %changelog +* Thu Oct 20 2022 Jakub Jelen - 1.10.0-8 +- Fix unneeded PBKDF2 passphrase length limitation in FIPS mode +- Enforce HMAC key lengths in MD API in FIPS mode + * Thu Oct 06 2022 Jakub Jelen - 1.10.0-7 - Properly enforce KDF limits in FIPS mode (#2130275) - Fix memory leak in large digest test (#2129150)