From 12a6020226ee1222538dba7513b074e2eec38e8f Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 28 Nov 2012 14:25:58 +0100
Subject: [PATCH] use RSA bit sizes supported by libgcrypt in FIPS mode for security levels (#879643)

---
 ...ch => gnutls-2.12.21-fips-algorithms.patch | 32 +++++++++++++++----
 gnutls.spec | 6 +++-
 2 files changed, 31 insertions(+), 7 deletions(-)
 rename gnutls-2.12.20-fips-algorithms.patch => gnutls-2.12.21-fips-algorithms.patch (81%)

diff --git a/gnutls-2.12.20-fips-algorithms.patch b/gnutls-2.12.21-fips-algorithms.patch
similarity index 81%
rename from gnutls-2.12.20-fips-algorithms.patch
rename to gnutls-2.12.21-fips-algorithms.patch
index f714bd4..f40af01 100644
--- a/gnutls-2.12.20-fips-algorithms.patch
+++ b/gnutls-2.12.21-fips-algorithms.patch
@@ -1,6 +1,6 @@
-diff -up gnutls-2.12.20/lib/gcrypt/init.c.fips gnutls-2.12.20/lib/gcrypt/init.c
---- gnutls-2.12.20/lib/gcrypt/init.c.fips	2012-01-06 20:06:23.000000000 +0100
-+++ gnutls-2.12.20/lib/gcrypt/init.c	2012-11-01 11:00:34.954835974 +0100
+diff -up gnutls-2.12.21/lib/gcrypt/init.c.fips gnutls-2.12.21/lib/gcrypt/init.c
+--- gnutls-2.12.21/lib/gcrypt/init.c.fips	2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.21/lib/gcrypt/init.c	2012-11-09 19:57:54.651624659 +0100
 @@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {
    .recvmsg = NULL,
  };
@@ -19,9 +19,29 @@ diff -up gnutls-2.12.20/lib/gcrypt/init.c.fips gnutls-2.12.20/lib/gcrypt/init.c
        /* for gcrypt in order to be able to allocate memory */
        gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);
  
-diff -up gnutls-2.12.20/lib/gnutls_priority.c.fips gnutls-2.12.20/lib/gnutls_priority.c
---- gnutls-2.12.20/lib/gnutls_priority.c.fips	2012-01-06 20:06:23.000000000 +0100
-+++ gnutls-2.12.20/lib/gnutls_priority.c	2012-11-01 11:02:52.505807199 +0100
+diff -up gnutls-2.12.21/lib/gnutls_algorithms.c.fips gnutls-2.12.21/lib/gnutls_algorithms.c
+--- gnutls-2.12.21/lib/gnutls_algorithms.c.fips	2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.21/lib/gnutls_algorithms.c	2012-11-28 14:19:34.507948036 +0100
+@@ -44,11 +44,11 @@ typedef struct
+ } gnutls_sec_params_entry;
+ 
+ static const gnutls_sec_params_entry sec_params[] = {
+-  {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 816, 1024, 128, 128},
+-  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},
+-  {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},
+-  {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
+-  {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},
++  {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 1024, 1024, 128, 128},
++  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1280, 2048, 160, 160},
++  {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2560, 3072, 224, 224},
++  {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3328, 3072, 256, 256},
++  {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15616, 3072, 512, 512},
+   {NULL, 0, 0, 0, 0, 0}
+ };
+ 
+diff -up gnutls-2.12.21/lib/gnutls_priority.c.fips gnutls-2.12.21/lib/gnutls_priority.c
+--- gnutls-2.12.21/lib/gnutls_priority.c.fips	2012-11-08 17:11:11.000000000 +0100
++++ gnutls-2.12.21/lib/gnutls_priority.c	2012-11-09 19:57:54.651624659 +0100
 @@ -30,6 +30,7 @@
  #include "gnutls_algorithms.h"
  #include "gnutls_errors.h"
diff --git a/gnutls.spec b/gnutls.spec
index 3c9bf9b..aafb6cd 100644
--- a/gnutls.spec
+++ b/gnutls.spec
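Review bot: The five rewritten sec_params rows in the new gnutls_algorithms.c hunk carry no comment explaining why the fourth column (the RSA size, going by the commit message) now differs from upstream, so the next rebase of this downstream patch is likely to drop the values back to 816/1248/2432/3248/15424 without anyone noticing. Every new value is a multiple of 256 (1024, 1280, 2560, 3328, 15616) where none of the old ones was, which fits the commit message's statement that libgcrypt in FIPS mode only accepts certain RSA sizes, but nothing in the table records that constraint; I would add above the array `/* RSA sizes rounded up to a multiple of 256 bits: libgcrypt in FIPS mode rejects other RSA key sizes (#879643) */`. Note also that the table is edited unconditionally — there is no FIPS-mode check anywhere in this hunk — so non-FIPS builds get the larger key sizes as well; that is the safer direction, but if it is intentional the comment should say so rather than leaving a reader to assume the change is FIPS-gated like the rest of the patch.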
@@ -26,7 +26,7 @@ Patch5: gnutls-2.12.20-build.patch # Fix the gnutls-cli-debug manpage Patch6: gnutls-2.12.20-cli-debug-manpage.patch # Use only FIPS approved ciphers in the FIPS mode -Patch7: gnutls-2.12.20-fips-algorithms.patch +Patch7: gnutls-2.12.21-fips-algorithms.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: libgcrypt >= 1.2.2 @@ -201,6 +201,10 @@ fi %{_datadir}/guile/site/gnutls.scm %changelog +* Wed Nov 28 2012 Tomas Mraz 2.12.21-2 +- use RSA bit sizes supported by libgcrypt in FIPS mode for security + levels (#879643) + * Fri Nov 9 2012 Tomas Mraz 2.12.21-1 - new upstream version