Page MenuHome GnuPG
Create Task
Maniphest T1736

FIPS 186-4 compliance patches
Closed, ResolvedPublic
Actions

Description

There are several changes needed to make libgcrypt code compliant with FIPS 186-4.

Some of the algorithm steps changed since 186-2/3.
According to SP 800-131A, the mod size 1024 and SHA-1 for Digital
Signature Generation, PQG Generation and Key Pair Generation are disallowed
after 2013.

Can you please review the attached patches?

Related Objects

Event Timeline

civ added a subscriber: civ.Oct 8 2014, 2:16 PM

D266: 514_0001-Make-dsa-FIPS-186-4-compliant.patch

civ added projects: Feature Request, libgcrypt.Oct 8 2014, 2:16 PM

D265: 515_0002-Make-ecdsa-FIPS-186-4-compliant.patch

civ added a comment.Oct 8 2014, 2:16 PM

D264: 516_0003-PBKDF-Add-the-omitted-step-from-pksc5v2.1-specificat.patch

civ added a comment.Oct 8 2014, 2:16 PM

D263: 517_0004-Make-rsa-FIPS-186-4-compliant.patch

civ added a subscriber: smueller_chronox.de.Oct 8 2014, 2:30 PM
civ added a subscriber: thomasbiege.Oct 8 2014, 3:05 PM
werner added a subscriber: werner.Sep 7 2015, 6:26 PM

We can consider that for 1.7.
Can you please send a DCO to gcrypt-devel (see doc/HACKING).

civ removed subscribers: thomasbiege, civ.Sep 11 2015, 5:03 PM

Thank you, I'll send the DCO.
Also, I'll rebase the patches against current git master and adjust them to
conform with the doc/HACKING requirements.

civ added a comment.Nov 5 2015, 2:18 PM

D262: 709_0001-DSA-adjustments-to-conform-with-FIPS-186-4.patch

civ added a comment.Nov 5 2015, 2:18 PM

D261: 710_0002-ECDSA-adjustments-for-FIPS-186-4.patch

civ added a comment.Nov 5 2015, 2:18 PM

D260: 711_0003-PBKDF2-add-upper-bound-for-derived-key-length.patch

civ added a comment.Nov 5 2015, 2:18 PM

D259: 712_0004-Disable-non-allowed-algorithms-in-FIPS-mode.patch

civ added a comment.Nov 5 2015, 2:18 PM

D258: 713_0005-Use-2048-bit-RSA-keys-for-selftest.patch

civ added a comment.Nov 5 2015, 2:19 PM

D257: 714_0007-Fixes-for-RSA-testsuite-in-FIPS-mode.patch

civ added a comment.Nov 5 2015, 2:19 PM

D256: 715_0008-fipsdrv-Add-support-for-RSA-keygen-tests.patch

civ added a comment.Nov 5 2015, 2:19 PM

D255: 716_0009-Add-possibility-to-specify-salt-length-for-PSS-verif.patch

civ added a comment.Nov 5 2015, 2:19 PM

D254: 717_0010-Add-new-pss-option-to-fipsdrv.patch

civ added a comment.Nov 5 2015, 2:19 PM

D253: 718_0011-Fix-testsuite-after-the-FIPS-adjustments.patch

civ added a comment.Nov 5 2015, 2:25 PM

The patches are now rebased on top of f7505b550dd591e33d3a3fab9277c43c460f1bad.

In addition to these a modified rsa generator is needed to be FIPS 186-4 compliant.

We ended up using this patch from Fedora:
http://pkgs.fedoraproject.org/cgit/libgcrypt.git/tree/libgcrypt-1.6.3-rsa-fips-keygen.patch

neal assigned this task to werner.Nov 18 2015, 10:00 AM
neal added a subscriber: civ.
werner added a comment.Mar 18 2016, 6:01 PM

Well it took quite some time but I have now commited all 10 patches to master.
I have a fixed a few things (mostly style).

I have not yet added the Fedora patch. I'll ask Tomáš whether he can send me a
signed off patch.

werner added a project: In Progress.Mar 18 2016, 6:01 PM
werner added a subscriber: t8m.
civ added a comment.Mar 18 2016, 9:05 PM

Great! Thank you, Werner.

werner added a comment.Mar 22 2016, 5:58 PM

Meanwhile I also commited the Fedora patch.

werner removed a project: In Progress.Mar 22 2016, 5:58 PM
werner added a project: Restricted Project.
werner removed a project: Restricted Project.May 6 2016, 8:32 PM

Shoul all be done for 1.7.0.

werner closed this task as Resolved.May 6 2016, 8:32 PM