Page MenuHome GnuPG

FIPS 186-4 compliance patches
Closed, ResolvedPublic


There are several changes needed to make libgcrypt code compliant with FIPS 186-4.

Some of the algorithm steps changed since 186-2/3.
According to SP 800-131A, the mod size 1024 and SHA-1 for Digital
Signature Generation, PQG Generation and Key Pair Generation are disallowed
after 2013.

Can you please review the attached patches?

Event Timeline

We can consider that for 1.7.
Can you please send a DCO to gcrypt-devel (see doc/HACKING).

Thank you, I'll send the DCO.
Also, I'll rebase the patches against current git master and adjust them to
conform with the doc/HACKING requirements.

The patches are now rebased on top of f7505b550dd591e33d3a3fab9277c43c460f1bad.

In addition to these a modified rsa generator is needed to be FIPS 186-4 compliant.

We ended up using this patch from Fedora:

neal added a subscriber: civ.

Well it took quite some time but I have now commited all 10 patches to master.
I have a fixed a few things (mostly style).

I have not yet added the Fedora patch. I'll ask Tomáš whether he can send me a
signed off patch.

Meanwhile I also commited the Fedora patch.

werner added a project: Restricted Project.
werner removed a project: Restricted Project.May 6 2016, 8:32 PM

Shoul all be done for 1.7.0.