libgcrypt "check if fips_is_operational and error return if not" patch for FIPS 140
Closed, Resolved · Public

Description

Red Hat's patch, libgcrypt-1.7.3-fips-reqs.patch:
https://dev.gnupg.org/rC3c9c4647d147d6b5659c1b06f796187abe5e1913

I agree that we should add the check to new function gcry_kdf_derive.

I'm not sure if adding the check to:

  • gcry_mpi_randomize
  • gcry_prime_generate

won't introduce any regression in existing use cases.

I checked Debian source code via https://codesearch.debian.net/
It seems that all use cases are for crypto, so, adding the check makes sense (and it will be welcome).

Besides, if we add the check to those two functions, why not also to gcry_prime_group_generator?
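The guard being discussed is an entry-point check: before an API function does any cryptographic work, it asks whether the library is in the FIPS operational state and fails closed with an error if it is not. The following is an added, self-contained C model of that pattern; it is not libgcrypt's code and not the patch linked above. The names `demo_fips_is_operational`, `demo_kdf_derive`, the `demo_*` state setters and the `DEMO_ERR_*` codes are hypothetical stand-ins for libgcrypt's `fips_is_operational` and `gcry_kdf_derive`, and the "KDF" body is a toy byte mixer that only represents the work that must not run in the error state.

```c
/* Added example (not libgcrypt's code): a minimal model of the
 * "check fips_is_operational() and return an error if not" guard
 * proposed for API entry points such as gcry_kdf_derive.
 * Every identifier below is a hypothetical stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed error codes, loosely in the style of gpg-error values. */
typedef unsigned int demo_err_t;
#define DEMO_ERR_NO_ERROR        0u
#define DEMO_ERR_NOT_OPERATIONAL 1u  /* FIPS mode on, library in error state */
#define DEMO_ERR_INV_ARG         2u

/* Library-wide state: whether FIPS mode was requested, and whether the
 * power-up self-tests passed. In FIPS mode a failed self-test puts the
 * module into an error state in which no crypto service may be used. */
static bool demo_fips_mode = false;
static bool demo_selftests_passed = true;

/* Stand-in for fips_is_operational(): a non-FIPS build is always
 * considered operational; a FIPS build only while self-tests hold. */
static bool demo_fips_is_operational(void)
{
    if (!demo_fips_mode)
        return true;
    return demo_selftests_passed;
}

/* Hooks so a caller (or a test) can drive the module state. */
void demo_set_fips_mode(bool on)          { demo_fips_mode = on; }
void demo_set_selftests_passed(bool ok)   { demo_selftests_passed = ok; }

/* Guarded entry point. The operational check comes first, before any
 * argument parsing or key material is touched, so the error state
 * cannot be bypassed by a partially valid call. */
demo_err_t demo_kdf_derive(const unsigned char *pass, size_t passlen,
                           unsigned char *out, size_t outlen)
{
    if (!demo_fips_is_operational())
        return DEMO_ERR_NOT_OPERATIONAL;
    if (!pass || passlen == 0 || !out || outlen == 0)
        return DEMO_ERR_INV_ARG;

    /* Toy mixing loop: NOT a real KDF, it just stands in for the work. */
    unsigned char acc = 0x5a;
    for (size_t i = 0; i < outlen; i++) {
        acc = (unsigned char)(acc * 31u + pass[i % passlen] + (unsigned char)i);
        out[i] = acc;
    }
    return DEMO_ERR_NO_ERROR;
}

/* Convenience wrapper: set the module state, call the guarded entry
 * point with a constructed password, and report only the error code. */
demo_err_t demo_derive_with_state(bool fips_mode, bool selftests_ok)
{
    static const unsigned char pass[] = { 'p', 'w' };  /* constructed input */
    unsigned char out[16];
    demo_set_fips_mode(fips_mode);
    demo_set_selftests_passed(selftests_ok);
    return demo_kdf_derive(pass, sizeof pass, out, sizeof out);
}

int main(void)
{
    printf("non-FIPS, selftests failed : %u\n", demo_derive_with_state(false, false));
    printf("FIPS,     selftests failed : %u\n", demo_derive_with_state(true, false));
    printf("FIPS,     selftests passed : %u\n", demo_derive_with_state(true, true));
    return 0;
}
```

The point of the wrapper is the order of checks: the operational test runs before argument validation, so a caller in the FIPS error state gets `DEMO_ERR_NOT_OPERATIONAL` regardless of what it passes, while in non-FIPS mode the self-test flag is ignored, which mirrors the concern in the description that the guard must not change behaviour for existing non-FIPS users.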

gniibe created this task. Jan 15 2021, 7:14 AM
gniibe renamed this task from "libgcrypt "check if fips_is_operational and error return if not fix" for FIPS 140" to "libgcrypt "check if fips_is_operational and error return if not" patch for FIPS 140". Jan 15 2021, 7:46 AM

Okay for 1.9.

gniibe closed this task as Resolved. Jan 19 2021, 6:34 AM
werner changed the status of subtask T5259: Release Libgcrypt 1.9.1 from Open to Testing.