Page MenuHome GnuPG
Create Task
Maniphest T5600

Provide module name/version API for FIPS 140-3
Closed, ResolvedPublic
Actions

Description

One of the requirement that is not handled yet is the module/version API. We need a new api in FIPS mode to get a FIPS-module-version. Fro discussion through emails back in January, we settled on an way to provide a way to pass unique build id during build time (probably through configure switch) and providing an libgcrypt API to query this using gcry_control(something).

At this moment, the FIPS modules are identified by the build date (ex. rhel8.20201215, but we would like to be able to make be able to build more times a day, but having just the timestamp is not that readable so we need something semi-automatic as part of rpm spec file with possible manual override (configure option is ideal).

Revisions and Commits

rC libgcrypt
rC83e58191d3d9 configure: Fix help text for the fips module version

Related Objects

Event Timeline

Jakuje created this task.Sep 15 2021, 4:34 PM
werner triaged this task as Normal priority.Sep 15 2021, 5:24 PM
werner added a subscriber: werner.

We can easily extend the gcry_get_config API. You can give a key or have it to return all infos. For examle
"gpgconf --show-versions" prints this about libgcrypt:

* Libgcrypt 1.9.4-beta1 (8d3db6ad)
version:1.9.4-beta1:10904:1.41-beta2:12900:
cc:80300:gcc:8.3.0:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:sm4:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:sm3:
rnd-mod:linux:
cpu-arch:x86:
mpi-asm:amd64/mpih-add1.S:amd64/mpih-sub1.S:amd64/mpih-mul1.S:amd64/mpih-mul2.S:amd64/mpih-mul3.S:amd64/mpih-lshift.S:amd64/mpih-rshift.S:
hwflist:intel-cpu:intel-fast-shld:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-avx:intel-rdtsc:
fips-mode:n:n:
rng-type:standard:1:2010000:1:
compliance:::
Jakuje added a comment.Sep 17 2021, 6:13 PM

I have a draft, which results in the following "API" of the name-version:

$ ./configure --with-fips-module-version=rhel8.20201215
[...]
        FIPS module version:       rhel8.20201215
[...]
$ make check
[...]
fips-mode:n
[...]
$ LIBGCRYPT_FORCE_FIPS_MODE=1 make check
[...]
fips-mode:y:rhel8.20201215
[...]

The string can be anything, but I used example from our previous certifications.

The patch is based on top of changes from https://dev.gnupg.org/T5244#149752

libgcrypt-fips-name-version.patch3 KBDownload

werner claimed this task.Sep 19 2021, 1:05 PM
werner changed the task status from Open to Testing.Sep 20 2021, 8:51 AM

Thanks. Applied with a minor change: The string is now in a new third field.

werner moved this task from Backlog to Ready for release on the FIPS board.Oct 4 2021, 11:13 AM
Jakuje added a subscriber: pmgdeb.Jan 10 2022, 3:41 PM

Sorry for resurrecting the done task, but I got a message from @pmgdeb who noticed there is mismatch between parenthesis in the --with-fips-module-version help string. The attached patch fixes the issue and add proper help text.

(originally posted to wrong issue T5512)

libgcrypt-fips-module-version-fix.patch1 KBDownload

Jakuje mentioned this in T5512: Implement service indicators.Jan 10 2022, 4:30 PM
gniibe moved this task from Ready for release to Next on the FIPS board.Jan 11 2022, 6:37 AM
gniibe added a subscriber: gniibe.Jan 11 2022, 6:39 AM

Thank you.
Applied.

gniibe added a commit: rC83e58191d3d9: configure: Fix help text for the fips module version.Jan 11 2022, 6:39 AM
werner moved this task from Next to Ready for release on the FIPS board.Jan 11 2022, 11:05 AM
gniibe closed this task as Resolved.Feb 2 2022, 1:25 AM