Page MenuHome GnuPG
Create Task
Maniphest T5710

FIPS: disable DSA for FIPS
Closed, ResolvedPublic
Actions

Description

While DSA support is out of support for our scope of FIPS support (to get certified), I'm not sure if it's good to set .fips = 0 in DSA module.

My concern is that, the possibility, some other party would want to get certified including DSA module.

To track things, I created this ticket.

Revisions and Commits

rC libgcrypt
rCea362090fc11 fips: Disable DSA in FIPS mode.

Related Objects

Event Timeline

gniibe triaged this task as Normal priority.Dec 2 2021, 1:12 AM
gniibe created this task.
gniibe added a subscriber: Jakuje.

This is the patch from @Jakuje

libgcrypt-fips-DSA-disable.patch1 KBDownload

gniibe mentioned this in T5512: Implement service indicators.Dec 2 2021, 1:16 AM
gniibe moved this task from Backlog to Next on the FIPS board.Dec 7 2021, 11:13 AM
gniibe added a commit: rCea362090fc11: fips: Disable DSA in FIPS mode..Dec 8 2021, 1:52 AM
gniibe added a comment.Dec 8 2021, 1:54 AM

I have been convinced disabling DSA makes more sense.

gniibe changed the task status from Open to Testing.Dec 8 2021, 1:54 AM
gniibe added a project: Restricted Project.
Jakuje added a comment.EditedDec 8 2021, 12:39 PM

It turns out together with rCe96980022e5e some tests are failing in FIPS mode. The attached patch should handle the failures.

---removed outdated patch--

Jakuje added a comment.Dec 8 2021, 1:25 PM

Sorry for the noise. There were couple of other places which I missed initially and which are covered in the v2 patch which follows:

libgcrypt-dsa-tests.patch14 KBDownload

gniibe added a comment.Dec 9 2021, 1:53 AM

Thank you, applied.

gniibe moved this task from Next to Ready for release on the FIPS board.Dec 14 2021, 11:20 AM
gniibe closed this task as Resolved.Feb 2 2022, 1:21 AM
gniibe removed a project: Restricted Project.