Page MenuHome GnuPG
Create Task
Maniphest T6127

FIPS 140-3 final review comments
Closed, ResolvedPublic
Actions

Description

We got feedback from the lab with the following findings:

  • for RSA-OAEP to get claimed, we need to run selftest for that during initialization
  • The PCT (Pairwise Consistency Tests) for RSA and ECDSA need to be executed together with the digest step using the new API
    • RSA is easy
    • ECDSA has more complext construction of the key s-expressions -- not done yet.
  • We need a one more FIPS service indicator to mark the functions gcry_sign and gcry_verify not FIPS approved as we do not want to block them hard
  • We might not need to test both decryption & signature in the PCT, but we still wait for confirmation

The current WIP implementation is attached in gitlab MR, early comments welcomed, but it is not yet final

Details

External Link
https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/4
Version
master, 1.10.0

Event Timeline

Jakuje created this task.Aug 9 2022, 11:25 AM
Jakuje added a comment.Aug 18 2022, 8:42 AM

For the record, the changeset in the attached merge request is final and waiting for reviews.

gniibe moved this task from Backlog to Next on the FIPS board.Aug 23 2022, 11:12 AM
werner triaged this task as Normal priority.Aug 24 2022, 6:27 PM
gniibe added a subscriber: gniibe.Aug 30 2022, 7:32 AM

Applied to master and 1.10 branch.

gniibe claimed this task.Aug 30 2022, 7:40 AM
gniibe added a project: Restricted Project.
werner changed the task status from Open to Testing.Sep 22 2022, 10:50 AM
werner removed a project: Restricted Project.
gniibe moved this task from Next to Ready for release on the FIPS board.Nov 18 2022, 2:07 AM
gniibe added a comment.Apr 13 2023, 3:16 AM

Fixed in 1.10.2.

gniibe closed this task as Resolved.Apr 13 2023, 3:17 AM