Page MenuHome GnuPG
Create Task
Maniphest T7338

Revamp the FIPS service indicator
Open, HighPublic
Actions

Description

FIPS updated guidelines may be in conflict with our current indicator implementation. We may want to revamp them.

Details

External Link
https://lists.gnupg.org/pipermail/gcrypt-devel/2024-October/005677.html

Revisions and Commits

rC libgcrypt
rCd060dd58b828 fips: Rejection by GCRYCTL_FIPS_REJECT_NON_FIPS, not by open flags.
rCb4eb23dc01a4 Fix the previous change.
rCe52adf0948c6 fips: Introduce GCRYCTL_FIPS_REJECT_NON_FIPS.
rCedb43bc29004 fips,cipher: Implement FIPS service indicator for gcry_pk_hash_ API.
rC60db2a175d12 fips,md: gcry_md_copy should care about FIPS service indicator.
rCcfd2d2f41ad4 tests,fips: Add gcry_cipher_open tests.
rC132f346232b3 tests,fips: Rename t-fips-service-ind.
rCb59bde31ded9 tests,fips: Move KDF tests to t-fips-service-ind.
rCc4f75014cb8a tests,fips: Add gcry_mac_open tests.
rC69a5d0ed18a3 fips,cipher: Implement new FIPS service indicator for cipher_open.
rCfcb0c7004b0b fips,mac: Implement new FIPS service indicator for gcry_mac_open.
rC9757e280794f fips,md: Implement new FIPS service indicator for gcry_md_open API.
rC917fc6000dfe fips,tests: Add tests for md_open/write/read/close for t-digest.
rC4799914966a7 fips: Change the internal API for new FIPS service indicator.
rC7faf542f1573 fips,tests: Add t-digest.
rC3478caac62c7 fips,md: Implement new FIPS service indicator for gcry_md_hash_*.
rC5cfa1aee5b98 fips,kdf: Implement new FIPS service indicator for gcry_kdf_derive.
rCf51f4e98930e fips: Introduce GCRYCTL_FIPS_SERVICE_INDICATOR and the macro.

Related Objects
Search...

Event Timeline

werner created this task.Oct 15 2024, 11:24 AM
gniibe claimed this task.Oct 15 2024, 11:25 AM
werner triaged this task as High priority.Nov 4 2024, 12:54 PM
gniibe changed the status of subtask T7340: Introduced a context with thread local storage from Open to Testing.Thu, Dec 5, 3:28 AM

New internal API is introduced with T7340 by the commit rCe1cf31232825: fips: Introduce an internal API for FIPS service indicator.

gniibe added a comment.Thu, Dec 5, 3:37 AM

New external API is by GCRYCTL_FIPS_SERVICE_INDICATOR and/or the new macro gcry_get_fips_service_indicator.
This change is pushed by rCf51f4e98930e: fips: Introduce GCRYCTL_FIPS_SERVICE_INDICATOR and the macro.

gniibe added a commit: rCf51f4e98930e: fips: Introduce GCRYCTL_FIPS_SERVICE_INDICATOR and the macro..Thu, Dec 5, 3:37 AM
gniibe added a commit: rC5cfa1aee5b98: fips,kdf: Implement new FIPS service indicator for gcry_kdf_derive..Thu, Dec 5, 6:59 AM
gniibe added a comment.Fri, Dec 6, 6:40 AM

A change for gcry_md_hash_* functions are pushed by rC3478caac62c7: fips,md: Implement new FIPS service indicator for gcry_md_hash_*..
It doesn't have tests with FIPS service indicator yet.

gniibe added a commit: rC3478caac62c7: fips,md: Implement new FIPS service indicator for gcry_md_hash_*..Fri, Dec 6, 6:41 AM
gniibe added a comment.EditedFri, Dec 6, 6:54 AM

It seems that the internal API (as of 2024-12-06) is not enough.
Now, we have _gcry_md_hash_buffer function with the new FIPS service indicator.
It's used for public key crypto, too.
The compliance for hash function is a part of public key crypto, but not all.

Perhaps, something like following would be needed:

  • at function entry (visibility.c): fips_service_indicator(COMPONENT_BITS_TO_BE_MARKED) (like CIPHER_BIT, PK_BIT, MD_BIT, etc.), sets bits
  • inside implementation: fips_service_indicator_mark_sucess(is_compliant, COMPNENT_BIT_FOR_the_function) clears a single bit
  • 0 means all success, !=0 means something goes wrong
gniibe added a comment.Mon, Dec 9, 6:34 AM

Pushed the change for adding hash tests in rC7faf542f1573: fips,tests: Add t-digest.

Next, we fix hmac.
Then, it found that we need to revise the change for: T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt

gniibe added a commit: rC7faf542f1573: fips,tests: Add t-digest..Mon, Dec 9, 6:38 AM
gniibe added a comment.Thu, Dec 12, 3:09 AM

My idea in https://dev.gnupg.org/T7338#195529 doesn't work well when a function call is done multiple times.
Assuming SUCCESS, and marking all non-compliant places in the code works, and it would be good because libgcrypt so far maintains non-compliant path with rejection.

gniibe added a comment.Thu, Dec 12, 6:43 AM

Here are changes for gcry_md_open and its friends.

0001-fips-Change-the-internal-API-for-new-FIPS-service-in.patch4 KBDownload

0002-fips-md-Implement-new-FIPS-service-indicator-for-gcr.patch9 KBDownload

gniibe added a commit: rC4799914966a7: fips: Change the internal API for new FIPS service indicator..Mon, Dec 16, 2:42 AM
gniibe added a commit: rC9757e280794f: fips,md: Implement new FIPS service indicator for gcry_md_open API..
gniibe added a commit: rC917fc6000dfe: fips,tests: Add tests for md_open/write/read/close for t-digest..
gniibe added a commit: rCfcb0c7004b0b: fips,mac: Implement new FIPS service indicator for gcry_mac_open..Tue, Dec 17, 6:01 AM
gniibe added a commit: rC69a5d0ed18a3: fips,cipher: Implement new FIPS service indicator for cipher_open..
gniibe added a commit: rCc4f75014cb8a: tests,fips: Add gcry_mac_open tests..
gniibe added a commit: rCb59bde31ded9: tests,fips: Move KDF tests to t-fips-service-ind..
gniibe added a commit: rC132f346232b3: tests,fips: Rename t-fips-service-ind..
gniibe added a commit: rCcfd2d2f41ad4: tests,fips: Add gcry_cipher_open tests..
gniibe added a commit: rC60db2a175d12: fips,md: gcry_md_copy should care about FIPS service indicator..Thu, Dec 19, 3:42 AM
gniibe added a commit: rCedb43bc29004: fips,cipher: Implement FIPS service indicator for gcry_pk_hash_ API..
gniibe added a commit: rCe52adf0948c6: fips: Introduce GCRYCTL_FIPS_REJECT_NON_FIPS..
gniibe added a commit: rCb4eb23dc01a4: Fix the previous change..Thu, Dec 19, 6:19 AM
gniibe added a commit: rCd060dd58b828: fips: Rejection by GCRYCTL_FIPS_REJECT_NON_FIPS, not by open flags..Fri, Dec 20, 2:50 AM