Page MenuHome GnuPG
Feed Advanced Search

Jul 13 2022

gniibe added a comment to T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance.

It will be in 1.10.2.

Jul 13 2022, 4:37 AM · backport, FIPS, libgcrypt
gniibe added a comment to T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime".

It will be in 1.10.2.

Jul 13 2022, 4:36 AM · backport, FIPS, libgcrypt, Bug Report
gniibe added a comment to T5918: Disable RSA PKCS #1.5 encryption in FIPS mode.

It will be in 1.10.2.

Jul 13 2022, 4:36 AM · backport, libgcrypt, FIPS, Bug Report

Jul 12 2022

gniibe moved T6048: Test suite fixes with --enable-pubkey-ciphers=ecc from Backlog to Next on the FIPS board.
Jul 12 2022, 12:18 PM · FIPS, libgcrypt
gniibe added a project to T5975: Allow signature verification using specific RSA keys <2k in FIPS mode: backport.
Jul 12 2022, 10:21 AM · backport, patch, libgcrypt, FIPS, Feature Request

Jul 6 2022

gniibe added a comment to T6048: Test suite fixes with --enable-pubkey-ciphers=ecc.

Thanks. Applied. Also, fixed about a warning for ChaCha20.

Jul 6 2022, 7:56 AM · FIPS, libgcrypt

Jul 5 2022

neverpanic added a comment to T6048: Test suite fixes with --enable-pubkey-ciphers=ecc.

Here's another one related to this: https://lists.gnupg.org/pipermail/gcrypt-devel/2022-July/005344.html

Jul 5 2022, 5:34 PM · FIPS, libgcrypt

Jul 1 2022

gniibe updated subscribers of T6048: Test suite fixes with --enable-pubkey-ciphers=ecc.
Jul 1 2022, 9:16 AM · FIPS, libgcrypt
gniibe added a project to T6048: Test suite fixes with --enable-pubkey-ciphers=ecc: Restricted Project.

Applied and pushed.

Jul 1 2022, 9:16 AM · FIPS, libgcrypt
gniibe added a project to T6048: Test suite fixes with --enable-pubkey-ciphers=ecc: FIPS.

The last patch is related to FIPS, so, I add the FIPS tag.

Jul 1 2022, 9:13 AM · FIPS, libgcrypt

Jun 28 2022

neverpanic added a comment to T6039: FIPS: Allow salt=NULL (or shorter salt) for HKDF.

Key length requirements for KDFs are specified in SP 800-131Ar2 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf), which is linked from SP 800-140Dr1 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Dr1.pdf) in section "6.2.1 Transitions".

Jun 28 2022, 12:44 PM · backport, libgcrypt, FIPS
neverpanic added a comment to T5964: gnupg should use the KDFs implemented in libgcrypt.

FIPS 140-3 (https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards) points to SP 800-140Dr1 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Dr1.pdf) to list acceptable "Security Parameter Generation and Establishment Methods". From this document, RFC 5869 (i.e., HKDF with the counter at the end) can be reached via two paths:

Jun 28 2022, 12:31 PM · gnupg26, FIPS, Feature Request
gniibe moved T4873: Enable AES GCM in FIPS mode from Backlog to Next on the FIPS board.
Jun 28 2022, 11:19 AM · FIPS, libgcrypt, Feature Request
gniibe moved T6039: FIPS: Allow salt=NULL (or shorter salt) for HKDF from Backlog to Next on the FIPS board.
Jun 28 2022, 10:58 AM · backport, libgcrypt, FIPS

Jun 24 2022

gniibe added a comment to T6039: FIPS: Allow salt=NULL (or shorter salt) for HKDF.

The change allows internal use of HMAC with shorter key.

Jun 24 2022, 2:59 AM · backport, libgcrypt, FIPS
gniibe added a comment to T6039: FIPS: Allow salt=NULL (or shorter salt) for HKDF.

Considering again, I concluded the patch above should be applied.
The use of SALT in HKDF may be not secret and there are valid use cases with no last or shorter salt. It's different to the use case of HMAC, where KEY is secret.

Jun 24 2022, 1:59 AM · backport, libgcrypt, FIPS

Jun 22 2022

gniibe added projects to T6039: FIPS: Allow salt=NULL (or shorter salt) for HKDF: FIPS, libgcrypt.
Jun 22 2022, 3:48 AM · backport, libgcrypt, FIPS

Jun 16 2022

gniibe added a comment to T5964: gnupg should use the KDFs implemented in libgcrypt.

I pushed the change needed for GnuPG to t5964 branch.
See: https://dev.gnupg.org/rGc281bd94349e4f7997a89927aaa2c2f45004b902

Jun 16 2022, 8:47 AM · gnupg26, FIPS, Feature Request
gniibe added a comment to T5964: gnupg should use the KDFs implemented in libgcrypt.

Added HKDF implementation to master.

Jun 16 2022, 8:18 AM · gnupg26, FIPS, Feature Request

Jun 7 2022

gniibe added a comment to T5964: gnupg should use the KDFs implemented in libgcrypt.

I can only find this one: https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors

Jun 7 2022, 8:51 AM · gnupg26, FIPS, Feature Request

May 31 2022

gniibe moved T5975: Allow signature verification using specific RSA keys <2k in FIPS mode from Next to Ready for release on the FIPS board.
May 31 2022, 11:16 AM · backport, patch, libgcrypt, FIPS, Feature Request
gniibe added a comment to T5964: gnupg should use the KDFs implemented in libgcrypt.

I learned that it's now called "OneStep KDF" in SP 800-56Cr2.
It's "SSKDF" in OpenSSL (Single Step KDF, perhaps).

May 31 2022, 8:17 AM · gnupg26, FIPS, Feature Request

May 27 2022

sergi added a watcher for FIPS: sergi.
May 27 2022, 10:08 PM

May 23 2022

DemiMarie added a comment to T5975: Allow signature verification using specific RSA keys <2k in FIPS mode.

I can imagine thar there are use cases for this. Thus I see no problems for the first part.

The second part is imho not a good idea. Libgcrypt is a building block for all kind of software and there are for sure legitimate reasons to use rsa512 (MCUs, short living keys, etc). Thus I think that the decision on the key size should be done by the software using libgcrypt.

May 23 2022, 5:56 PM · backport, patch, libgcrypt, FIPS, Feature Request

May 19 2022

gniibe claimed T5975: Allow signature verification using specific RSA keys <2k in FIPS mode.

Pushed the change (master and 1.10).

May 19 2022, 3:50 AM · backport, patch, libgcrypt, FIPS, Feature Request
gniibe added a comment to T5964: gnupg should use the KDFs implemented in libgcrypt.

At first, we need to add/enhance new API for KDF in libgcrypt. Currently, the term "KDF" in libgcrypt is used with narrower focus, that is, only for password->key KDF.

May 19 2022, 3:43 AM · gnupg26, FIPS, Feature Request

May 17 2022

werner moved T5975: Allow signature verification using specific RSA keys <2k in FIPS mode from Backlog to Next on the FIPS board.
May 17 2022, 11:12 AM · backport, patch, libgcrypt, FIPS, Feature Request
werner raised the priority of T4873: Enable AES GCM in FIPS mode from Low to Normal.
May 17 2022, 11:09 AM · FIPS, libgcrypt, Feature Request
werner moved T5964: gnupg should use the KDFs implemented in libgcrypt from Backlog to Next on the FIPS board.
May 17 2022, 11:07 AM · gnupg26, FIPS, Feature Request
werner added a comment to T5964: gnupg should use the KDFs implemented in libgcrypt.

Lets implement it for 2.3

May 17 2022, 11:06 AM · gnupg26, FIPS, Feature Request
werner assigned T5964: gnupg should use the KDFs implemented in libgcrypt to gniibe.
May 17 2022, 11:06 AM · gnupg26, FIPS, Feature Request

May 13 2022

Jakuje added a comment to T5975: Allow signature verification using specific RSA keys <2k in FIPS mode.

Ok. Thank you for the clarification. I will drop the second part and keep only the FIPS change in the patch. Merge request already updated.

May 13 2022, 11:17 AM · backport, patch, libgcrypt, FIPS, Feature Request
werner triaged T5975: Allow signature verification using specific RSA keys <2k in FIPS mode as Normal priority.

I can imagine thar there are use cases for this. Thus I see no problems for the first part.

May 13 2022, 8:00 AM · backport, patch, libgcrypt, FIPS, Feature Request

May 12 2022

Jakuje created T5975: Allow signature verification using specific RSA keys <2k in FIPS mode.
May 12 2022, 2:53 PM · backport, patch, libgcrypt, FIPS, Feature Request

May 6 2022

gniibe moved T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance from Next to Ready for release on the FIPS board.
May 6 2022, 2:31 AM · backport, FIPS, libgcrypt
gniibe moved T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime" from Next to Ready for release on the FIPS board.
May 6 2022, 2:31 AM · backport, FIPS, libgcrypt, Bug Report
gniibe moved T5918: Disable RSA PKCS #1.5 encryption in FIPS mode from Next to Ready for release on the FIPS board.
May 6 2022, 2:31 AM · backport, libgcrypt, FIPS, Bug Report
gniibe closed T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1 as Resolved.
May 6 2022, 2:16 AM · FIPS, gnupg (gpg23), Bug Report

May 5 2022

werner triaged T5964: gnupg should use the KDFs implemented in libgcrypt as Normal priority.

When we implemented this first, Libgcrypt had no appropriate KDF support. I recall that I considered to change this but it turned out the for 2.2 the changes are too large. For 2.3 we will consider such a change.

May 5 2022, 8:40 AM · gnupg26, FIPS, Feature Request

May 4 2022

Jakuje created T5964: gnupg should use the KDFs implemented in libgcrypt.
May 4 2022, 3:16 PM · gnupg26, FIPS, Feature Request

May 3 2022

gniibe added a project to T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance: backport.
May 3 2022, 11:22 AM · backport, FIPS, libgcrypt
werner added a project to T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime": backport.
May 3 2022, 11:21 AM · backport, FIPS, libgcrypt, Bug Report
werner added a project to T5918: Disable RSA PKCS #1.5 encryption in FIPS mode: backport.
May 3 2022, 11:17 AM · backport, libgcrypt, FIPS, Bug Report
gniibe moved T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance from Backlog to Next on the FIPS board.
May 3 2022, 10:58 AM · backport, FIPS, libgcrypt
gniibe moved T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1 from Next to Ready for release on the FIPS board.
May 3 2022, 10:58 AM · FIPS, gnupg (gpg23), Bug Report
gniibe removed a project from T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1: Restricted Project.
May 3 2022, 10:57 AM · FIPS, gnupg (gpg23), Bug Report
gniibe added a comment to T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1.

Fixed in GnuPG 2.3.5.

May 3 2022, 10:57 AM · FIPS, gnupg (gpg23), Bug Report
gniibe added a project to T5918: Disable RSA PKCS #1.5 encryption in FIPS mode: Restricted Project.
May 3 2022, 10:49 AM · backport, libgcrypt, FIPS, Bug Report
gniibe added a project to T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1: Restricted Project.
May 3 2022, 10:48 AM · FIPS, gnupg (gpg23), Bug Report
gniibe added a project to T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime": Restricted Project.
May 3 2022, 10:48 AM · backport, FIPS, libgcrypt, Bug Report
gniibe added a project to T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance: Restricted Project.
May 3 2022, 10:46 AM · backport, FIPS, libgcrypt

Apr 20 2022

neverpanic added a comment to T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime".

Feedback from the lab is that they'd recommend returning a specific error code that indicates that the prime search failed and then relying on the caller to decide whether to loop or bubble up the error. I'm not sure who we would consider to be the "caller" of the relevant generation function in this case, though.

Apr 20 2022, 12:06 PM · backport, FIPS, libgcrypt, Bug Report
werner triaged T5918: Disable RSA PKCS #1.5 encryption in FIPS mode as High priority.
Apr 20 2022, 8:45 AM · backport, libgcrypt, FIPS, Bug Report
werner triaged T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance as Normal priority.

Full ack.

Apr 20 2022, 8:45 AM · backport, FIPS, libgcrypt
gniibe added a comment to T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance.

Here is my proposal patch:

diff --git a/random/random-drbg.c b/random/random-drbg.c
index 5a46fd92..f1cfe286 100644
--- a/random/random-drbg.c
+++ b/random/random-drbg.c
@@ -341,6 +341,9 @@ enum drbg_prefixes
  * Global variables
  ***************************************************************/
Apr 20 2022, 2:39 AM · backport, FIPS, libgcrypt
gniibe created T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance.
Apr 20 2022, 2:37 AM · backport, FIPS, libgcrypt

Apr 19 2022

gniibe moved T5918: Disable RSA PKCS #1.5 encryption in FIPS mode from Backlog to Next on the FIPS board.
Apr 19 2022, 11:27 AM · backport, libgcrypt, FIPS, Bug Report
gniibe claimed T5918: Disable RSA PKCS #1.5 encryption in FIPS mode.
Apr 19 2022, 11:27 AM · backport, libgcrypt, FIPS, Bug Report
gniibe moved T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime" from Backlog to Next on the FIPS board.
Apr 19 2022, 11:07 AM · backport, FIPS, libgcrypt, Bug Report
gniibe moved T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1 from Backlog to Next on the FIPS board.
Apr 19 2022, 11:07 AM · FIPS, gnupg (gpg23), Bug Report
gniibe claimed T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime".
Apr 19 2022, 11:01 AM · backport, FIPS, libgcrypt, Bug Report
neverpanic added a comment to T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime".

That sounds reasonable. The FIPS 186-5 draft (https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf) covers this in section A.1.3, although I'm not quite sure why a lower bound for p was chosen compared to q. The comment that seems to have triggered this change is published on page 68 of https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf by Allen Roginsky. It only contains a suggestion of 20, presumably for both numbers.

Apr 19 2022, 9:53 AM · backport, FIPS, libgcrypt, Bug Report

Apr 18 2022

gniibe added a comment to T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime".

I checked FIPS 186-4 (and FIPS 186-5-draft). It is Appendix A 1.3.

Apr 18 2022, 3:35 AM · backport, FIPS, libgcrypt, Bug Report

Apr 14 2022

werner triaged T5930: Use the FIPS-compatible digest&sign API as Normal priority.

Passing fds etc adds complex extra code to gpg-agent. This was not the original design goal, although we violated this anyway by have some OpenPGP specific code there. This needs more thinking. Due to our internal use of OCB we can't make it FIPS compliant without large changes.

Apr 14 2022, 1:42 PM · FIPS, Feature Request
gniibe claimed T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1.

Patches applied and pushed. For the common/t-ssh-utils, I applied my fix for the use case with key on command line when FIPS mode is enabled (MD5 error is OK, in this case).

Apr 14 2022, 4:45 AM · FIPS, gnupg (gpg23), Bug Report

Apr 13 2022

Jakuje created T5930: Use the FIPS-compatible digest&sign API.
Apr 13 2022, 7:54 PM · FIPS, Feature Request
Jakuje added a project to T5929: gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1: FIPS.
Apr 13 2022, 4:15 PM · FIPS, gnupg (gpg23), Bug Report

Apr 11 2022

Jakuje added a comment to T5835: libgcrypt: More robust/portable integrity check.

I was pointed by Daiki to the following patch in Fedora binutils, which allows listing the fdo packaging metadata, but it does not list any other unknown objects and unfortunately fails hard:

Apr 11 2022, 2:00 PM · Bug Report, libgcrypt, FIPS

Apr 9 2022

gniibe added a comment to T5835: libgcrypt: More robust/portable integrity check.

I just copied the value of 0xcafe2a8e and the name .note.fdo.integrity from Daiki's implementation. No other reason.

Apr 9 2022, 9:16 AM · Bug Report, libgcrypt, FIPS

Apr 8 2022

Jakuje added a comment to T5835: libgcrypt: More robust/portable integrity check.

I have one follow-up is that the readelf chokes on the integrity note for some reason:

$ readelf -n /usr/lib64/libgcrypt.so.20.4.1
Displaying notes found in: .note.fdo.integrity
  Owner                Data size 	Description
  FDO                  0x00000020	Unknown note type: (0x8e2afeca)

I assume this is just because the readelf does not know this type. I see this type was initially proposed by Daiki, but I did not find any other sources for this magic number so before filling bugs for readelf, do we have some doc why the 0xcafe2a8e is used?

Apr 8 2022, 9:33 PM · Bug Report, libgcrypt, FIPS

Apr 7 2022

werner triaged T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime" as Normal priority.

The set_bit is obvious but we should cross check with the specs. In the non-fips mode we also try w/o a limit.

Apr 7 2022, 10:04 AM · backport, FIPS, libgcrypt, Bug Report
gniibe added projects to T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime": libgcrypt, FIPS.

I think that it is OK to loop forever until we find a prime.

Apr 7 2022, 9:19 AM · backport, FIPS, libgcrypt, Bug Report

Apr 5 2022

Jakuje created T5918: Disable RSA PKCS #1.5 encryption in FIPS mode.
Apr 5 2022, 10:31 AM · backport, libgcrypt, FIPS, Bug Report

Mar 29 2022

gniibe closed T5835: libgcrypt: More robust/portable integrity check as Resolved.

Done in 1.10.1.

Mar 29 2022, 1:32 AM · Bug Report, libgcrypt, FIPS

Mar 22 2022

gniibe added a comment to T5870: libgcrypt: AEAD API for FIPS 140 (in future).

I had thought that we need to combine hkdf so that key and iv can generate within libgcrypt internally.
Probably, this assumption of mine may be wrong.

Mar 22 2022, 10:53 AM · Feature Request, FIPS, libgcrypt

Mar 16 2022

gniibe moved T5835: libgcrypt: More robust/portable integrity check from Next to Ready for release on the FIPS board.
Mar 16 2022, 6:16 AM · Bug Report, libgcrypt, FIPS

Mar 9 2022

gniibe added a project to T4873: Enable AES GCM in FIPS mode: FIPS.
Mar 9 2022, 12:58 AM · FIPS, libgcrypt, Feature Request

Mar 8 2022

Jakuje added a comment to T5870: libgcrypt: AEAD API for FIPS 140 (in future).

You are combining two concepts here -- the KDF and the AEAD cipher itself (at least from the FIPS terminology). I would like to avoid mixing these two together in the new API. If you would like to implement the SSH/TLS KDF, I would suggest to use the kdf API you already have. Then we are here left only with a new geniv API to implement. In the T4873 I mentioned example how it is now used in libssh using libgcrypt, which implements the iv increment outside of the libgcrypt:

Mar 8 2022, 3:51 PM · Feature Request, FIPS, libgcrypt
werner closed T5691: Release libgcrypt 1.10.0 as Resolved.
Mar 8 2022, 11:02 AM · FIPS, Release Info, libgcrypt

Mar 7 2022

jukivili added a comment to T5870: libgcrypt: AEAD API for FIPS 140 (in future).

Is large change to cipher API really needed (new open/encrypt with less flexibility)? How that would affect performance? Would following new interfaces to gcry_cipher API work instead?

  • gcry_cipher_setup_geniv(hd, int ivlen, int method): for setting up IV generator with parameters such as IV length, method id (RFC5116, TLS 1.3, SSH, etc), (other parameters?)
  • gcry_cipher_geniv(hd, byte *outiv): for generating new iv: generate IV using select method, set IV internally and output generated IV to 'ivout'.
  • gcry_cipher_genkey(hd, byte *outkey, int keylen, int method): for generating keys, generate key internally with parameters (method id, other?), setup key internally and output generated key to 'outkey'. (how keys from key exchange protocol be handled? using existing setkey?)
Mar 7 2022, 9:04 PM · Feature Request, FIPS, libgcrypt

Mar 3 2022

Jakuje added a comment to T5870: libgcrypt: AEAD API for FIPS 140 (in future).

I think this is not urgent as we are able to FIPS certify libgcrypt without that, but the modern protocols and algorithm use this and if we want to use libgcrypt to implement these in FIPS compliant way, we certainly need something like that.

Mar 3 2022, 2:08 PM · Feature Request, FIPS, libgcrypt
werner lowered the priority of T5870: libgcrypt: AEAD API for FIPS 140 (in future) from Unbreak Now! to Normal.

I don't think it is justified to tag this as "unbreak now" - which we use for severe bugs inhibiting the use of a deployed version.

Mar 3 2022, 9:40 AM · Feature Request, FIPS, libgcrypt
gniibe triaged T5870: libgcrypt: AEAD API for FIPS 140 (in future) as Unbreak Now! priority.
Mar 3 2022, 1:13 AM · Feature Request, FIPS, libgcrypt

Feb 23 2022

gniibe added a member for FIPS: Jakuje.
Feb 23 2022, 12:40 AM
gniibe added a member for FIPS: gniibe.
Feb 23 2022, 12:40 AM
gniibe added a member for FIPS: neverpanic.
Feb 23 2022, 12:40 AM
gniibe moved T5835: libgcrypt: More robust/portable integrity check from Backlog to Next on the FIPS board.
Feb 23 2022, 12:38 AM · Bug Report, libgcrypt, FIPS

Feb 17 2022

gniibe added a comment to T5835: libgcrypt: More robust/portable integrity check.

I simplified the script not to use cmp: rC3c8b6c4a9cad: fips: Fix gen-note-integrity.sh script not to use cmp utility.
And I clarified the semantics of the integrity check.

Feb 17 2022, 3:48 AM · Bug Report, libgcrypt, FIPS
neverpanic added a comment to T5835: libgcrypt: More robust/portable integrity check.

Ah, right, I can get that added to the containers tomorrow.

Feb 17 2022, 1:39 AM · Bug Report, libgcrypt, FIPS
gniibe added a comment to T5835: libgcrypt: More robust/portable integrity check.

I located the cause:

../../src/gen-note-integrity.sh: line 78: cmp: command not found
Feb 17 2022, 1:36 AM · Bug Report, libgcrypt, FIPS

Feb 16 2022

neverpanic added a comment to T5835: libgcrypt: More robust/portable integrity check.

That only seems to work in some configurations: https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/pipelines/472626834

Feb 16 2022, 7:24 PM · Bug Report, libgcrypt, FIPS
gniibe added a comment to T5835: libgcrypt: More robust/portable integrity check.

I pushed the change: rCa340e9803882: fips: More portable integrity check.
It uses .note.fdo.integrity section, not loaded onto memory.
It simplifies the logic, and switches to dladdr (from dladdr1).

Feb 16 2022, 12:36 PM · Bug Report, libgcrypt, FIPS
gniibe added a comment to T5835: libgcrypt: More robust/portable integrity check.

Pushed the change which fixes the build with ld.gold.
rC9dcf9305962b: fips: Integrity check improvement, with only loadable segments.

Feb 16 2022, 6:29 AM · Bug Report, libgcrypt, FIPS
gniibe added a comment to T5835: libgcrypt: More robust/portable integrity check.

Thank you for your suggestions, @werner.
I agree that we should not put much effort to develop our own methodology here; Too much effort may introduce possibility of unmaintainable code, which should be avoided for the particular purpose of "integrity".

Feb 16 2022, 3:07 AM · Bug Report, libgcrypt, FIPS

Feb 15 2022

werner added a comment to T5835: libgcrypt: More robust/portable integrity check.

Folks, you are opening a can of worms. The only secure why to sign a file is to have a detached signature. That is often non-practical and thus putting the signature/MAC at one certain position and exempt just this one position from hashing is the next best alternative. Any more complicated rules will inevitably introduce security flaws. If a binary is stripped, it is a different binary than a non-stripped one, if it is linked with another linker, it is a different one. And that binary will even be able to figure this out and change behavior. Please keep it simple.

Feb 15 2022, 1:51 PM · Bug Report, libgcrypt, FIPS
neverpanic added a comment to T5835: libgcrypt: More robust/portable integrity check.

Thanks! Maybe it would be simpler to use dl_iterate_phdr(3) for this. I wasn't aware of the function, but a colleague just implemented a proof-of-concept of what you're proposing in https://gitlab.com/dueno/integrity-notes.

Feb 15 2022, 11:58 AM · Bug Report, libgcrypt, FIPS
gniibe added a comment to T5835: libgcrypt: More robust/portable integrity check.

I am going to apply https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/commit/64ccc25c4b4a2c8c4e13e7e37ff1c8c60a3d8401
And consider adding the code to limit hashing content (from start of the file to end of data section).

Feb 15 2022, 7:40 AM · Bug Report, libgcrypt, FIPS
gniibe updated the task description for T5835: libgcrypt: More robust/portable integrity check.
Feb 15 2022, 3:39 AM · Bug Report, libgcrypt, FIPS
gniibe triaged T5835: libgcrypt: More robust/portable integrity check as High priority.
Feb 15 2022, 3:38 AM · Bug Report, libgcrypt, FIPS

Feb 2 2022

werner added a comment to T5691: Release libgcrypt 1.10.0.

it will be but we first prefer to do some final tests with that version. Feel free to also test. Either this or the next micro version will eventually be announced.

Feb 2 2022, 8:16 PM · FIPS, Release Info, libgcrypt