Page MenuHome GnuPG
Feed Advanced Search

Yesterday

gniibe added a comment to T5797: New API for modern password hash function.

Pushed {rC254b140}

Fri, Jan 28, 9:08 AM · libgcrypt

Thu, Jan 27

gniibe added a comment to T5797: New API for modern password hash function.

@jukivili , thank you for your comment.

Thu, Jan 27, 1:36 AM · libgcrypt

Wed, Jan 26

jukivili added a comment to T5797: New API for modern password hash function.

I planned to reply to your email on mailing-list, but I just have too little time.

Wed, Jan 26, 7:45 PM · libgcrypt

Tue, Jan 25

werner updated the task description for T5305: Release Libgcrypt 1.9.3.
Tue, Jan 25, 11:03 PM · Release Info, libgcrypt
Jakuje added a comment to T5692: New entropy gatherer using the genentropy system call..

For the record, there is a new report on the mailing list about this module on MacOS:

Tue, Jan 25, 10:43 AM · Testing, libgcrypt, FIPS
gniibe added a comment to T5512: Implement service indicators.

Thank you, applied both of two patches.

Tue, Jan 25, 1:20 AM · Testing, Feature Request, FIPS, libgcrypt

Mon, Jan 24

Jakuje added a comment to T5512: Implement service indicators.

Thanks. Looks good to me.

Mon, Jan 24, 1:38 PM · Testing, Feature Request, FIPS, libgcrypt
gniibe updated the task description for T5797: New API for modern password hash function.
Mon, Jan 24, 10:54 AM · libgcrypt
gniibe added a comment to T5797: New API for modern password hash function.
struct thread_creation {
  void (*compute) (void *arg);
  void *arg;
  void (*create_done) (gcry_kdf_handle_t *hd, void *tid);
};
Mon, Jan 24, 10:54 AM · libgcrypt
gniibe updated the task description for T5797: New API for modern password hash function.
Mon, Jan 24, 10:53 AM · libgcrypt
gniibe triaged T5797: New API for modern password hash function as Normal priority.
Mon, Jan 24, 10:52 AM · libgcrypt

Sat, Jan 22

werner triaged T5796: libgcrypt-1.9.4 build failure on ARM without NEON as Normal priority.
Sat, Jan 22, 6:15 PM · arm, libgcrypt, Gentoo, Bug Report
werner added projects to T5796: libgcrypt-1.9.4 build failure on ARM without NEON: libgcrypt, arm.
Sat, Jan 22, 6:15 PM · arm, libgcrypt, Gentoo, Bug Report

Thu, Jan 20

gniibe added a comment to T5512: Implement service indicators.

Test cases are recovered in rC535a4d345872: fips: Recover test cases for selftest, add skipping in FIPS mode..

Thu, Jan 20, 3:07 AM · Testing, Feature Request, FIPS, libgcrypt

Wed, Jan 19

gniibe added a comment to T5512: Implement service indicators.

Sorry, _gcry_fips_run_selftest can be run by GCRYCTL_SELFTEST.

Wed, Jan 19, 12:47 PM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5512: Implement service indicators.

@werner Those removed tests are selftests which are only invoked by FIPS mode for its requirement of selftests.

Wed, Jan 19, 12:43 PM · Testing, Feature Request, FIPS, libgcrypt
werner added a comment to T5512: Implement service indicators.

AFAICS, the last commit removes some tests. We should never remove a test just because FIPS does not allow it. The old tests need to be run in non-fips mode.

Wed, Jan 19, 9:43 AM · Testing, Feature Request, FIPS, libgcrypt
pmgdeb added a comment to T5512: Implement service indicators.

Hi, @gniibe and @Jakuje. That fulfills the requirement and all the regression tests pass in FIPS mode. Thanks!

Wed, Jan 19, 8:41 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5512: Implement service indicators.

Pushed the change in rC76aad97dd312: fips: Reject shorter key for HMAC in FIPS mode..

Wed, Jan 19, 3:53 AM · Testing, Feature Request, FIPS, libgcrypt

Tue, Jan 18

gniibe added a comment to T5512: Implement service indicators.

And we need to fix selftest for shorter keys.

Tue, Jan 18, 4:12 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5512: Implement service indicators.

@pmgdeb : IIUC, what we need is:

diff --git a/cipher/md.c b/cipher/md.c
index 34336b5c..4f4fc9bf 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -903,6 +903,9 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen)
 {
   GcryDigestEntry *r;
Tue, Jan 18, 4:05 AM · Testing, Feature Request, FIPS, libgcrypt

Mon, Jan 17

Jakuje added a comment to T5512: Implement service indicators.

This is my draft for the FIPS indicator KDF. I think we do not need to keep the original GCRYCTL_FIPS_SERVICE_INDICATOR if we replace it also in the tests. This will also need some tests and documentation update.

Mon, Jan 17, 7:01 PM · Testing, Feature Request, FIPS, libgcrypt
pmgdeb added a comment to T5512: Implement service indicators.

I'm not completely sure but it might be convenient to mark HMAC keys with lengths less that 112 as non-approved in FIPS mode for both generation and verification. It could be easily implemented by adding a check using cipher/mac-hmac.c:hmac_get_keylen() or at the algo level. What do you think?

Mon, Jan 17, 10:56 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5512: Implement service indicators.

Thank you, applied.
Also, add another change.

Mon, Jan 17, 6:51 AM · Testing, Feature Request, FIPS, libgcrypt

Wed, Jan 12

gniibe added a project to T5747: Provide a way to request non-FIPS service in FIPS mode: Testing.
Wed, Jan 12, 1:45 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a project to T5759: Rename rndlinux module to rndoldlinux: Testing.
Wed, Jan 12, 1:44 AM · Testing, libgcrypt, FIPS

Tue, Jan 11

Jakuje added a comment to T5512: Implement service indicators.

I went through the documentation related to FIPS and updated some wording to match reality. It will probably require still some more work.

Tue, Jan 11, 7:10 PM · Testing, Feature Request, FIPS, libgcrypt
Jakuje added a comment to T5512: Implement service indicators.

This is my draft for the FIPS indicator KDF. I think we do not need to keep the original GCRYCTL_FIPS_SERVICE_INDICATOR if we replace it also in the tests. This will also need some tests and documentation update.

Tue, Jan 11, 3:46 PM · Testing, Feature Request, FIPS, libgcrypt
werner moved T5691: Release libgcrypt 1.10.0 from Backlog to Next on the FIPS board.
Tue, Jan 11, 11:06 AM · FIPS, Release Info, libgcrypt
werner moved T5759: Rename rndlinux module to rndoldlinux from Next to Done on the FIPS board.
Tue, Jan 11, 11:06 AM · Testing, libgcrypt, FIPS
werner moved T5747: Provide a way to request non-FIPS service in FIPS mode from Next to Done on the FIPS board.
Tue, Jan 11, 11:06 AM · Testing, Feature Request, FIPS, libgcrypt
werner moved T5600: Provide module name/version API for FIPS 140-3 from Next to Done on the FIPS board.
Tue, Jan 11, 11:05 AM · libgcrypt, FIPS, Bug Report
werner added a comment to T5512: Implement service indicators.

Yes, we should introduce an INDICATOR_KDF thing.

Tue, Jan 11, 10:57 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5600: Provide module name/version API for FIPS 140-3.

Thank you.
Applied.

Tue, Jan 11, 6:39 AM · libgcrypt, FIPS, Bug Report
gniibe moved T5512: Implement service indicators from Done to Next on the FIPS board.
Tue, Jan 11, 6:37 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe moved T5600: Provide module name/version API for FIPS 140-3 from Done to Next on the FIPS board.
Tue, Jan 11, 6:37 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T5747: Provide a way to request non-FIPS service in FIPS mode.

Patch applied, doc updated.
No change of FSM diagram.

Tue, Jan 11, 6:34 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5752: libgcrypt: Adding aes-wrap-pad (RFC5649) support.

I pushed the change: rC383866f014f2: cipher: Keep original behavior of Key Unwrap when not extended.

Tue, Jan 11, 5:39 AM · Testing, libgcrypt

Mon, Jan 10

Jakuje added a comment to T5512: Implement service indicators.

The previous comment should have come to the T5600. Sorry for the noise.

Mon, Jan 10, 4:30 PM · Testing, Feature Request, FIPS, libgcrypt
Jakuje updated subscribers of T5600: Provide module name/version API for FIPS 140-3.

Sorry for resurrecting the done task, but I got a message from @pmgdeb who noticed there is mismatch between parenthesis in the --with-fips-module-version help string. The attached patch fixes the issue and add proper help text.

Mon, Jan 10, 3:41 PM · libgcrypt, FIPS, Bug Report
Jakuje added a comment to T5512: Implement service indicators.

Sorry for resurrecting the done task, but I got a message from @pmgdeb who noticed there is mismatch between parenthesis in the --with-fips-module-version help string. The attached patch fixes the issue and add proper help text.

Mon, Jan 10, 9:34 AM · Testing, Feature Request, FIPS, libgcrypt

Sun, Jan 9

werner closed T5734: web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope as Resolved.
Sun, Jan 9, 6:55 PM · www.gnupg.org, libgcrypt

Sat, Jan 8

werner triaged T5761: Libgcrypt: salt-length for RSA-PSS is not documented as Normal priority.
Sat, Jan 8, 8:20 PM · Bug Report, Documentation, libgcrypt

Fri, Jan 7

MikhailRyazanov created T5761: Libgcrypt: salt-length for RSA-PSS is not documented.
Fri, Jan 7, 4:50 PM · Bug Report, Documentation, libgcrypt

Thu, Jan 6

gniibe added a comment to T5752: libgcrypt: Adding aes-wrap-pad (RFC5649) support.

Now, unwrapping supports both cases (KW and KWP).

Thu, Jan 6, 1:09 AM · Testing, libgcrypt

Wed, Jan 5

werner triaged T5747: Provide a way to request non-FIPS service in FIPS mode as Normal priority.
Wed, Jan 5, 11:50 AM · Testing, Feature Request, FIPS, libgcrypt

Tue, Jan 4

gniibe added a comment to T5752: libgcrypt: Adding aes-wrap-pad (RFC5649) support.

For unwrapping, it is good if we can support "automatic" unwrapping, apply W^-1 and check the first 8 octets to see if it's KW or KWP.

Tue, Jan 4, 1:01 PM · Testing, libgcrypt
Jakuje added a comment to T5747: Provide a way to request non-FIPS service in FIPS mode.

Thanks. Looks good to me (both merged changes and the above proposal). In addition to the changes proposed above, we certainly need to update the documentation about this, probably also the FSM diagram.

Tue, Jan 4, 12:47 PM · Testing, Feature Request, FIPS, libgcrypt
gniibe claimed T5541: Envvar LIBGCRYPT_FORCE_FIPS_MODE.
Tue, Jan 4, 11:17 AM · Feature Request, Testing, FIPS, libgcrypt
gniibe edited projects for T5747: Provide a way to request non-FIPS service in FIPS mode, added: Feature Request; removed Bug Report.
Tue, Jan 4, 11:17 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe claimed T5747: Provide a way to request non-FIPS service in FIPS mode.
Tue, Jan 4, 11:16 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe moved T5747: Provide a way to request non-FIPS service in FIPS mode from Backlog to Next on the FIPS board.
Tue, Jan 4, 11:16 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe moved T5636: Run integrity checks + selftests from library constructor in FIPS from Next to Done on the FIPS board.
Tue, Jan 4, 11:16 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe moved T5512: Implement service indicators from Next to Done on the FIPS board.
Tue, Jan 4, 11:16 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe moved T5692: New entropy gatherer using the genentropy system call. from Next to Done on the FIPS board.
Tue, Jan 4, 11:15 AM · Testing, libgcrypt, FIPS
gniibe moved T5759: Rename rndlinux module to rndoldlinux from Backlog to Next on the FIPS board.
Tue, Jan 4, 11:07 AM · Testing, libgcrypt, FIPS
gniibe removed a project from T5759: Rename rndlinux module to rndoldlinux: Testing.
Tue, Jan 4, 10:56 AM · Testing, libgcrypt, FIPS
gniibe triaged T5759: Rename rndlinux module to rndoldlinux as Normal priority.
Tue, Jan 4, 10:55 AM · Testing, libgcrypt, FIPS
gniibe added a comment to T5747: Provide a way to request non-FIPS service in FIPS mode.

And I'm testing following:

Tue, Jan 4, 6:40 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5747: Provide a way to request non-FIPS service in FIPS mode.

The "at first" change done.

Tue, Jan 4, 6:40 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a comment to T5747: Provide a way to request non-FIPS service in FIPS mode.

At first, I think that we need to change the way how libgcrypt rejects non-approved cipher/md/mac/pk.

Tue, Jan 4, 3:30 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe added a project to T5752: libgcrypt: Adding aes-wrap-pad (RFC5649) support: Testing.
Tue, Jan 4, 12:56 AM · Testing, libgcrypt

Dec 24 2021

gniibe added a project to T5752: libgcrypt: Adding aes-wrap-pad (RFC5649) support: libgcrypt.
Dec 24 2021, 9:20 AM · Testing, libgcrypt

Dec 21 2021

werner added a comment to T5747: Provide a way to request non-FIPS service in FIPS mode.

FWIW, We have a similar mechanism for the secure memory

Dec 21 2021, 6:12 PM · Testing, Feature Request, FIPS, libgcrypt
Jakuje added a comment to T5692: New entropy gatherer using the genentropy system call..

We talked today about the renaming the current "linux" entropy module to "oldlinux" would make sense.

Dec 21 2021, 5:13 PM · Testing, libgcrypt, FIPS
Jakuje created T5747: Provide a way to request non-FIPS service in FIPS mode.
Dec 21 2021, 4:58 PM · Testing, Feature Request, FIPS, libgcrypt
jukivili added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

Ok, I'll add.

Dec 21 2021, 4:03 PM · patch, ppc, libgcrypt, Feature Request
werner added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

Seen. @jukivili can you please add it to the AUTHORS file?

Dec 21 2021, 10:13 AM · patch, ppc, libgcrypt, Feature Request

Dec 17 2021

gniibe added a comment to T5731: libgcrypt,w32: Possible API change for include file(s).

GnuPG needs to be fixed. Done by rGe08225030dfb: w32: Prepare for the case gcrypt.h will not include winsock2.h..

Dec 17 2021, 5:41 AM · libgcrypt
gniibe added a comment to T5692: New entropy gatherer using the genentropy system call..

Thank you for comments on random/rndlinux.c.

Dec 17 2021, 2:12 AM · Testing, libgcrypt, FIPS
gniibe added a comment to T5706: libgcrypt: random: Remove the feature getting randomness from random daemon.

Pushed another patch to clarify the semantics of --enable-random-daemon;
It's only for building gcryptrnd and the test program getrandom.

Dec 17 2021, 1:46 AM · Testing, libgcrypt
gniibe added a comment to T5706: libgcrypt: random: Remove the feature getting randomness from random daemon.

Good catch. I pushed the change to remove use of random daemon remained.

Dec 17 2021, 1:36 AM · Testing, libgcrypt
gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

Thank you for your quick testing.

Dec 17 2021, 1:09 AM · Testing, FIPS, libgcrypt, Bug Report

Dec 16 2021

Jakuje added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

Thank you. Tested locally that it does what it is supposed to do and all tests passed for me as expected.

Dec 16 2021, 6:43 PM · Testing, FIPS, libgcrypt, Bug Report
Jakuje added a comment to T5692: New entropy gatherer using the genentropy system call..

Reading through the changes, the content and usage of the getentropy looks good.

Dec 16 2021, 3:58 PM · Testing, libgcrypt, FIPS
Jakuje added a comment to T5706: libgcrypt: random: Remove the feature getting randomness from random daemon.

the random daemon is still part of the configure.ac and the undefined _gcry_daemon_initialize_basics() and _gcry_daemon_randomize() is still used under the USE_RANDOM_DAEMON guard in several places. I think at least the following cases should be removed too (or the configure check to be modified to throw error or warning):

Dec 16 2021, 1:38 PM · Testing, libgcrypt
gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

Dec 16 2021, 5:20 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

Here is the change remained:

diff --git a/src/fips.c b/src/fips.c
index bcadc5f2..5499aee8 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -82,6 +82,12 @@ static void fips_new_state (enum module_states new_state);
Dec 16 2021, 5:19 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

Before rebasing, I pushed a change to simplify access to no_secure_memory variable by rC209d98dcf66b: Simplify the logic for no_secure_memory..

Dec 16 2021, 5:13 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a project to T5512: Implement service indicators: Testing.
Dec 16 2021, 1:18 AM · Testing, Feature Request, FIPS, libgcrypt

Dec 14 2021

dannytsen added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

Ok, I have subscribed to the mailing list. I have resent the DCO.

Dec 14 2021, 9:09 PM · patch, ppc, libgcrypt, Feature Request
jukivili added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

DCO has not appeared on mailing-list. You can this from check list archives, https://lists.gnupg.org/pipermail/gcrypt-devel/2021-December/thread.html

Dec 14 2021, 8:58 PM · patch, ppc, libgcrypt, Feature Request
dannytsen added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

Thanks Jussi, I did not receive the list moderator's email so I am not sure if the it has been posted on gcrypt-devel@gnupg.org. If not, I can resend the DCO. Thanks.

Dec 14 2021, 7:58 PM · patch, ppc, libgcrypt, Feature Request
jukivili added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

I did some finishing touches on coding style:

Dec 14 2021, 7:39 PM · patch, ppc, libgcrypt, Feature Request
gniibe moved T4894: FIPS: RSA/DSA/ECDSA are missing hashing operation from Next to Done on the FIPS board.
Dec 14 2021, 11:20 AM · Testing, FIPS, libgcrypt, Feature Request
gniibe moved T5710: FIPS: disable DSA for FIPS from Next to Done on the FIPS board.
Dec 14 2021, 11:20 AM · Testing, FIPS, libgcrypt
gniibe moved T5723: libgcrypt: Remove random-fips.c from Next to Done on the FIPS board.
Dec 14 2021, 11:19 AM · Testing, FIPS, libgcrypt
gniibe moved T5523: jitter entropy RNG update from Next to Done on the FIPS board.
Dec 14 2021, 11:19 AM · Testing, FIPS, libgcrypt
gniibe removed a project from T5576: New set of API for public key cryptography: FIPS.
Dec 14 2021, 11:18 AM · libgcrypt, Feature Request
gniibe updated the task description for T5734: web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope.
Dec 14 2021, 7:49 AM · www.gnupg.org, libgcrypt
gniibe updated the task description for T5734: web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope.
Dec 14 2021, 7:47 AM · www.gnupg.org, libgcrypt
gniibe renamed T5734: web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope from web,libgcrypt: Publish our stance what kind of attacks are under our scope to web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope.
Dec 14 2021, 7:42 AM · www.gnupg.org, libgcrypt
gniibe created T5734: web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope.
Dec 14 2021, 7:41 AM · www.gnupg.org, libgcrypt

Dec 13 2021

dannytsen added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

Hi Jussi,

Dec 13 2021, 7:54 PM · patch, ppc, libgcrypt, Feature Request
gniibe updated the task description for T5731: libgcrypt,w32: Possible API change for include file(s).
Dec 13 2021, 5:28 AM · libgcrypt
gniibe triaged T5731: libgcrypt,w32: Possible API change for include file(s) as Normal priority.
Dec 13 2021, 5:27 AM · libgcrypt

Dec 12 2021

jukivili added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

Few comments on new patch:

Dec 12 2021, 7:18 PM · patch, ppc, libgcrypt, Feature Request

Dec 10 2021

dannytsen added a comment to T5700: libgcrypt: bulk AES-GCM acceleration for ppc64le.

Hi jukivili,

Dec 10 2021, 3:21 PM · patch, ppc, libgcrypt, Feature Request
werner closed T5726: Setting "compliance de-vs" in gpg.conf with libgcrypt 1.9.0 and newer causes confusing error messages as Resolved.

The first is a warning and the other error codes are exactly what we want.

Dec 10 2021, 1:53 PM · Not A Bug, libgcrypt, gnupg
gniibe added a comment to T4894: FIPS: RSA/DSA/ECDSA are missing hashing operation.

Thank you, applied.

Dec 10 2021, 6:55 AM · Testing, FIPS, libgcrypt, Feature Request