The patch has been applied.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Dec 8 2021
Dec 7 2021
Thank you, applied.
Dec 6 2021
Dec 3 2021
Thanks. I did some git archeology and found the first mention of this in the following commit in 2011 without much details:
Adding the case for == 0 only might be problematic, because I don't think it's an alias for a secure value; I think that == 0 means that it's up to libgcrypt to select the value (just like other generate_* functions).
Thank you, applied.
Dec 2 2021
Let me get back to this once more as one of the parts for RSA was initially missed:
diff -up libgcrypt-1.8.4/cipher/rsa.c.fips-keygen libgcrypt-1.8.4/cipher/rsa.c --- libgcrypt-1.8.4/cipher/rsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100 +++ libgcrypt-1.8.4/cipher/rsa.c 2019-02-12 14:29:25.630513971 +0100 @@ -696,7 +696,7 @@ generate_x931 (RSA_secret_key *sk, unsig
I went through some more testing and noticed one missing file in the release tarball, that prevents building libgcrypt now. Should be fixed with the attached patch.
Nov 30 2021
Nov 25 2021
Nov 23 2021
Nov 18 2021
Fixed, with using normal memory for ->mem.
->mem is just used to measure the difference of memory access.
It found that newer jitterentropy uses larger mem (128KiB), while older uses 2KiB.
Nov 17 2021
Pushed to master.
Nov 16 2021
Nov 15 2021
Nov 12 2021
Nov 3 2021
Oct 29 2021
Oct 18 2021
( No need to certify the DSA things)
Oct 15 2021
For completeness here's a screenshot that shows the situation on a TERM=sun-console text console with the latest code :
The typo is fixed now and after pulling the latest sources from the repo and configure --disable-ncurses :
Thanks for testing. I pushed a fix for my typo: rPb713f31c5b04: curses: Fix the previous commit.
Oct 14 2021
My previous patch is not perfect as the screenshot in attach shows. The clear() is not really sufficient as it only redraws the portion below the frame in the new background color (black instead of white).
In the patch in attach I do a clear screen in the non-ncurses case.
Hello Tim and Yukata Iibe (gniibe),
Oct 13 2021
Fixed in GnuPG 2.3.3.
Oct 12 2021
Now configure with
--enable-hmac-binary-check="I know engineers. They love to change things." works.
Oct 6 2021
Sep 29 2021
Use of version 5 format for Ed448/X448 was pushed by rG86cb04a23d2b: gpg: Ed448 and X448 are only for v5 (for subkey)..
Sep 27 2021
Sep 17 2021
I had in my mind something like this:
Sep 16 2021
Thanks. I think we are good here. If we will decide to pursuate the brainpool switch, I will open a new issue.
Two third patches are applied to master. (@werner those parts are typo fix and tests improvement, which we agreed to push.)
Sep 15 2021
If a configure switch to disable Brainpool curves will be added, we also need to add a switch to disable NIST curves.
Oh, my bad. I probably used wrong git command. Uploaded now the patches themselves:
disable-brainpool.patch is a text of list of patches.
I think the first two could be applied.
@Jakuje Could you please upload them?
Sep 13 2021
I have one more patch set to improve FIPS testing in test/curves.c. In the past, it was basically skipped altogether in FIPS mode. This implements more fine-grained selection of what is being tested. This is the first part.
Sep 10 2021
The fix works for me (using bash on openSUSE Tumbleweed).
Sep 6 2021
looks good to me. Tested now with master 47e425e07995454573e28c13c08229d2f8a75642 and all tests pass for me in and out of FIPS mode as well as in the "soft" one.
Aug 25 2021
Fixed in 2.3.2.
Aug 24 2021
Aug 23 2021
From Stephan I got the following response to the allocation handler use case
Aug 18 2021
Right. The clarification is that SHA1 itself (for non-security and non-signature use) is still allowed in FIPS mode. But it is not allowed to be used as part of signature schemes of the new API in FIPS mode. The old API, which allows raw signatures without digests, should just fail in FIPS mode too. And the FIPS-compatible gnupg should use the new API too (it would be good to think about this when putting it together).
For use of SHA-1:
Aug 17 2021
(can't access that bug with my account)
For tests with FIPS mode enabled, I manually create the file .libgcrypt.so.20.hmac under src/.libs.
Aug 16 2021
I went a bit back to the history to figure out what is the enforced and soft fips mode as it was initially not completely clear to me. For the record, I used the following bug from 9 years ago:
Since I think there is no reason why checking _gcry_enforced_fips_mode () here, I remove the check.
Aug 6 2021
Jul 29 2021
Jul 22 2021
Jun 23 2021
Jun 2 2021
May 27 2021
May 7 2021
Ah, great. Thanks!