Sorry, I didn't test for non-FIPS mode when I committed rC347817438990: fips: Fix tests in fips mode..
Tweaking the value for memory allocation is needed for FIPS mode, because it uses some secure memory by DRBG.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Aug 17 2021
Aug 16 2021
Since I think there is no reason why checking _gcry_enforced_fips_mode () here, I remove the check.
There are two things here.
(1) Use of [] (FLEXIBLE_ARRAY_MEMBER)
(2) Use of offsetof (instead of sizeof) for computation of size of allocation.
Aug 13 2021
Aug 6 2021
Here is the documentation of the new way of single-threaded execution:
https://www.gnu.org/software/libc/manual/html_node/Single_002dThreaded.html
Aug 5 2021
We also need to update m4/threadlib.m4.
Now, it's maintained in gnulib.
See the changes in:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=12b5b00f93c6433c3df8176fc9674d7600f8b268
Aug 4 2021
Ah, I understand the point (at least, partially); My understanding is: With FIPS mode, at the module boundary (== libgcrypt), it ensures that all cipher/digest/etc. operations are done under the standard compliance, and it is considered wrong (violation) when non-FIPS mode operation (such as SHA-1) and FIPS mode operation are mixed.
Aug 3 2021
SUSE has patches and version 3235 of cavs_driver.pl, bud it seems that it doesn't support DSA with Q+HASHALGO yet.
Aug 2 2021
Thank you for the information.
I checked with my OpenPGP card v3.4.
It works for me with GnuPG 2.2.x and 2.3.x.
My setting is for RSA-2048 key.
Jul 29 2021
As a start, I applied your patches.
Jul 23 2021
Jul 22 2021
Jul 21 2021
Jul 16 2021
And... as long as I read the PCT patches, it is not needed to export those API to users.
It is only needed internally for PCT tests (at most).
I am considering API enhancement, for this task.
This rwlock guarantees access with ctrl->card_ctx is always valid.
Jul 15 2021
Jul 12 2021
(OpenSSL for FIPS support is a bit tricky, which is described in README-FIPS.md in their distribution. It offers OpenSSL FIPS provider as shared library fips.so.)
Jul 9 2021
Just FYI, NSS offers following API:
Jul 8 2021
With `/etc/gcrypt/fips_enabled/', make check fails by:
If I understand correctly, to conform FIPS, we need to ensure Key/IV pair uniqueness (See "Implementation Guidance for FIPS 140-3", Annex C. "C.H Key/IV Pair Uniqueness Requirements from SP 800-38D").
Use of the API to set IV by any value may be considered bad.
Update: still ./basic --fips fails (for me), because of GCM (18 errors).
Need to fix T4873: Enable AES GCM in FIPS mode.
Jul 7 2021
I applied rC297d31294333: tests: Fix messages to STDERR when FIPS mode is enabled.. Please note that your intention to change check_digests is right, but your patch actually didn't; When a MD algo is not supported, gcry_md_test_algo returns != 0 (an error code), and it "continues" to next entry (before the change).
Thank you for your report.
Jul 6 2021
In agent_write_private_key of agent/findkey.c, when file is available, it returns GPG_ERR_EEXIST error. Thus, private (stub) key will be kept.
Jul 5 2021
Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program:
https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
Jun 25 2021
There are multiple issues here.
Jun 23 2021
For KDF setup (00F9), setting it to '' (null, to reset the DO) doesn't work, but it raises 6a80.
Once KDF is enabled, only factory-reset can reset the feature.