Page MenuHome GnuPG

libgcryptProject
ActivePublic

Recent Activity

Thu, Dec 12

gniibe added a comment to T7338: Revamp the FIPS service indicator.

Here are changes for gcry_md_open and its friends.

Thu, Dec 12, 6:43 AM · libgcrypt, FIPS, Feature Request
gniibe added a comment to T7338: Revamp the FIPS service indicator.

My idea in https://dev.gnupg.org/T7338#195529 doesn't work well when a function call is done multiple times.
Assuming SUCCESS, and marking all non-compliant places in the code works, and it would be good because libgcrypt so far maintains non-compliant path with rejection.

Thu, Dec 12, 3:09 AM · libgcrypt, FIPS, Feature Request

Mon, Dec 9

gniibe added a comment to T7338: Revamp the FIPS service indicator.

Pushed the change for adding hash tests in rC7faf542f1573: fips,tests: Add t-digest.

Mon, Dec 9, 6:34 AM · libgcrypt, FIPS, Feature Request

Fri, Dec 6

gniibe added a comment to T7338: Revamp the FIPS service indicator.

It seems that the internal API is not enough.
Now, we have _gcry_md_hash_buffer function with the new FIPS service indicator.
It's used for public key crypto, too.
The compliance for hash function is a part of public key crypto, but not all.

Fri, Dec 6, 6:54 AM · libgcrypt, FIPS, Feature Request
gniibe added a comment to T7338: Revamp the FIPS service indicator.

A change for gcry_md_hash_* functions are pushed by rC3478caac62c7: fips,md: Implement new FIPS service indicator for gcry_md_hash_*..
It doesn't have tests with FIPS service indicator yet.

Fri, Dec 6, 6:40 AM · libgcrypt, FIPS, Feature Request

Thu, Dec 5

gniibe added a comment to T7338: Revamp the FIPS service indicator.

New external API is by GCRYCTL_FIPS_SERVICE_INDICATOR and/or the new macro gcry_get_fips_service_indicator.
This change is pushed by rCf51f4e98930e: fips: Introduce GCRYCTL_FIPS_SERVICE_INDICATOR and the macro.

Thu, Dec 5, 3:37 AM · libgcrypt, FIPS, Feature Request
gniibe added a comment to T7338: Revamp the FIPS service indicator.

New internal API is introduced with T7340 by the commit rCe1cf31232825: fips: Introduce an internal API for FIPS service indicator.

Thu, Dec 5, 3:30 AM · libgcrypt, FIPS, Feature Request
gniibe changed the status of T7340: Introduced a context with thread local storage, a subtask of T7338: Revamp the FIPS service indicator, from Open to Testing.
Thu, Dec 5, 3:28 AM · libgcrypt, FIPS, Feature Request
gniibe changed the status of T7340: Introduced a context with thread local storage from Open to Testing.

Change is pushed by rCe1cf31232825: fips: Introduce an internal API for FIPS service indicator.

Thu, Dec 5, 3:28 AM · libgcrypt, FIPS, Feature Request

Wed, Dec 4

werner closed T7397: Kleopatra: Support Kyber generation, a subtask of T6636: PQC Implementation, as Resolved.
Wed, Dec 4, 2:46 PM · PQC, gnupg, libgcrypt

Nov 14 2024

ikloecker changed the status of T7397: Kleopatra: Support Kyber generation, a subtask of T6636: PQC Implementation, from Open to Testing.
Nov 14 2024, 4:39 PM · PQC, gnupg, libgcrypt

Nov 4 2024

werner triaged T7338: Revamp the FIPS service indicator as High priority.
Nov 4 2024, 12:54 PM · libgcrypt, FIPS, Feature Request

Oct 24 2024

gniibe added a comment to T7340: Introduced a context with thread local storage.

I created a branch: https://dev.gnupg.org/source/libgcrypt/history/gniibe%252Ft7340/

Oct 24 2024, 3:27 AM · libgcrypt, FIPS, Feature Request

Oct 16 2024

gniibe added a comment to T7340: Introduced a context with thread local storage.

Autoconf archive has AX_TLS: https://www.gnu.org/software/autoconf-archive/ax_tls.html
Also, AX_GCC_VAR_ATTRIBUTE(tls_model) could be used: https://www.gnu.org/software/autoconf-archive/ax_gcc_var_attribute.html

Oct 16 2024, 7:31 AM · libgcrypt, FIPS, Feature Request
gniibe updated the task description for T7340: Introduced a context with thread local storage.
Oct 16 2024, 7:28 AM · libgcrypt, FIPS, Feature Request
gniibe updated the task description for T7340: Introduced a context with thread local storage.
Oct 16 2024, 7:22 AM · libgcrypt, FIPS, Feature Request
gniibe triaged T7340: Introduced a context with thread local storage as Normal priority.
Oct 16 2024, 7:21 AM · libgcrypt, FIPS, Feature Request

Oct 15 2024

gniibe claimed T7338: Revamp the FIPS service indicator.
Oct 15 2024, 11:25 AM · libgcrypt, FIPS, Feature Request
werner created T7338: Revamp the FIPS service indicator.
Oct 15 2024, 11:24 AM · libgcrypt, FIPS, Feature Request

Sep 17 2024

gniibe changed the status of T7277: libgcrypt: Adding Known Answer Tests for KEM from Open to Testing.

Pushed the change in: rC38742196c04c: cipher:kyber: Add gcry_kem_genkey to support deterministic op.
rC4876a1a45c25: tests:kyber: Add genkey and encap KAT tests.

Sep 17 2024, 9:39 AM · PQC, libgcrypt

Sep 12 2024

gniibe changed the status of T7220: The CF protection not enabled in libgcrypt from Open to Testing.
Sep 12 2024, 7:17 AM · libgcrypt, Bug Report
gniibe changed the status of T7226: libgcrypt 1.11.0 buid error on armhf with gcc-14 from Open to Testing.
Sep 12 2024, 7:17 AM · FTBFS, arm, libgcrypt, Bug Report

Sep 6 2024

gniibe added a project to T7277: libgcrypt: Adding Known Answer Tests for KEM: PQC.
Sep 6 2024, 8:50 AM · PQC, libgcrypt

Sep 4 2024

gniibe added a project to T7277: libgcrypt: Adding Known Answer Tests for KEM: libgcrypt.
Sep 4 2024, 7:13 AM · PQC, libgcrypt

Sep 2 2024

werner closed T7282: Omitted check-test operations while building from source as Resolved.

Use --enable-large-data-tests with configure and go out for a real long lunch

Sep 2 2024, 10:38 AM · Support, libgcrypt
Rycky_Tigg created T7282: Omitted check-test operations while building from source.
Sep 2 2024, 10:03 AM · Support, libgcrypt

Aug 30 2024

ikloecker closed T7279: libgpg-error installation not detected while building libgcrypt from source as Invalid.

As far as I know the practice to have separate -dev packages is very common among Linux distributions.

Aug 30 2024, 1:28 PM · libgcrypt, Bug Report
Rycky_Tigg added a comment to T7279: libgpg-error installation not detected while building libgcrypt from source.

I wonder how common this practice of splitting development material into a separate file might be? It is in place at Alpine, since the file libgpg-error-dev exists. Once the related component is instaled, these messages/strings are printed:; output filtered:

checking for GPG Error - version >= 1.49... expr: warning: '^x-L': using '^' as the first character of a basic regular expression is not portable; it is ignored  yes (1.49)
Aug 30 2024, 12:35 PM · libgcrypt, Bug Report

Aug 29 2024

ikloecker added a comment to T7279: libgpg-error installation not detected while building libgcrypt from source.

Does alpine split the development files of libgpg-error into a separate *-devel (or similar) package like most other distros? If yes, then you need to install this development package.

Aug 29 2024, 5:14 PM · libgcrypt, Bug Report
Rycky_Tigg created T7279: libgpg-error installation not detected while building libgcrypt from source.
Aug 29 2024, 2:53 PM · libgcrypt, Bug Report

Aug 28 2024

jukivili closed T7264: libgcrypt `tests/pkcs1v2` test fails in FIPS mode as Resolved.
Aug 28 2024, 6:04 PM · libgcrypt, Bug Report
jukivili added a comment to T7264: libgcrypt `tests/pkcs1v2` test fails in FIPS mode.

Thanks. Test works in my nightly builds now.

Aug 28 2024, 6:04 PM · libgcrypt, Bug Report

Aug 26 2024

gniibe claimed T7264: libgcrypt `tests/pkcs1v2` test fails in FIPS mode.

That's my badness.
I noticed by the CI at https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror

Aug 26 2024, 10:17 AM · libgcrypt, Bug Report

Aug 22 2024

jukivili created T7264: libgcrypt `tests/pkcs1v2` test fails in FIPS mode.
Aug 22 2024, 6:41 AM · libgcrypt, Bug Report

Aug 7 2024

Jakuje added a comment to T7220: The CF protection not enabled in libgcrypt.

I do not have Aarch64 machine at hand so what I did was building the package with changes on the build system with previous patches and checking the correct flag are in place (previously in RHEL10, but now in Fedora):

Aug 7 2024, 10:09 AM · libgcrypt, Bug Report
jukivili added a comment to T7220: The CF protection not enabled in libgcrypt.

Do you have any way to test PAC/BTI on actual HW that support these extensions?

Aug 7 2024, 8:16 AM · libgcrypt, Bug Report

Aug 6 2024

werner triaged T7226: libgcrypt 1.11.0 buid error on armhf with gcc-14 as Normal priority.
Aug 6 2024, 9:17 AM · FTBFS, arm, libgcrypt, Bug Report

Aug 5 2024

Jakuje added a comment to T7220: The CF protection not enabled in libgcrypt.

Thanks! Verified this builds on aarch64 correctly and generates the right flags on the output:

Hardened: /builddir/build/BUILDROOT/libgcrypt-1.11.0-3.el10.aarch64/usr/lib64/libgcrypt.so.20.5.0: Overall: PASS.
Aug 5 2024, 9:40 PM · libgcrypt, Bug Report
jukivili added a comment to T7220: The CF protection not enabled in libgcrypt.

This excludes 32-bit ARM assembly from Aarch64 builds:

Aug 5 2024, 7:23 PM · libgcrypt, Bug Report
ametzler1 added a comment to T7226: libgcrypt 1.11.0 buid error on armhf with gcc-14.

This patch should fix the issue:

Aug 5 2024, 6:14 PM · FTBFS, arm, libgcrypt, Bug Report
Jakuje added a comment to T7220: The CF protection not enabled in libgcrypt.

Tested in our build environment and indeed, just this patch does not solve the issue for aarch64.

Aug 5 2024, 11:50 AM · libgcrypt, Bug Report

Aug 4 2024

jukivili added a comment to T7220: The CF protection not enabled in libgcrypt.

Here's patch:

Aug 4 2024, 5:58 PM · libgcrypt, Bug Report
jukivili added a comment to T7226: libgcrypt 1.11.0 buid error on armhf with gcc-14.

This patch should fix the issue:

Aug 4 2024, 5:20 PM · FTBFS, arm, libgcrypt, Bug Report
jukivili added a comment to T7220: The CF protection not enabled in libgcrypt.

Ok, so aarch64 assembly would need PAC and BTI support. As far as I have understood these, is that PAC instructions are not needed with current assembly as none of those is storing/loading LR register (all aarch64 assembly functions are leaf functions). So only BTI is needed and that is basically same modification as CET on x86.

Aug 4 2024, 4:36 PM · libgcrypt, Bug Report
ametzler1 added a comment to T7226: libgcrypt 1.11.0 buid error on armhf with gcc-14.

This already shows with 9d909cb67e70fd792926ac1e2ab305b2cc96bc27 which initially added ec-inline.h. (Reproducing with old versions like this one requires cherry-picking 693ffa145378682229473b0e811a9cea7c4d307a since otherwise NEON support is disabled at configure time due to implicit functions.)

Aug 4 2024, 11:17 AM · FTBFS, arm, libgcrypt, Bug Report

Jul 29 2024

Jakuje added a comment to T7220: The CF protection not enabled in libgcrypt.

Recent changes fixed the issue for the x86_64 builds, but I see similar symptoms in the aarch64 build now. Annocheck reports the following failures:

Hardened: /usr/lib64/libgcrypt.so.20.5.0: FAIL: dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags 
Hardened: /usr/lib64/libgcrypt.so.20.5.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-dynamic-tags.html
Hardened: /usr/lib64/libgcrypt.so.20.5.0: FAIL: property-note test because properly formatted .note.gnu.property not found (it is needed for branch protection support) 
Hardened: /usr/lib64/libgcrypt.so.20.5.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html

I do not have aarch64 machine at hand now to investigate this further, but this sounds like orthogonal functionality to the CET on Intel.

Jul 29 2024, 3:18 PM · libgcrypt, Bug Report
werner added projects to T7226: libgcrypt 1.11.0 buid error on armhf with gcc-14: arm, FTBFS.
Jul 29 2024, 10:16 AM · FTBFS, arm, libgcrypt, Bug Report

Jul 28 2024

ametzler1 created T7226: libgcrypt 1.11.0 buid error on armhf with gcc-14.
Jul 28 2024, 6:20 PM · FTBFS, arm, libgcrypt, Bug Report

Jul 27 2024

Jakuje added a comment to T7220: The CF protection not enabled in libgcrypt.

Thank you. With this patch the IBT flags are present on the shared object and CF protection test passes.

Jul 27 2024, 8:40 AM · libgcrypt, Bug Report
jukivili added a comment to T7220: The CF protection not enabled in libgcrypt.

"rijndael-vaes-avx2-i386.S" should not be build for x86-64 but until now that has not had any affect as #ifdefs in that source file result empty object file on x86-64.

Jul 27 2024, 7:23 AM · libgcrypt, Bug Report