FIPS (Tag)
Active · Public

Description

FIPS related

Recent Activity

Yesterday

werner triaged T6507: SCRYPT does not work in FIPS mode as Normal priority.
Tue, May 30, 1:42 PM · libgcrypt, FIPS, Bug Report
Jakuje created T6507: SCRYPT does not work in FIPS mode.
Tue, May 30, 11:33 AM · libgcrypt, FIPS, Bug Report
werner edited projects for T5964: gnupg should use the KDFs implemented in libgcrypt, added: gnupg26; removed gnupg24.

Let's schedule that for 2.6

Tue, May 30, 10:57 AM · gnupg26, FIPS, libgcrypt, Feature Request

Thu, May 25

werner removed a project from T5930: Use the FIPS-compatible digest&sign API: gnupg24.
Thu, May 25, 12:41 PM · FIPS, Feature Request

Mon, May 15

werner closed T6489: GPG 2.4.0 encrypted files in FIPS mode is non-compliant as Resolved.

GnuPG is and can't be FIPS-140-3 compliant due to the way it is implemented. We may eventually employ the new hash-and-sign API of Libgcrypt to move into this direction but that has not yet been done. However, this also requires the use of the new indicator API and the, well, a RedHat kernel.

Mon, May 15, 8:51 PM · Not A Bug, gnupg, FIPS

Fri, May 5

werner added a comment to T5691: Release libgcrypt 1.10.0.

If you experience build problems on macOS see T6442

Fri, May 5, 10:47 AM · FIPS, Release Info, libgcrypt

Apr 13 2023

gniibe closed T6417: FIPS service indicator regarding the public key algorithm flags and objects as Resolved.
Apr 13 2023, 3:33 AM · libgcrypt, FIPS
gniibe closed T6219: Ensure minimum key length for KDF in FIPS mode as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:31 AM · libgcrypt, FIPS, Bug Report
gniibe closed T6039: FIPS: Allow salt=NULL (or shorter salt) for HKDF as Resolved.
Apr 13 2023, 3:31 AM · backport, libgcrypt, FIPS
gniibe closed T5512: Implement service indicators as Resolved.
Apr 13 2023, 3:22 AM · Feature Request, FIPS, libgcrypt
gniibe closed T6048: Test suite fixes with --enable-pubkey-ciphers=ecc as Resolved.
Apr 13 2023, 3:21 AM · FIPS, libgcrypt
gniibe closed T5975: Allow signature verification using specific RSA keys <2k in FIPS mode as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:20 AM · backport, patch, libgcrypt, FIPS, Feature Request
gniibe closed T5933: libgcrypt: Simply use BSS (not secure heap) for DRBG instance as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:20 AM · backport, FIPS, libgcrypt
gniibe closed T5919: libgcrypt tests/basic.c and tests/keygen.c occasionally fail with "error generating RSA key: Number is not prime" as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:19 AM · backport, FIPS, libgcrypt, Bug Report
gniibe closed T6127: FIPS 140-3 final review comments as Resolved.
Apr 13 2023, 3:17 AM · FIPS, libgcrypt, Bug Report
gniibe closed T6394: FIPS requires running PCT tests unconditionally as Resolved.
Apr 13 2023, 3:17 AM · FIPS, libgcrypt, Bug Report
gniibe added a comment to T6127: FIPS 140-3 final review comments.

Fixed in 1.10.2.

Apr 13 2023, 3:16 AM · FIPS, libgcrypt, Bug Report
gniibe closed T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway) as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:16 AM · FIPS, libgcrypt, Bug Report
gniibe added a comment to T6394: FIPS requires running PCT tests unconditionally.

Fixed in 1.10.2.

Apr 13 2023, 3:15 AM · FIPS, libgcrypt, Bug Report
gniibe closed T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:15 AM · libgcrypt, FIPS, Bug Report
gniibe closed T6397: PCT failures inconsistency in regards to the FIPS error state as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:15 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6417: FIPS service indicator regarding the public key algorithm flags and objects.

Fixed in 1.10.2.

Apr 13 2023, 3:14 AM · libgcrypt, FIPS
gniibe closed T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:13 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
gniibe closed T5918: Disable RSA PKCS #1.5 encryption in FIPS mode as Resolved.
Apr 13 2023, 3:12 AM · backport, libgcrypt, FIPS, Bug Report

Mar 24 2023

gniibe changed the status of T6417: FIPS service indicator regarding the public key algorithm flags and objects from Open to Testing.

Pushed the change.

Mar 24 2023, 5:17 AM · libgcrypt, FIPS

Mar 21 2023

gniibe claimed T6417: FIPS service indicator regarding the public key algorithm flags and objects.
Mar 21 2023, 11:25 AM · libgcrypt, FIPS

Mar 20 2023

Jakuje created T6417: FIPS service indicator regarding the public key algorithm flags and objects.
Mar 20 2023, 3:41 PM · libgcrypt, FIPS

Mar 8 2023

gniibe moved T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt from Backlog to Next on the FIPS board.
Mar 8 2023, 2:39 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
gniibe changed the status of T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt from Open to Testing.

Thank you.
Applied to both (master and 1.10).

Mar 8 2023, 2:39 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
gniibe changed the status of T6397: PCT failures inconsistency in regards to the FIPS error state from Open to Testing.
Mar 8 2023, 1:49 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode from Open to Testing.
Mar 8 2023, 1:48 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6394: FIPS requires running PCT tests unconditionally from Open to Testing.
Mar 8 2023, 1:48 AM · FIPS, libgcrypt, Bug Report
gniibe changed the status of T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway) from Open to Testing.
Mar 8 2023, 1:48 AM · FIPS, libgcrypt, Bug Report
gniibe moved T6397: PCT failures inconsistency in regards to the FIPS error state from Next to Ready for release on the FIPS board.
Mar 8 2023, 1:47 AM · libgcrypt, FIPS, Bug Report
gniibe moved T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode from Next to Ready for release on the FIPS board.
Mar 8 2023, 1:47 AM · libgcrypt, FIPS, Bug Report
gniibe moved T6394: FIPS requires running PCT tests unconditionally from Next to Ready for release on the FIPS board.
Mar 8 2023, 1:47 AM · FIPS, libgcrypt, Bug Report
gniibe moved T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway) from Next to Ready for release on the FIPS board.
Mar 8 2023, 1:47 AM · FIPS, libgcrypt, Bug Report

Mar 7 2023

gniibe moved T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway) from Backlog to Next on the FIPS board.
Mar 7 2023, 7:34 AM · FIPS, libgcrypt, Bug Report
gniibe claimed T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway).

Applied your patch (from gitlab) to both (master and 1.10).

Mar 7 2023, 7:34 AM · FIPS, libgcrypt, Bug Report
gniibe moved T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode from Backlog to Next on the FIPS board.
Mar 7 2023, 7:12 AM · libgcrypt, FIPS, Bug Report
gniibe claimed T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode.

Applied to both (1.10 and master).

Mar 7 2023, 7:11 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway).

You are right, there is no way to use DRBG with SHA384 by libgcrypt.

Mar 7 2023, 3:53 AM · FIPS, libgcrypt, Bug Report
gniibe moved T6397: PCT failures inconsistency in regards to the FIPS error state from Backlog to Next on the FIPS board.
Mar 7 2023, 3:43 AM · libgcrypt, FIPS, Bug Report
gniibe moved T6394: FIPS requires running PCT tests unconditionally from Backlog to Next on the FIPS board.
Mar 7 2023, 3:43 AM · FIPS, libgcrypt, Bug Report
gniibe claimed T6397: PCT failures inconsistency in regards to the FIPS error state.

Applied to both (1.10 and master).

Mar 7 2023, 3:42 AM · libgcrypt, FIPS, Bug Report
gniibe claimed T6394: FIPS requires running PCT tests unconditionally.

Applied to both (of 1.10 and master).

Mar 7 2023, 3:42 AM · FIPS, libgcrypt, Bug Report

Mar 6 2023

tobhe added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Right, thanks for the review! Updated patches below.

Mar 6 2023, 5:11 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
Jakuje added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Actually, the same issue is in the mac case, which I missed on the first couple of reviews:

-  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_cipher_algos);
+  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
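Review bot: the `va_arg (arg_ptr, enum gcry_cipher_algos)` slip on the `-` line is the same copy-paste error flagged in `_gcry_fips_indicator_md`, so check any other indicator function in the patch set that reads its algorithm through `va_arg` for a leftover `enum gcry_cipher_algos`. The type passed to `va_arg` should be the same enum as the declared type of `alg`, as it is on the `+` line.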
Mar 6 2023, 5:01 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
Jakuje added a comment to T6394: FIPS requires running PCT tests unconditionally.

We discussed this further with the lab and there are more problematic flags that we need to "cut" and we cannot do that always in the code, as for example the RFC6979 (deterministic ECDSA signatures) are not allowed in the current version of the FIPS documents, but it is used in the selftests (which is weirdly enough allowed) so we just need to mark it unapproved. Let's discuss this further tomorrow.

Mar 6 2023, 4:49 PM · FIPS, libgcrypt, Bug Report
Jakuje added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Going through the code once more, there is one typo to be fixed:

+_gcry_fips_indicator_md (va_list arg_ptr)
+{
+  enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_cipher_algos);

should say

+_gcry_fips_indicator_md (va_list arg_ptr)
+{
+  enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);

otherwise ack.

Mar 6 2023, 4:46 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS