Page MenuHome GnuPG

FIPSTag
ActivePublic

Details

Description

FIPS related

Recent Activity

Fri, Feb 9

gniibe changed the status of T6976: RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding from Open to Testing.

Applied the change. I write the ChangeLog entry by commit message.

Fri, Feb 9, 8:32 AM · FIPS, libgcrypt, Bug Report

Wed, Feb 7

werner triaged T6976: RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding as Normal priority.
Wed, Feb 7, 9:20 AM · FIPS, libgcrypt, Bug Report
werner added projects to T6976: RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding: libgcrypt, FIPS.
Wed, Feb 7, 9:17 AM · FIPS, libgcrypt, Bug Report

Nov 15 2023

gniibe closed T6539: The digest&sign/verify API with SHAKE-class digests does not work as Resolved.

The fix is in 1.10.3.

Nov 15 2023, 1:02 AM · libgcrypt, FIPS, Bug Report
gniibe closed T6507: SCRYPT does not work in FIPS mode as Resolved.

Fix is in 1.10.3.

Nov 15 2023, 12:54 AM · libgcrypt, FIPS, Bug Report

Nov 14 2023

werner closed T6217: sha3: wrong results for large inputs as Resolved.
Nov 14 2023, 1:18 PM · libgcrypt, FIPS, Bug Report
werner closed T4873: Enable AES GCM in FIPS mode as Resolved.
Nov 14 2023, 1:17 PM · FIPS, libgcrypt, Feature Request
werner closed T4873: Enable AES GCM in FIPS mode, a subtask of T5870: libgcrypt: AEAD API for FIPS 140 (in future), as Resolved.
Nov 14 2023, 1:17 PM · Feature Request, FIPS, libgcrypt
werner moved T6217: sha3: wrong results for large inputs from Backlog to For 1.10 on the libgcrypt board.
Nov 14 2023, 1:14 PM · libgcrypt, FIPS, Bug Report

Aug 8 2023

werner moved T6515: GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution from Backlog to Ready for release on the FIPS board.
Aug 8 2023, 11:08 AM · FIPS, Bug Report

Jun 28 2023

gniibe changed the status of T6539: The digest&sign/verify API with SHAKE-class digests does not work from Open to Testing.

Add the check of digest algorithm for EdDSA in: rCd15fe6aac10b: cipher:ecc:fips: Only allow defined digest algo for EdDSA.

Jun 28 2023, 7:23 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

No, there are use cases in GnuPG, where we specify the hash algo for signing, and our own tests/benchmark.c.

Jun 28 2023, 3:54 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

For the first issue, I added a check in: rCf65c30d470f5: cipher:ecc:fips: Reject use of SHAKE when it's ECDSA with RFC6979.

Jun 28 2023, 3:52 AM · libgcrypt, FIPS, Bug Report

Jun 27 2023

Jakuje added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

From the FIPS 186-5 there are some limitations to use the SHAKE in FIPS Mode that we will have to reflect:

Jun 27 2023, 5:22 PM · libgcrypt, FIPS, Bug Report

Jun 23 2023

gniibe added a comment to T6557: Support of SHAKE in MGF function of RSA.

Pushed a change in master.

Jun 23 2023, 6:00 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6557: Support of SHAKE in MGF function of RSA, a subtask of T6539: The digest&sign/verify API with SHAKE-class digests does not work, from Open to Testing.
Jun 23 2023, 6:00 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6557: Support of SHAKE in MGF function of RSA from Open to Testing.
Jun 23 2023, 6:00 AM · libgcrypt, FIPS, Bug Report
gniibe updated the task description for T6557: Support of SHAKE in MGF function of RSA.
Jun 23 2023, 3:28 AM · libgcrypt, FIPS, Bug Report
gniibe renamed T6557: Support of SHAKE in MGF function of RSA from Support of SHAKE in MGF1 function of RSA to Support of SHAKE in MGF function of RSA.
Jun 23 2023, 3:27 AM · libgcrypt, FIPS, Bug Report
gniibe triaged T6557: Support of SHAKE in MGF function of RSA as Normal priority.
Jun 23 2023, 2:41 AM · libgcrypt, FIPS, Bug Report

Jun 22 2023

gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

I found the case of X.509, which also uses fixed length output for RSA-PSS and ECDSA: https://www.rfc-editor.org/rfc/rfc8692.html

Jun 22 2023, 7:29 AM · libgcrypt, FIPS, Bug Report

Jun 20 2023

Jakuje added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

Thank you for having a look into that! The proposed patch looks good. Should we have this change also in master?

Jun 20 2023, 1:58 PM · libgcrypt, FIPS, Bug Report

Jun 19 2023

gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

Here is a possible change (... to master, assuming it's good to support use case of RFC 8702):

diff --git a/cipher/keccak.c b/cipher/keccak.c
index 22c40302..76e08cb5 100644
--- a/cipher/keccak.c
+++ b/cipher/keccak.c
@@ -1630,8 +1630,8 @@ const gcry_md_spec_t _gcry_digest_spec_sha3_512 =
 const gcry_md_spec_t _gcry_digest_spec_shake128 =
   {
     GCRY_MD_SHAKE128, {0, 1},
-    "SHAKE128", shake128_asn, DIM (shake128_asn), oid_spec_shake128, 0,
-    shake128_init, keccak_write, keccak_final, NULL, keccak_extract,
+    "SHAKE128", shake128_asn, DIM (shake128_asn), oid_spec_shake128, 32,
+    shake128_init, keccak_write, keccak_final, keccak_read, keccak_extract,
     _gcry_shake128_hash_buffers,
     sizeof (KECCAK_CONTEXT),
     run_selftests
@@ -1639,8 +1639,8 @@ const gcry_md_spec_t _gcry_digest_spec_shake128 =
 const gcry_md_spec_t _gcry_digest_spec_shake256 =
   {
     GCRY_MD_SHAKE256, {0, 1},
-    "SHAKE256", shake256_asn, DIM (shake256_asn), oid_spec_shake256, 0,
-    shake256_init, keccak_write, keccak_final, NULL, keccak_extract,
+    "SHAKE256", shake256_asn, DIM (shake256_asn), oid_spec_shake256, 64,
+    shake256_init, keccak_write, keccak_final, keccak_read, keccak_extract,
     _gcry_shake256_hash_buffers,
     sizeof (KECCAK_CONTEXT),
     run_selftests
Jun 19 2023, 4:53 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

Reading RFC 8702, I realized that it defines the hash size in the use of CMS as: SHAKE128 : 32-byte SHAKE256 : 64-byte.

Jun 19 2023, 4:47 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

Applied rC8cdd0d353e19: cipher:pubkey: Check digest size which should not be zero. for 1.10.

Jun 19 2023, 4:36 AM · libgcrypt, FIPS, Bug Report

Jun 16 2023

gniibe claimed T6539: The digest&sign/verify API with SHAKE-class digests does not work.
Jun 16 2023, 9:36 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

I found this use case: RFC 8702
"Use of the SHAKE One-Way Hash Functions in the Cryptographic Message Syntax (CMS)": https://www.rfc-editor.org/rfc/rfc8702.html

Jun 16 2023, 9:35 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

Another possibility for digest&sign API: it is possible to determine the length of required hash function by the underlining field Fp of the curve in use. Then, use this length instead. It's better than to (try to) get the length by _gcry_md_get_algo_dlen (for SHAKE, it's undefined).

Jun 16 2023, 9:16 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6507: SCRYPT does not work in FIPS mode from Open to Testing.

Fixed in both of master and 1.10 branch.

Jun 16 2023, 8:11 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6515: GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution from Open to Testing.
Jun 16 2023, 7:28 AM · FIPS, Bug Report
gniibe claimed T6515: GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution.

For libgcrypt, initially when the code was put, it made some sense.
Now, it's useless, so, let's simply remove the message.

Jun 16 2023, 7:28 AM · FIPS, Bug Report
gniibe changed the status of T6511: EdDSA support in FIPS mode from Open to Testing.

Added: rC547dfb5aecc1: cipher:ecc: Add selftests for EdDSA.
Added: rC3ac2bba4a4b1: cipher:ecc: Implement PCT for EdDSA.

Jun 16 2023, 7:12 AM · FIPS, libgcrypt, Bug Report

Jun 15 2023

Jakuje created T6539: The digest&sign/verify API with SHAKE-class digests does not work.
Jun 15 2023, 5:34 PM · libgcrypt, FIPS, Bug Report

Jun 14 2023

gniibe added a comment to T6511: EdDSA support in FIPS mode.

I found that for EdDSA other than pure Ed25519, it can supply context.
I changed the semantics and API for adding context and input data, as we need to support both simultaneously.

Jun 14 2023, 7:49 AM · FIPS, libgcrypt, Bug Report
gniibe added a comment to T6511: EdDSA support in FIPS mode.

I changed the lg-input-data.diff patch not to break the ABI, reusing the published symbol of gcry_pk_random_override_new.
With this approach, if/when needed, backporting may be easier.
Drawback is debugging internal of libgcrypt will be a bit confusing.

Jun 14 2023, 4:50 AM · FIPS, libgcrypt, Bug Report

Jun 13 2023

werner added a comment to T6515: GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution.

Let's fix this in Libgcrypt (ignore setting of the handler)

Jun 13 2023, 11:19 AM · FIPS, Bug Report
Jakuje added a comment to T6511: EdDSA support in FIPS mode.

Another approach would be having "non-hash" algo for gcry_md_open.

Jun 13 2023, 9:53 AM · FIPS, libgcrypt, Bug Report
gniibe added a comment to T6511: EdDSA support in FIPS mode.

Before adding FIPS support flag and tests, we need to modify implementation:

  • Adding PCT check for EdDSA
  • Adding support of gcry_pk_hash_sign/verify API for EdDSA
Jun 13 2023, 6:33 AM · FIPS, libgcrypt, Bug Report

Jun 8 2023

gniibe added a comment to T6511: EdDSA support in FIPS mode.

I'm going to add selftest of EdDSA with test vectors from RFC 8032.

Jun 8 2023, 8:32 AM · FIPS, libgcrypt, Bug Report

Jun 5 2023

werner triaged T6515: GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution as Normal priority.
Jun 5 2023, 12:49 PM · FIPS, Bug Report

Jun 1 2023

SineSwiper created T6515: GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution.
Jun 1 2023, 5:48 PM · FIPS, Bug Report
gniibe claimed T6511: EdDSA support in FIPS mode.
Jun 1 2023, 9:46 AM · FIPS, libgcrypt, Bug Report
werner raised the priority of T6511: EdDSA support in FIPS mode from Normal to High.

They re-used the same file name for the update from March and no history section. Anyway that looks promising and may solve the problem of having different algorithms allowed for restricted communication in the EU and the US.

Jun 1 2023, 9:26 AM · FIPS, libgcrypt, Bug Report
Jakuje added a comment to T6511: EdDSA support in FIPS mode.

Correct, but the last revision of FIPS 140-3 lists the EdDSA already. The same for the IG for FIPS 140-3:

Jun 1 2023, 9:08 AM · FIPS, libgcrypt, Bug Report
werner triaged T6511: EdDSA support in FIPS mode as Normal priority.

My understanding is that FIPS 186-x lists more algorithms than approved for FIPS 140-y; the approved algorithms for 140-y are in the latest revisions of SP800-140. I have not checked the latter document, though.

Jun 1 2023, 9:05 AM · FIPS, libgcrypt, Bug Report

May 31 2023

Jakuje created T6511: EdDSA support in FIPS mode.
May 31 2023, 4:51 PM · FIPS, libgcrypt, Bug Report

May 30 2023

werner triaged T6507: SCRYPT does not work in FIPS mode as Normal priority.
May 30 2023, 1:42 PM · libgcrypt, FIPS, Bug Report
Jakuje created T6507: SCRYPT does not work in FIPS mode.
May 30 2023, 11:33 AM · libgcrypt, FIPS, Bug Report
werner edited projects for T5964: gnupg should use the KDFs implemented in libgcrypt, added: gnupg26; removed gnupg24.

Let's schedule that for 2.6

May 30 2023, 10:57 AM · gnupg26, FIPS, libgcrypt, Feature Request

May 25 2023

werner removed a project from T5930: Use the FIPS-compatible digest&sign API: gnupg24.
May 25 2023, 12:41 PM · FIPS, Feature Request