Fri, Sep 17
I had in my mind something like this:
Thu, Sep 16
Thanks. I think we are good here. If we decide to pursue the brainpool switch, I will open a new issue.
Two third patches are applied to master. (@werner those parts are typo fix and tests improvement, which we agreed to push.)
Wed, Sep 15
If a configure switch to disable Brainpool curves is added, we also need to add a switch to disable NIST curves.
Oh, my bad. I probably used the wrong git command. Uploaded now the patches themselves:
disable-brainpool.patch is a text of list of patches.
I think the first two could be applied.
@Jakuje Could you please upload them?
Mon, Sep 13
I have one more patch set to improve FIPS testing in test/curves.c. In the past, it was basically skipped altogether in FIPS mode. This implements more fine-grained selection of what is being tested. This is the first part.
Fri, Sep 10
The fix works for me (using bash on openSUSE Tumbleweed).
Mon, Sep 6
Looks good to me. Tested now with master 47e425e07995454573e28c13c08229d2f8a75642 and all tests pass for me in and out of FIPS mode as well as in the "soft" one.
Wed, Aug 25
Fixed in 2.3.2.
Tue, Aug 24
Mon, Aug 23
From Stephan I got the following response to the allocation handler use case
Aug 18 2021
Right. The clarification is that SHA1 itself (for non-security and non-signature use) is still allowed in FIPS mode. But it is not allowed to be used as part of signature schemes of the new API in FIPS mode. The old API, which allows raw signatures without digests, should just fail in FIPS mode too. And the FIPS-compatible gnupg should use the new API too (it would be good to think about this when putting it together).
For use of SHA-1:
Aug 17 2021
(can't access that bug with my account)
For tests with FIPS mode enabled, I manually create the file .libgcrypt.so.20.hmac under src/.libs.
Aug 16 2021
I went a bit back to the history to figure out what is the enforced and soft fips mode as it was initially not completely clear to me. For the record, I used the following bug from 9 years ago:
Since I think there is no reason for checking _gcry_enforced_fips_mode () here, I remove the check.
Aug 6 2021
Jul 29 2021
Jul 22 2021
Jun 23 2021
Jun 2 2021
May 27 2021
May 7 2021
Ah, great. Thanks!
May 3 2021
Apr 21 2021
Apr 19 2021
Has been released with 2.3.0 and we better open a new task if problems show up with v5 key. I am pretty sure that there will be a few v5 key problems after they get in real use.
Apr 15 2021
Making this task up to HIGH priority, so that people can easily find this change in 2.3.0.