Maniphest T5710

FIPS: disable DSA for FIPS
Closed, ResolvedPublic
Actions

Assigned To
gniibe
Authored By
gniibe
Dec 2 2021, 1:12 AM
Tags
Subscribers
gniibe
Jakuje

Description

While DSA support is out of support for our scope of FIPS support (to get certified), I'm not sure if it's good to set .fips = 0 in DSA module.

My concern is that, the possibility, some other party would want to get certified including DSA module.

To track things, I created this ticket.

Revisions and Commits

rC libgcrypt
rCea362090fc11 fips: Disable DSA in FIPS mode.

Related Objects

Event Timeline

gniibe triaged this task as Normal priority.Dec 2 2021, 1:12 AM
gniibe created this task.
gniibe added a subscriber: Jakuje.

This is the patch from @Jakuje

libgcrypt-fips-DSA-disable.patch1 KBDownload

gniibe mentioned this in T5512: Implement service indicators.Dec 2 2021, 1:16 AM
gniibe moved this task from Backlog to Next on the FIPS board.Dec 7 2021, 11:13 AM
gniibe added a commit: rCea362090fc11: fips: Disable DSA in FIPS mode..Dec 8 2021, 1:52 AM
gniibe added a comment.Dec 8 2021, 1:54 AM

I have been convinced disabling DSA makes more sense.

gniibe changed the task status from Open to Testing.Dec 8 2021, 1:54 AM
gniibe added a project: Restricted Project.
Jakuje added a comment.EditedDec 8 2021, 12:39 PM

It turns out together with rCe96980022e5e some tests are failing in FIPS mode. The attached patch should handle the failures.

---removed outdated patch--

Jakuje added a comment.Dec 8 2021, 1:25 PM

Sorry for the noise. There were couple of other places which I missed initially and which are covered in the v2 patch which follows:

libgcrypt-dsa-tests.patch14 KBDownload

gniibe added a comment.Dec 9 2021, 1:53 AM

Thank you, applied.

gniibe moved this task from Next to Ready for release on the FIPS board.Dec 14 2021, 11:20 AM
gniibe closed this task as Resolved.Feb 2 2022, 1:21 AM
gniibe removed a project: Restricted Project.