T7338: Make SHA1 non-FIPS and differentiate in the SLI
NIIBE Yutaka
gniibe at fsij.org
Tue Feb 25 08:46:37 CET 2025
NIIBE Yutaka <gniibe at fsij.org> wrote:
>> (1) Fixing the behaviour of gcry_pk_sign and gcry_pk_verify.
>
> Here is a patch fixing gcry_pk_sign and gcry_pk_verify.
Here is another fix for gcry_md_algo_info.
Applying the two patches for gcry_pk_sign and gcry_pk_verify and then
gcry_md_algo_info, we can go on to the SHA1 deprecation changes.
BTW, I realized that I misunderstood
GCRY_FIPS_FLAG_REJECT_MD_SHA1. IIUC, it's similar to
GCRY_FIPS_FLAG_REJECT_MD_MD5 (MD5 is deprecated, but non-rejection
behavior is allowed).
SHA1 deprecation changes include:
* Fixes of tests/*
* Introduction of GCRY_FIPS_FLAG_REJECT_MD_SHA1
* Change to cipher/sha1.c
=========================
@@ -759,7 +759,7 @@ static const gcry_md_oid_spec_t oid_spec_sha1[] =
const gcry_md_spec_t _gcry_digest_spec_sha1 =
{
- GCRY_MD_SHA1, {0, 1},
+ GCRY_MD_SHA1, {0, 0},
"SHA1", asn, DIM (asn), oid_spec_sha1, 20,
sha1_init, _gcry_md_block_write, sha1_final, sha1_read, NULL,
_gcry_sha1_hash_buffers,
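Review bot: The positional initializer `{0, 0}` on the `GCRY_MD_SHA1` line of `_gcry_digest_spec_sha1` does not say which field is being cleared, so a reader of this hunk alone cannot tell that it is the FIPS marking named in the subject line. A short comment beside it, or designated initializers for the flags, would make the intent auditable. The message lists the tests/* fixes and the introduction of GCRY_FIPS_FLAG_REJECT_MD_SHA1 as parts of the same set of changes, so the commit message for this hunk should state that it depends on them and that the series should be applied in that order, so that SHA1 callers under FIPS mode do not change behaviour before the reject flag and the updated tests exist.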
=========================
Let me try fixing tests/* first.
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-md-Fix-gcry_md_algo_info-to-mark-reject-under-FIPS-m.patch
Type: text/x-diff
Size: 2029 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250225/359b7b60/attachment.patch>