T7338: Make SHA1 non-FIPS and differentiate in the SLI
Lucas Mulling
lucas.mulling at suse.com
Thu Feb 27 21:09:13 CET 2025
Hello,
Sorry for the delay, I've tested the patches everything seems to be in order. The only thing
I had to change was:
diff --git a/tests/basic.c b/tests/basic.c
index f32e41db..5e1f94b5 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -17268,8 +17268,9 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
rc = gcry_pk_sign (&sig, hash, skey);
if (in_fips_mode && (flags & FLAG_NOFIPS || datas[dataidx].flags & FLAG_NOFIPS))
{
- if (!rc)
- fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
+ if ((datas[dataidx].expected_rc && !rc))
+ fail ("gcry_pk_sign (%d) did not fail as expected in FIPS mode\n",
+ dataidx);
goto next;
}
if (gcry_err_code (rc) != datas[dataidx].expected_rc)
Or maybe GCRY_FIPS_FLAG_REJECT_PK_MD should be enabled by default?
More information about the Gcrypt-devel
mailing list