FIPS-mode keygen fails to include preferences subpackets
NIIBE Yutaka
gniibe at fsij.org
Tue Mar 18 06:26:06 CET 2025
Hello,
Ahern, William wrote:
> When libgcrypt is in FIPS mode GnuPG g10/keygen.c:keygen_set_std_prefs
> fails entirely in the absence of an explicit preference list,
> resulting in the symmetric cipher preference list and similar
> subpackets being omitted from the generated public key.
Well, I'd suggest posting this question to gnupg-devel. This is not a
problem of libgcrypt.
In my opinion... this use case is not (yet) supported by GnuPG. With
libgcrypt API of 1.12, a program can use the libgcrypt under FIPS mode
in non-rejecting way, so that crypt computations can be done in
non-approved ways. Possibly, GnuPG could be run using this feature.
Or, we need to modify GnuPG so that it can run under FIPS mode.
--
More information about the Gcrypt-devel
mailing list