Re: T7338: Make SHA1 non-FIPS and differentiate in the SLI

Lucas Mulling via Gcrypt-devel Thu, 27 Feb 2025 13:31:37 -0800

Hello,

Sorry for the delay, I've tested the patches everything seems to be in order. 
The only thing
I had to change was:


diff --git a/tests/basic.c b/tests/basic.c
index f32e41db..5e1f94b5 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -17268,8 +17268,9 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t 
pkey, int algo,
       rc = gcry_pk_sign (&sig, hash, skey);
       if (in_fips_mode && (flags & FLAG_NOFIPS || datas[dataidx].flags & 
FLAG_NOFIPS))
         {
-          if (!rc)
-            fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
+          if ((datas[dataidx].expected_rc && !rc))
+            fail ("gcry_pk_sign (%d) did not fail as expected in FIPS mode\n",
+                  dataidx);
           goto next;
         }
       if (gcry_err_code (rc) != datas[dataidx].expected_rc)

Or maybe GCRY_FIPS_FLAG_REJECT_PK_MD should be enabled by default?

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel

Re: T7338: Make SHA1 non-FIPS and differentiate in the SLI

Reply via email to