Bug 2019728

Summary: German VS-NfD mode broken
Product: Fedora
Component: gnupg2
Version: 35
Reporter: Stephan Mueller <smueller>
Assignee: Jakub Jelen <jjelen>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bcl, crypto-team, jjelen, tm
Status: CLOSED NOTABUG
Severity: unspecified
Priority: low
Keywords: Triaged
Type: Bug
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value
Last Closed: 2021-12-13 11:34:35 UTC

Description Stephan Mueller 2021-11-03 09:03:37 UTC
Description of problem:

When configuring "compliance de-vs" in gpg.conf, the GnuPG operation fails with "gpg: RNG is nicht konform mit dem --compliance=de-vs Modus" - the RNG is not conformant with the de-vs mode.

If I am seeing this correctly, the Jitter RNG is not enabled.


Version-Release number of selected component (if applicable):

gnupg2-2.3.3-1.fc35.x86_64

How reproducible:

always

Steps to Reproduce:
1. configure mentioned mode
2. encrypt data
3. observe error
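
The three reproduction steps above, scripted so they run against a throwaway GNUPGHOME instead of the user's real gpg.conf. This is an added example, not code from the bug report or from GnuPG. It assumes a `gpg` or `gpg2` binary on PATH, and it classifies the failure by looking for the substring `compliance=de-vs` in gpg's stderr (present in both the German message quoted above and the English one); that substring match is an assumption about the message text, not a documented interface. The sample plaintext and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce "compliance de-vs" in a
# throwaway GNUPGHOME so the user's real gpg.conf is never touched.
# Assumptions: gpg or gpg2 is on PATH, and a de-vs rejection message contains
# the text "compliance=de-vs" (true for the German and English messages, but
# an assumption about wording, not an API).

# Locate the binary; Fedora ships both names.
gpg_bin() {
    command -v gpg2 2>/dev/null || command -v gpg 2>/dev/null
}

# Report the libgcrypt version the gpg binary says it is linked against,
# useful context when triaging this.  Prints "no-gpg" or "unknown" if it
# cannot tell (gpg 1.4 prints no libgcrypt line, for example).
gpg_libgcrypt_version() {
    bin=$(gpg_bin) || { echo no-gpg; return 0; }
    v=$("$bin" --version 2>/dev/null | awk '/^libgcrypt/ { print $2; exit }')
    echo "${v:-unknown}"
}

# Run the reporter's three steps non-interactively and classify the outcome:
#   ok              encryption succeeded under compliance de-vs
#   de-vs-rejected  gpg refused with a --compliance=de-vs message (this bug)
#   gpg-error       gpg failed for another reason (message was in $err)
#   no-gpg          gpg is not installed
de_vs_probe() {
    bin=$(gpg_bin) || { echo no-gpg; return 0; }
    home=$(mktemp -d) || { echo gpg-error; return 0; }
    chmod 700 "$home"                                # avoid unsafe-permissions warning
    printf 'compliance de-vs\n' > "$home/gpg.conf"   # step 1: the option under test
    printf 'hello de-vs\n' > "$home/plain.txt"       # constructed sample plaintext

    # Step 2: symmetric encryption with a constructed demo passphrase.
    # LC_ALL=C forces English messages; stderr is captured, stdout discarded.
    if err=$(printf 'demo-passphrase\n' | LC_ALL=C GNUPGHOME="$home" "$bin" \
            --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
            --symmetric --output "$home/plain.txt.gpg" "$home/plain.txt" \
            2>&1 >/dev/null)
    then
        result=ok
    else
        # Step 3: observe the error.  Anything that is not a de-vs
        # rejection is reported separately so it is not mistaken for this bug.
        case "$err" in
            *compliance=de-vs*) result=de-vs-rejected ;;
            *)                  result=gpg-error ;;
        esac
    fi

    # Stop the agent that gpg auto-started for this home, then clean up.
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    echo "$result"
}

# Usage when run directly:
echo "libgcrypt: $(gpg_libgcrypt_version)"
echo "de-vs probe: $(de_vs_probe)"
```

On a Fedora 35 box with gnupg2-2.3.3 the probe is expected to print `de-vs-rejected`; a `gpg-error` result means something other than the compliance check failed (no agent, missing loopback pinentry support on very old gpg, and so on) and the stderr text should be inspected before assuming this bug.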

Comment 1 Jakub Jelen 2021-12-09 16:33:42 UTC
Thank you for the report.

This is the same result I get with the current master version of libgcrypt, which I am working on for the FIPS certification after upstreaming all of our patches, so I assume this will also be an issue with upstream libgcrypt.

But looking through the code, it looks like libgcrypt 1.9.0 and newer were not validated with de-vs, so they cannot be used in this compliance mode, according to the code comments:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=common/compliance.c;h=33a19fe06be2227239c2c5f4215b9de5889cff9d;hb=refs/heads/master#l590

The libgcrypt source comments confirm this -- there is no certificate for the 1.9.0 version yet, so this compliance cannot be claimed:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/global.c;h=58873372cabccf1fe49feb43b62370483d3b43ac;hb=HEAD#l410

But I agree that the error message should be more descriptive. I filed the following upstream issue: https://dev.gnupg.org/T5726

Comment 2 Jakub Jelen 2021-12-13 11:34:35 UTC
Given that upstream does not consider this a bug, I am closing this one too, as this is not a compliance mode we would support in Fedora.

If you see a space for improvement, please follow-up in the upstream bug.