Cipher FIPS flag enforcement
smueller at chronox.de
Mon Aug 25 12:37:20 CEST 2014
all of the the cipher definitions contain and define the flag
unsigned int fips:1;
in their _spec_t types.
Up to 1.4.x, that field was enforced in the cipher init functions (i.e.
if the FIPS mode is set, only fips=1 ciphers are allowed).
The random/ code still contains such logic. But all other fips flag
enforcement code is gone.
Is this intentional? Note, FIPS can live without such restrictions, but
then why keep the fips flag lingering?
More information about the Gcrypt-devel