Cipher FIPS flag enforcement

Stephan Mueller smueller at chronox.de
Mon Aug 25 12:37:20 CEST 2014


Hi,

all of the the cipher definitions contain and define the flag

	unsigned int fips:1;

in their _spec_t types.

Up to 1.4.x, that field was enforced in the cipher init functions (i.e. 
if the FIPS mode is set, only fips=1 ciphers are allowed).

The random/ code still contains such logic. But all other fips flag 
enforcement code is gone.

Is this intentional? Note, FIPS can live without such restrictions, but 
then why keep the fips flag lingering?

Ciao
Stephan




More information about the Gcrypt-devel mailing list