FIPS 140 service indicator revamp

NIIBE Yutaka gniibe at fsij.org
Wed Nov 20 08:23:30 CET 2024


Hello,

Using the function gcry_kdf_derive as an example (as David Sugar kindly
suggested), here are my patches against master, as of today.

I didn't touch the code for the rejection by argument with an error
GPG_ERR_INV_VALUE, where it does not compute the value under FIPS mode.
(If computation should be done, we need to change the _gcry_kdf_derive
function not to reject by GPG_ERR_INV_VALUE, but to let it continue the
computation, setting the service indicator.)

In t-kdf.c, I'm not sure if checking the computed value makes sense in
check_fips_gcry_kdf_derive for GCRY_KDF_SCRYPT.  (I modified the case of
GCRY_KDF_SCRYPT, so that checking goes well.)

Please tell us your comments/opinions/whatever.
-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fips-140-service-indicator-revamp-gniibe-00.patch
Type: text/x-diff
Size: 9253 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20241120/cad4045d/attachment-0001.patch>

