[PATCH] cipher: Check and mark non-compliant cipher modes in the SLI
Werner Koch
wk at gnupg.org
Tue Jan 28 17:40:17 CET 2025
Hi!
On Fri, 24 Jan 2025 10:19, Lucas Mulling said:
> +int
> +_gcry_cipher_is_mode_fips_compliant(int mode)
Given that this function returns an error code it should also be
declared as to do this. However, the name of the function indicates
that this returns a boolean status and one would expect true for FIPS
comliance. But the logic is invers. This is fine but the function
should then for example be named _gcry_cipher_mode_fips_compliance.
MODE is not an int but enum gcry_cipher_modes and thus it is better to
use that. Also put all modes into the switch so that the compiler can
check its completeness and we do not miss to check whether new modes may
be FIPS compliant.
> @@ -1988,6 +1988,7 @@ char *gcry_get_config (int mode, const char *what);
> #define GCRY_FIPS_FLAG_REJECT_PK (1 << 5)
> #define GCRY_FIPS_FLAG_REJECT_PK_MD (1 << 6)
> #define GCRY_FIPS_FLAG_REJECT_PK_GOST_SM2 (1 << 7)
> +#define GCRY_FIPS_FLAG_REJECT_CIPHER_MODE (1 << 8)
Do we already have a documentation for these new constants? In any case
it should be put into the NEWS file.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250128/997c99f3/attachment.sig>
More information about the Gcrypt-devel
mailing list