[PATCH] cipher: Check and mark non-compliant cipher modes in the SLI

Lucas Mulling lucas.mulling at suse.com
Tue Jan 28 20:12:15 CET 2025 

Hi,

Fixed in the attached patch (included a small typo fix from the other
patch, sorry about that).

> MODE is not an int but enum gcry_cipher_modes and thus it is better to
> use that.  Also put all modes into the switch so that the compiler can
> check its completeness and we do not miss to check whether new modes may
> be FIPS compliant.

Not sure if _gcry_cipher_open_internal should also use gcry_cipher_modes.
Let me know
if this is something you want changed since it checks mode as an int as
well.

Best,
Lucas Mülling


On Tue, Jan 28, 2025 at 1:39 PM Werner Koch <wk at gnupg.org> wrote:

> Hi!
>
> On Fri, 24 Jan 2025 10:19, Lucas Mulling said:
>
> > +int
> > +_gcry_cipher_is_mode_fips_compliant(int mode)
>
> Given that this function returns an error code it should also be
> declared as to do this.  However, the name of the function indicates
> that this returns a boolean status and one would expect true for FIPS
> comliance.  But the logic is invers.  This is fine but the function
> should then for example be named _gcry_cipher_mode_fips_compliance.
>
> MODE is not an int but enum gcry_cipher_modes and thus it is better to
> use that.  Also put all modes into the switch so that the compiler can
> check its completeness and we do not miss to check whether new modes may
> be FIPS compliant.
>
> > @@ -1988,6 +1988,7 @@ char *gcry_get_config (int mode, const char *what);
> >  #define GCRY_FIPS_FLAG_REJECT_PK            (1 << 5)
> >  #define GCRY_FIPS_FLAG_REJECT_PK_MD         (1 << 6)
> >  #define GCRY_FIPS_FLAG_REJECT_PK_GOST_SM2   (1 << 7)
> > +#define GCRY_FIPS_FLAG_REJECT_CIPHER_MODE   (1 << 8)
>
> Do we already have a documentation for these new constants?  In any case
> it should be put into the NEWS file.
>
>
>
> Shalom-Salam,
>
>    Werner
>
>
> --
> The pioneers of a warless world are the youth that
> refuse military service.             - A. Einstein
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250128/f26b2132/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-chiper-Rename-_gcry_cipher_is_mode_fips_compliant.patch
Type: text/x-patch
Size: 1992 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250128/f26b2132/attachment-0001.bin>

More information about the Gcrypt-devel mailing list