[gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 19 10:29:05 CEST 2020

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 was reviewed by Alexander Sosedkin

Alexander Sosedkin commented on a discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_344975618

> - at item Only approved by FIPS140-2 algorithms are enabled
> - at item Only approved by FIPS140-2 key lengths are allowed for key generation
>  @item The random generator used switches to DRBG-AES

I believe that the first point is addressed in b48f7fa7, will extract the second concern into a separate comment.

Alexander Sosedkin started a new discussion on lib/crypto-selftests.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_344975620

>  #define FIPS_STARTUP_ONLY_TEST_CASE(x, func, vectors) case x: \
> -			if (_gnutls_fips_mode_enabled() != 1) { \
> +			if (_gnutls_fips_mode_enabled() != 1 && \

Sorry, I'm thoroughly lost here. What's the intended meaning of `FIPS_STARTUP_ONLY_TEST_CASE`?

* only in FIPS?
* only in FIPS and only during selftests?
* when in FIPS, then it's selftests-time only; when in non-FIPS, always?
* something else?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200519/f9a57259/attachment.html>

More information about the Gnutls-devel mailing list