[gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 19 19:28:33 CEST 2020




Alexander Sosedkin commented on a discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345393863

> +as follows.
>  
>  @itemize
> - at item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present.
> - at item Only approved by FIPS140-2 algorithms are enabled
> - at item Only approved by FIPS140-2 key lengths are allowed for key generation
>  @item The random generator used switches to DRBG-AES
>  @item The integrity of the GnuTLS and dependent libraries is checked on startup
>  @item Algorithm self-tests are run on library load
> + at end itemize
> +
> +When the FIPS140-2 mode is enabled, The operation of the library is in addition
> +modified as follows.
> +
> + at itemize
> + at item Only approved by FIPS140-2 algorithms are enabled

Or maybe state that just some of the unapproved algorithms are restricted.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345393863
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200519/4687a2dd/attachment-0001.html>


More information about the Gnutls-devel mailing list