[gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon May 25 22:19:33 CEST 2020

Daiki Ueno commented on a discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_348586056

> +as follows.
>  @itemize
> - at item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present.
> - at item Only approved by FIPS140-2 algorithms are enabled
> - at item Only approved by FIPS140-2 key lengths are allowed for key generation
>  @item The random generator used switches to DRBG-AES
>  @item The integrity of the GnuTLS and dependent libraries is checked on startup
>  @item Algorithm self-tests are run on library load
> + at end itemize
> +
> +When the FIPS140-2 mode is enabled, The operation of the library is in addition
> +modified as follows.
> +
> + at itemize
> + at item Only approved by FIPS140-2 algorithms are enabled

I'd rather keep the documentation as-is, because some part of the restriction is now being moved to the configuration (crypto-policies). If we explicitly mention the default behavior, it might be an obstacle when we support FIPS140-3 in the future. Or I could be wrong.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_348586056
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200525/0ff005de/attachment-0001.html>

More information about the Gnutls-devel mailing list