[gnutls-devel] GnuTLS | Mark HKDF and AES-GCM as approved when used in TLS (!1568)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Apr 5 13:00:46 CEST 2022
Daiki Ueno started a new discussion on lib/constate.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1568#note_900932037
> key.data = state->key;
> key.size = state->key_size;
>
> - ret = _gnutls_aead_cipher_init(&state->ctx.aead,
> - algo, &key);
> - if (ret < 0)
> + ret = _gnutls_aead_cipher_init(&state->ctx.aead, algo, &key);
> + if (ret < 0) {
> + _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
> return gnutls_assert_val(ret);
> + }
> +
> + if (is_cipher_algo_allowed(algo))
I'd make it more explicit, like:
```c
/* AES-GCM is only approved in TLS */
if (is_cipher_algo_approved_in_fips(algo) || algo == GNUTLS_CIPHER_AES_128_GCM ...)
```
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1568#note_900932037
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20220405/bdb7dfa4/attachment.html>
More information about the Gnutls-devel
mailing list