FIPS 140 service indicator revamp
NIIBE Yutaka
gniibe at fsij.org
Thu Dec 5 08:11:14 CET 2024
NIIBE Yutaka <gniibe at fsij.org> wrote:
> Here are ongoing changes:
>
> * Change 1: use of a new internal API for the FIPS service indicator.
> Current proposal is using thread local storage, with compiler support
> (__thread), to be conservative (not by modern C11 _Thread_local or C23
> thread_local).
>
> * Change 2: new libgcrypt API for the FIPS service indicator (by macro
> and gcry_control with new number), for applications.

These parts are pushed to master.

Also, for the gcry_kdf_derive function, the following was done.

> * Change 3: using the new internal API, modify libgcrypt; put
> initialization (of false), put update (of true) in a success path, for
> all relevant functions.
>
> * Change 4 (possibly, some parts would be optional): modify libgcrypt so
> that it doesn't reject computation under FIPS mode for parameters, but
> continue to finish the computation. After this change, it won't
> return an error for a parameter issue (if it's not fatal), only setting
> a failure with the FIPS service indicator.

It's tracked by:
https://dev.gnupg.org/T7338

I'm going to try #3 and #4 for the gcry_md_buffer function.
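
The pattern described in Changes 1, 3 and 4, sketched as an added example that is not part of the original message and is not libgcrypt code. All names (`toy_kdf_derive`, `toy_service_indicator`, `params_approved`), the approval thresholds and the sample inputs are assumptions made for illustration, and the mixing loop is a placeholder rather than a real KDF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; this models the pattern only, not libgcrypt internals. */
static __thread int service_approved;   /* Change 1: per-thread indicator */

/* Application-side query: was the last service on this thread approved? */
int toy_service_indicator(void) { return service_approved; }

/* Constructed sample inputs. */
static const uint8_t PASS[] = "correct horse";   /* 13 bytes + NUL */
static const uint8_t SALT[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t OUT[32];

/* Constructed approval policy for the toy KDF (thresholds are assumptions). */
static int params_approved(size_t passlen, size_t saltlen,
                           unsigned long iter, size_t outlen)
{
    return passlen >= 8 && saltlen >= 16 && iter >= 1000 && outlen >= 14;
}

/* Toy KDF: returns 0 on success, -1 only for fatal argument errors. */
int toy_kdf_derive(const uint8_t *pass, size_t passlen,
                   const uint8_t *salt, size_t saltlen,
                   unsigned long iter, uint8_t *out, size_t outlen)
{
    service_approved = 0;               /* Change 3: initialise to false */
    if (!pass || !salt || !out || !passlen || !saltlen || !outlen || !iter)
        return -1;                      /* fatal: nothing can be computed */
    /* Change 4: non-approved parameters are not rejected; compute anyway. */
    for (size_t i = 0; i < outlen; i++) {
        uint32_t acc = (uint32_t)i + 1;
        for (unsigned long r = 0; r < iter; r++)
            acc = acc * 31u + pass[(i + r) % passlen] + salt[(i + r) % saltlen];
        out[i] = (uint8_t)(acc ^ (acc >> 8) ^ (acc >> 16));
    }
    if (params_approved(passlen, saltlen, iter, outlen))
        service_approved = 1;           /* Change 3: true in the success path */
    return 0;
}

int main(void)
{
    int rc = toy_kdf_derive(PASS, sizeof PASS - 1, SALT, 8, 1000, OUT, sizeof OUT);
    printf("short salt: rc=%d approved=%d\n", rc, toy_service_indicator());
    return 0;
}
```

A caller that needs approved-only operation has to check the indicator after every call, because the return code alone no longer signals a non-approved parameter.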