FIPS 140 service indicator revamp
NIIBE Yutaka
gniibe at fsij.org
Thu Dec 26 07:34:47 CET 2024
Hello,
NIIBE Yutaka <gniibe at fsij.org> wrote:
> Here is a patch which add the behavior of finishing the computation
> marking non-compliant if it is the case (instead of rejecting).
>
> We need tests for this. And there might be other places where we need
> to mark non-compliant in public key crypto code.
Here are more patches for adding tests and rejecting/marking
non-compliant things.
I don't know how gcry_pk_encrypt/gcry_pk_decrypt API should be changed.
Possibly, for new applications, KEM API will be used. So, it would make
sense consider KEM API for FIPS compliance.
This may be the last email with "FIPS 140 service indicator revamp" from
me. I will continue with specific subject. I mean, initial work has
been done for the revamp. More changes will be needed, perhaps. Also,
we will consider backporting the changes to 1.10.
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_cu.patch
Type: text/x-diff
Size: 1048 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20241226/17b00c14/attachment-0003.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-tests-Add-more-tests-to-tests-t-fips-service-ind.patch
Type: text/x-diff
Size: 12176 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20241226/17b00c14/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-m.patch
Type: text/x-diff
Size: 9217 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20241226/17b00c14/attachment-0005.patch>
More information about the Gcrypt-devel
mailing list