[PATCH 0/4] Differentiate use of non-compliant flags in the SLI
NIIBE Yutaka
gniibe at fsij.org
Thu Mar 6 02:20:58 CET 2025
NIIBE Yutaka <gniibe at fsij.org> wrote:
> Let me apply and push the first two patches first. I'll push these
> two.
Done.
> For the third, it changes the behavior of gcry_pk_random_override_new
> (adding rejection) to require major changes in tests (of the fourth). I
> wonder if this is appropriate in 1.11. Let me consider this.
I would like to apply the attached patch to introduce
GCRY_FIPS_FLAG_REJECT_PK_FLAGS. The intention is to keep the behavior
of 1.10, so that the forthcoming 1.11.1 release won't break things with
existing applications.
Then, let me apply yours of:
[PATCH 3/4] cipher, visibility: Differentiate use of random-override in the SLI
After that, let me fix it with GCRY_FIPS_FLAG_REJECT_PK_FLAGS, so that
your fourth patch is not needed for 1.11.
The idea here is that:

* For existing FIPS-conscious applications with libgcrypt, it assumes
  the old API of the static indicator; that is, use of
  GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER,
  GCRYCTL_FIPS_SERVICE_INDICATOR_MAC,
  GCRYCTL_FIPS_SERVICE_INDICATOR_MD,
  GCRYCTL_FIPS_SERVICE_INDICATOR_KDF,
  GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, and
  GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS. It has the behavior of
  rejecting non-compliant use in some places in supported functions,
  but not in other places. It is OK with the old API; non-supported
  functions don't reject (like MD5 can be used).

* For new FIPS-conscious applications, there is a new API to check the
  indicator. We are now introducing the new API for 1.12, and a
  forward-compatible implementation in 1.11.

* Existing tests in tests/ are basically with the old API (except
  t-fips-service-ind). The update will be done in master for 1.12 after
  the 1.11 branch is created.
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fips-cipher-Add-GCRY_FIPS_FLAG_REJECT_PK_FLAGS.patch
Type: text/x-diff
Size: 2672 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250306/aa10daa1/attachment.patch>