[gnutls-devel] GnuTLS | Mark HKDF and AES-GCM as approved when used in TLS (!1568)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Apr 5 13:00:46 CEST 2022
Daiki Ueno started a new discussion on lib/constate.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1568#note_900932037

>  	key.data = state->key;
>  	key.size = state->key_size;
>  
> -	ret = _gnutls_aead_cipher_init(&state->ctx.aead,
> -				       algo, &key);
> -	if (ret < 0)
> +	ret = _gnutls_aead_cipher_init(&state->ctx.aead, algo, &key);
> +	if (ret < 0) {
> +		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
>  		return gnutls_assert_val(ret);
> +	}
> +
> +	if (is_cipher_algo_allowed(algo))
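Review bot: the `if (is_cipher_algo_allowed(algo))` check that closes this hunk does not show the reader that AES-GCM is being treated as approved here only because the cipher is being set up for a TLS record layer; a comment on that line, or a predicate name that says "approved" rather than "allowed", would keep the FIPS rationale visible at the point where the state is switched. Separately, the new `_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);` on the `ret < 0` path now classifies every `_gnutls_aead_cipher_init` failure, including plain allocation failures, as a FIPS operation error; if that is the intended semantics, a short comment saying so would avoid it being read as an accidental over-reporting.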

I'd make it more explicit, like:
```c
/* AES-GCM is only approved in TLS */
if (is_cipher_algo_approved_in_fips(algo) || algo == GNUTLS_CIPHER_AES_128_GCM ...)
```
