[gnutls-devel] GnuTLS | fips: replace fipshmac usage with internal program (!1390)


[gnutls-devel] GnuTLS | fips: replace fipshmac usage with internal program (!1390)

Read-only notification of GnuTLS library development activities
GitLab

Daiki Ueno created a merge request:

Branches: dueno/gnutls:wip/dueno/nofipshmac to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:

This introduces a non-installed program "fipshmac" and uses it for generating HMAC files required in FIPS 140-2. The generated files are installed along with the main library.

Fixes: #1101

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated / NEWS entry present (for non-trivial changes)
  • CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
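Added example, not code from the GnuTLS merge request: the generate-then-verify cycle the MR description sketches, in Python. The key value, the `.<name>.hmac` file naming and the choice of HMAC-SHA256 are assumptions of this example, not values taken from the page.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed placeholder: the page does not give the key fipshmac uses.
FIPS_HMAC_KEY = b"placeholder-integrity-key"

def hmac_file_path(lib_path):
    """Assumed convention: '.libfoo.so.hmac' beside the library."""
    directory, name = os.path.split(lib_path)
    return os.path.join(directory, "." + name + ".hmac")

def compute_hmac(lib_path, key=FIPS_HMAC_KEY):
    """HMAC-SHA256 over the whole file, streamed in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(lib_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def generate_hmac_file(lib_path, key=FIPS_HMAC_KEY):
    """Build-time role of fipshmac: plain HMAC computation run with FIPS
    mode off, since the .hmac file the self-check needs does not exist yet."""
    out = hmac_file_path(lib_path)
    with open(out, "w") as f:
        f.write(compute_hmac(lib_path, key) + "\n")
    return out

def verify_integrity(lib_path, key=FIPS_HMAC_KEY):
    """Load-time self-test: recompute and compare in constant time.
    A missing or mismatching .hmac file fails closed (returns False)."""
    try:
        with open(hmac_file_path(lib_path)) as f:
            expected = f.read().strip()
    except OSError:
        return False
    return hmac.compare_digest(compute_hmac(lib_path, key), expected)

def demo():
    """Constructed sample: a fake library blob, checked before and after
    a one-byte modification. Returns (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libexample.so.30")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 64 + b"constructed body")
        generate_hmac_file(lib)
        ok_before = verify_integrity(lib)
        with open(lib, "ab") as f:
            f.write(b"X")
        return ok_before, verify_integrity(lib)
```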

Re: [gnutls-devel] GnuTLS | fips: replace fipshmac usage with internal program (!1390)

Read-only notification of GnuTLS library development activities
GitLab

Daiki Ueno commented:

I'm a bit concerned with a chicken-and-egg problem: the helper program (fipshmac) needs to explicitly disable FIPS enablement when generating the HMAC files. @smuellerDD do you think this is an acceptable approach?



Re: [gnutls-devel] GnuTLS | fips: replace fipshmac usage with internal program (!1390)

Read-only notification of GnuTLS library development activities
GitLab

Stephan Mueller commented:

This is fully acceptable - the generation of the HMAC control value does not need to be performed by a FIPS-validated product, nor does the product need to be in compliance with FIPS rules.

Ciao Stephan



Re: [gnutls-devel] GnuTLS | fips: replace fipshmac usage with internal program (!1390)

Read-only notification of GnuTLS library development activities
GitLab

Daiki Ueno commented on a discussion:

Thank you for the confirmation. One less dependency then; thanks @The-Mule for doing this! :-)



Re: [gnutls-devel] GnuTLS | fips: replace fipshmac usage with internal program (!1390)

Read-only notification of GnuTLS library development activities
GitLab

All discussions on Merge Request !1390 were resolved by Daiki Ueno



Re: [gnutls-devel] GnuTLS | fips: replace fipshmac usage with internal program (!1390)

Read-only notification of GnuTLS library development activities
GitLab

Merge Request !1390 was merged

