Page MenuHome GnuPG

libgcrypt "check if fips_is_operational and error return if not" patch for FIPS 140
Closed, ResolvedPublic


Red Hat's patch of libgcrypt-1.7.3-fips-reqs.patch:

I agree that we should add the check to new function gcry_kdf_derive.

I'm not sure if adding the check to:

  • gcry_mpi_randomize
  • gcry_prime_generate

won't introduce any regression in existing use cases.

I checked Debian source code by
It seems that all use cases are for crypto, so, adding the check makes sense (and it will be welcome).

Besides, if we will add the check to those two functions, why not also to gcry_prime_group_generator?