Hello,

Nicolas Mora <[email protected]> writes:

> I'd like to use ECDH key agreement with GnuTLS. As far as I can see,
> there is no public function to generate a shared secret with ECC keys.

I think this is a long-wanted feature:
https://gitlab.com/gnutls/gnutls/-/issues/894

> In lib/nettle/pk.c [1], the ECDH functions are defined if
> ENABLE_FIPS140 is defined.
>
> According to the documentation [2], FIPS140-2 mode is not available
> without adding configure option --enable-fips140-mode.
>
> In an old message on this ML [3], it was offered these functions to be
> exported in the normal API, but this message wasn't answered, and the
> ecdh functions are still private and available only with FIPS140-2
> mode.
>
> I'd like to make a feature request for the ECDH functions to be
> available in the normal API, even in non FIPS140-2 mode. Would it be
> possible in a future version?

Yes, that would be very useful. What I am concerned about with this is
how it would affect FIPS140-2 validation. Once they become part of the
public API, we may need to add checks to meet the SP800-56A requirements
when they are called under FIPS140-2 mode.

Having said that, I guess the implementation of such checks wouldn't be
that hard. Stephan (Cc'ed) might have some opinion on that.

Regards,
-- 
Daiki Ueno
