On 06/11/2015 07:42 PM, Herbert Xu wrote: >> The testmgr code can mark an entire cipher implementation as fips_allowed=1 >> as >> > already done for RSA. However, unlike with the other ciphers, that flag >> > must >> > go in conjunction with the used key sizes. >> > >> > For FIPS mode, the following restrictions apply: >> > >> > - RSA: 2048/3072 >> > >> > - DSA: L 2048 / N 224; L 2048 / N 256; L 3072 / N 256 >> > >> > - ECDSA: only the NIST curves >> > >> > Any other key sizes for the given ciphers is not allowed in FIPS mode. >> > >> > Should that constraint be considered here? > Yes. However it should be placed into a helper that everybody > can call so that future hardware implementations can also make > the same checks.
I will make the algorithm marked as fips allowed always and then fail in setkey if fips is enabled and the given key doesn't meet the fips requirement. Thanks -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
