Hi! On Fri, 24 Jan 2025 10:19, Lucas Mulling said:
> +int > +_gcry_cipher_is_mode_fips_compliant(int mode) Given that this function returns an error code it should also be declared as to do this. However, the name of the function indicates that this returns a boolean status and one would expect true for FIPS comliance. But the logic is invers. This is fine but the function should then for example be named _gcry_cipher_mode_fips_compliance. MODE is not an int but enum gcry_cipher_modes and thus it is better to use that. Also put all modes into the switch so that the compiler can check its completeness and we do not miss to check whether new modes may be FIPS compliant. > @@ -1988,6 +1988,7 @@ char *gcry_get_config (int mode, const char *what); > #define GCRY_FIPS_FLAG_REJECT_PK (1 << 5) > #define GCRY_FIPS_FLAG_REJECT_PK_MD (1 << 6) > #define GCRY_FIPS_FLAG_REJECT_PK_GOST_SM2 (1 << 7) > +#define GCRY_FIPS_FLAG_REJECT_CIPHER_MODE (1 << 8) Do we already have a documentation for these new constants? In any case it should be put into the NEWS file. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein
openpgp-digital-signature.asc
Description: PGP signature
_______________________________________________ Gcrypt-devel mailing list Gcrypt-devel@gnupg.org https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
