FIPS: remove algorithms that are not being validated. #11602
Several MACs and one KDF are included in the FIPS provider with the property "fips=yes" set but are not listed as being part of the OpenSSL validation. This removes them from the FIPS provider.
I've amended this to also include KMAC.
Hmm, SSKDF supports hash, HMAC or KMAC. (Guess it is OK to only do a subset.)
I don't see much point including KMAC for SSKDF in the FIPS provider unless it (KMAC) is validated.
Can you explain why "fips=no" doesn't work? And how does just editing the table remove things from the provider? I'm not questioning that this is a way to do it, but I think that eventually we will need the kind of documentation that I am seeking here. Thanks.
"fips=no" might work but it increases the size of the FIPS provider. The ecx are only in because the sponsors expected and insisted it was. Taking them out of the table removes them because of
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
Several MACs and one KDF are included in the FIPS provider with the property "fips=yes" set but are not listed as being part of the OpenSSL validation. This removes them from the FIPS provider. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #11602)
Pushed!