authorDaiki Ueno <ueno@gnu.org>2022-04-01 08:04:57 +0200
committerDaiki Ueno <ueno@gnu.org>2022-06-29 17:08:20 +0900
commitdb887da3f986fce62dcfdc2067159d36d5a7c0e7 (patch)
tree5af79f3f85187a0109204921384d3c058f78b5b3
parentc683f775415bfac29e71032ee03a4dd44b4e9551 (diff)
fips: make service indicator logging louder
Previously, the only way to monitor the FIPS context transition was to increase the logging level to debug (2), which produces unrelated output. This changes the minimum logging level to audit (1) for when the transition happens. Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r--lib/fips.c90
-rw-r--r--lib/fips.h4
2 files changed, 58 insertions, 36 deletions
diff --git a/lib/fips.c b/lib/fips.c
index 656d43e74a..31a52a990f 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -743,6 +743,9 @@ gnutls_fips140_get_operation_state(gnutls_fips140_context_t context)
* The operation state of @context will be reset to
* %GNUTLS_FIPS140_OP_INITIAL.
*
+ * This function is no-op if FIPS140 is not compiled in nor enabled
+ * at run-time.
+ *
* Returns: 0 upon success, a negative error code otherwise
*
* Since: 3.7.3
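Review bot: The added sentence claims gnutls_fips140_push_context is a no-op when FIPS140 is not compiled in, but the `#else` branch of the function in the next hunk returns %GNUTLS_E_INVALID_REQUEST, so only the compiled-in-but-disabled case is a silent no-op returning 0. A caller on a non-FIPS build who trusts this comment will treat the error return as a bug. Suggest ` * If FIPS140 is compiled in but disabled at run-time this function is a no-op and returns 0; if it is not compiled in, %GNUTLS_E_INVALID_REQUEST is returned.` The doc comment begins before this hunk.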
@@ -751,10 +754,12 @@ int
gnutls_fips140_push_context(gnutls_fips140_context_t context)
{
#ifdef ENABLE_FIPS140
- context->next = _tfips_context;
- _tfips_context = context;
+ if (_gnutls_fips_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
+ context->next = _tfips_context;
+ _tfips_context = context;
- context->state = GNUTLS_FIPS140_OP_INITIAL;
+ context->state = GNUTLS_FIPS140_OP_INITIAL;
+ }
return 0;
#else
return GNUTLS_E_INVALID_REQUEST;
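Review bot: The reset `context->state = GNUTLS_FIPS140_OP_INITIAL;` is now inside the mode check, so with FIPS disabled a pushed context keeps whatever state it carried from an earlier use, while the doc comment above still promises the state is reset to %GNUTLS_FIPS140_OP_INITIAL on every push; presumably that stale value is then visible through gnutls_fips140_get_operation_state(). Moving the assignment above the check, `context->state = GNUTLS_FIPS140_OP_INITIAL;` followed by `if (_gnutls_fips_mode_enabled() != GNUTLS_FIPS140_DISABLED) { ... }`, keeps the documented contract unconditional at no cost. The function's `#endif` and closing brace lie outside the hunk.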
@@ -771,6 +776,9 @@ gnutls_fips140_push_context(gnutls_fips140_context_t context)
* gnutls_aead_cipher_deinit() is not yet called, it returns an error
* %GNUTLS_E_INVALID_REQUEST.
*
+ * This function is no-op if FIPS140 is not compiled in nor enabled
+ * at run-time.
+ *
* Returns: 0 upon success, a negative error code otherwise
*
* Since: 3.7.3
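Review bot: As with push, the new sentence says gnutls_fips140_pop_context is a no-op when FIPS140 is not compiled in, yet the `#else` branch in the following hunk returns %GNUTLS_E_INVALID_REQUEST. Suggest ` * If FIPS140 is compiled in but disabled at run-time this function is a no-op and returns 0; if it is not compiled in, %GNUTLS_E_INVALID_REQUEST is returned.` The doc comment begins before this hunk.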
@@ -779,17 +787,21 @@ int
gnutls_fips140_pop_context(void)
{
#ifdef ENABLE_FIPS140
- if (!_tfips_context) {
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- }
+ if (_gnutls_fips_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
+ if (!_tfips_context) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
- _tfips_context = _tfips_context->next;
+ _tfips_context = _tfips_context->next;
+ }
return 0;
#else
return GNUTLS_E_INVALID_REQUEST;
#endif
}
+#ifdef ENABLE_FIPS140
+
static inline const char *
operation_state_to_string(gnutls_fips140_operation_state_t state)
{
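Review bot: gnutls_fips140_pop_context now consults `_gnutls_fips_mode_enabled()` independently of the matching push, so if the mode can change between the two calls (the check is a run-time call rather than a constant, and the thread-local `_tfips_context` suggests a per-thread setting) a context pushed while enabled is never unwound once the mode is disabled, leaving `_tfips_context` pointing at a caller-owned object that `_gnutls_switch_fips_state` later writes to — a use-after-free if the caller has since released it — while a push in disabled mode followed by a pop in enabled mode either pops a foreign context or fails. Unwinding whatever is on the stack regardless of mode, and reserving %GNUTLS_E_INVALID_REQUEST for an empty stack while enabled, keeps push and pop symmetric under any mode sequence; whether a mode switch mid-stack is actually reachable should be confirmed against the mode setter, which is not in this diff. The hunk also opens a new `#ifdef ENABLE_FIPS140` before operation_state_to_string whose `#endif` lies outside it.
```c
int
gnutls_fips140_pop_context(void)
{
#ifdef ENABLE_FIPS140
	/* Always unwind a pushed context, even if FIPS mode was switched
	 * off after the push, so the thread-local stack stays balanced. */
	if (_tfips_context) {
		_tfips_context = _tfips_context->next;
		return 0;
	}
	if (_gnutls_fips_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
	}
	return 0;
	/* … unchanged: #else branch and closing brace … */
```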
@@ -809,50 +821,64 @@ operation_state_to_string(gnutls_fips140_operation_state_t state)
}
}
-gnutls_fips140_operation_state_t
-_gnutls_transit_fips_state(gnutls_fips140_operation_state_t current,
- gnutls_fips140_operation_state_t next)
+void
+_gnutls_switch_fips_state(gnutls_fips140_operation_state_t state)
{
- switch (current) {
+ gnutls_fips_mode_t mode = _gnutls_fips_mode_enabled();
+ if (mode == GNUTLS_FIPS140_DISABLED) {
+ return;
+ }
+
+ if (!_tfips_context) {
+ _gnutls_debug_log("FIPS140-2 context is not set\n");
+ return;
+ }
+
+ if (_tfips_context->state == state) {
+ return;
+ }
+
+ switch (_tfips_context->state) {
case GNUTLS_FIPS140_OP_INITIAL:
/* initial can be transitioned to any state */
- _gnutls_debug_log("FIPS140-2 operation mode switched from initial to %s\n",
- operation_state_to_string(next));
- return next;
+ if (mode != GNUTLS_FIPS140_LAX) {
+ _gnutls_audit_log(NULL, "FIPS140-2 operation mode switched from initial to %s\n",
+ operation_state_to_string(state));
+ }
+ _tfips_context->state = state;
+ break;
case GNUTLS_FIPS140_OP_APPROVED:
/* approved can only be transitioned to not-approved */
- if (next == GNUTLS_FIPS140_OP_NOT_APPROVED) {
- _gnutls_debug_log("FIPS140-2 operation mode switched from approved to %s\n",
- operation_state_to_string(next));
- return next;
+ if (likely(state == GNUTLS_FIPS140_OP_NOT_APPROVED)) {
+ if (mode != GNUTLS_FIPS140_LAX) {
+ _gnutls_audit_log(NULL, "FIPS140-2 operation mode switched from approved to %s\n",
+ operation_state_to_string(state));
+ }
+ _tfips_context->state = state;
+ return;
}
FALLTHROUGH;
default:
/* other transitions are prohibited */
- if (next != current) {
- _gnutls_debug_log("FIPS140-2 operation mode cannot be switched from %s to %s\n",
- operation_state_to_string(current),
- operation_state_to_string(next));
+ if (mode != GNUTLS_FIPS140_LAX) {
+ _gnutls_audit_log(NULL, "FIPS140-2 operation mode cannot be switched from %s to %s\n",
+ operation_state_to_string(_tfips_context->state),
+ operation_state_to_string(state));
}
- return current;
+ break;
}
}
+#else
+
void
_gnutls_switch_fips_state(gnutls_fips140_operation_state_t state)
{
-#ifdef ENABLE_FIPS140
- if (!_tfips_context) {
- _gnutls_debug_log("FIPS140-2 context is not set\n");
- return;
- }
- _tfips_context->state =
- _gnutls_transit_fips_state(_tfips_context->state, state);
-#else
(void)state;
-#endif
}
+#endif
+
/**
* gnutls_fips140_run_self_tests:
*
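Review bot: In `_gnutls_switch_fips_state` the `GNUTLS_FIPS140_OP_APPROVED` case exits with `return;` while the `GNUTLS_FIPS140_OP_INITIAL` case uses `break;`, and the `mode != GNUTLS_FIPS140_LAX` guard around `_gnutls_audit_log` is repeated in all three branches; using `break;` in the approved case too and hoisting the guard into one flag would make the transition table easier to audit. The deliberate silence in lax mode is also undocumented, and since the commit's purpose is to make transitions visible an operator may not expect them to disappear in that mode; if the intent is to avoid noise because non-approved operation is tolerated there, a comment such as `/* lax mode tolerates non-approved operation, so transitions are not audited */` before the first guard would say so. The function has no header comment; I would add one stating that it advances the state of the current thread's pushed context, permitting only initial→any and approved→not-approved, ignoring same-state switches, and doing nothing when FIPS is disabled or no context has been pushed.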
diff --git a/lib/fips.h b/lib/fips.h
index 49ad1d9611..3a74f254e7 100644
--- a/lib/fips.h
+++ b/lib/fips.h
@@ -41,10 +41,6 @@ typedef enum {
extern unsigned int _gnutls_lib_state;
extern gnutls_crypto_rnd_st _gnutls_fips_rnd_ops;
-gnutls_fips140_operation_state_t
-_gnutls_transit_fips_state(gnutls_fips140_operation_state_t current,
- gnutls_fips140_operation_state_t next);
-
void _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state);
inline static