author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-10-23 15:20:45 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-10-23 20:41:51 +0200 |
commit | aba099092f95cda473bd7a3301c8af2ce3d27c2e (patch) | |
tree | c0d2866afdf33ae43bd30a5bdf14bce772c05ead | |
parent | 1d5e93dbd69358fe7d66a3a6dd461d7fbb0738ee (diff) | |
download | gnutls-aba099092f95cda473bd7a3301c8af2ce3d27c2e.tar.gz |
fips140: aligned code with documentationtmp-fix-fips-mode
That is, we introduce the documented but unimplemented macros
GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | doc/cha-internals.texi | 16 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 10 | ||||
-rw-r--r-- | tests/fips-override-test.c | 8 |
3 files changed, 27 insertions, 7 deletions
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 9d8fa6788b..50601bb69f 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -704,37 +704,39 @@ which can switch to alternative modes as in @ref{gnutls_fips_mode_t}. @showenumdesc{gnutls_fips_mode_t,The @code{gnutls_@-fips_@-mode_t} enumeration.} -The intention of this API is to be used by applications which need to run in +The intention of this API is to be used by applications which may run in FIPS140-2 mode, while they utilize few algorithms not in the allowed set, e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following. @example -GNUTLS_FIPS140_SET_RELAX_MODE(); +GNUTLS_FIPS140_SET_LAX_MODE(); _gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output); GNUTLS_FIPS140_SET_STRICT_MODE(); @end example -The @code{GNUTLS_FIPS140_SET_RELAX_MODE} and +The @code{GNUTLS_FIPS140_SET_LAX_MODE} and @code{GNUTLS_FIPS140_SET_STRICT_MODE} are macros to simplify the following sequence of calls. @example if (gnutls_fips140_mode_enabled()) - gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); _gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output); if (gnutls_fips140_mode_enabled()) - gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); + gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); @end example The reason of the @code{GNUTLS_FIPS140_SET_MODE_THREAD} flag in the -previous calls is to localize the change in the mode. +previous calls is to localize the change in the mode. Note also, that +such a block has no effect when the library is not operating +under FIPS140-2 mode, and thus it can be considered a no-op. Applications could also switch FIPS140-2 mode explicitly off, by calling @example -gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, 0); +gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); @end example 
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index b4903bb97c..a5439cce56 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2996,6 +2996,16 @@ typedef enum gnutls_fips_mode_t {
 void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
+#define GNUTLS_FIPS140_SET_LAX_MODE() do { \
+ if (gnutls_fips140_mode_enabled()) \
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); \
+ } while(0)
+
+#define GNUTLS_FIPS140_SET_STRICT_MODE() do { \
+ if (gnutls_fips140_mode_enabled()) \
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); \
+ } while(0)
+
 /* Gnutls error codes. The mapping to a TLS alert is also shown in
 * comments.
 */
diff --git a/tests/fips-override-test.c b/tests/fips-override-test.c
index 8e0be9d462..5b92a1d485 100644
--- a/tests/fips-override-test.c
+++ b/tests/fips-override-test.c
@@ -128,6 +128,14 @@ void doit(void)
 if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT)
 fail("switching to unknown mode didn't switch the lib to the expected mode\n");
+ GNUTLS_FIPS140_SET_LAX_MODE();
+ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_LAX)
+ fail("switching to lax mode did not succeed!\n");
+
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT)
+ fail("switching to strict mode did not succeed!\n");
+
 gnutls_global_deinit();
 return;
 }
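Review bot: The two macros go into the public header without any comment, and GNUTLS_FIPS140_SET_STRICT_MODE() is not the inverse of GNUTLS_FIPS140_SET_LAX_MODE(): it forces GNUTLS_FIPS140_STRICT on the calling thread whenever gnutls_fips140_mode_enabled() is non-zero, so a process that was running in some other enabled, non-strict mode is escalated to strict on that thread rather than returned to its previous state. Since the texinfo hunk presents the pair as a wrap/restore idiom, the header should say what actually happens, e.g. `/* Switch the calling thread to LAX or STRICT FIPS140 mode; a no-op when FIPS140 is not enabled. SET_STRICT_MODE does not restore the previous mode. */` above the first definition. As a point of style, the closing `} while(0)` is indented one level deeper than the `do {` it pairs with, which reads as part of the body; aligning it with the `#define` is the usual form of this idiom.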
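Review bot: The new assertions only show that the mode flips on the calling thread; they do not check that the change is confined to that thread, which is the stated reason for passing GNUTLS_FIPS140_SET_MODE_THREAD, so a second thread observing GNUTLS_FIPS140_STRICT while the first has run GNUTLS_FIPS140_SET_LAX_MODE() would be the test that pins the documented behaviour. Note also that when the library runs with FIPS140 disabled, gnutls_fips140_mode_enabled() returns 0 and both macros are no-ops, so `if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_LAX)` would fail outright; doit() begins outside the hunk, so presumably an earlier check already exits in that case, but that is worth confirming.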