diff options
author | Dmitry Baryshkov <dbaryshkov@gmail.com> | 2020-05-27 21:11:41 +0000 |
---|---|---|
committer | Dmitry Baryshkov <dbaryshkov@gmail.com> | 2020-05-27 21:11:41 +0000 |
commit | dca9dcdecd448b75ccae83b99f6a18b607ff694f (patch) | |
tree | 0abc8c2e328740f26821d14d5f1b2df314889df1 /doc | |
parent | 6753e6f093708ba89071124ab0cb4da83c948634 (diff) | |
parent | a53007d1986bcec8b042cabdcecef7e95de68b93 (diff) | |
download | gnutls-dca9dcdecd448b75ccae83b99f6a18b607ff694f.tar.gz |
Merge branch 'tmp-fips-redefinition' into 'master'
fips: make FIPS140-2 mode enablement logic simpler
See merge request gnutls/gnutls!1253
Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-internals.texi | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi index 2a9bc1a45b..f188caecc9 100644 --- a/doc/cha-internals.texi +++ b/doc/cha-internals.texi @@ -667,15 +667,29 @@ is for the conformance to NIST's FIPS140-2 publication, which consists of polici for cryptographic modules (such as software libraries). Its implementation in GnuTLS is designed for Red Hat Enterprise Linux, and can only be enabled when the library is explicitly compiled with the '--enable-fips140-mode' -configure option. The operation of the library is then modified, as follows. +configure option. + +There are two distinct library states with regard to FIPS140-2: the FIPS140-2 +mode is @emph{installed} if @code{/etc/system-fips} is present, and the +FIPS140-2 mode is @emph{enabled} if @code{/proc/sys/crypto/fips_enabled} +contains '1', which is typically set with the ``fips=1'' kernel command line +option. + +When the FIPS140-2 mode is installed, the operation of the library is modified +as follows. @itemize -@item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present. -@item Only approved by FIPS140-2 algorithms are enabled -@item Only approved by FIPS140-2 key lengths are allowed for key generation @item The random generator used switches to DRBG-AES @item The integrity of the GnuTLS and dependent libraries is checked on startup @item Algorithm self-tests are run on library load +@end itemize + +When the FIPS140-2 mode is enabled, The operation of the library is in addition +modified as follows. + +@itemize +@item Only approved by FIPS140-2 algorithms are enabled +@item Only approved by FIPS140-2 key lengths are allowed for key generation @item Any cryptographic operation will be refused if any of the self-tests failed @end itemize |