authorNikos Mavrogiannopoulos <nmav@gnutls.org>2015-10-15 21:16:52 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2015-10-15 21:16:55 +0200
commitd949314986061044dd0c298e1d64315e2b5555ca (patch)
tree113c69b174a4da4275a831015c7dacc837006f64 /lib/cipher_int.c
parent500af2badafb991ff580acd747630ed62902da29 (diff)
downloadgnutls-d949314986061044dd0c298e1d64315e2b5555ca.tar.gz
Disable the NULL cipher on runtime when FIPS140 mode is enabled instead of statically
That way the NULL cipher can be used when not in FIPS140 mode.
Diffstat (limited to 'lib/cipher_int.c')
-rw-r--r--lib/cipher_int.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/cipher_int.c b/lib/cipher_int.c
index 052d559330..c2113767e0 100644
--- a/lib/cipher_int.c
+++ b/lib/cipher_int.c
@@ -55,6 +55,17 @@ int _gnutls_cipher_exists(gnutls_cipher_algorithm_t cipher)
const gnutls_crypto_cipher_st *cc;
int ret;
+ /* All the other ciphers are disabled on the back-end library.
+ * The NULL needs to be detected here as it is merely a placeholder
+ * rather than an actual cipher.
+ */
+ if (cipher == GNUTLS_CIPHER_NULL) {
+ if (_gnutls_fips_mode_enabled() == 0)
+ return 1;
+ else
+ return 0;
+ }
+
cc = _gnutls_get_crypto_cipher(cipher);
if (cc != NULL)
return 1;
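Review bot: The new comment above the `GNUTLS_CIPHER_NULL` check never names FIPS140 mode, so the reason for the special case has to be inferred from the `_gnutls_fips_mode_enabled()` call below it. I would state explicitly that in FIPS140 mode the back-end library already refuses the other non-approved ciphers, while NULL is a placeholder and so has to be rejected here. The comment should also record that outside FIPS140 mode this function now reports NULL as available unconditionally, so keeping an encryption-less cipher out of a session presumably rests on the priority configuration alone. As a style point, the inner if/else can collapse to `return _gnutls_fips_mode_enabled() == 0;`, which keeps the fail-closed behaviour of treating any non-zero mode value as enabled. The body of `_gnutls_cipher_exists` starts and ends outside the hunk.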