authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-11-13 15:55:50 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-11-13 15:55:50 +0100
commit9158f590f4a18c84fc9eb41877b29d73b30af879 (patch)
treeb50d3d094f0f53753c35b10f8f4b77dc6cbd41f4 /lib/fips.c
parentcf68c1aac998ed8ebcc64cbead93c3f0e437310f (diff)
downloadgnutls-9158f590f4a18c84fc9eb41877b29d73b30af879.tar.gz
the FIPS140-2 testing mode is disabled after self-checks
Diffstat (limited to 'lib/fips.c')
-rw-r--r--lib/fips.c30
1 files changed, 17 insertions, 13 deletions
diff --git a/lib/fips.c b/lib/fips.c
index dd68ba0d39..8688aec1fb 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -37,6 +37,8 @@ unsigned int _gnutls_lib_mode = LIB_STATE_POWERON;
#define FIPS_KERNEL_FILE "/proc/sys/crypto/fips_enabled"
#define FIPS_SYSTEM_FILE "/etc/system-fips"
+static int _fips_mode = -1;
+
/* Returns:
* 0 - FIPS mode disabled
* 1 - FIPS mode enabled and enforced
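Review bot: The new file-scope `_fips_mode` carries no comment, although it is now shared state between `_gnutls_fips_mode_enabled()` and the self-check code instead of being private to one function, and its -1 sentinel is only explained by the early-return in that function. Suggest documenting it at the declaration: `/* Cached FIPS mode, see _gnutls_fips_mode_enabled(): -1 = not yet evaluated, 0 = disabled, 1 = enforced, 2 = self-tests performed but ignored; set back to 0 once the self-checks have run. */`. Note that a file-scope identifier beginning with an underscore is reserved by the C standard; the file already does the same with `_gnutls_lib_mode`, so this follows local convention, but a `fips_mode` name would be cleaner. The variable is presumably written only during single-threaded initialization, since nothing guards the two writers — worth confirming.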
@@ -46,21 +48,20 @@ unsigned _gnutls_fips_mode_enabled(void)
{
unsigned f1p = 0, f2p;
FILE* fd;
-static int fips_mode = -1;
const char *p;
- if (fips_mode != -1)
- return fips_mode;
+ if (_fips_mode != -1)
+ return _fips_mode;
p = getenv("GNUTLS_FORCE_FIPS_MODE");
if (p) {
if (p[0] == '1')
- fips_mode = 1;
+ _fips_mode = 1;
else if (p[0] == '2')
- fips_mode = 2;
+ _fips_mode = 2;
else
- fips_mode = 0;
- return fips_mode;
+ _fips_mode = 0;
+ return _fips_mode;
}
fd = fopen(FIPS_KERNEL_FILE, "r");
@@ -76,20 +77,20 @@ const char *p;
if (f1p != 0 && f2p != 0) {
_gnutls_debug_log("FIPS140-2 mode enabled\n");
- fips_mode = 1;
- return fips_mode;
+ _fips_mode = 1;
+ return _fips_mode;
}
if (f2p != 0) {
/* a funny state where self tests are performed
* and ignored */
_gnutls_debug_log("FIPS140-2 ZOMBIE mode enabled\n");
- fips_mode = 2;
- return fips_mode;
+ _fips_mode = 2;
+ return _fips_mode;
}
- fips_mode = 0;
- return fips_mode;
+ _fips_mode = 0;
+ return _fips_mode;
}
#define GNUTLS_LIBRARY_NAME "libgnutls.so.28"
@@ -367,6 +368,9 @@ int _gnutls_fips_perform_self_checks2(void)
goto error;
}
+ if (_fips_mode == 2)
+ _fips_mode = 0;
+
return 0;
error:
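Review bot: The added `if (_fips_mode == 2) _fips_mode = 0;` only takes effect when the mode has already been evaluated; if no code has called `_gnutls_fips_mode_enabled()` before the self-checks, `_fips_mode` is still -1 at this point, the check does nothing, and the next call re-derives mode 2 from the environment and the kernel/system files, so the testing mode is not disabled after all. Whether that ordering can occur depends on the part of `_gnutls_fips_perform_self_checks2()` above the hunk, which starts outside it. Going through the accessor avoids the question: `if (_gnutls_fips_mode_enabled() == 2) _fips_mode = 0;`. A one-line comment on the intent would also help, e.g. `/* testing (ZOMBIE) mode: self-tests are done, continue as non-FIPS */`. On the error path `_fips_mode` stays at 2, which is presumably intended since the caller sees the failure.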