fips: make FIPS140-2 mode enablement logic simpler

Previously, to enable the FIPS140-2 mode, both /etc/system-fips and the fips=1 kernel command line need to be set. While this was designed to be consistent, the convention is not well followed by the other crypto libraries and the former tends to be ignored. This aligns the behavior to the latter, i.e. if fips=1 is set, the library enables the FIPS140-2 mode regardless of the existence of /etc/system-fips. Suggested by Alexander Sosedkin. Signed-off-by: Daiki Ueno <dueno@redhat.com>
author: Daiki Ueno <dueno@redhat.com> 2020-05-18 12:25:42 +0200
committer: Daiki Ueno <ueno@gnu.org> 2020-05-20 07:00:13 +0200
commit: 27c29e341656252c9e52bdb581d9c36c16035fc4 (patch)
tree: 572d2d22ceb23cdc4e25129aaad4c7d366a9f204 /lib/fips.c
parent: a9f907be146be0df2cc756c19543ec1d10ccdef9 (diff)
download: gnutls-27c29e341656252c9e52bdb581d9c36c16035fc4.tar.gz
1 files changed, 2 insertions, 3 deletions
diff --git a/lib/fips.c b/lib/fips.c
index 3c43250aaf..75f26f629e 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -102,14 +102,13 @@ unsigned _gnutls_fips_mode_enabled(void)
 		else f1p = 0;
 	}
 
-	f2p = !access(FIPS_SYSTEM_FILE, F_OK);
-
-	if (f1p != 0 && f2p != 0) {
+	if (f1p != 0) {
 		_gnutls_debug_log("FIPS140-2 mode enabled\n");
 		ret = GNUTLS_FIPS140_STRICT;
 		goto exit;
 	}
 
+	f2p = !access(FIPS_SYSTEM_FILE, F_OK);
 	if (f2p != 0) {
 		/* a funny state where self tests are performed
 		 * and ignored */
author	Daiki Ueno <dueno@redhat.com>	2020-05-18 12:25:42 +0200
committer	Daiki Ueno <ueno@gnu.org>	2020-05-20 07:00:13 +0200
commit	27c29e341656252c9e52bdb581d9c36c16035fc4 (patch)
tree	572d2d22ceb23cdc4e25129aaad4c7d366a9f204 /lib/fips.c
parent	a9f907be146be0df2cc756c19543ec1d10ccdef9 (diff)
download	gnutls-27c29e341656252c9e52bdb581d9c36c16035fc4.tar.gz