From aba099092f95cda473bd7a3301c8af2ce3d27c2e Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 23 Oct 2018 15:20:45 +0200 Subject: fips140: aligned code with documentation That is, we introduce the documented but unimplemented macros GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE(). Signed-off-by: Nikos Mavrogiannopoulos --- doc/cha-internals.texi | 16 +++++++++------- lib/includes/gnutls/gnutls.h.in | 10 ++++++++++ tests/fips-override-test.c | 8 ++++++++ 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi index 9d8fa6788b..50601bb69f 100644 --- a/doc/cha-internals.texi +++ b/doc/cha-internals.texi @@ -704,37 +704,39 @@ which can switch to alternative modes as in @ref{gnutls_fips_mode_t}. @showenumdesc{gnutls_fips_mode_t,The @code{gnutls_@-fips_@-mode_t} enumeration.} -The intention of this API is to be used by applications which need to run in +The intention of this API is to be used by applications which may run in FIPS140-2 mode, while they utilize few algorithms not in the allowed set, e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following. @example -GNUTLS_FIPS140_SET_RELAX_MODE(); +GNUTLS_FIPS140_SET_LAX_MODE(); _gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output); GNUTLS_FIPS140_SET_STRICT_MODE(); @end example -The @code{GNUTLS_FIPS140_SET_RELAX_MODE} and +The @code{GNUTLS_FIPS140_SET_LAX_MODE} and @code{GNUTLS_FIPS140_SET_STRICT_MODE} are macros to simplify the following sequence of calls. @example if (gnutls_fips140_mode_enabled()) - gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); _gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output); if (gnutls_fips140_mode_enabled()) - gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); + gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); @end example The reason of the @code{GNUTLS_FIPS140_SET_MODE_THREAD} flag in the -previous calls is to localize the change in the mode. +previous calls is to localize the change in the mode. Note also, that +such a block has no effect when the library is not operating +under FIPS140-2 mode, and thus it can be considered a no-op. Applications could also switch FIPS140-2 mode explicitly off, by calling @example -gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, 0); +gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); @end example diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index b4903bb97c..a5439cce56 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -2996,6 +2996,16 @@ typedef enum gnutls_fips_mode_t { void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags); +#define GNUTLS_FIPS140_SET_LAX_MODE() do { \ + if (gnutls_fips140_mode_enabled()) \ + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); \ + } while(0) + +#define GNUTLS_FIPS140_SET_STRICT_MODE() do { \ + if (gnutls_fips140_mode_enabled()) \ + gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); \ + } while(0) + /* Gnutls error codes. The mapping to a TLS alert is also shown in * comments. */ diff --git a/tests/fips-override-test.c b/tests/fips-override-test.c index 8e0be9d462..5b92a1d485 100644 --- a/tests/fips-override-test.c +++ b/tests/fips-override-test.c @@ -128,6 +128,14 @@ void doit(void) if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT) fail("switching to unknown mode didn't switch the lib to the expected mode\n"); + GNUTLS_FIPS140_SET_LAX_MODE(); + if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_LAX) + fail("switching to lax mode did not succeed!\n"); + + GNUTLS_FIPS140_SET_STRICT_MODE(); + if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT) + fail("switching to strict mode did not succeed!\n"); + gnutls_global_deinit(); return; } -- cgit v1.2.1