From dc3aa56779581b661311f1c4603f3383f252b3b3 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sun, 21 Jan 2018 15:07:00 +0100
Subject: fips140: added function for applications to switch the FIPS140-2 mode

That would allow FIPS140-2 compliant applications to use forbidden algorithms by switching to a lax FIPS140-2 mode.

Resolves #352
Resolves #353

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/nettle/cipher.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'lib/nettle/cipher.c')

diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
index 68215c50cf..4bcbe42269 100644
--- a/lib/nettle/cipher.c
+++ b/lib/nettle/cipher.c
@@ -562,8 +562,7 @@ wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t iv_size)
 switch (ctx->cipher->algo) {
 case GNUTLS_CIPHER_AES_128_GCM:
 case GNUTLS_CIPHER_AES_256_GCM:
-if (_gnutls_fips_mode_enabled() != 0 && iv_size < GCM_IV_SIZE)
-return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+FIPS_RULE(iv_size < GCM_IV_SIZE, GNUTLS_E_INVALID_REQUEST, "access to short GCM nonce size\n");
 break;
 case GNUTLS_CIPHER_SALSA20_256:
 case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
-- 
cgit v1.2.1
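Review bot: The early return that wrap_nettle_cipher_setiv used to make on a short GCM nonce is now hidden inside FIPS_RULE, whose definition is not in this hunk, so a reader of this switch can no longer see that strict FIPS mode still fails with GNUTLS_E_INVALID_REQUEST before reaching `break`, while a lax mode presumably falls through and installs the short nonce. A one-line comment above the macro call would carry that contract: `/* strict FIPS140 mode rejects GCM nonces shorter than GCM_IV_SIZE; lax mode only logs and continues */` — to be confirmed against the macro's definition. The log string "access to short GCM nonce size\n" also records neither iv_size nor GCM_IV_SIZE, so a lax-mode audit log cannot tell how short the accepted nonce was; if FIPS_RULE takes format arguments, include both values. wrap_nettle_cipher_setiv begins and ends outside the hunk.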