
From d1dc655cd2c8ae417381e5f966941c75cfe287ee Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 4 Jun 2020 16:42:07 +0200
Subject: [PATCH] _gnutls_fips_mode_enabled: treat selftest failure as FIPS
 disabled
Previously gnutls_fips140_mode_enabled() returned true, even after
selftests have failed and the library state has switched to error.
While later calls to crypto operations fail, it would be more
convenient to have a function to detect that state.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/fips.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/fips.c b/lib/fips.c
index acdd2ec23..f8b10f750 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void)
 #ifdef ENABLE_FIPS140
 	unsigned ret = _gnutls_fips_mode_enabled();
 
-	if (ret > GNUTLS_FIPS140_DISABLED)
+	if (ret > GNUTLS_FIPS140_DISABLED) {
+		/* If the previous run of selftests has failed, return as if
+		 * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if
+		 * we can assume that all the selftests run atomically from
+		 * the ELF constructor.
+		 */
+		if (_gnutls_get_lib_state() == LIB_STATE_ERROR)
+			return 0;
+
 		return ret;
+	}
 #endif
 	return 0;
 }
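Review bot: The public contract of gnutls_fips140_mode_enabled() changes here without its API documentation being updated: after this hunk a return of 0 means either "FIPS mode was never enabled" or "FIPS mode was requested but the library is in LIB_STATE_ERROR after a failed selftest", and a caller cannot tell the two apart from the return value alone. The function's doc comment starts outside the hunk; it should gain a sentence such as `Returns 0 also when the library has entered the error state (e.g. after a failed selftest), even if FIPS mode was requested; use the library state if the distinction matters.` As a point of style, the new early return at `return 0;` inside the braced block would read more clearly as `return GNUTLS_FIPS140_DISABLED;`, mirroring the comparison on the line above it. The inline comment's reference to HAVE_LIB_ERROR as an alternative is a hedge about constructor ordering that I cannot confirm from the hunk; if the selftests are not guaranteed to have completed when this is called, the doc comment should say so too.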
-- 
2.26.2