[gnutls-devel] GnuTLS | Expose a public interface for executing FIPS integrity tests on-demand (#1364)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Jun 2 11:08:10 CEST 2022

Stephan Mueller commented:

The issue NIST brought up is that the power-cycle operation is not under control of the module, i.e. GnuTLS. Therefore, relying on the "power-cycle" operation is not possible. Even deinitializing and initializing the library is not possible because it involves operations outside of the module (at one time I was suggesting to simply document that one could do a dlopen() of the library and check the result to avoid any changes to the code base of GnuTLS, but this was not considered sufficient because dlopen is not part of the module).

Thus, we need an API that allows performing the same self tests as during power up:

- integrity check as outlined in the snipped above

- crypto algo known-answer tests

If the self test fails, the module shall enter the error state (considering that we do not have a degraded mode in GnuTLS). The problem with the functions in `self-test.h` is that they provide the basic test call, but do not (a) have the actual test vector, and (b) do not set the module into error state in case of a failure.

Thus, exporting _gnutls_fips_perform_self_checks2 should be the right course of action IMHO.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1364#note_968977732
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20220602/a74f3293/attachment.html>

More information about the Gnutls-devel mailing list