[gnutls-devel] GnuTLS | Expose a public interface for executing FIPS integrity tests on-demand (#1364)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu May 12 18:26:46 CEST 2022
Richard Costa created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1364
## Description of the feature:
One of the FIPS-140-3 requirements is the ability of a crypto module to execute integrity tests on-demand.
This can be done through a function which sets the FIPS state machine to `LIB_STATE_SELFTEST`, executes the integrity tests on the appropriate modules and then sets the state to `LIB_STATE_OPERATIONAL` or `LIB_STATE_ERROR` based on the result.
The function `_gnutls_fips_perform_self_checks2` can be used as an example of how to execute the procedure described above.
The snippet below shows the interesting part:
```c
if (_skip_integrity_checks == 0) {
	/* each check verifies the on-disk image of one library against its recorded HMAC */
	ret = check_binary_integrity(GNUTLS_LIBRARY_NAME, "gnutls_global_init");
	if (ret == 0) {
		gnutls_assert();
		goto error;
	}
	ret = check_binary_integrity(NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
	if (ret == 0) {
		gnutls_assert();
		goto error;
	}
	ret = check_binary_integrity(HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
	if (ret == 0) {
		gnutls_assert();
		goto error;
	}
	ret = check_binary_integrity(GMP_LIBRARY_NAME, "__gmpz_init");
	if (ret == 0) {
		gnutls_assert();
		goto error;
	}
}
return 0;
error:
	/* any failed check moves the whole library into the error state */
	_gnutls_switch_lib_state(LIB_STATE_ERROR);
```
## Applications that this feature may be relevant to:
Any application which requires a FIPS-140-3 compliant library.
## Is this feature implemented in other libraries (and which)
libgcrypt and openssl
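The state-machine flow the issue asks for (SELFTEST, then OPERATIONAL or ERROR depending on the checks), as an added stand-alone example that is not GnuTLS code and does not use the GnuTLS API. The module table, the `fips_run_integrity_tests` and `demo_*` names, and the FNV-1a checksum standing in for the real per-library HMAC are all constructed for illustration; the "library images" are byte arrays rather than mapped shared objects. One design choice beyond the issue text: the error state is sticky, so a later on-demand run does not silently clear it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Library states named in the issue (hypothetical enum, not GnuTLS's). */
enum lib_state { LIB_STATE_POWERON, LIB_STATE_SELFTEST, LIB_STATE_OPERATIONAL, LIB_STATE_ERROR };

static enum lib_state lib_state = LIB_STATE_POWERON;

enum lib_state fips_get_state(void) { return lib_state; }
static void switch_lib_state(enum lib_state s) { lib_state = s; }
/* Test-only hook: in a real module only a reload leaves the error state. */
void fips_reset_state(void) { lib_state = LIB_STATE_POWERON; }

/* One entry per protected library: the loaded image and its reference value. */
struct module {
    const char *name;
    const uint8_t *image;
    size_t len;
    uint64_t expected;   /* recorded at build time, before the image can be altered */
};

/* FNV-1a is a placeholder for the keyed MAC a real integrity check would use. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Returns 1 on success, 0 on mismatch, the convention check_binary_integrity() uses. */
static int check_binary_integrity(const struct module *m) {
    return fnv1a64(m->image, m->len) == m->expected;
}

/* On-demand integrity test: SELFTEST while running, then OPERATIONAL or ERROR. */
int fips_run_integrity_tests(const struct module *mods, size_t n) {
    if (lib_state == LIB_STATE_ERROR)
        return -1;   /* error is sticky; a passing re-run must not clear it */
    switch_lib_state(LIB_STATE_SELFTEST);
    for (size_t i = 0; i < n; i++) {
        if (!check_binary_integrity(&mods[i])) {
            fprintf(stderr, "integrity check failed for %s\n", mods[i].name);
            switch_lib_state(LIB_STATE_ERROR);
            return -1;
        }
    }
    switch_lib_state(LIB_STATE_OPERATIONAL);
    return 0;
}

/* Constructed stand-ins for two library images and their working copies. */
static const uint8_t pristine_gnutls[] = "libgnutls.so (constructed image)";
static const uint8_t pristine_nettle[] = "libnettle.so (constructed image)";
static uint8_t work_gnutls[sizeof pristine_gnutls];
static uint8_t work_nettle[sizeof pristine_nettle];

static void load_modules(struct module mods[2]) {
    memcpy(work_gnutls, pristine_gnutls, sizeof work_gnutls);
    memcpy(work_nettle, pristine_nettle, sizeof work_nettle);
    mods[0] = (struct module){ "libgnutls", work_gnutls, sizeof work_gnutls,
                               fnv1a64(pristine_gnutls, sizeof pristine_gnutls) };
    mods[1] = (struct module){ "libnettle", work_nettle, sizeof work_nettle,
                               fnv1a64(pristine_nettle, sizeof pristine_nettle) };
}

/* Untouched images: expect 0 and LIB_STATE_OPERATIONAL. */
int demo_intact(void) {
    struct module mods[2];
    fips_reset_state();
    load_modules(mods);
    return fips_run_integrity_tests(mods, 2);
}

/* One flipped bit in the nettle image: expect -1 and LIB_STATE_ERROR. */
int demo_tampered(void) {
    struct module mods[2];
    fips_reset_state();
    load_modules(mods);
    work_nettle[0] ^= 0x01;
    return fips_run_integrity_tests(mods, 2);
}

/* After a failure, restoring the image and re-running still fails (error is sticky). */
int demo_error_is_sticky(void) {
    struct module mods[2];
    if (demo_tampered() != -1) return 0;
    load_modules(mods);
    return fips_run_integrity_tests(mods, 2) == -1 && fips_get_state() == LIB_STATE_ERROR;
}

int main(void) {
    printf("intact: %d, tampered: %d, sticky: %d\n",
           demo_intact(), demo_tampered(), demo_error_is_sticky());
    return 0;
}
```

The point of the separate SELFTEST state is that callers can distinguish "tests in progress" from "ready"; the point of the sticky ERROR state is that an on-demand test is a way to detect tampering, not a way to recover from it.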