[gnutls-devel] GnuTLS | _gnutls_priority_update_fips is called when the fips mode is off (#1485)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu Jun 8 04:44:52 CEST 2023
wang cheng commented: https://gitlab.com/gnutls/gnutls/-/issues/1485#note_1422909155
I'm sorry I didn't describe the problem clearly.
`_gnutls_fips_mode_reset_zombie` is called in `_gnutls_global_init`.
```
/* This _fips_mode == 2 is a strange mode where checks are being
 * performed, but its output is ignored. */
void _gnutls_fips_mode_reset_zombie(void)
{
	/* Leave the transient self-test state once initialization is done:
	 * the mode applications can observe becomes DISABLED. */
	if (_global_fips_mode == GNUTLS_FIPS140_SELFTESTS) {
		_global_fips_mode = GNUTLS_FIPS140_DISABLED;
	}
}
```
In the above, `_global_fips_mode` is set to `GNUTLS_FIPS140_DISABLED`. There is a state transition here. This is the reason for the description:
> A transient state during library initialization. **That state cannot be set or seen by applications**.
After initialization, applications can get the FIPS state (`GNUTLS_FIPS140_DISABLED`) from the `gnutls_fips140_mode_enabled` API.
But GnuTLS has already called `_gnutls_priority_update_fips` when `/etc/system-fips` has been generated, making certain algorithm suites unusable. Therefore, the `GNUTLS_FIPS140_DISABLED` FIPS state is different from the actual initialization operation.
The best way to solve this problem is to add `if (res != GNUTLS_FIPS140_SELFTESTS)` before the `_gnutls_priority_update_fips` call.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1485#note_1422909155
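The inconsistency described in the comment above, modelled as a small self-contained C program. This is an added illustration, not GnuTLS code: the `lib_state` struct, `global_init`, `init_is_consistent` and the `fixed` flag are mine, the initialization order (priority update, then the zombie reset) is assumed from the report, and the value of `GNUTLS_FIPS140_STRICT` is assumed since the report only names `DISABLED` and `SELFTESTS` (the `== 2` in the quoted comment).

```c
#include <stdbool.h>
#include <stdio.h>

/* Mode names as used in the report; SELFTESTS == 2 matches the quoted
 * "_fips_mode == 2" comment, the STRICT value is an assumption. */
typedef enum {
	GNUTLS_FIPS140_DISABLED = 0,
	GNUTLS_FIPS140_STRICT = 1,
	GNUTLS_FIPS140_SELFTESTS = 2,
} fips_mode_t;

/* Hypothetical model of the library state relevant to the report. */
struct lib_state {
	fips_mode_t global_fips_mode;  /* what gnutls_fips140_mode_enabled() reports */
	bool fips_priorities_applied;  /* whether the FIPS priority update has run */
};

/* Stand-in for the _gnutls_fips_mode_reset_zombie() quoted in the comment:
 * the transient self-test state collapses to DISABLED after init. */
static void fips_mode_reset_zombie(struct lib_state *s)
{
	if (s->global_fips_mode == GNUTLS_FIPS140_SELFTESTS)
		s->global_fips_mode = GNUTLS_FIPS140_DISABLED;
}

/* Stand-in for _gnutls_priority_update_fips(): records that the
 * non-FIPS algorithm suites have been made unusable. */
static void priority_update_fips(struct lib_state *s)
{
	s->fips_priorities_applied = true;
}

/* Model of _gnutls_global_init(). `res` is the mode derived from the
 * environment (e.g. /etc/system-fips present); `fixed` applies the
 * `res != GNUTLS_FIPS140_SELFTESTS` guard proposed in the report. */
static struct lib_state global_init(fips_mode_t res, bool fixed)
{
	struct lib_state s = { res, false };

	if (res != GNUTLS_FIPS140_DISABLED) {
		if (!fixed || res != GNUTLS_FIPS140_SELFTESTS)
			priority_update_fips(&s);
	}
	fips_mode_reset_zombie(&s);
	return s;
}

/* True when the observable mode and the applied restrictions agree:
 * priorities are restricted if and only if FIPS is reported as enabled. */
static bool init_is_consistent(fips_mode_t res, bool fixed)
{
	struct lib_state s = global_init(res, fixed);
	bool reports_enabled = s.global_fips_mode != GNUTLS_FIPS140_DISABLED;

	return reports_enabled == s.fips_priorities_applied;
}

int main(void)
{
	const fips_mode_t modes[] = { GNUTLS_FIPS140_DISABLED,
				      GNUTLS_FIPS140_STRICT,
				      GNUTLS_FIPS140_SELFTESTS };

	for (size_t i = 0; i < sizeof(modes) / sizeof(modes[0]); i++) {
		printf("res=%d  unpatched: %s  patched: %s\n", (int)modes[i],
		       init_is_consistent(modes[i], false) ? "consistent" : "INCONSISTENT",
		       init_is_consistent(modes[i], true) ? "consistent" : "INCONSISTENT");
	}
	return 0;
}
```

Only the `SELFTESTS` row differs between the two columns: without the guard the library ends up reporting `GNUTLS_FIPS140_DISABLED` while the restricted priorities stay in effect, which is the mismatch the report describes; with the guard the reported mode and the applied priorities agree in every case.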