[gnutls-devel] GnuTLS | _gnutls_priority_update_fips is called when the fips mode is off (#1485)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Jun 8 04:44:52 CEST 2023

wang cheng commented: https://gitlab.com/gnutls/gnutls/-/issues/1485#note_1422909155

I'm sorry I didn't describe the problem clearly.

`_gnutls_fips_mode_reset_zombie` is called in `_gnutls_global_init`.

```c
/* This _fips_mode == 2 is a strange mode where checks are being
 * performed, but its output is ignored. */
void _gnutls_fips_mode_reset_zombie(void)
{
	if (_global_fips_mode == GNUTLS_FIPS140_SELFTESTS) {
		_global_fips_mode = GNUTLS_FIPS140_DISABLED;
	}
}
```

In the above, `_global_fips_mode` is set to `GNUTLS_FIPS140_DISABLED`. There is a state transition here. This is the reason for the description:
> A transient state during library initialization. **That state cannot be set or seen by applications**.

After initialization, applications can get the FIPS state (`GNUTLS_FIPS140_DISABLED`) from the `gnutls_fips140_mode_enabled` API.

But GnuTLS has already called `_gnutls_priority_update_fips` when `/etc/system-fips` has been generated, making certain algorithm suites unusable. Therefore, the `GNUTLS_FIPS140_DISABLED` FIPS state is different from the actual initialization operation.

The best way to solve this problem is to add `if (res != GNUTLS_FIPS140_SELFTESTS)` before the `_gnutls_priority_update_fips` call.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1485#note_1422909155
You're receiving this email because of your account on gitlab.com.
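A small C model of the initialization sequence described in this comment, added here as an illustration and not code from GnuTLS or from the reporter: the enum values, the `detect_fips_mode` stand-in and the `apply_fix` switch are assumptions, and only the two mode names quoted in the issue are used. It shows why the reported mode and the effective priority restrictions disagree without the proposed guard, and agree with it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed numeric values; names mirror the enum members quoted in the issue. */
enum fips_mode {
	FIPS140_DISABLED = 0,
	FIPS140_SELFTESTS = 2,	/* transient "zombie" state during init */
};

struct lib_state {
	enum fips_mode mode;	/* what gnutls_fips140_mode_enabled() would report */
	bool fips_priorities;	/* whether _gnutls_priority_update_fips() ran */
};

/* Hypothetical stand-in for the startup check of /etc/system-fips. */
static enum fips_mode detect_fips_mode(bool system_fips_file_present)
{
	return system_fips_file_present ? FIPS140_SELFTESTS : FIPS140_DISABLED;
}

/* Models _gnutls_global_init(): detect the mode, update priorities, then
 * reset the zombie state. apply_fix adds the guard proposed in the issue. */
static struct lib_state model_global_init(bool system_fips_file_present,
					  bool apply_fix)
{
	struct lib_state st = { FIPS140_DISABLED, false };
	enum fips_mode res = detect_fips_mode(system_fips_file_present);
	st.mode = res;

	/* Unfixed: priorities are restricted whenever FIPS was detected,
	 * including the SELFTESTS state that is about to be discarded. */
	if (!apply_fix || res != FIPS140_SELFTESTS)
		st.fips_priorities = (res != FIPS140_DISABLED);

	/* _gnutls_fips_mode_reset_zombie(): SELFTESTS collapses to DISABLED. */
	if (st.mode == FIPS140_SELFTESTS)
		st.mode = FIPS140_DISABLED;
	return st;
}

/* Invariant the issue asks for: reported mode matches effective restrictions. */
static bool state_is_consistent(struct lib_state st)
{
	return st.fips_priorities == (st.mode != FIPS140_DISABLED);
}

int main(void)
{
	struct lib_state bug = model_global_init(true, false);
	struct lib_state fixed = model_global_init(true, true);
	printf("unfixed: mode=%d restricted=%d consistent=%d\n",
	       bug.mode, bug.fips_priorities, state_is_consistent(bug));
	printf("fixed:   mode=%d restricted=%d consistent=%d\n",
	       fixed.mode, fixed.fips_priorities, state_is_consistent(fixed));
	return 0;
}
```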
