Blame SOURCES/gnutls-3.6.14-fips-mode-check.patch

From d1dc655cd2c8ae417381e5f966941c75cfe287ee Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 4 Jun 2020 16:42:07 +0200
Subject: [PATCH] _gnutls_fips_mode_enabled: treat selftest failure as FIPS
 disabled
Previously gnutls_fips140_mode_enabled() returned true, even after
selftests have failed and the library state has switched to error.
While later calls to crypto operations fail, it would be more
convenient to have a function to detect that state.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/fips.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
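--- a/lib/fips.c
+++ b/lib/fips.c
@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void)
 #ifdef ENABLE_FIPS140
 	unsigned ret = _gnutls_fips_mode_enabled();
 
-	if (ret > GNUTLS_FIPS140_DISABLED)
+	if (ret > GNUTLS_FIPS140_DISABLED) {
+		/* If the previous run of selftests has failed, return as if
+		 * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if
+		 * we can assume that all the selftests run atomically from
+		 * the ELF constructor.
+		 */
+		if (_gnutls_get_lib_state() == LIB_STATE_ERROR)
+			return 0;
+
 		return ret;
+	}
 #endif
 	return 0;
 }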
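Review bot: The new early `return 0;` under the `LIB_STATE_ERROR` check makes a failed self-test indistinguishable from FIPS mode never having been enabled, so a caller that reads 0 as "no FIPS restrictions apply" gets that answer from a library that is actually in the error state. The doc comment of `gnutls_fips140_mode_enabled()` lies outside this hunk; it should gain a sentence such as `Returns 0 also when FIPS mode is configured but the library is in the error state after a failed self-test.` so that applications do not treat the value as a policy decision. The check is added to the public wrapper only, so code that calls `_gnutls_fips_mode_enabled()` directly presumably still sees the mode as enabled, which differs from what the subject line suggests. That should be confirmed against the internal callers.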
-- 
2.26.2