authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-06-03 15:42:42 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-06-04 13:41:18 +0200
commite93f699bfc56153818d792fd10c32c6f29a6ee4d (patch)
tree61cf62869052030375c791617a12a79d90842638
parent90cb64ea21d0d1cbf3ad9997309bd697579e5200 (diff)
downloadgnutls-e93f699bfc56153818d792fd10c32c6f29a6ee4d.tar.gz
fips140: when GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS is setup do not perform integrity tests
-rw-r--r--lib/fips.c46
1 files changed, 27 insertions, 19 deletions
diff --git a/lib/fips.c b/lib/fips.c
index ac74533ce0..7c4b4b994b 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -38,6 +38,7 @@ unsigned int _gnutls_lib_mode = LIB_STATE_POWERON;
#define FIPS_SYSTEM_FILE "/etc/system-fips"
static int _fips_mode = -1;
+static int _skip_integrity_checks = 0;
/* Returns:
* 0 - FIPS mode disabled
@@ -53,6 +54,11 @@ const char *p;
if (_fips_mode != -1)
return _fips_mode;
+ p = getenv("GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS");
+ if (p && p[0] == '1') {
+ _skip_integrity_checks = 1;
+ }
+
p = getenv("GNUTLS_FORCE_FIPS_MODE");
if (p) {
if (p[0] == '1')
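Review bot: The added `getenv("GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS")` lets the process environment switch off the library integrity test, and plain `getenv` is honoured even when the program runs with privileges its caller does not have (setuid/setgid), where the environment is chosen by the less-privileged side. Where the C library provides it, `p = secure_getenv("GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS");` returns NULL in that situation; the existing GNUTLS_FORCE_FIPS_MODE lookup just below would deserve the same treatment. The flag is also set only as a side effect of this mode query, so the self-check code appears to depend on this function having been called first; a comment on `_skip_integrity_checks` such as `/* set by the FIPS mode query on first call; read by the self checks */` would record that. The enclosing function starts and ends outside the hunk.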
@@ -353,28 +359,30 @@ int _gnutls_fips_perform_self_checks2(void)
goto error;
}
- ret = check_binary_integrity(GNUTLS_LIBRARY_NAME, "gnutls_global_init");
- if (ret == 0) {
- gnutls_assert();
- goto error;
- }
+ if (_skip_integrity_checks == 0) {
+ ret = check_binary_integrity(GNUTLS_LIBRARY_NAME, "gnutls_global_init");
+ if (ret == 0) {
+ gnutls_assert();
+ goto error;
+ }
- ret = check_binary_integrity(NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
- if (ret == 0) {
- gnutls_assert();
- goto error;
- }
+ ret = check_binary_integrity(NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
+ if (ret == 0) {
+ gnutls_assert();
+ goto error;
+ }
- ret = check_binary_integrity(HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
- if (ret == 0) {
- gnutls_assert();
- goto error;
- }
+ ret = check_binary_integrity(HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
+ if (ret == 0) {
+ gnutls_assert();
+ goto error;
+ }
- ret = check_binary_integrity(GMP_LIBRARY_NAME, "__gmpz_init");
- if (ret == 0) {
- gnutls_assert();
- goto error;
+ ret = check_binary_integrity(GMP_LIBRARY_NAME, "__gmpz_init");
+ if (ret == 0) {
+ gnutls_assert();
+ goto error;
+ }
}
return 0;
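Review bot: When `_skip_integrity_checks` is non-zero the four `check_binary_integrity()` calls are bypassed and the function still reaches `return 0`, so callers and logs see a successful self-check with no trace that the integrity test was not run. An operator auditing a FIPS deployment should be able to tell the difference, so I would add an else branch that records it, for example `} else { _gnutls_debug_log("FIPS140-2 integrity checks skipped (GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS)\n"); }`. A short comment above the `if` stating when the override is meant to be used (presumably test suites or uninstalled builds, which the commit message does not say) would also help reviewers judge whether it belongs in production builds. The function begins outside this hunk.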