authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-10-23 15:20:45 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-10-23 20:41:51 +0200
commitaba099092f95cda473bd7a3301c8af2ce3d27c2e (patch)
treec0d2866afdf33ae43bd30a5bdf14bce772c05ead
parent1d5e93dbd69358fe7d66a3a6dd461d7fbb0738ee (diff)
fips140: aligned code with documentationtmp-fix-fips-mode
That is, we introduce the documented but unimplemented macros GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--doc/cha-internals.texi16
-rw-r--r--lib/includes/gnutls/gnutls.h.in10
-rw-r--r--tests/fips-override-test.c8
3 files changed, 27 insertions, 7 deletions
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 9d8fa6788b..50601bb69f 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -704,37 +704,39 @@ which can switch to alternative modes as in @ref{gnutls_fips_mode_t}.
@showenumdesc{gnutls_fips_mode_t,The @code{gnutls_@-fips_@-mode_t} enumeration.}
-The intention of this API is to be used by applications which need to run in
+The intention of this API is to be used by applications which may run in
FIPS140-2 mode, while they utilize few algorithms not in the allowed set,
e.g., for non-security related purposes. In these cases applications should
wrap the non-compliant code within blocks like the following.
@example
-GNUTLS_FIPS140_SET_RELAX_MODE();
+GNUTLS_FIPS140_SET_LAX_MODE();
_gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output);
GNUTLS_FIPS140_SET_STRICT_MODE();
@end example
-The @code{GNUTLS_FIPS140_SET_RELAX_MODE} and
+The @code{GNUTLS_FIPS140_SET_LAX_MODE} and
@code{GNUTLS_FIPS140_SET_STRICT_MODE} are macros to simplify the following
sequence of calls.
@example
if (gnutls_fips140_mode_enabled())
- gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
_gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output);
if (gnutls_fips140_mode_enabled())
- gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD);
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD);
@end example
The reason of the @code{GNUTLS_FIPS140_SET_MODE_THREAD} flag in the
-previous calls is to localize the change in the mode.
+previous calls is to localize the change in the mode. Note also, that
+such a block has no effect when the library is not operating
+under FIPS140-2 mode, and thus it can be considered a no-op.
Applications could also switch FIPS140-2 mode explicitly off, by calling
@example
-gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, 0);
+gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
@end example
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index b4903bb97c..a5439cce56 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2996,6 +2996,16 @@ typedef enum gnutls_fips_mode_t {
void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
+#define GNUTLS_FIPS140_SET_LAX_MODE() do { \
+ if (gnutls_fips140_mode_enabled()) \
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); \
+ } while(0)
+
+#define GNUTLS_FIPS140_SET_STRICT_MODE() do { \
+ if (gnutls_fips140_mode_enabled()) \
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); \
+ } while(0)
+
/* Gnutls error codes. The mapping to a TLS alert is also shown in
* comments.
*/
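Review bot: GNUTLS_FIPS140_SET_STRICT_MODE() does not restore the mode that was active before the matching GNUTLS_FIPS140_SET_LAX_MODE(); whenever gnutls_fips140_mode_enabled() is non-zero it selects GNUTLS_FIPS140_STRICT for the calling thread, so a thread that was already in some other enabled mode is tightened rather than put back (the gnutls_fips_mode_t enum is outside this hunk, so which other modes exist is not visible here). Since these are public macros, that contract belongs in the header next to them; a comment such as `/* Switch the calling thread to lax/strict FIPS140 operation. No-op when FIPS140 is disabled; the STRICT variant does not save/restore, it always selects GNUTLS_FIPS140_STRICT. */` above the two defines would do. The switch is also silent on failure: gnutls_fips140_set_mode() returns void, so the only way to confirm the change took effect is to re-query gnutls_fips140_mode_enabled() afterwards, as tests/fips-override-test.c does.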
diff --git a/tests/fips-override-test.c b/tests/fips-override-test.c
index 8e0be9d462..5b92a1d485 100644
--- a/tests/fips-override-test.c
+++ b/tests/fips-override-test.c
@@ -128,6 +128,14 @@ void doit(void)
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT)
fail("switching to unknown mode didn't switch the lib to the expected mode\n");
+ GNUTLS_FIPS140_SET_LAX_MODE();
+ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_LAX)
+ fail("switching to lax mode did not succeed!\n");
+
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT)
+ fail("switching to strict mode did not succeed!\n");
+
gnutls_global_deinit();
return;
}
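Review bot: The new assertions after GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE() only observe the calling thread, whereas the macros pass GNUTLS_FIPS140_SET_MODE_THREAD and doc/cha-internals.texi says the change is localized to the thread; nothing here checks that another thread still reports GNUTLS_FIPS140_STRICT while this one is in GNUTLS_FIPS140_LAX. If the test harness has a thread helper available, a second thread reading gnutls_fips140_mode_enabled() inside the lax block would pin that property; otherwise a comment such as `/* thread-local scope of the macros is not covered here */` above the new block would make the gap visible. These checks are only meaningful when the library starts in FIPS140 mode, which the preceding check against GNUTLS_FIPS140_STRICT already relies on; doit() begins outside the hunk.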