| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-10-23 15:20:45 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-10-23 20:41:51 +0200 |
| commit | aba099092f95cda473bd7a3301c8af2ce3d27c2e (patch) | |
| tree | c0d2866afdf33ae43bd30a5bdf14bce772c05ead /doc | |
| parent | 1d5e93dbd69358fe7d66a3a6dd461d7fbb0738ee (diff) | |
| download | gnutls-aba099092f95cda473bd7a3301c8af2ce3d27c2e.tar.gz | |
fips140: aligned code with documentation (tmp-fix-fips-mode)
That is, we introduce the documented but unimplemented macros
GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-internals.texi | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi index 9d8fa6788b..50601bb69f 100644 --- a/doc/cha-internals.texi +++ b/doc/cha-internals.texi 
@@ -704,37 +704,39 @@ which can switch to alternative modes as in @ref{gnutls_fips_mode_t}. @showenumdesc{gnutls_fips_mode_t,The @code{gnutls_@-fips_@-mode_t} enumeration.} -The intention of this API is to be used by applications which need to run in +The intention of this API is to be used by applications which may run in FIPS140-2 mode, while they utilize few algorithms not in the allowed set, e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following. @example -GNUTLS_FIPS140_SET_RELAX_MODE(); +GNUTLS_FIPS140_SET_LAX_MODE(); _gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output); GNUTLS_FIPS140_SET_STRICT_MODE(); @end example -The @code{GNUTLS_FIPS140_SET_RELAX_MODE} and +The @code{GNUTLS_FIPS140_SET_LAX_MODE} and @code{GNUTLS_FIPS140_SET_STRICT_MODE} are macros to simplify the following sequence of calls. @example if (gnutls_fips140_mode_enabled()) - gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); _gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output); if (gnutls_fips140_mode_enabled()) - gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); + gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD); @end example The reason of the @code{GNUTLS_FIPS140_SET_MODE_THREAD} flag in the -previous calls is to localize the change in the mode. +previous calls is to localize the change in the mode. Note also, that +such a block has no effect when the library is not operating +under FIPS140-2 mode, and thus it can be considered a no-op. Applications could also switch FIPS140-2 mode explicitly off, by calling @example -gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, 0); +gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); @end example |
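Review bot: the application-facing example in this hunk still calls `_gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output)`, an underscore-prefixed internal symbol, in a section that tells applications how to wrap their own non-compliant code; since this change only corrected the macro and enum names around it, the call itself looks like it slipped through, and the public `gnutls_hash_fast()` (same argument list) would give readers a call they can actually make from application code. Minor: the added sentence "Note also, that such a block has no effect when the library is not operating under FIPS140-2 mode" reads better without the comma after "also".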