fips: make FIPS140-2 mode enablement logic simpler

Previously, to enable the FIPS140-2 mode, both /etc/system-fips and
the fips=1 kernel command line need to be set.  While this was
designed to be consistent, the convention is not well followed by the
other crypto libraries and the former tends to be ignored.  This
aligns the behavior to the latter, i.e. if fips=1 is set, the library
enables the FIPS140-2 mode regardless of the existence of
/etc/system-fips.

Suggested by Alexander Sosedkin.

Signed-off-by: Daiki Ueno <dueno@redhat.com>

2 files changed, 4 insertions, 5 deletions

diff --git a/lib/fips.c b/lib/fips.c
index 3c43250aaf..75f26f629e 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -102,14 +102,13 @@ unsigned _gnutls_fips_mode_enabled(void)
 		else f1p = 0;
 	}
 
-	f2p = !access(FIPS_SYSTEM_FILE, F_OK);
-
-	if (f1p != 0 && f2p != 0) {
+	if (f1p != 0) {
 		_gnutls_debug_log("FIPS140-2 mode enabled\n");
 		ret = GNUTLS_FIPS140_STRICT;
 		goto exit;
 	}
 
+	f2p = !access(FIPS_SYSTEM_FILE, F_OK);
 	if (f2p != 0) {
 		/* a funny state where self tests are performed
 		 * and ignored */
diff --git a/lib/random.c b/lib/random.c
index 6462738416..605fc8d51a 100644
--- a/lib/random.c
+++ b/lib/random.c
@@ -105,9 +105,9 @@ int _gnutls_rnd_preinit(void)
 
 #elif defined(ENABLE_FIPS140)
 	/* The FIPS140 random generator is only enabled when we are compiled
-	 * with FIPS support, _and_ the system requires FIPS140.
+	 * with FIPS support, _and_ the system is in FIPS installed state.
 	 */
-	if (_gnutls_fips_mode_enabled() == 1) {
+	if (_gnutls_fips_mode_enabled() != 0) {
 		ret = gnutls_crypto_rnd_register(100, &_gnutls_fips_rnd_ops);
 		if (ret < 0)
 			return ret;