s3:profile: Allow profile subsystem to use SHA1 in FIPS mode
authorAndreas Schneider <asn@samba.org>
Wed, 15 May 2019 06:41:12 +0000 (08:41 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Tue, 9 Jul 2019 13:31:46 +0000 (13:31 +0000)
This is non-cryptographic use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul  9 13:31:46 UTC 2019 on sn-devel-184

source3/profile/profile.c

index 90a30f01f58f7fdbbe56192d29354057931d50fe..7e17d065d757a9699cdf897f4bdda3d1992ad127 100644 (file)
@@ -35,6 +35,7 @@
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
+#include "lib/crypto/gnutls_helpers.h"
 
 struct profile_stats *profile_p;
 struct smbprofile_global_state smbprofile_state;
@@ -154,6 +155,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
                                   reqprofile_message);
        }
 
+       GNUTLS_FIPS140_SET_LAX_MODE();
+
        rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
        if (rc < 0) {
                goto out;
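Review bot: The `GNUTLS_FIPS140_SET_LAX_MODE()` call in front of `gnutls_hash_init()` has no comment saying why relaxing FIPS enforcement is acceptable here; the justification exists only in the commit message. Anyone auditing FIPS exemptions later will look at the call site, so I would add something like `/* SHA1 is non-cryptographic here: the digest only feeds profile_p->magic, so permit it in FIPS mode */`. The next hunk shows the digest going into `profile_p->magic = BVAL(digest, 0)`; any other consumer of the digest would be outside these hunks, so confirm that before settling on the wording. The body of profile_setup starts and ends outside this hunk.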
@@ -212,6 +215,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
 
        gnutls_hash_deinit(hash_hnd, digest);
 
+       GNUTLS_FIPS140_SET_STRICT_MODE();
+
        profile_p = &smbprofile_state.stats.global;
 
        profile_p->magic = BVAL(digest, 0);
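Review bot: Strict mode is re-enabled here right after `gnutls_hash_deinit()` and again at `out:` in the last hunk, so the success path sets it twice, and both calls force strict rather than restoring whatever mode was active before the lax call. Keeping the relaxed window short while still covering the `goto out` error paths is a reasonable design, but it should be stated at the label, for example `/* error paths jump here with lax mode possibly still set */`. Whether the macros do nothing when FIPS is not enabled is decided in `lib/crypto/gnutls_helpers.h`, which this page does not show; it is worth confirming so that a non-FIPS process is not switched into strict mode. The function starts outside this hunk.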
@@ -221,6 +226,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
 
        ok = true;
 out:
+       GNUTLS_FIPS140_SET_STRICT_MODE();
+
        return ok;
 }