fips: make FIPS140-2 mode enablement logic simpler

Previously, to enable the FIPS140-2 mode, both /etc/system-fips and
the fips=1 kernel command line need to be set.  While this was
designed to be consistent, the convention is not well followed by the
other crypto libraries and the former tends to be ignored.  This
aligns the behavior to the latter, i.e. if fips=1 is set, the library
enables the FIPS140-2 mode regardless of the existence of
/etc/system-fips.

Suggested by Alexander Sosedkin.

Signed-off-by: Daiki Ueno <dueno@redhat.com>

diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 2a9bc1a45b64c494f8c142c5349b6b6f96396b49..f188caecc93fc4b1557efa9871db11b086a24901 100644 (file)
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -667,15 +667,29 @@ is for the conformance to NIST's FIPS140-2 publication, which consists of polici
 for cryptographic modules (such as software libraries). Its implementation in
 GnuTLS is designed for Red Hat Enterprise Linux, and can only be enabled
 when the library is explicitly compiled with the '--enable-fips140-mode'
-configure option. The operation of the library is then modified, as follows.
+configure option.
+
+There are two distinct library states with regard to FIPS140-2: the FIPS140-2
+mode is @emph{installed} if @code{/etc/system-fips} is present, and the
+FIPS140-2 mode is @emph{enabled} if @code{/proc/sys/crypto/fips_enabled}
+contains '1', which is typically set with the ``fips=1'' kernel command line
+option.
+
+When the FIPS140-2 mode is installed, the operation of the library is modified
+as follows.
 
 @itemize
-@item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present.
-@item Only approved by FIPS140-2 algorithms are enabled
-@item Only approved by FIPS140-2 key lengths are allowed for key generation
 @item The random generator used switches to DRBG-AES
 @item The integrity of the GnuTLS and dependent libraries is checked on startup
 @item Algorithm self-tests are run on library load
+@end itemize
+
+When the FIPS140-2 mode is enabled, The operation of the library is in addition
+modified as follows.
+
+@itemize
+@item Only approved by FIPS140-2 algorithms are enabled
+@item Only approved by FIPS140-2 key lengths are allowed for key generation
 @item Any cryptographic operation will be refused if any of the self-tests failed
 @end itemize
 

diff --git a/lib/fips.c b/lib/fips.c
index 3c43250aaf8fb40ecd33dc2ee16a594ac478c359..75f26f629ed2581d41d9e2b9e8a6e4b3a835df83 100644 (file)
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -102,14 +102,13 @@ unsigned _gnutls_fips_mode_enabled(void)
                else f1p = 0;
        }
 
-       f2p = !access(FIPS_SYSTEM_FILE, F_OK);
-
-       if (f1p != 0 && f2p != 0) {
+       if (f1p != 0) {
                _gnutls_debug_log("FIPS140-2 mode enabled\n");
                ret = GNUTLS_FIPS140_STRICT;
                goto exit;
        }
 
+       f2p = !access(FIPS_SYSTEM_FILE, F_OK);
        if (f2p != 0) {
                /* a funny state where self tests are performed
                 * and ignored */

diff --git a/lib/random.c b/lib/random.c
index 6462738416a4eb2acf0652fddd9227255b9dcac8..605fc8d51afdfc4e1d0b329f0390e46b0760f3c5 100644 (file)
--- a/lib/random.c
+++ b/lib/random.c
@@ -105,9 +105,9 @@ int _gnutls_rnd_preinit(void)
 
 #elif defined(ENABLE_FIPS140)
        /* The FIPS140 random generator is only enabled when we are compiled
-        * with FIPS support, _and_ the system requires FIPS140.
+        * with FIPS support, _and_ the system is in FIPS installed state.
         */
-       if (_gnutls_fips_mode_enabled() == 1) {
+       if (_gnutls_fips_mode_enabled() != 0) {
                ret = gnutls_crypto_rnd_register(100, &_gnutls_fips_rnd_ops);
                if (ret < 0)
                        return ret;