fips: Mark gnutls_hash_fast as approved in FIPS SLI
authorAngel Yankov <angel.yankov@suse.com>
Thu, 24 Oct 2024 12:08:04 +0000 (15:08 +0300)
committerAngel Yankov <angel.yankov@suse.com>
Fri, 25 Oct 2024 13:24:44 +0000 (16:24 +0300)
There is no reason for gnutls_hash_fast not to be approved under the
SLI as part of the approved service Message Digest (the same as
gnutls_hash_init, gnutls_hash and gnutls_hash_output).

Add a transition to state approved when using gnutls_hash_fast.

Signed-off-by: Angel Yankov <angel.yankov@suse.com>
lib/crypto-api.c
tests/fips-test.c

index 5a16978d63f9e31d8bb13e9f5b46a5b2d6aa5b55..0abbd7f69d135d68bfefe0568dd0ce4303aaacdd 100644 (file)
@@ -970,6 +970,8 @@ int gnutls_hash_fast(gnutls_digest_algorithm_t algorithm, const void *ptext,
                _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
        } else if (not_approved) {
                _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+       } else {
+               _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
        }
 
        return ret;
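Review bot: The new `else` branch flags APPROVED for every successful call in which `not_approved` is false, so the indicator is only as trustworthy as the check that sets `not_approved`, which is earlier in gnutls_hash_fast and outside this hunk; it should be the same per-digest approval test the init/hash/output path uses, otherwise the one-shot and the multi-step Message Digest service could report different states for the same algorithm. A short why-comment on the new branch would make the SLI intent explicit, e.g. `} else { /* approved digest, success: record it for the FIPS 140 service indicator */`. The function's Doxygen comment, also outside the hunk, should presumably now mention that the call updates the FIPS service indicator state, since callers of the indicator API will observe it. gnutls_hash_fast's body begins before this hunk.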
index 180da05d879920b65d4002fa7402df7b507977df..4051d798ef5bb01184de64ba08ba6e13d673d6ba 100644 (file)
@@ -668,8 +668,7 @@ void doit(void)
        }
        FIPS_POP_CONTEXT(APPROVED);
 
-       /* Create a SHA256 hashed data for 2-pass signature API; not a
-        * crypto operation */
+       /* Create a SHA256 hashed data for 2-pass signature API; approved */
        FIPS_PUSH_CONTEXT();
        ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, data.data, data.size, hash);
        if (ret < 0) {
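Review bot: With the comment changed from "not a crypto operation" to "approved", this hunk and the following ones only exercise the success/APPROVED path of gnutls_hash_fast; unless doit() already does so elsewhere, the error and NOT_APPROVED transitions of the one-shot call remain untested by this change. If the module exposes a digest that is allowed but not approved in FIPS mode, a matching `FIPS_PUSH_CONTEXT(); ret = gnutls_hash_fast(<that digest>, ...); FIPS_POP_CONTEXT(NOT_APPROVED);` case would pin the other branch of the new logic. doit() starts and ends outside this hunk.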
@@ -677,7 +676,7 @@ void doit(void)
        }
        hashed_data.data = hash;
        hashed_data.size = 32;
-       FIPS_POP_CONTEXT(INITIAL);
+       FIPS_POP_CONTEXT(APPROVED);
 
        /* Create a signature with ECDSA and SHA256 (2-pass API); not-approved */
        FIPS_PUSH_CONTEXT();
@@ -729,8 +728,7 @@ void doit(void)
        FIPS_POP_CONTEXT(NOT_APPROVED);
        gnutls_free(signature.data);
 
-       /* Create a SHA1 hashed data for 2-pass signature API; not a
-        * crypto operation */
+       /* Create a SHA1 hashed data for 2-pass signature API; approved */
        FIPS_PUSH_CONTEXT();
        ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size, hash);
        if (ret < 0) {
@@ -738,7 +736,7 @@ void doit(void)
        }
        hashed_data.data = hash;
        hashed_data.size = 20;
-       FIPS_POP_CONTEXT(INITIAL);
+       FIPS_POP_CONTEXT(APPROVED);
 
        /* Create a signature with ECDSA and SHA1 (2-pass API); not-approved */
        FIPS_PUSH_CONTEXT();
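Review bot: The new expectation at `FIPS_POP_CONTEXT(APPROVED);` for the SHA1 one-shot digest encodes a time-limited policy: SHA-1 is, as far as I know, still acceptable for non-signature hashing under the FIPS 140-3 guidance (NIST SP 800-131A Rev. 2) but is scheduled for withdrawal, so this assertion will have to flip when the module's approval table changes. The contrast with the SHA1 ECDSA signature immediately below, which the test marks not-approved, is the right one, but the rationale should be written down so the next maintainer does not "fix" it, e.g. `/* Create a SHA1 hashed data for 2-pass signature API; SHA1 is still approved for hashing, not for signing */`. doit() continues outside this hunk.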