_gnutls_fips_mode_enabled: treat selftest failure as FIPS disabled

Previously gnutls_fips140_mode_enabled() returned true, even after
selftests have failed and the library state has switched to error.
While later calls to crypto operations fails, it would be more
convenient to have a function to detect that state.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

diff --git a/lib/fips.c b/lib/fips.c
index acdd2ec23e2e657722f39e83c9ae76cd3cad919a..f8b10f7502ed40dd8c48230c93daa3f2a04e4f19 100644 (file)
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void)
 #ifdef ENABLE_FIPS140
        unsigned ret = _gnutls_fips_mode_enabled();
 
-       if (ret > GNUTLS_FIPS140_DISABLED)
+       if (ret > GNUTLS_FIPS140_DISABLED) {
+               /* If the previous run of selftests has failed, return as if
+                * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if
+                * we can assume that all the selftests run atomically from
+                * the ELF constructor.
+                */
+               if (_gnutls_get_lib_state() == LIB_STATE_ERROR)
+                       return 0;
+
                return ret;
+       }
 #endif
        return 0;
 }