Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2013 Red Hat |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | #ifndef GNUTLS_LIB_FIPS_H |
24 | | # define GNUTLS_LIB_FIPS_H |
25 | | |
26 | | # include "gnutls_int.h" |
27 | | # include <gnutls/gnutls.h> |
28 | | |
29 | | # define FIPS140_RND_KEY_SIZE 32 |
30 | | |
31 | | typedef enum { |
32 | | LIB_STATE_POWERON, |
33 | | LIB_STATE_INIT, |
34 | | LIB_STATE_SELFTEST, |
35 | | LIB_STATE_OPERATIONAL, |
36 | | LIB_STATE_ERROR, |
37 | | LIB_STATE_SHUTDOWN |
38 | | } gnutls_lib_state_t; |
39 | | |
40 | | /* do not access directly */ |
41 | | extern unsigned int _gnutls_lib_state; |
42 | | extern gnutls_crypto_rnd_st _gnutls_fips_rnd_ops; |
43 | | |
44 | | void _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state); |
45 | | |
46 | | inline static |
47 | | void _gnutls_switch_lib_state(gnutls_lib_state_t state) |
48 | 0 | { |
49 | | /* Once into zombie state no errors can change us */ |
50 | 0 | _gnutls_lib_state = state; |
51 | 0 | } Unexecuted instantiation: common.c:_gnutls_switch_lib_state Unexecuted instantiation: crl.c:_gnutls_switch_lib_state Unexecuted instantiation: crq.c:_gnutls_switch_lib_state Unexecuted instantiation: dn.c:_gnutls_switch_lib_state Unexecuted instantiation: extensions.c:_gnutls_switch_lib_state Unexecuted instantiation: hostname-verify.c:_gnutls_switch_lib_state Unexecuted instantiation: key_decode.c:_gnutls_switch_lib_state Unexecuted instantiation: key_encode.c:_gnutls_switch_lib_state Unexecuted instantiation: mpi.c:_gnutls_switch_lib_state Unexecuted instantiation: ocsp.c:_gnutls_switch_lib_state Unexecuted instantiation: output.c:_gnutls_switch_lib_state Unexecuted instantiation: pkcs12.c:_gnutls_switch_lib_state Unexecuted instantiation: pkcs12_bag.c:_gnutls_switch_lib_state Unexecuted instantiation: pkcs7-crypt.c:_gnutls_switch_lib_state Unexecuted instantiation: privkey_openssl.c:_gnutls_switch_lib_state Unexecuted instantiation: privkey_pkcs8.c:_gnutls_switch_lib_state Unexecuted instantiation: privkey_pkcs8_pbes1.c:_gnutls_switch_lib_state Unexecuted instantiation: prov-seed.c:_gnutls_switch_lib_state Unexecuted instantiation: sign.c:_gnutls_switch_lib_state Unexecuted instantiation: time.c:_gnutls_switch_lib_state Unexecuted instantiation: tls_features.c:_gnutls_switch_lib_state Unexecuted instantiation: verify-high.c:_gnutls_switch_lib_state Unexecuted instantiation: verify-high2.c:_gnutls_switch_lib_state Unexecuted instantiation: verify.c:_gnutls_switch_lib_state Unexecuted instantiation: virt-san.c:_gnutls_switch_lib_state Unexecuted instantiation: x509.c:_gnutls_switch_lib_state Unexecuted instantiation: x509_dn.c:_gnutls_switch_lib_state Unexecuted instantiation: x509_ext.c:_gnutls_switch_lib_state Unexecuted instantiation: x509_write.c:_gnutls_switch_lib_state Unexecuted instantiation: attributes.c:_gnutls_switch_lib_state Unexecuted instantiation: email-verify.c:_gnutls_switch_lib_state Unexecuted instantiation: krb5.c:_gnutls_switch_lib_state Unexecuted instantiation: name_constraints.c:_gnutls_switch_lib_state |
52 | | |
53 | | inline static gnutls_lib_state_t _gnutls_get_lib_state(void) |
54 | 0 | { |
55 | 0 | return _gnutls_lib_state; |
56 | 0 | } Unexecuted instantiation: common.c:_gnutls_get_lib_state Unexecuted instantiation: crl.c:_gnutls_get_lib_state Unexecuted instantiation: crq.c:_gnutls_get_lib_state Unexecuted instantiation: dn.c:_gnutls_get_lib_state Unexecuted instantiation: extensions.c:_gnutls_get_lib_state Unexecuted instantiation: hostname-verify.c:_gnutls_get_lib_state Unexecuted instantiation: key_decode.c:_gnutls_get_lib_state Unexecuted instantiation: key_encode.c:_gnutls_get_lib_state Unexecuted instantiation: mpi.c:_gnutls_get_lib_state Unexecuted instantiation: ocsp.c:_gnutls_get_lib_state Unexecuted instantiation: output.c:_gnutls_get_lib_state Unexecuted instantiation: pkcs12.c:_gnutls_get_lib_state Unexecuted instantiation: pkcs12_bag.c:_gnutls_get_lib_state Unexecuted instantiation: pkcs7-crypt.c:_gnutls_get_lib_state Unexecuted instantiation: privkey_openssl.c:_gnutls_get_lib_state Unexecuted instantiation: privkey_pkcs8.c:_gnutls_get_lib_state Unexecuted instantiation: privkey_pkcs8_pbes1.c:_gnutls_get_lib_state Unexecuted instantiation: prov-seed.c:_gnutls_get_lib_state Unexecuted instantiation: sign.c:_gnutls_get_lib_state Unexecuted instantiation: time.c:_gnutls_get_lib_state Unexecuted instantiation: tls_features.c:_gnutls_get_lib_state Unexecuted instantiation: verify-high.c:_gnutls_get_lib_state Unexecuted instantiation: verify-high2.c:_gnutls_get_lib_state Unexecuted instantiation: verify.c:_gnutls_get_lib_state Unexecuted instantiation: virt-san.c:_gnutls_get_lib_state Unexecuted instantiation: x509.c:_gnutls_get_lib_state Unexecuted instantiation: x509_dn.c:_gnutls_get_lib_state Unexecuted instantiation: x509_ext.c:_gnutls_get_lib_state Unexecuted instantiation: x509_write.c:_gnutls_get_lib_state Unexecuted instantiation: attributes.c:_gnutls_get_lib_state Unexecuted instantiation: email-verify.c:_gnutls_get_lib_state Unexecuted instantiation: krb5.c:_gnutls_get_lib_state Unexecuted instantiation: name_constraints.c:_gnutls_get_lib_state |
57 | | |
58 | | int _gnutls_fips_perform_self_checks1(void); |
59 | | int _gnutls_fips_perform_self_checks2(void); |
60 | | void _gnutls_fips_mode_reset_zombie(void); |
61 | | |
62 | | # ifdef ENABLE_FIPS140 |
63 | | unsigned _gnutls_fips_mode_enabled(void); |
64 | | # else |
65 | | # define _gnutls_fips_mode_enabled() 0 |
66 | | # endif |
67 | | |
68 | 0 | # define HAVE_LIB_ERROR() unlikely(_gnutls_get_lib_state() != LIB_STATE_OPERATIONAL && _gnutls_get_lib_state() != LIB_STATE_SELFTEST) |
69 | | |
70 | | # define FAIL_IF_LIB_ERROR \ |
71 | 0 | if (HAVE_LIB_ERROR()) return GNUTLS_E_LIB_IN_ERROR_STATE |
72 | | |
73 | | void _gnutls_switch_lib_state(gnutls_lib_state_t state); |
74 | | |
75 | | void _gnutls_lib_simulate_error(void); |
76 | | void _gnutls_lib_force_operational(void); |
77 | | |
78 | | inline static bool |
79 | | is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo) |
80 | 0 | { |
81 | 0 | switch (algo) { |
82 | 0 | case GNUTLS_MAC_SHA1: |
83 | 0 | case GNUTLS_MAC_SHA256: |
84 | 0 | case GNUTLS_MAC_SHA384: |
85 | 0 | case GNUTLS_MAC_SHA512: |
86 | 0 | case GNUTLS_MAC_SHA224: |
87 | 0 | case GNUTLS_MAC_SHA3_224: |
88 | 0 | case GNUTLS_MAC_SHA3_256: |
89 | 0 | case GNUTLS_MAC_SHA3_384: |
90 | 0 | case GNUTLS_MAC_SHA3_512: |
91 | 0 | return true; |
92 | 0 | default: |
93 | 0 | return false; |
94 | 0 | } |
95 | 0 | } Unexecuted instantiation: common.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: crl.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: crq.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: dn.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: extensions.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: hostname-verify.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: key_decode.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: key_encode.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: mpi.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: ocsp.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: output.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: pkcs12.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: pkcs12_bag.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: pkcs7-crypt.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: privkey_openssl.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: privkey_pkcs8.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: privkey_pkcs8_pbes1.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: prov-seed.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: sign.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: time.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: tls_features.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: verify-high.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: verify-high2.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: verify.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: virt-san.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: x509.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: x509_dn.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: x509_ext.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: x509_write.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: attributes.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: email-verify.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: krb5.c:is_mac_algo_hmac_approved_in_fips Unexecuted instantiation: name_constraints.c:is_mac_algo_hmac_approved_in_fips |
96 | | |
97 | | inline static bool is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo) |
98 | 0 | { |
99 | 0 | if (is_mac_algo_hmac_approved_in_fips(algo)) { |
100 | 0 | return true; |
101 | 0 | } |
102 | 0 |
|
103 | 0 | switch (algo) { |
104 | 0 | case GNUTLS_MAC_AES_CMAC_128: |
105 | 0 | case GNUTLS_MAC_AES_CMAC_256: |
106 | 0 | case GNUTLS_MAC_AES_GMAC_128: |
107 | 0 | case GNUTLS_MAC_AES_GMAC_192: |
108 | 0 | case GNUTLS_MAC_AES_GMAC_256: |
109 | 0 | return true; |
110 | 0 | default: |
111 | 0 | return false; |
112 | 0 | } |
113 | 0 | } Unexecuted instantiation: common.c:is_mac_algo_approved_in_fips Unexecuted instantiation: crl.c:is_mac_algo_approved_in_fips Unexecuted instantiation: crq.c:is_mac_algo_approved_in_fips Unexecuted instantiation: dn.c:is_mac_algo_approved_in_fips Unexecuted instantiation: extensions.c:is_mac_algo_approved_in_fips Unexecuted instantiation: hostname-verify.c:is_mac_algo_approved_in_fips Unexecuted instantiation: key_decode.c:is_mac_algo_approved_in_fips Unexecuted instantiation: key_encode.c:is_mac_algo_approved_in_fips Unexecuted instantiation: mpi.c:is_mac_algo_approved_in_fips Unexecuted instantiation: ocsp.c:is_mac_algo_approved_in_fips Unexecuted instantiation: output.c:is_mac_algo_approved_in_fips Unexecuted instantiation: pkcs12.c:is_mac_algo_approved_in_fips Unexecuted instantiation: pkcs12_bag.c:is_mac_algo_approved_in_fips Unexecuted instantiation: pkcs7-crypt.c:is_mac_algo_approved_in_fips Unexecuted instantiation: privkey_openssl.c:is_mac_algo_approved_in_fips Unexecuted instantiation: privkey_pkcs8.c:is_mac_algo_approved_in_fips Unexecuted instantiation: privkey_pkcs8_pbes1.c:is_mac_algo_approved_in_fips Unexecuted instantiation: prov-seed.c:is_mac_algo_approved_in_fips Unexecuted instantiation: sign.c:is_mac_algo_approved_in_fips Unexecuted instantiation: time.c:is_mac_algo_approved_in_fips Unexecuted instantiation: tls_features.c:is_mac_algo_approved_in_fips Unexecuted instantiation: verify-high.c:is_mac_algo_approved_in_fips Unexecuted instantiation: verify-high2.c:is_mac_algo_approved_in_fips Unexecuted instantiation: verify.c:is_mac_algo_approved_in_fips Unexecuted instantiation: virt-san.c:is_mac_algo_approved_in_fips Unexecuted instantiation: x509.c:is_mac_algo_approved_in_fips Unexecuted instantiation: x509_dn.c:is_mac_algo_approved_in_fips Unexecuted instantiation: x509_ext.c:is_mac_algo_approved_in_fips Unexecuted instantiation: x509_write.c:is_mac_algo_approved_in_fips Unexecuted instantiation: attributes.c:is_mac_algo_approved_in_fips Unexecuted instantiation: email-verify.c:is_mac_algo_approved_in_fips Unexecuted instantiation: krb5.c:is_mac_algo_approved_in_fips Unexecuted instantiation: name_constraints.c:is_mac_algo_approved_in_fips |
114 | | |
115 | | inline static bool is_mac_algo_allowed_in_fips(gnutls_mac_algorithm_t algo) |
116 | 0 | { |
117 | 0 | return is_mac_algo_approved_in_fips(algo); |
118 | 0 | } Unexecuted instantiation: common.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: crl.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: crq.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: dn.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: extensions.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: hostname-verify.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: key_decode.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: key_encode.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: mpi.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: ocsp.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: output.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: pkcs12.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: pkcs12_bag.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: pkcs7-crypt.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: privkey_openssl.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: privkey_pkcs8.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: privkey_pkcs8_pbes1.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: prov-seed.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: sign.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: time.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: tls_features.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: verify-high.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: verify-high2.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: verify.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: virt-san.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: x509.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: x509_dn.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: x509_ext.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: x509_write.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: attributes.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: email-verify.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: krb5.c:is_mac_algo_allowed_in_fips Unexecuted instantiation: name_constraints.c:is_mac_algo_allowed_in_fips |
119 | | |
120 | | inline static bool |
121 | | is_cipher_algo_approved_in_fips(gnutls_cipher_algorithm_t algo) |
122 | 0 | { |
123 | 0 | switch (algo) { |
124 | 0 | case GNUTLS_CIPHER_AES_128_CBC: |
125 | 0 | case GNUTLS_CIPHER_AES_256_CBC: |
126 | 0 | case GNUTLS_CIPHER_AES_192_CBC: |
127 | 0 | case GNUTLS_CIPHER_AES_128_CCM: |
128 | 0 | case GNUTLS_CIPHER_AES_256_CCM: |
129 | 0 | case GNUTLS_CIPHER_AES_128_CCM_8: |
130 | 0 | case GNUTLS_CIPHER_AES_256_CCM_8: |
131 | 0 | case GNUTLS_CIPHER_AES_128_CFB8: |
132 | 0 | case GNUTLS_CIPHER_AES_192_CFB8: |
133 | 0 | case GNUTLS_CIPHER_AES_256_CFB8: |
134 | 0 | case GNUTLS_CIPHER_AES_128_XTS: |
135 | 0 | case GNUTLS_CIPHER_AES_256_XTS: |
136 | 0 | return true; |
137 | 0 | default: |
138 | 0 | return false; |
139 | 0 | } |
140 | 0 | } Unexecuted instantiation: common.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: crl.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: crq.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: dn.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: extensions.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: hostname-verify.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: key_decode.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: key_encode.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: mpi.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: ocsp.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: output.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: pkcs12.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: pkcs12_bag.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: pkcs7-crypt.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: privkey_openssl.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: privkey_pkcs8.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: privkey_pkcs8_pbes1.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: prov-seed.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: sign.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: time.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: tls_features.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: verify-high.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: verify-high2.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: verify.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: virt-san.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: x509.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: x509_dn.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: x509_ext.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: x509_write.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: attributes.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: email-verify.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: krb5.c:is_cipher_algo_approved_in_fips Unexecuted instantiation: name_constraints.c:is_cipher_algo_approved_in_fips |
141 | | |
142 | | inline static bool |
143 | | is_cipher_algo_allowed_in_fips(gnutls_cipher_algorithm_t algo) |
144 | 0 | { |
145 | 0 | if (is_cipher_algo_approved_in_fips(algo)) { |
146 | 0 | return true; |
147 | 0 | } |
148 | 0 |
|
149 | 0 | /* GCM is only approved in TLS */ |
150 | 0 | switch (algo) { |
151 | 0 | case GNUTLS_CIPHER_AES_128_GCM: |
152 | 0 | case GNUTLS_CIPHER_AES_192_GCM: |
153 | 0 | case GNUTLS_CIPHER_AES_256_GCM: |
154 | 0 | return true; |
155 | 0 | default: |
156 | 0 | return false; |
157 | 0 | } |
158 | 0 | } Unexecuted instantiation: common.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: crl.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: crq.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: dn.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: extensions.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: hostname-verify.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: key_decode.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: key_encode.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: mpi.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: ocsp.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: output.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: pkcs12.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: pkcs12_bag.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: pkcs7-crypt.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: privkey_openssl.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: privkey_pkcs8.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: privkey_pkcs8_pbes1.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: prov-seed.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: sign.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: time.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: tls_features.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: verify-high.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: verify-high2.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: verify.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: virt-san.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: x509.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: x509_dn.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: x509_ext.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: x509_write.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: attributes.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: email-verify.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: krb5.c:is_cipher_algo_allowed_in_fips Unexecuted instantiation: name_constraints.c:is_cipher_algo_allowed_in_fips |
159 | | |
160 | | # ifdef ENABLE_FIPS140 |
161 | | /* This will test the condition when in FIPS140-2 mode |
162 | | * and return an error if necessary or ignore */ |
163 | | # define FIPS_RULE(condition, ret_error, ...) { \ |
164 | | gnutls_fips_mode_t _mode = _gnutls_fips_mode_enabled(); \ |
165 | | if (_mode != GNUTLS_FIPS140_DISABLED) { \ |
166 | | if (condition) { \ |
167 | | if (_mode == GNUTLS_FIPS140_LOG) { \ |
168 | | _gnutls_audit_log(NULL, "fips140-2: allowing "__VA_ARGS__); \ |
169 | | } else if (_mode != GNUTLS_FIPS140_LAX) { \ |
170 | | _gnutls_debug_log("fips140-2: disallowing "__VA_ARGS__); \ |
171 | | return ret_error; \ |
172 | | } \ |
173 | | } \ |
174 | | }} |
175 | | |
176 | | inline static bool is_mac_algo_allowed(gnutls_mac_algorithm_t algo) |
177 | | { |
178 | | gnutls_fips_mode_t mode = _gnutls_fips_mode_enabled(); |
179 | | if (_gnutls_get_lib_state() != LIB_STATE_SELFTEST && |
180 | | !is_mac_algo_allowed_in_fips(algo)) { |
181 | | switch (mode) { |
182 | | case GNUTLS_FIPS140_LOG: |
183 | | _gnutls_audit_log(NULL, |
184 | | "fips140-2: allowing access to %s\n", |
185 | | gnutls_mac_get_name(algo)); |
186 | | FALLTHROUGH; |
187 | | case GNUTLS_FIPS140_DISABLED: |
188 | | case GNUTLS_FIPS140_LAX: |
189 | | return true; |
190 | | default: |
191 | | return false; |
192 | | } |
193 | | } |
194 | | |
195 | | return true; |
196 | | } |
197 | | |
198 | | inline static bool is_cipher_algo_allowed(gnutls_cipher_algorithm_t algo) |
199 | | { |
200 | | gnutls_fips_mode_t mode = _gnutls_fips_mode_enabled(); |
201 | | if (_gnutls_get_lib_state() != LIB_STATE_SELFTEST && |
202 | | !is_cipher_algo_allowed_in_fips(algo)) { |
203 | | switch (mode) { |
204 | | case GNUTLS_FIPS140_LOG: |
205 | | _gnutls_audit_log(NULL, |
206 | | "fips140-2: allowing access to %s\n", |
207 | | gnutls_cipher_get_name(algo)); |
208 | | FALLTHROUGH; |
209 | | case GNUTLS_FIPS140_DISABLED: |
210 | | case GNUTLS_FIPS140_LAX: |
211 | | return true; |
212 | | default: |
213 | | return false; |
214 | | } |
215 | | } |
216 | | |
217 | | return true; |
218 | | } |
219 | | # else |
220 | | # define is_mac_algo_allowed(x) true |
221 | | # define is_cipher_algo_allowed(x) true |
222 | | # define FIPS_RULE(condition, ret_error, ...) |
223 | | # endif |
224 | | |
225 | | #endif /* GNUTLS_LIB_FIPS_H */ |