[gnutls-devel] GnuTLS | Add self-test code inside a FIPS context (!1607)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Jul 6 10:29:24 CEST 2022




Daiki Ueno started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1607#note_1017257958

>  gnutls_fips140_run_self_tests(void)
>  {
>  #ifdef ENABLE_FIPS140
> -	int ret;
> +	int ret, fips_ctx_ret = -1;
>  	unsigned prev_lib_state;
> +	gnutls_fips140_context_t fips_context;
> +
> +	/* Save the FIPS context, because self tests change it */
> +	if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
> +	    fips_ctx_ret = gnutls_fips140_context_init(&fips_context);
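Review bot: the context allocated by `gnutls_fips140_context_init(&fips_context)` on the last line of the hunk has no matching `gnutls_fips140_context_deinit()` in the visible lines, so every exit path of `gnutls_fips140_run_self_tests()` must release it, and `fips_context` is declared without an initialiser, so its value is indeterminate whenever the `gnutls_fips140_mode_enabled()` check skips the init. Declaring it as `gnutls_fips140_context_t fips_context = NULL;` and keying the later restore and release on `fips_ctx_ret == 0` (it is already initialised to -1 for that purpose) rather than re-checking the mode would make a single unconditional deinit at the end safe.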

`fips_context` needs to be released with `gnutls_fips140_context_deinit`. Having that in mind, maybe a simpler logic would be:
```c
gnutls_fips140_context_t fips_context = NULL;

/* Save the FIPS context, because self tests change it */
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
  if (gnutls_fips140_context_init(&fips_context) < 0) {
    /* some error handling */
    goto error;
  }
  if (gnutls_fips140_push_context(fips_context) < 0) {
    /* some error handling */
    goto error;
  }
}
...
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
  if (gnutls_fips140_pop_context() < 0) {
    /* some error handling */
    goto error;
  }
}

error:
  gnutls_fips140_context_deinit(fips_context);
```
Or, if we don't want to treat those errors hard:
```c
gnutls_fips140_context_t fips_context = NULL;

/* Save the FIPS context, because self tests change it */
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
  if (gnutls_fips140_context_init(&fips_context) < 0 ||
      gnutls_fips140_push_context(fips_context) < 0) {
      gnutls_fips140_context_deinit(fips_context);
      fips_context = NULL;
  }
}
...
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED && fips_context) {
  if (gnutls_fips140_pop_context() < 0) {
    /* some error handling */
  }
  gnutls_fips140_context_deinit(fips_context);
}
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1607#note_1017257958
You're receiving this email because of your account on gitlab.com.
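The save/restore pattern from the second sketch above, worked through as an added example that is not part of the original comment or of GnuTLS. The `demo_*` functions are a constructed stand-in that models the library's context semantics (a push/pop stack of contexts, each recording whether the operations run under it were all approved, with "not approved" sticky); the `DEMO_E_*` codes, `demo_record_operation`, and both self-test bodies are hypothetical. It shows the failure mode that motivates the change (self-tests run with no scratch context leave the caller's context NOT_APPROVED), that the scratch context is released whether the tests pass or fail, and that the caller's context is exactly where it was afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for the GnuTLS FIPS context API (not the library's code). */
#define DEMO_E_SUCCESS 0
#define DEMO_E_MEMORY_ERROR (-25)
#define DEMO_E_INVALID_REQUEST (-50)
#define DEMO_E_SELF_TEST_FAILED (-400)	/* hypothetical failed-KAT code */
enum demo_state { DEMO_STATE_INITIAL = 0, DEMO_STATE_APPROVED, DEMO_STATE_NOT_APPROVED };
typedef struct demo_context_st {
	enum demo_state state;
	struct demo_context_st *prev;	/* context below this one on the stack */
} *demo_context_t;
static demo_context_t current_context;	/* top of the stack; NULL when empty */
static int demo_context_init(demo_context_t *ctx)
{
	*ctx = calloc(1, sizeof(**ctx));
	return *ctx != NULL ? DEMO_E_SUCCESS : DEMO_E_MEMORY_ERROR;
}
static void demo_context_deinit(demo_context_t ctx) { free(ctx); }	/* NULL ok, like gnutls_free() */
static int demo_push_context(demo_context_t ctx)
{
	if (ctx == NULL) return DEMO_E_INVALID_REQUEST;
	ctx->prev = current_context;
	current_context = ctx;
	return DEMO_E_SUCCESS;
}
static int demo_pop_context(void)
{
	if (current_context == NULL) return DEMO_E_INVALID_REQUEST;
	current_context = current_context->prev;
	return DEMO_E_SUCCESS;
}

/* Each "crypto operation" reports its verdict into the current context. */
static void demo_record_operation(int approved)
{
	demo_context_t c = current_context;
	if (c == NULL) return;
	if (!approved || c->state == DEMO_STATE_INITIAL)	/* NOT_APPROVED is sticky */
		c->state = approved ? DEMO_STATE_APPROVED : DEMO_STATE_NOT_APPROVED;
}

/* Constructed self-tests; real ones also run non-approved algorithms, hence the problem. */
static int demo_self_tests_ok(void)
{
	demo_record_operation(1);
	demo_record_operation(0);	/* e.g. a KAT for a non-approved cipher */
	return DEMO_E_SUCCESS;
}
static int demo_self_tests_failing(void)
{
	demo_record_operation(0);
	return DEMO_E_SELF_TEST_FAILED;	/* gives up part-way through */
}

/* Runner from the review's second sketch: push a scratch context, run the tests,
 * pop and free it on every path; if it cannot be set up, run the tests anyway. */
static int demo_run_saved(int (*self_tests)(void))
{
	demo_context_t scratch = NULL;
	int ret;
	if (demo_context_init(&scratch) < 0 || demo_push_context(scratch) < 0) {
		demo_context_deinit(scratch);
		scratch = NULL;
	}
	ret = self_tests();
	if (scratch != NULL) {
		if (demo_pop_context() < 0 && ret >= 0) ret = DEMO_E_INVALID_REQUEST;
		demo_context_deinit(scratch);
	}
	return ret;
}

/* Scenario: an app context that has only done approved work is current while the
 * self-tests run (directly when runner is NULL). Reports the app's state and stack. */
static int demo_scenario(int (*runner)(int (*)(void)), int (*self_tests)(void),
			 enum demo_state *app_state, int *stack_intact)
{
	demo_context_t app = NULL;
	int ret;
	if (demo_context_init(&app) < 0) return DEMO_E_MEMORY_ERROR;
	demo_push_context(app);	/* cannot fail for a non-NULL context */
	demo_record_operation(1);
	ret = runner != NULL ? runner(self_tests) : self_tests();
	*app_state = app->state;
	*stack_intact = (current_context == app);
	demo_pop_context();
	demo_context_deinit(app);
	return ret;
}

int main(void)
{
	enum demo_state s; int intact;
	demo_scenario(NULL, demo_self_tests_ok, &s, &intact);
	printf("no save: app state %d\n", s);	/* 2: NOT_APPROVED leaked into the app */
	demo_scenario(demo_run_saved, demo_self_tests_ok, &s, &intact);
	printf("saved:   app state %d, stack intact %d\n", s, intact);	/* 1, 1 */
}
```

The fallback branch in `demo_run_saved` is the "don't treat those errors hard" choice from the sketch: if the scratch context cannot be allocated, the self-tests still run, but then they run against the caller's context, so in that case the caller does observe their effect. Whether that is acceptable is the policy question the two sketches differ on; the first sketch would instead return an error before running any test.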

