[gnutls-devel] GnuTLS | _gnutls_priority_update_fips is called when the fips mode is off (#1485)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Jun 7 11:05:34 CEST 2023
wang cheng commented: https://gitlab.com/gnutls/gnutls/-/issues/1485#note_1421539327
Thank you for your reply. But your description is a bit different from my understanding.
I know from `gnutls_fips_mode_t` in `gnutls.h` that a return value of 2 corresponds to the `GNUTLS_FIPS140_SELFTESTS` state:
> A transient state during library initialization. That state cannot be set or seen by applications.
```c
typedef enum gnutls_fips_mode_t {
	GNUTLS_FIPS140_DISABLED = 0,
	GNUTLS_FIPS140_STRICT = 1,
	GNUTLS_FIPS140_SELFTESTS = 2,
	GNUTLS_FIPS140_LAX = 3,
	GNUTLS_FIPS140_LOG = 4
} gnutls_fips_mode_t;
```
When the system fips mode is turned off (but `/etc/system-fips` has been generated), and the environment variable GNUTLS_FORCE_FIPS_MODE is not set, gnutls will enter the GNUTLS_FIPS140_SELFTESTS state. As described above, the application in its current state should not perceive a difference compared to GNUTLS_FIPS140_DISABLED mode. Maybe the call to the `_gnutls_priority_update_fips` function needs tweaking?
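To reproduce the configuration the comment describes, an administrator needs to look at the same three inputs it names: the kernel FIPS flag, the presence of `/etc/system-fips`, and the `GNUTLS_FORCE_FIPS_MODE` environment variable. The script below is an added example, not code from the GnuTLS project or from the commenter. It assumes the kernel flag is exposed at `/proc/sys/crypto/fips_enabled` (the usual Linux location); the classification labels are this example's own, and the only combination it interprets is the one stated in the comment (kernel FIPS off, `/etc/system-fips` present, variable unset). The final `gnutls-cli --fips140-mode` call prints the library's own view of the mode so it can be compared with the classification.

```shell
#!/bin/sh
# Added example (not from the GnuTLS project): report the inputs that the
# comment above says decide GnuTLS's FIPS state at startup, and flag the
# combination described there. File paths are parameters so the check can
# be run against copies of the files as well as against the live system.

# Print the kernel FIPS flag; an unreadable or missing file counts as 0.
kernel_fips_flag() {
    f="${1:-/proc/sys/crypto/fips_enabled}"   # assumed kernel flag location
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo 0
    fi
}

# Classify a configuration from: kernel flag file, system-fips marker file,
# and an optional forced-mode value (defaults to $GNUTLS_FORCE_FIPS_MODE).
# Labels are this example's own, not GnuTLS terminology.
classify_fips_config() {
    kflag=$(kernel_fips_flag "$1")
    sysfile="${2:-/etc/system-fips}"
    force="${3-${GNUTLS_FORCE_FIPS_MODE-}}"
    if [ -n "$force" ]; then
        # The variable overrides the file-based detection.
        echo "forced:GNUTLS_FORCE_FIPS_MODE=$force"
    elif [ "$kflag" = "1" ] && [ -e "$sysfile" ]; then
        echo "kernel-on-and-system-fips-present"
    elif [ "$kflag" != "1" ] && [ -e "$sysfile" ]; then
        # This is the case from the report: the comment states that GnuTLS
        # then lands in GNUTLS_FIPS140_SELFTESTS instead of DISABLED, so
        # applications may see FIPS-only priority behaviour unexpectedly.
        echo "inconsistent:kernel-off-but-system-fips-present"
    else
        echo "system-fips-absent"
    fi
}

# Live report when run directly.
printf 'configuration: %s\n' "$(classify_fips_config)"
if command -v gnutls-cli >/dev/null 2>&1; then
    # Library's own view of the mode, for comparison with the line above.
    gnutls-cli --fips140-mode || true
fi
```

If the script prints `inconsistent:kernel-off-but-system-fips-present` while `gnutls-cli --fips140-mode` reports anything other than a disabled mode, the host is in the state the comment describes; removing the stale `/etc/system-fips` marker, or setting `GNUTLS_FORCE_FIPS_MODE` explicitly, makes the two sources agree again.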