1199 lines
58 KiB
Diff
1199 lines
58 KiB
Diff
|
Index: gnutls-3.8.3/configure.ac
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/configure.ac
|
|||
|
+++ gnutls-3.8.3/configure.ac
|
|||
|
@@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared
|
|||
|
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
|
|||
|
|
|||
|
AC_ARG_ENABLE(fips140-mode,
|
|||
|
- AS_HELP_STRING([--enable-fips140-mode], [enable FIPS140-2 mode]),
|
|||
|
+ AS_HELP_STRING([--enable-fips140-mode], [enable FIPS140-3 mode]),
|
|||
|
enable_fips=$enableval, enable_fips=no)
|
|||
|
AM_CONDITIONAL(ENABLE_FIPS140, test "$enable_fips" = "yes")
|
|||
|
if [ test "$enable_fips" = "yes" ];then
|
|||
|
if test "x$HAVE_LIBDL" = "xyes";then
|
|||
|
- AC_DEFINE([ENABLE_FIPS140], 1, [Enable FIPS140-2 mode])
|
|||
|
+ AC_DEFINE([ENABLE_FIPS140], 1, [Enable FIPS140-3 mode])
|
|||
|
AC_SUBST([FIPS140_LIBS], $LIBDL)
|
|||
|
AC_ARG_WITH(fips140-key, AS_HELP_STRING([--with-fips140-key],
|
|||
|
[specify the FIPS140 HMAC key for integrity]),
|
|||
|
fips_key="$withval",
|
|||
|
fips_key="orboDeJITITejsirpADONivirpUkvarP")
|
|||
|
|
|||
|
- AC_DEFINE_UNQUOTED([FIPS_KEY], ["$fips_key"], [The FIPS140-2 integrity key])
|
|||
|
+ AC_DEFINE_UNQUOTED([FIPS_KEY], ["$fips_key"], [The FIPS140-3 integrity key])
|
|||
|
|
|||
|
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
|
|||
|
[specify the FIPS140 module name]),
|
|||
|
Index: gnutls-3.8.3/doc/cha-gtls-app.texi
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/cha-gtls-app.texi
|
|||
|
+++ gnutls-3.8.3/doc/cha-gtls-app.texi
|
|||
|
@@ -222,7 +222,7 @@ CPU. The currently available options are
|
|||
|
@end itemize
|
|||
|
|
|||
|
@item @code{GNUTLS_FORCE_FIPS_MODE}
|
|||
|
-@tab In setups where GnuTLS is compiled with support for FIPS140-2 (see @ref{FIPS140-2 mode})
|
|||
|
+@tab In setups where GnuTLS is compiled with support for FIPS140-3 (see @ref{FIPS140-3 mode})
|
|||
|
if set to one it will force the FIPS mode enablement.
|
|||
|
|
|||
|
@end multitable
|
|||
|
Index: gnutls-3.8.3/doc/cha-internals.texi
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/cha-internals.texi
|
|||
|
+++ gnutls-3.8.3/doc/cha-internals.texi
|
|||
|
@@ -14,7 +14,7 @@ happens inside the black box.
|
|||
|
* TLS Hello Extension Handling::
|
|||
|
* Cryptographic Backend::
|
|||
|
* Random Number Generators-internals::
|
|||
|
-* FIPS140-2 mode::
|
|||
|
+* FIPS140-3 mode::
|
|||
|
@end menu
|
|||
|
|
|||
|
@node The TLS Protocol
|
|||
|
@@ -529,7 +529,7 @@ For more information see @ref{Hardware s
|
|||
|
|
|||
|
GnuTLS provides two random generators. The default, and the AES-DRBG random
|
|||
|
generator which is only used when the library is compiled with support for
|
|||
|
-FIPS140-2 and the system is in FIPS140-2 mode.
|
|||
|
+FIPS140-3 and the system is in FIPS140-3 mode.
|
|||
|
|
|||
|
@subheading The default generator - inner workings
|
|||
|
|
|||
|
@@ -659,23 +659,23 @@ two distinct times, and being able to re
|
|||
|
after observing the output of the PRNG. Given the approach described
|
|||
|
on the above paragraph, all levels are immune to such attack.
|
|||
|
|
|||
|
-@node FIPS140-2 mode
|
|||
|
-@section FIPS140-2 mode
|
|||
|
+@node FIPS140-3 mode
|
|||
|
+@section FIPS140-3 mode
|
|||
|
|
|||
|
-GnuTLS can operate in a special mode for FIPS140-2. That mode of operation
|
|||
|
-is for the conformance to NIST's FIPS140-2 publication, which consists of policies
|
|||
|
+GnuTLS can operate in a special mode for FIPS140-3. That mode of operation
|
|||
|
+is for the conformance to NIST's FIPS140-3 publication, which consists of policies
|
|||
|
for cryptographic modules (such as software libraries). Its implementation in
|
|||
|
GnuTLS is designed for Red Hat Enterprise Linux, and can only be enabled
|
|||
|
when the library is explicitly compiled with the '--enable-fips140-mode'
|
|||
|
configure option.
|
|||
|
|
|||
|
-There are two distinct library states with regard to FIPS140-2: the FIPS140-2
|
|||
|
+There are two distinct library states with regard to FIPS140-3: the FIPS140-3
|
|||
|
mode is @emph{installed} if @code{/etc/system-fips} is present, and the
|
|||
|
-FIPS140-2 mode is @emph{enabled} if @code{/proc/sys/crypto/fips_enabled}
|
|||
|
+FIPS140-3 mode is @emph{enabled} if @code{/proc/sys/crypto/fips_enabled}
|
|||
|
contains '1', which is typically set with the ``fips=1'' kernel command line
|
|||
|
option.
|
|||
|
|
|||
|
-When the FIPS140-2 mode is installed, the operation of the library is modified
|
|||
|
+When the FIPS140-3 mode is installed, the operation of the library is modified
|
|||
|
as follows.
|
|||
|
|
|||
|
@itemize
|
|||
|
@@ -684,12 +684,12 @@ as follows.
|
|||
|
@item Algorithm self-tests are run on library load
|
|||
|
@end itemize
|
|||
|
|
|||
|
-When the FIPS140-2 mode is enabled, The operation of the library is in addition
|
|||
|
+When the FIPS140-3 mode is enabled, The operation of the library is in addition
|
|||
|
modified as follows.
|
|||
|
|
|||
|
@itemize
|
|||
|
-@item Only approved by FIPS140-2 algorithms are enabled
|
|||
|
-@item Only approved by FIPS140-2 key lengths are allowed for key generation
|
|||
|
+@item Only approved by FIPS140-3 algorithms are enabled
|
|||
|
+@item Only approved by FIPS140-3 key lengths are allowed for key generation
|
|||
|
@item Any cryptographic operation will be refused if any of the self-tests failed
|
|||
|
@end itemize
|
|||
|
|
|||
|
@@ -698,7 +698,7 @@ There are also few environment variables
|
|||
|
environment variable @code{GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS} will disable
|
|||
|
the library integrity tests on startup, and the variable
|
|||
|
@code{GNUTLS_FORCE_FIPS_MODE} can be set to force a value from
|
|||
|
-@ref{gnutls_fips_mode_t}, i.e., '1' will enable the FIPS140-2
|
|||
|
+@ref{gnutls_fips_mode_t}, i.e., '1' will enable the FIPS140-3
|
|||
|
mode, while '0' will disable it.
|
|||
|
|
|||
|
The integrity checks for the dependent libraries and GnuTLS are performed
|
|||
|
@@ -706,20 +706,20 @@ using '.hmac' files which are present at
|
|||
|
key for the operations can be provided on compile-time with the configure
|
|||
|
option '--with-fips140-key'. The MAC algorithm used is HMAC-SHA256.
|
|||
|
|
|||
|
-On runtime an application can verify whether the library is in FIPS140-2
|
|||
|
+On runtime an application can verify whether the library is in FIPS140-3
|
|||
|
mode using the @funcref{gnutls_fips140_mode_enabled} function.
|
|||
|
|
|||
|
-@subheading Relaxing FIPS140-2 requirements
|
|||
|
+@subheading Relaxing FIPS140-3 requirements
|
|||
|
|
|||
|
The library by default operates in a strict enforcing mode, ensuring that
|
|||
|
-all constraints imposed by the FIPS140-2 specification are enforced. However
|
|||
|
+all constraints imposed by the FIPS140-3 specification are enforced. However
|
|||
|
the application can relax these requirements via @funcref{gnutls_fips140_set_mode}
|
|||
|
which can switch to alternative modes as in @ref{gnutls_fips_mode_t}.
|
|||
|
|
|||
|
@showenumdesc{gnutls_fips_mode_t,The @code{gnutls_@-fips_@-mode_t} enumeration.}
|
|||
|
|
|||
|
The intention of this API is to be used by applications which may run in
|
|||
|
-FIPS140-2 mode, while they utilize few algorithms not in the allowed set,
|
|||
|
+FIPS140-3 mode, while they utilize few algorithms not in the allowed set,
|
|||
|
e.g., for non-security related purposes. In these cases applications should
|
|||
|
wrap the non-compliant code within blocks like the following.
|
|||
|
|
|||
|
@@ -748,9 +748,9 @@ if (gnutls_fips140_mode_enabled())
|
|||
|
The reason of the @code{GNUTLS_FIPS140_SET_MODE_THREAD} flag in the
|
|||
|
previous calls is to localize the change in the mode. Note also, that
|
|||
|
such a block has no effect when the library is not operating
|
|||
|
-under FIPS140-2 mode, and thus it can be considered a no-op.
|
|||
|
+under FIPS140-3 mode, and thus it can be considered a no-op.
|
|||
|
|
|||
|
-Applications could also switch FIPS140-2 mode explicitly off, by calling
|
|||
|
+Applications could also switch FIPS140-3 mode explicitly off, by calling
|
|||
|
@example
|
|||
|
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
|||
|
@end example
|
|||
|
@@ -768,7 +768,7 @@ performed within a given context.
|
|||
|
|
|||
|
@showfuncD{gnutls_fips140_context_init,gnutls_fips140_context_deinit,gnutls_fips140_push_context,gnutls_fips140_pop_context}
|
|||
|
|
|||
|
-The @code{gnutls_fips140_context_t} represents the FIPS140-2 mode of
|
|||
|
+The @code{gnutls_fips140_context_t} represents the FIPS140-3 mode of
|
|||
|
operation. It can be attached to the current execution thread with
|
|||
|
@funcref{gnutls_fips140_push_context} and its internal state will be
|
|||
|
updated until it is detached with
|
|||
|
Index: gnutls-3.8.3/doc/enums.texi
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/enums.texi
|
|||
|
+++ gnutls-3.8.3/doc/enums.texi
|
|||
|
@@ -1188,7 +1188,7 @@ application traffic secret is installed
|
|||
|
@c gnutls_fips_mode_t
|
|||
|
@table @code
|
|||
|
@item GNUTLS_@-FIPS140_@-DISABLED
|
|||
|
-The FIPS140-2 mode is disabled.
|
|||
|
+The FIPS140-3 mode is disabled.
|
|||
|
@item GNUTLS_@-FIPS140_@-STRICT
|
|||
|
The default mode; all forbidden operations will cause an
|
|||
|
operation failure via error code.
|
|||
|
@@ -1196,8 +1196,8 @@ operation failure via error code.
|
|||
|
A transient state during library initialization. That state
|
|||
|
cannot be set or seen by applications.
|
|||
|
@item GNUTLS_@-FIPS140_@-LAX
|
|||
|
-The library still uses the FIPS140-2 relevant algorithms but all
|
|||
|
-forbidden by FIPS140-2 operations are allowed; this is useful when the
|
|||
|
+The library still uses the FIPS140-3 relevant algorithms but all
|
|||
|
+forbidden by FIPS140-3 operations are allowed; this is useful when the
|
|||
|
application is aware of the followed security policy, and needs
|
|||
|
to utilize disallowed operations for other reasons (e.g., compatibility).
|
|||
|
@item GNUTLS_@-FIPS140_@-LOG
|
|||
|
Index: gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/functions/gnutls_fips140_set_mode
|
|||
|
+++ gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
|
|||
|
@@ -3,7 +3,7 @@
|
|||
|
|
|||
|
|
|||
|
@deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags})
|
|||
|
-@var{mode}: the FIPS140-2 mode to switch to
|
|||
|
+@var{mode}: the FIPS140-3 mode to switch to
|
|||
|
|
|||
|
@var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD}
|
|||
|
|
|||
|
@@ -12,13 +12,13 @@ That function is not thread-safe when ch
|
|||
|
behavior with no flags after threads are created is undefined.
|
|||
|
|
|||
|
When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified
|
|||
|
-then this call will change the FIPS140-2 mode for this particular
|
|||
|
+then this call will change the FIPS140-3 mode for this particular
|
|||
|
thread and not for the whole process. That way an application
|
|||
|
can utilize this function to set and reset mode for specific
|
|||
|
operations.
|
|||
|
|
|||
|
This function never fails but will be a no-op if used when
|
|||
|
-the library is not in FIPS140-2 mode. When asked to switch to unknown
|
|||
|
+the library is not in FIPS140-3 mode. When asked to switch to unknown
|
|||
|
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
|
|||
|
switches to @code{GNUTLS_FIPS140_STRICT} mode.
|
|||
|
|
|||
|
Index: gnutls-3.8.3/doc/gnutls.html
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/gnutls.html
|
|||
|
+++ gnutls-3.8.3/doc/gnutls.html
|
|||
|
@@ -484,7 +484,7 @@ Documentation License”.
|
|||
|
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
|
|||
|
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
|
|||
|
<li><a id="toc-Random-Number-Generators" href="#Random-Number-Generators_002dinternals">11.6 Random Number Generators</a></li>
|
|||
|
- <li><a id="toc-FIPS140_002d2-mode-1" href="#FIPS140_002d2-mode">11.7 FIPS140-2 mode</a></li>
|
|||
|
+ <li><a id="toc-FIPS140_002d2-mode-1" href="#FIPS140_002d2-mode">11.7 FIPS140-3 mode</a></li>
|
|||
|
</ul></li>
|
|||
|
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
|
|||
|
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
|
|||
|
@@ -9035,7 +9035,7 @@ CPU. The currently available options are
|
|||
|
</li><li>0x200000: Enable VIA PHE
|
|||
|
</li><li>0x400000: Enable VIA PHE SHA512
|
|||
|
</li></ul></td></tr>
|
|||
|
-<tr><td width="30%"><code class="code">GNUTLS_FORCE_FIPS_MODE</code></td><td width="70%">In setups where GnuTLS is compiled with support for FIPS140-2 (see <a class="ref" href="#FIPS140_002d2-mode">FIPS140-2 mode</a>)
|
|||
|
+<tr><td width="30%"><code class="code">GNUTLS_FORCE_FIPS_MODE</code></td><td width="70%">In setups where GnuTLS is compiled with support for FIPS140-3 (see <a class="ref" href="#FIPS140_002d2-mode">FIPS140-3 mode</a>)
|
|||
|
if set to one it will force the FIPS mode enablement.</td></tr>
|
|||
|
</tbody>
|
|||
|
</table>
|
|||
|
@@ -18446,7 +18446,7 @@ None:
|
|||
|
--inline-commands-prefix=str Change the default delimiter for inline commands
|
|||
|
--provider=file Specify the PKCS #11 provider library
|
|||
|
- file must pre-exist
|
|||
|
- --fips140-mode Reports the status of the FIPS140-2 mode in gnutls library
|
|||
|
+ --fips140-mode Reports the status of the FIPS140-3 mode in gnutls library
|
|||
|
--list-config Reports the configuration of the library
|
|||
|
--logfile=str Redirect informational messages to a specific file
|
|||
|
--keymatexport=str Label used for exporting keying material
|
|||
|
@@ -19468,7 +19468,7 @@ happens inside the black box.
|
|||
|
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
|
|||
|
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
|
|||
|
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
|
|||
|
-<li><a href="#FIPS140_002d2-mode" accesskey="7">FIPS140-2 mode</a></li>
|
|||
|
+<li><a href="#FIPS140_002d2-mode" accesskey="7">FIPS140-3 mode</a></li>
|
|||
|
</ul>
|
|||
|
<hr>
|
|||
|
<div class="section-level-extent" id="The-TLS-Protocol">
|
|||
|
@@ -19997,7 +19997,7 @@ For more information see <a class="ref"
|
|||
|
<div class="section-level-extent" id="Random-Number-Generators_002dinternals">
|
|||
|
<div class="nav-panel">
|
|||
|
<p>
|
|||
|
-Next: <a href="#FIPS140_002d2-mode" accesskey="n" rel="next">FIPS140-2 mode</a>, Previous: <a href="#Cryptographic-Backend" accesskey="p" rel="prev">Cryptographic Backend</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
|||
|
+Next: <a href="#FIPS140_002d2-mode" accesskey="n" rel="next">FIPS140-3 mode</a>, Previous: <a href="#Cryptographic-Backend" accesskey="p" rel="prev">Cryptographic Backend</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
|||
|
</div>
|
|||
|
<h3 class="section" id="Random-Number-Generators">11.6 Random Number Generators</h3>
|
|||
|
|
|||
|
@@ -20005,7 +20005,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
|
|||
|
|
|||
|
<p>GnuTLS provides two random generators. The default, and the AES-DRBG random
|
|||
|
generator which is only used when the library is compiled with support for
|
|||
|
-FIPS140-2 and the system is in FIPS140-2 mode.
|
|||
|
+FIPS140-3 and the system is in FIPS140-3 mode.
|
|||
|
</p>
|
|||
|
<h4 class="subheading" id="The-default-generator-_002d-inner-workings">The default generator - inner workings</h4>
|
|||
|
|
|||
|
@@ -20142,22 +20142,22 @@ on the above paragraph, all levels are i
|
|||
|
<p>
|
|||
|
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
|||
|
</div>
|
|||
|
-<h3 class="section" id="FIPS140_002d2-mode-1">11.7 FIPS140-2 mode</h3>
|
|||
|
+<h3 class="section" id="FIPS140_002d2-mode-1">11.7 FIPS140-3 mode</h3>
|
|||
|
|
|||
|
-<p>GnuTLS can operate in a special mode for FIPS140-2. That mode of operation
|
|||
|
-is for the conformance to NIST’s FIPS140-2 publication, which consists of policies
|
|||
|
+<p>GnuTLS can operate in a special mode for FIPS140-3. That mode of operation
|
|||
|
+is for the conformance to NIST’s FIPS140-3 publication, which consists of policies
|
|||
|
for cryptographic modules (such as software libraries). Its implementation in
|
|||
|
GnuTLS is designed for Red Hat Enterprise Linux, and can only be enabled
|
|||
|
when the library is explicitly compiled with the ’–enable-fips140-mode’
|
|||
|
configure option.
|
|||
|
</p>
|
|||
|
-<p>There are two distinct library states with regard to FIPS140-2: the FIPS140-2
|
|||
|
+<p>There are two distinct library states with regard to FIPS140-3: the FIPS140-3
|
|||
|
mode is <em class="emph">installed</em> if <code class="code">/etc/system-fips</code> is present, and the
|
|||
|
-FIPS140-2 mode is <em class="emph">enabled</em> if <code class="code">/proc/sys/crypto/fips_enabled</code>
|
|||
|
+FIPS140-3 mode is <em class="emph">enabled</em> if <code class="code">/proc/sys/crypto/fips_enabled</code>
|
|||
|
contains ’1’, which is typically set with the “fips=1” kernel command line
|
|||
|
option.
|
|||
|
</p>
|
|||
|
-<p>When the FIPS140-2 mode is installed, the operation of the library is modified
|
|||
|
+<p>When the FIPS140-3 mode is installed, the operation of the library is modified
|
|||
|
as follows.
|
|||
|
</p>
|
|||
|
<ul class="itemize mark-bullet">
|
|||
|
@@ -20166,12 +20166,12 @@ as follows.
|
|||
|
</li><li>Algorithm self-tests are run on library load
|
|||
|
</li></ul>
|
|||
|
|
|||
|
-<p>When the FIPS140-2 mode is enabled, The operation of the library is in addition
|
|||
|
+<p>When the FIPS140-3 mode is enabled, The operation of the library is in addition
|
|||
|
modified as follows.
|
|||
|
</p>
|
|||
|
<ul class="itemize mark-bullet">
|
|||
|
-<li>Only approved by FIPS140-2 algorithms are enabled
|
|||
|
-</li><li>Only approved by FIPS140-2 key lengths are allowed for key generation
|
|||
|
+<li>Only approved by FIPS140-3 algorithms are enabled
|
|||
|
+</li><li>Only approved by FIPS140-3 key lengths are allowed for key generation
|
|||
|
</li><li>Any cryptographic operation will be refused if any of the self-tests failed
|
|||
|
</li></ul>
|
|||
|
|
|||
|
@@ -20180,7 +20180,7 @@ modified as follows.
|
|||
|
environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable
|
|||
|
the library integrity tests on startup, and the variable
|
|||
|
<code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from
|
|||
|
-<a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>, i.e., ’1’ will enable the FIPS140-2
|
|||
|
+<a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>, i.e., ’1’ will enable the FIPS140-3
|
|||
|
mode, while ’0’ will disable it.
|
|||
|
</p>
|
|||
|
<p>The integrity checks for the dependent libraries and GnuTLS are performed
|
|||
|
@@ -20188,13 +20188,13 @@ using ’.hmac’ files which ar
|
|||
|
key for the operations can be provided on compile-time with the configure
|
|||
|
option ’–with-fips140-key’. The MAC algorithm used is HMAC-SHA256.
|
|||
|
</p>
|
|||
|
-<p>On runtime an application can verify whether the library is in FIPS140-2
|
|||
|
+<p>On runtime an application can verify whether the library is in FIPS140-3
|
|||
|
mode using the <a class="ref" href="#gnutls_005ffips140_005fmode_005fenabled">gnutls_fips140_mode_enabled</a> function.
|
|||
|
</p>
|
|||
|
-<h4 class="subheading" id="Relaxing-FIPS140_002d2-requirements">Relaxing FIPS140-2 requirements</h4>
|
|||
|
+<h4 class="subheading" id="Relaxing-FIPS140_002d2-requirements">Relaxing FIPS140-3 requirements</h4>
|
|||
|
|
|||
|
<p>The library by default operates in a strict enforcing mode, ensuring that
|
|||
|
-all constraints imposed by the FIPS140-2 specification are enforced. However
|
|||
|
+all constraints imposed by the FIPS140-3 specification are enforced. However
|
|||
|
the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a>
|
|||
|
which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>.
|
|||
|
</p>
|
|||
|
@@ -20203,7 +20203,7 @@ which can switch to alternative modes as
|
|||
|
|
|||
|
<dl class="table">
|
|||
|
<dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt>
|
|||
|
-<dd><p>The FIPS140-2 mode is disabled.
|
|||
|
+<dd><p>The FIPS140-3 mode is disabled.
|
|||
|
</p></dd>
|
|||
|
<dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt>
|
|||
|
<dd><p>The default mode; all forbidden operations will cause an
|
|||
|
@@ -20214,8 +20214,8 @@ operation failure via error code.
|
|||
|
cannot be set or seen by applications.
|
|||
|
</p></dd>
|
|||
|
<dt><code class="code">GNUTLS_FIPS140_LAX</code></dt>
|
|||
|
-<dd><p>The library still uses the FIPS140-2 relevant algorithms but all
|
|||
|
-forbidden by FIPS140-2 operations are allowed; this is useful when the
|
|||
|
+<dd><p>The library still uses the FIPS140-3 relevant algorithms but all
|
|||
|
+forbidden by FIPS140-3 operations are allowed; this is useful when the
|
|||
|
application is aware of the followed security policy, and needs
|
|||
|
to utilize disallowed operations for other reasons (e.g., compatibility).
|
|||
|
</p></dd>
|
|||
|
@@ -20227,7 +20227,7 @@ to a message to the audit callback funct
|
|||
|
|
|||
|
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
|
|||
|
<p>The intention of this API is to be used by applications which may run in
|
|||
|
-FIPS140-2 mode, while they utilize few algorithms not in the allowed set,
|
|||
|
+FIPS140-3 mode, while they utilize few algorithms not in the allowed set,
|
|||
|
e.g., for non-security related purposes. In these cases applications should
|
|||
|
wrap the non-compliant code within blocks like the following.
|
|||
|
</p>
|
|||
|
@@ -20256,9 +20256,9 @@ if (gnutls_fips140_mode_enabled())
|
|||
|
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
|
|||
|
previous calls is to localize the change in the mode. Note also, that
|
|||
|
such a block has no effect when the library is not operating
|
|||
|
-under FIPS140-2 mode, and thus it can be considered a no-op.
|
|||
|
+under FIPS140-3 mode, and thus it can be considered a no-op.
|
|||
|
</p>
|
|||
|
-<p>Applications could also switch FIPS140-2 mode explicitly off, by calling
|
|||
|
+<p>Applications could also switch FIPS140-3 mode explicitly off, by calling
|
|||
|
</p><div class="example">
|
|||
|
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
|||
|
</pre></div>
|
|||
|
@@ -20281,7 +20281,7 @@ performed within a given context.
|
|||
|
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
|
|||
|
</dl>
|
|||
|
|
|||
|
-<p>The <code class="code">gnutls_fips140_context_t</code> represents the FIPS140-2 mode of
|
|||
|
+<p>The <code class="code">gnutls_fips140_context_t</code> represents the FIPS140-3 mode of
|
|||
|
operation. It can be attached to the current execution thread with
|
|||
|
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
|
|||
|
updated until it is detached with
|
|||
|
@@ -20654,8 +20654,8 @@ Previous: <a href="#Contributing" access
|
|||
|
to an auditor that the crypto component follows some best practices, such
|
|||
|
as unit testing and reliance on well known crypto primitives.
|
|||
|
</p>
|
|||
|
-<p>GnuTLS has support for the FIPS 140-2 certification under Red Hat Enterprise Linux.
|
|||
|
-See <a class="ref" href="#FIPS140_002d2-mode">FIPS140-2 mode</a> for more information.
|
|||
|
+<p>GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
|
|||
|
+See <a class="ref" href="#FIPS140_002d2-mode">FIPS140-3 mode</a> for more information.
|
|||
|
</p>
|
|||
|
<hr>
|
|||
|
</div>
|
|||
|
@@ -24569,7 +24569,7 @@ unusable. This function is not thread-s
|
|||
|
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1">gnutls_fips140_set_mode</h4>
|
|||
|
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
|
|||
|
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href='#index-gnutls_005ffips140_005fset_005fmode'> ¶</a></span></dt>
|
|||
|
-<dd><p><var class="var">mode</var>: the FIPS140-2 mode to switch to
|
|||
|
+<dd><p><var class="var">mode</var>: the FIPS140-3 mode to switch to
|
|||
|
</p>
|
|||
|
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
|
|||
|
</p>
|
|||
|
@@ -24578,13 +24578,13 @@ unusable. This function is not thread-s
|
|||
|
behavior with no flags after threads are created is undefined.
|
|||
|
</p>
|
|||
|
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
|
|||
|
-then this call will change the FIPS140-2 mode for this particular
|
|||
|
+then this call will change the FIPS140-3 mode for this particular
|
|||
|
thread and not for the whole process. That way an application
|
|||
|
can utilize this function to set and reset mode for specific
|
|||
|
operations.
|
|||
|
</p>
|
|||
|
<p>This function never fails but will be a no-op if used when
|
|||
|
-the library is not in FIPS140-2 mode. When asked to switch to unknown
|
|||
|
+the library is not in FIPS140-3 mode. When asked to switch to unknown
|
|||
|
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
|
|||
|
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
|
|||
|
</p>
|
|||
|
@@ -46927,7 +46927,7 @@ Next: <a href="#Concept-Index" accesskey
|
|||
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
|||
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
|||
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
|||
|
-<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate"><code>gnutls_fips140_get_operation_state</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#FIPS140_002d2-mode">FIPS140-2 mode</a></td></tr>
|
|||
|
+<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate"><code>gnutls_fips140_get_operation_state</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#FIPS140_002d2-mode">FIPS140-3 mode</a></td></tr>
|
|||
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
|||
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
|||
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
|||
|
Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/gnutls.info-3
|
|||
|
+++ gnutls-3.8.3/doc/gnutls.info-3
|
|||
|
@@ -2247,7 +2247,7 @@ to ‘more’. Both will exit with a st
|
|||
|
--inline-commands-prefix=str Change the default delimiter for inline commands
|
|||
|
--provider=file Specify the PKCS #11 provider library
|
|||
|
- file must pre-exist
|
|||
|
- --fips140-mode Reports the status of the FIPS140-2 mode in gnutls library
|
|||
|
+ --fips140-mode Reports the status of the FIPS140-3 mode in gnutls library
|
|||
|
--list-config Reports the configuration of the library
|
|||
|
--logfile=str Redirect informational messages to a specific file
|
|||
|
--keymatexport=str Label used for exporting keying material
|
|||
|
@@ -3400,7 +3400,7 @@ to know what happens inside the black bo
|
|||
|
* TLS Hello Extension Handling::
|
|||
|
* Cryptographic Backend::
|
|||
|
* Random Number Generators-internals::
|
|||
|
-* FIPS140-2 mode::
|
|||
|
+* FIPS140-3 mode::
|
|||
|
|
|||
|
|
|||
|
File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
|
|||
|
@@ -3932,7 +3932,7 @@ and abstract key types::.
|
|||
|
kernel implementation of ‘/dev/crypto’.
|
|||
|
|
|||
|
|
|||
|
-File: gnutls.info, Node: Random Number Generators-internals, Next: FIPS140-2 mode, Prev: Cryptographic Backend, Up: Internal architecture of GnuTLS
|
|||
|
+File: gnutls.info, Node: Random Number Generators-internals, Next: FIPS140-3 mode, Prev: Cryptographic Backend, Up: Internal architecture of GnuTLS
|
|||
|
|
|||
|
11.6 Random Number Generators
|
|||
|
=============================
|
|||
|
@@ -3942,7 +3942,7 @@ About the generators
|
|||
|
|
|||
|
GnuTLS provides two random generators. The default, and the AES-DRBG
|
|||
|
random generator which is only used when the library is compiled with
|
|||
|
-support for FIPS140-2 and the system is in FIPS140-2 mode.
|
|||
|
+support for FIPS140-3 and the system is in FIPS140-3 mode.
|
|||
|
|
|||
|
The default generator - inner workings
|
|||
|
--------------------------------------
|
|||
|
@@ -4174,7 +4174,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
|
|||
|
Figure 11.5: The ‘gnutls_fips_mode_t’ enumeration.
|
|||
|
|
|||
|
The intention of this API is to be used by applications which may run in
|
|||
|
-FIPS140-2 mode, while they utilize few algorithms not in the allowed
|
|||
|
+FIPS140-3 mode, while they utilize few algorithms not in the allowed
|
|||
|
set, e.g., for non-security related purposes. In these cases
|
|||
|
applications should wrap the non-compliant code within blocks like the
|
|||
|
following.
|
|||
|
@@ -4198,10 +4198,10 @@ are macros to simplify the following seq
|
|||
|
|
|||
|
The reason of the ‘GNUTLS_FIPS140_SET_MODE_THREAD’ flag in the previous
|
|||
|
calls is to localize the change in the mode. Note also, that such a
|
|||
|
-block has no effect when the library is not operating under FIPS140-2
|
|||
|
+block has no effect when the library is not operating under FIPS140-3
|
|||
|
mode, and thus it can be considered a no-op.
|
|||
|
|
|||
|
-Applications could also switch FIPS140-2 mode explicitly off, by calling
|
|||
|
+Applications could also switch FIPS140-3 mode explicitly off, by calling
|
|||
|
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
|||
|
|
|||
|
Service indicator
|
|||
|
@@ -4683,8 +4683,8 @@ There are certifications from national o
|
|||
|
practices, such as unit testing and reliance on well known crypto
|
|||
|
primitives.
|
|||
|
|
|||
|
-GnuTLS has support for the FIPS 140-2 certification under Red Hat
|
|||
|
-Enterprise Linux. See *note FIPS140-2 mode:: for more information.
|
|||
|
+GnuTLS has support for the FIPS 140-3 certification under Red Hat
|
|||
|
+Enterprise Linux. See *note FIPS140-3 mode:: for more information.
|
|||
|
|
|||
|
|
|||
|
File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
|
|||
|
@@ -9151,7 +9151,7 @@ gnutls_fips140_set_mode
|
|||
|
|
|||
|
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
|
|||
|
unsigned FLAGS)
|
|||
|
- MODE: the FIPS140-2 mode to switch to
|
|||
|
+ MODE: the FIPS140-3 mode to switch to
|
|||
|
|
|||
|
FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’
|
|||
|
|
|||
|
Index: gnutls-3.8.3/doc/invoke-gnutls-cli.texi
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/invoke-gnutls-cli.texi
|
|||
|
+++ gnutls-3.8.3/doc/invoke-gnutls-cli.texi
|
|||
|
@@ -102,7 +102,7 @@ None:
|
|||
|
--inline-commands-prefix=str Change the default delimiter for inline commands
|
|||
|
--provider=file Specify the PKCS #11 provider library
|
|||
|
- file must pre-exist
|
|||
|
- --fips140-mode Reports the status of the FIPS140-2 mode in gnutls library
|
|||
|
+ --fips140-mode Reports the status of the FIPS140-3 mode in gnutls library
|
|||
|
--list-config Reports the configuration of the library
|
|||
|
--logfile=str Redirect informational messages to a specific file
|
|||
|
--keymatexport=str Label used for exporting keying material
|
|||
|
Index: gnutls-3.8.3/doc/manpages/gnutls-cli.1
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/manpages/gnutls-cli.1
|
|||
|
+++ gnutls-3.8.3/doc/manpages/gnutls-cli.1
|
|||
|
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
|
|||
|
This will override the default options in /etc/gnutls/pkcs11.conf
|
|||
|
.TP
|
|||
|
.NOP \f\*[B-Font]\-\-fips140\-mode\f[]
|
|||
|
-Reports the status of the FIPS140-2 mode in gnutls library.
|
|||
|
+Reports the status of the FIPS140-3 mode in gnutls library.
|
|||
|
.sp
|
|||
|
.TP
|
|||
|
.NOP \f\*[B-Font]\-\-list\-config\f[]
|
|||
|
Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/reference/html/gnutls-gnutls.html
|
|||
|
+++ gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
|||
|
@@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode (<em class="para
|
|||
|
(globally), and should be called prior to creating any threads. Its
|
|||
|
behavior with no flags after threads are created is undefined.</p>
|
|||
|
<p>When the flag <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SET-MODE-THREAD:CAPS" title="GNUTLS_FIPS140_SET_MODE_THREAD"><code class="literal">GNUTLS_FIPS140_SET_MODE_THREAD</code></a> is specified
|
|||
|
-then this call will change the FIPS140-2 mode for this particular
|
|||
|
+then this call will change the FIPS140-3 mode for this particular
|
|||
|
thread and not for the whole process. That way an application
|
|||
|
can utilize this function to set and reset mode for specific
|
|||
|
operations.</p>
|
|||
|
<p>This function never fails but will be a no-op if used when
|
|||
|
-the library is not in FIPS140-2 mode. When asked to switch to unknown
|
|||
|
+the library is not in FIPS140-3 mode. When asked to switch to unknown
|
|||
|
values for <em class="parameter"><code>mode</code></em>
|
|||
|
or to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SELFTESTS:CAPS"><code class="literal">GNUTLS_FIPS140_SELFTESTS</code></a> mode, the library
|
|||
|
switches to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-STRICT:CAPS"><code class="literal">GNUTLS_FIPS140_STRICT</code></a> mode.</p>
|
|||
|
@@ -20886,7 +20886,7 @@ switches to <a class="link" href="gnutls
|
|||
|
<tbody>
|
|||
|
<tr>
|
|||
|
<td class="parameter_name"><p>mode</p></td>
|
|||
|
-<td class="parameter_description"><p>the FIPS140-2 mode to switch to</p></td>
|
|||
|
+<td class="parameter_description"><p>the FIPS140-3 mode to switch to</p></td>
|
|||
|
<td class="parameter_annotations"> </td>
|
|||
|
</tr>
|
|||
|
<tr>
|
|||
|
@@ -25904,7 +25904,7 @@ encryption</p>
|
|||
|
<hr>
|
|||
|
<div class="refsect2">
|
|||
|
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
|
|||
|
-<p>Enumeration of different operational modes under FIPS140-2.</p>
|
|||
|
+<p>Enumeration of different operational modes under FIPS140-3.</p>
|
|||
|
<div class="refsect3">
|
|||
|
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
|
|||
|
<div class="informaltable"><table class="informaltable" width="100%" border="0">
|
|||
|
@@ -25917,7 +25917,7 @@ encryption</p>
|
|||
|
<tr>
|
|||
|
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
|
|||
|
<td class="enum_member_description">
|
|||
|
-<p>The FIPS140-2 mode is disabled.</p>
|
|||
|
+<p>The FIPS140-3 mode is disabled.</p>
|
|||
|
</td>
|
|||
|
<td class="enum_member_annotations"> </td>
|
|||
|
</tr>
|
|||
|
@@ -25940,8 +25940,8 @@ operation failure via error code.</p>
|
|||
|
<tr>
|
|||
|
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
|
|||
|
<td class="enum_member_description">
|
|||
|
-<p>The library still uses the FIPS140-2 relevant algorithms but all
|
|||
|
-forbidden by FIPS140-2 operations are allowed; this is useful when the
|
|||
|
+<p>The library still uses the FIPS140-3 relevant algorithms but all
|
|||
|
+forbidden by FIPS140-3 operations are allowed; this is useful when the
|
|||
|
application is aware of the followed security policy, and needs
|
|||
|
to utilize disallowed operations for other reasons (e.g., compatibility).</p>
|
|||
|
</td>
|
|||
|
@@ -27575,4 +27575,4 @@ This is used by <a class="link" href="gn
|
|||
|
<div class="footer">
|
|||
|
<hr>Generated by GTK-Doc V1.33.1</div>
|
|||
|
</body>
|
|||
|
-</html>
|
|||
|
\ No newline at end of file
|
|||
|
+</html>
|
|||
|
Index: gnutls-3.8.3/lib/fips.c
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/lib/fips.c
|
|||
|
+++ gnutls-3.8.3/lib/fips.c
|
|||
|
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
|
|||
|
}
|
|||
|
|
|||
|
if (f1p != 0) {
|
|||
|
- _gnutls_debug_log("FIPS140-2 mode enabled\n");
|
|||
|
+ _gnutls_debug_log("FIPS140-3 mode enabled\n");
|
|||
|
ret = GNUTLS_FIPS140_STRICT;
|
|||
|
goto exit;
|
|||
|
}
|
|||
|
@@ -130,7 +130,7 @@ unsigned _gnutls_fips_mode_enabled(void)
|
|||
|
if (f2p != 0) {
|
|||
|
/* a funny state where self tests are performed
|
|||
|
* and ignored */
|
|||
|
- _gnutls_debug_log("FIPS140-2 ZOMBIE mode enabled\n");
|
|||
|
+ _gnutls_debug_log("FIPS140-3 ZOMBIE mode enabled\n");
|
|||
|
ret = GNUTLS_FIPS140_SELFTESTS;
|
|||
|
goto exit;
|
|||
|
}
|
|||
|
@@ -694,7 +694,7 @@ unsigned gnutls_fips140_mode_enabled(voi
|
|||
|
|
|||
|
/**
|
|||
|
* gnutls_fips140_set_mode:
|
|||
|
- * @mode: the FIPS140-2 mode to switch to
|
|||
|
+ * @mode: the FIPS140-3 mode to switch to
|
|||
|
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
|
|||
|
*
|
|||
|
* That function is not thread-safe when changing the mode with no flags
|
|||
|
@@ -702,13 +702,13 @@ unsigned gnutls_fips140_mode_enabled(voi
|
|||
|
* behavior with no flags after threads are created is undefined.
|
|||
|
*
|
|||
|
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
|
|||
|
- * then this call will change the FIPS140-2 mode for this particular
|
|||
|
+ * then this call will change the FIPS140-3 mode for this particular
|
|||
|
* thread and not for the whole process. That way an application
|
|||
|
* can utilize this function to set and reset mode for specific
|
|||
|
* operations.
|
|||
|
*
|
|||
|
* This function never fails but will be a no-op if used when
|
|||
|
- * the library is not in FIPS140-2 mode. When asked to switch to unknown
|
|||
|
+ * the library is not in FIPS140-3 mode. When asked to switch to unknown
|
|||
|
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
|
|||
|
* switches to %GNUTLS_FIPS140_STRICT mode.
|
|||
|
*
|
|||
|
@@ -720,10 +720,10 @@ void gnutls_fips140_set_mode(gnutls_fips
|
|||
|
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
|
|||
|
if (prev == GNUTLS_FIPS140_DISABLED ||
|
|||
|
prev == GNUTLS_FIPS140_SELFTESTS) {
|
|||
|
- /* we need to run self-tests first to be in FIPS140-2 mode */
|
|||
|
+ /* we need to run self-tests first to be in FIPS140-3 mode */
|
|||
|
_gnutls_audit_log(
|
|||
|
NULL,
|
|||
|
- "The library should be initialized in FIPS140-2 mode to do that operation\n");
|
|||
|
+ "The library should be initialized in FIPS140-3 mode to do that operation\n");
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
@@ -736,7 +736,7 @@ void gnutls_fips140_set_mode(gnutls_fips
|
|||
|
case GNUTLS_FIPS140_SELFTESTS:
|
|||
|
_gnutls_audit_log(
|
|||
|
NULL,
|
|||
|
- "Cannot switch library to FIPS140-2 self-tests mode; defaulting to strict\n");
|
|||
|
+ "Cannot switch library to FIPS140-3 self-tests mode; defaulting to strict\n");
|
|||
|
mode = GNUTLS_FIPS140_STRICT;
|
|||
|
break;
|
|||
|
default:
|
|||
|
@@ -912,7 +912,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
|||
|
}
|
|||
|
|
|||
|
if (!_tfips_context) {
|
|||
|
- _gnutls_debug_log("FIPS140-2 context is not set\n");
|
|||
|
+ _gnutls_debug_log("FIPS140-3 context is not set\n");
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
@@ -926,7 +926,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
|||
|
if (mode != GNUTLS_FIPS140_LAX) {
|
|||
|
_gnutls_audit_log(
|
|||
|
NULL,
|
|||
|
- "FIPS140-2 operation mode switched from initial to %s\n",
|
|||
|
+ "FIPS140-3 operation mode switched from initial to %s\n",
|
|||
|
operation_state_to_string(state));
|
|||
|
}
|
|||
|
_tfips_context->state = state;
|
|||
|
@@ -937,7 +937,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
|||
|
if (mode != GNUTLS_FIPS140_LAX) {
|
|||
|
_gnutls_audit_log(
|
|||
|
NULL,
|
|||
|
- "FIPS140-2 operation mode switched from approved to %s\n",
|
|||
|
+ "FIPS140-3 operation mode switched from approved to %s\n",
|
|||
|
operation_state_to_string(state));
|
|||
|
}
|
|||
|
_tfips_context->state = state;
|
|||
|
@@ -949,7 +949,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
|||
|
if (mode != GNUTLS_FIPS140_LAX) {
|
|||
|
_gnutls_audit_log(
|
|||
|
NULL,
|
|||
|
- "FIPS140-2 operation mode cannot be switched from %s to %s\n",
|
|||
|
+ "FIPS140-3 operation mode cannot be switched from %s to %s\n",
|
|||
|
operation_state_to_string(
|
|||
|
_tfips_context->state),
|
|||
|
operation_state_to_string(state));
|
|||
|
@@ -1011,7 +1011,7 @@ int gnutls_fips140_run_self_tests(void)
|
|||
|
ret < 0) {
|
|||
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
|||
|
_gnutls_audit_log(NULL,
|
|||
|
- "FIPS140-2 self testing part 2 failed\n");
|
|||
|
+ "FIPS140-3 self testing part 2 failed\n");
|
|||
|
} else {
|
|||
|
/* Restore the previous library state */
|
|||
|
_gnutls_switch_lib_state(prev_lib_state);
|
|||
|
@@ -1023,7 +1023,7 @@ int gnutls_fips140_run_self_tests(void)
|
|||
|
if (gnutls_fips140_pop_context() < 0) {
|
|||
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
|||
|
_gnutls_audit_log(
|
|||
|
- NULL, "FIPS140-2 context restoration failed\n");
|
|||
|
+ NULL, "FIPS140-3 context restoration failed\n");
|
|||
|
}
|
|||
|
gnutls_fips140_context_deinit(fips_context);
|
|||
|
}
|
|||
|
Index: gnutls-3.8.3/lib/fips.h
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/lib/fips.h
|
|||
|
+++ gnutls-3.8.3/lib/fips.h
|
|||
|
@@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
|
|||
|
}
|
|||
|
|
|||
|
#ifdef ENABLE_FIPS140
|
|||
|
-/* This will test the condition when in FIPS140-2 mode
|
|||
|
+/* This will test the condition when in FIPS140-3 mode
|
|||
|
* and return an error if necessary or ignore */
|
|||
|
#define FIPS_RULE(condition, ret_error, ...) \
|
|||
|
{ \
|
|||
|
@@ -170,10 +170,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
|
|||
|
if (_mode == GNUTLS_FIPS140_LOG) { \
|
|||
|
_gnutls_audit_log( \
|
|||
|
NULL, \
|
|||
|
- "fips140-2: allowing " __VA_ARGS__); \
|
|||
|
+ "fips140-3: allowing " __VA_ARGS__); \
|
|||
|
} else if (_mode != GNUTLS_FIPS140_LAX) { \
|
|||
|
_gnutls_debug_log( \
|
|||
|
- "fips140-2: disallowing " __VA_ARGS__); \
|
|||
|
+ "fips140-3: disallowing " __VA_ARGS__); \
|
|||
|
return ret_error; \
|
|||
|
} \
|
|||
|
} \
|
|||
|
@@ -188,7 +188,7 @@ inline static bool is_mac_algo_allowed(g
|
|||
|
switch (mode) {
|
|||
|
case GNUTLS_FIPS140_LOG:
|
|||
|
_gnutls_audit_log(NULL,
|
|||
|
- "fips140-2: allowing access to %s\n",
|
|||
|
+ "fips140-3: allowing access to %s\n",
|
|||
|
gnutls_mac_get_name(algo));
|
|||
|
FALLTHROUGH;
|
|||
|
case GNUTLS_FIPS140_DISABLED:
|
|||
|
@@ -210,7 +210,7 @@ inline static bool is_cipher_algo_allowe
|
|||
|
switch (mode) {
|
|||
|
case GNUTLS_FIPS140_LOG:
|
|||
|
_gnutls_audit_log(NULL,
|
|||
|
- "fips140-2: allowing access to %s\n",
|
|||
|
+ "fips140-3: allowing access to %s\n",
|
|||
|
gnutls_cipher_get_name(algo));
|
|||
|
FALLTHROUGH;
|
|||
|
case GNUTLS_FIPS140_DISABLED:
|
|||
|
Index: gnutls-3.8.3/lib/global.c
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/lib/global.c
|
|||
|
+++ gnutls-3.8.3/lib/global.c
|
|||
|
@@ -337,12 +337,12 @@ static int _gnutls_global_init(unsigned
|
|||
|
|
|||
|
#ifdef ENABLE_FIPS140
|
|||
|
res = _gnutls_fips_mode_enabled();
|
|||
|
- /* res == 1 -> fips140-2 mode enabled
|
|||
|
+ /* res == 1 -> fips140-3 mode enabled
|
|||
|
* res == 2 -> only self checks performed - but no failure
|
|||
|
* res == not in fips140 mode
|
|||
|
*/
|
|||
|
if (res != 0) {
|
|||
|
- _gnutls_debug_log("FIPS140-2 mode: %d\n", res);
|
|||
|
+ _gnutls_debug_log("FIPS140-3 mode: %d\n", res);
|
|||
|
_gnutls_priority_update_fips();
|
|||
|
|
|||
|
/* first round of self checks, these are done on the
|
|||
|
@@ -352,7 +352,7 @@ static int _gnutls_global_init(unsigned
|
|||
|
if (ret < 0) {
|
|||
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
|||
|
_gnutls_audit_log(
|
|||
|
- NULL, "FIPS140-2 self testing part1 failed\n");
|
|||
|
+ NULL, "FIPS140-3 self testing part1 failed\n");
|
|||
|
if (res != 2) {
|
|||
|
gnutls_assert();
|
|||
|
goto out;
|
|||
|
@@ -375,7 +375,7 @@ static int _gnutls_global_init(unsigned
|
|||
|
if (ret < 0) {
|
|||
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
|||
|
_gnutls_audit_log(
|
|||
|
- NULL, "FIPS140-2 self testing part 2 failed\n");
|
|||
|
+ NULL, "FIPS140-3 self testing part 2 failed\n");
|
|||
|
if (res != 2) {
|
|||
|
gnutls_assert();
|
|||
|
goto out;
|
|||
|
Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/lib/includes/gnutls/gnutls.h.in
|
|||
|
+++ gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
|
|||
|
@@ -3199,16 +3199,16 @@ typedef int (*gnutls_alert_read_func)(gn
|
|||
|
void gnutls_alert_set_read_function(gnutls_session_t session,
|
|||
|
gnutls_alert_read_func func);
|
|||
|
|
|||
|
-/* FIPS140-2 related functions */
|
|||
|
+/* FIPS140-3 related functions */
|
|||
|
unsigned gnutls_fips140_mode_enabled(void);
|
|||
|
|
|||
|
/**
|
|||
|
* gnutls_fips_mode_t:
|
|||
|
- * @GNUTLS_FIPS140_DISABLED: The FIPS140-2 mode is disabled.
|
|||
|
+ * @GNUTLS_FIPS140_DISABLED: The FIPS140-3 mode is disabled.
|
|||
|
* @GNUTLS_FIPS140_STRICT: The default mode; all forbidden operations will cause an
|
|||
|
* operation failure via error code.
|
|||
|
- * @GNUTLS_FIPS140_LAX: The library still uses the FIPS140-2 relevant algorithms but all
|
|||
|
- * forbidden by FIPS140-2 operations are allowed; this is useful when the
|
|||
|
+ * @GNUTLS_FIPS140_LAX: The library still uses the FIPS140-3 relevant algorithms but all
|
|||
|
+ * forbidden by FIPS140-3 operations are allowed; this is useful when the
|
|||
|
* application is aware of the followed security policy, and needs
|
|||
|
* to utilize disallowed operations for other reasons (e.g., compatibility).
|
|||
|
* @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
|
|||
|
@@ -3216,7 +3216,7 @@ unsigned gnutls_fips140_mode_enabled(voi
|
|||
|
* @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
|
|||
|
* cannot be set or seen by applications.
|
|||
|
*
|
|||
|
- * Enumeration of different operational modes under FIPS140-2.
|
|||
|
+ * Enumeration of different operational modes under FIPS140-3.
|
|||
|
*/
|
|||
|
typedef enum gnutls_fips_mode_t {
|
|||
|
GNUTLS_FIPS140_DISABLED = 0,
|
|||
|
Index: gnutls-3.8.3/src/cli.c
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/src/cli.c
|
|||
|
+++ gnutls-3.8.3/src/cli.c
|
|||
|
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
|
|||
|
|
|||
|
if (HAVE_OPT(FIPS140_MODE)) {
|
|||
|
if (gnutls_fips140_mode_enabled() != 0) {
|
|||
|
- fprintf(stderr, "library is in FIPS140-2 mode\n");
|
|||
|
+ fprintf(stderr, "library is in FIPS140-3 mode\n");
|
|||
|
exit(0);
|
|||
|
}
|
|||
|
- fprintf(stderr, "library is NOT in FIPS140-2 mode\n");
|
|||
|
+ fprintf(stderr, "library is NOT in FIPS140-3 mode\n");
|
|||
|
exit(1);
|
|||
|
}
|
|||
|
|
|||
|
Index: gnutls-3.8.3/src/gnutls-cli-options.c
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/src/gnutls-cli-options.c
|
|||
|
+++ gnutls-3.8.3/src/gnutls-cli-options.c
|
|||
|
@@ -810,7 +810,7 @@ usage (FILE *out, int status)
|
|||
|
" --inline-commands-prefix=str Change the default delimiter for inline commands\n"
|
|||
|
" --provider=file Specify the PKCS #11 provider library\n"
|
|||
|
" - file must pre-exist\n"
|
|||
|
- " --fips140-mode Reports the status of the FIPS140-2 mode in gnutls library\n"
|
|||
|
+ " --fips140-mode Reports the status of the FIPS140-3 mode in gnutls library\n"
|
|||
|
" --list-config Reports the configuration of the library\n"
|
|||
|
" --logfile=str Redirect informational messages to a specific file\n"
|
|||
|
" --keymatexport=str Label used for exporting keying material\n"
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/gost.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/gost.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/gost.sh
|
|||
|
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-corner-cases.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
|
|||
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-encode.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
|
|||
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-gost.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
|
|||
|
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs12.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs12.sh
|
|||
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-decode.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
|
|||
|
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-eddsa.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
|
|||
|
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-gost.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
|
|||
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cert-tests/pkcs8.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8.sh
|
|||
|
+++ gnutls-3.8.3/tests/cert-tests/pkcs8.sh
|
|||
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
|||
|
fi
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/cipher-listings.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/cipher-listings.sh
|
|||
|
+++ gnutls-3.8.3/tests/cipher-listings.sh
|
|||
|
@@ -63,7 +63,7 @@ check()
|
|||
|
|
|||
|
${CLI} --fips140-mode
|
|||
|
if test $? = 0;then
|
|||
|
- echo "Cannot run this test in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run this test in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/tests/testpkcs11.sh
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/tests/testpkcs11.sh
|
|||
|
+++ gnutls-3.8.3/tests/testpkcs11.sh
|
|||
|
@@ -26,7 +26,7 @@
|
|||
|
RETCODE=0
|
|||
|
|
|||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|||
|
- echo "Cannot run in FIPS140-2 mode"
|
|||
|
+ echo "Cannot run in FIPS140-3 mode"
|
|||
|
exit 77
|
|||
|
fi
|
|||
|
|
|||
|
Index: gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/enums/gnutls_fips_mode_t
|
|||
|
+++ gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
|
|||
|
@@ -3,7 +3,7 @@
|
|||
|
@c gnutls_fips_mode_t
|
|||
|
@table @code
|
|||
|
@item GNUTLS_@-FIPS140_@-DISABLED
|
|||
|
-The FIPS140-2 mode is disabled.
|
|||
|
+The FIPS140-3 mode is disabled.
|
|||
|
@item GNUTLS_@-FIPS140_@-STRICT
|
|||
|
The default mode; all forbidden operations will cause an
|
|||
|
operation failure via error code.
|
|||
|
@@ -11,8 +11,8 @@ operation failure via error code.
|
|||
|
A transient state during library initialization. That state
|
|||
|
cannot be set or seen by applications.
|
|||
|
@item GNUTLS_@-FIPS140_@-LAX
|
|||
|
-The library still uses the FIPS140-2 relevant algorithms but all
|
|||
|
-forbidden by FIPS140-2 operations are allowed; this is useful when the
|
|||
|
+The library still uses the FIPS140-3 relevant algorithms but all
|
|||
|
+forbidden by FIPS140-3 operations are allowed; this is useful when the
|
|||
|
application is aware of the followed security policy, and needs
|
|||
|
to utilize disallowed operations for other reasons (e.g., compatibility).
|
|||
|
@item GNUTLS_@-FIPS140_@-LOG
|
|||
|
Index: gnutls-3.8.3/doc/gnutls-api.texi
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/gnutls-api.texi
|
|||
|
+++ gnutls-3.8.3/doc/gnutls-api.texi
|
|||
|
@@ -3275,7 +3275,7 @@ unusable. This function is not thread-s
|
|||
|
@subheading gnutls_fips140_set_mode
|
|||
|
@anchor{gnutls_fips140_set_mode}
|
|||
|
@deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags})
|
|||
|
-@var{mode}: the FIPS140-2 mode to switch to
|
|||
|
+@var{mode}: the FIPS140-3 mode to switch to
|
|||
|
|
|||
|
@var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD}
|
|||
|
|
|||
|
@@ -3284,13 +3284,13 @@ That function is not thread-safe when ch
|
|||
|
behavior with no flags after threads are created is undefined.
|
|||
|
|
|||
|
When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified
|
|||
|
-then this call will change the FIPS140-2 mode for this particular
|
|||
|
+then this call will change the FIPS140-3 mode for this particular
|
|||
|
thread and not for the whole process. That way an application
|
|||
|
can utilize this function to set and reset mode for specific
|
|||
|
operations.
|
|||
|
|
|||
|
This function never fails but will be a no-op if used when
|
|||
|
-the library is not in FIPS140-2 mode. When asked to switch to unknown
|
|||
|
+the library is not in FIPS140-3 mode. When asked to switch to unknown
|
|||
|
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
|
|||
|
switches to @code{GNUTLS_FIPS140_STRICT} mode.
|
|||
|
|
|||
|
Index: gnutls-3.8.3/lib/ext/session_ticket.c
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/lib/ext/session_ticket.c
|
|||
|
+++ gnutls-3.8.3/lib/ext/session_ticket.c
|
|||
|
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
|
|||
|
{
|
|||
|
if (_gnutls_fips_mode_enabled()) {
|
|||
|
int ret;
|
|||
|
- /* in FIPS140-2 mode gnutls_key_generate imposes
|
|||
|
+ /* in FIPS140-3 mode gnutls_key_generate imposes
|
|||
|
* some limits on allowed key size, thus it is not
|
|||
|
* used. These limits do not affect this function as
|
|||
|
* it does not generate a "key" but rather key material
|
|||
|
Index: gnutls-3.8.3/lib/libgnutls.map
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/lib/libgnutls.map
|
|||
|
+++ gnutls-3.8.3/lib/libgnutls.map
|
|||
|
@@ -1441,7 +1441,7 @@ GNUTLS_FIPS140_3_4 {
|
|||
|
gnutls_hkdf_self_test;
|
|||
|
gnutls_pbkdf2_self_test;
|
|||
|
gnutls_tlsprf_self_test;
|
|||
|
- #for FIPS140-2 validation
|
|||
|
+ #for FIPS140-3 validation
|
|||
|
drbg_aes_reseed;
|
|||
|
drbg_aes_init;
|
|||
|
drbg_aes_generate;
|
|||
|
Index: gnutls-3.8.3/lib/nettle/mac.c
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/lib/nettle/mac.c
|
|||
|
+++ gnutls-3.8.3/lib/nettle/mac.c
|
|||
|
@@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx
|
|||
|
static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
|
|||
|
struct nettle_mac_ctx *ctx)
|
|||
|
{
|
|||
|
- /* Any FIPS140-2 related enforcement is performed on
|
|||
|
+ /* Any FIPS140-3 related enforcement is performed on
|
|||
|
* gnutls_hash_init() and gnutls_hmac_init() */
|
|||
|
|
|||
|
ctx->set_nonce = NULL;
|
|||
|
@@ -648,7 +648,7 @@ static void _md5_sha1_digest(void *_ctx,
|
|||
|
static int _ctx_init(gnutls_digest_algorithm_t algo,
|
|||
|
struct nettle_hash_ctx *ctx)
|
|||
|
{
|
|||
|
- /* Any FIPS140-2 related enforcement is performed on
|
|||
|
+ /* Any FIPS140-3 related enforcement is performed on
|
|||
|
* gnutls_hash_init() and gnutls_hmac_init() */
|
|||
|
switch (algo) {
|
|||
|
case GNUTLS_DIG_MD5:
|
|||
|
Index: gnutls-3.8.3/config.h.in
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/config.h.in
|
|||
|
+++ gnutls-3.8.3/config.h.in
|
|||
|
@@ -82,7 +82,7 @@
|
|||
|
/* enable DHE */
|
|||
|
#undef ENABLE_ECDHE
|
|||
|
|
|||
|
-/* Enable FIPS140-2 mode */
|
|||
|
+/* Enable FIPS140-3 mode */
|
|||
|
#undef ENABLE_FIPS140
|
|||
|
|
|||
|
/* enable GOST */
|
|||
|
@@ -125,7 +125,7 @@
|
|||
|
/* Define this to 1 if F_DUPFD behavior does not match POSIX */
|
|||
|
#undef FCNTL_DUPFD_BUGGY
|
|||
|
|
|||
|
-/* The FIPS140-2 integrity key */
|
|||
|
+/* The FIPS140-3 integrity key */
|
|||
|
#undef FIPS_KEY
|
|||
|
|
|||
|
/* The FIPS140 module name */
|
|||
|
Index: gnutls-3.8.3/configure
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/configure
|
|||
|
+++ gnutls-3.8.3/configure
|
|||
|
@@ -3830,7 +3830,7 @@ Optional Features:
|
|||
|
--enable-fast-install[=PKGS]
|
|||
|
optimize for fast installation [default=yes]
|
|||
|
--disable-libtool-lock avoid locking (might break parallel builds)
|
|||
|
- --enable-fips140-mode enable FIPS140-2 mode
|
|||
|
+ --enable-fips140-mode enable FIPS140-3 mode
|
|||
|
--enable-strict-x509 enable stricter sanity checks for x509 certificates
|
|||
|
--disable-non-suiteb-curves
|
|||
|
disable curves not in SuiteB
|
|||
|
Index: gnutls-3.8.3/doc/cha-support.texi
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/cha-support.texi
|
|||
|
+++ gnutls-3.8.3/doc/cha-support.texi
|
|||
|
@@ -134,5 +134,5 @@ There are certifications from national o
|
|||
|
to an auditor that the crypto component follows some best practices, such
|
|||
|
as unit testing and reliance on well known crypto primitives.
|
|||
|
|
|||
|
-GnuTLS has support for the FIPS 140-2 certification under Red Hat Enterprise Linux.
|
|||
|
-See @ref{FIPS140-2 mode} for more information.
|
|||
|
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
|
|||
|
+See @ref{FIPS140-3 mode} for more information.
|
|||
|
Index: gnutls-3.8.3/doc/gnutls.info
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/doc/gnutls.info
|
|||
|
+++ gnutls-3.8.3/doc/gnutls.info
|
|||
|
@@ -618,7 +618,7 @@ Ref: fig-crypto-layers744471
|
|||
|
Ref: Cryptographic Backend-Footnote-1747783
|
|||
|
Ref: Cryptographic Backend-Footnote-2747868
|
|||
|
Node: Random Number Generators-internals747980
|
|||
|
-Node: FIPS140-2 mode755450
|
|||
|
+Node: FIPS140-3 mode755450
|
|||
|
Ref: gnutls_fips_mode_t758148
|
|||
|
Node: Upgrading from previous versions761817
|
|||
|
Node: Support776059
|
|||
|
Index: gnutls-3.8.3/src/gnutls-cli-options.json
|
|||
|
===================================================================
|
|||
|
--- gnutls-3.8.3.orig/src/gnutls-cli-options.json
|
|||
|
+++ gnutls-3.8.3/src/gnutls-cli-options.json
|
|||
|
@@ -384,7 +384,7 @@
|
|||
|
},
|
|||
|
{
|
|||
|
"long-option": "fips140-mode",
|
|||
|
- "description": "Reports the status of the FIPS140-2 mode in gnutls library"
|
|||
|
+ "description": "Reports the status of the FIPS140-3 mode in gnutls library"
|
|||
|
},
|
|||
|
{
|
|||
|
"long-option": "list-config",
|