Expose a public interface for executing FIPS integrity tests on-demand
Description of the feature:
One of the FIPS-140-3 requirements is the ability of a crypto module to execute integrity tests on-demand.
This can be done through a function which sets the FIPS state machine to the LIB_STATE_SELFTEST
, executes the integrity tests on the appropriated modules and then sets the state to LIB_STATE_OPERATIONAL
or LIB_STATE_ERROR
based on the result.
The function _gnutls_fips_perform_self_checks2
can be used as an example on how to execute the procedure described above.
The snippet below shows the interesting part:
if (_skip_integrity_checks == 0) {
ret = check_binary_integrity(GNUTLS_LIBRARY_NAME, "gnutls_global_init");
if (ret == 0) {
gnutls_assert();
goto error;
}
ret = check_binary_integrity(NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
if (ret == 0) {
gnutls_assert();
goto error;
}
ret = check_binary_integrity(HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
if (ret == 0) {
gnutls_assert();
goto error;
}
ret = check_binary_integrity(GMP_LIBRARY_NAME, "__gmpz_init");
if (ret == 0) {
gnutls_assert();
goto error;
}
}
return 0;
error:
_gnutls_switch_lib_state(LIB_STATE_ERROR);
Applications that this feature may be relevant to:
Any application which requires a FIPS-140-3 compliant library.
Is this feature implemented in other libraries (and which)
libgcrypt and openssl