Rename FIPS_mode_set and FIPS_mode. These symbols will be defined in
the FIPS capable OpenSSL.
parent
5024b79f5c
commit
c2fd598994
5
CHANGES
5
CHANGES
@ -4,6 +4,11 @@
|
||||
|
||||
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
|
||||
|
||||
*) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
|
||||
FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implmeneted
|
||||
outside the validated module in the FIPS capable OpenSSL.
|
||||
[Steve Henson]
|
||||
|
||||
*) Initial TLS v1.2 client support. Add a default signature algorithms
|
||||
extension including all the algorithms we support. Parse new signature
|
||||
format in client key exchange. Relax some ECC signing restrictions for
|
||||
|
@ -252,7 +252,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range)
|
||||
* generated. So we just use the second case which is equivalent to
|
||||
* "Generation by Testing Candidates" mentioned in B.1.2 et al.
|
||||
*/
|
||||
else if (!FIPS_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
|
||||
else if (!FIPS_module_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
|
||||
#else
|
||||
else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
|
||||
#endif
|
||||
|
@ -118,7 +118,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
|
||||
if (FIPS_module_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
|
||||
goto err;
|
||||
|
@ -128,7 +128,7 @@ static int generate_key(DH *dh)
|
||||
BIGNUM *pub_key=NULL,*priv_key=NULL;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
|
||||
if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
|
||||
return 0;
|
||||
@ -227,7 +227,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
}
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
|
||||
if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
|
||||
goto err;
|
||||
|
@ -141,7 +141,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
|
||||
@ -412,7 +412,7 @@ static int dsa2_valid_parameters(size_t L, size_t N)
|
||||
int fips_check_dsa_prng(DSA *dsa, size_t L, size_t N)
|
||||
{
|
||||
int strength;
|
||||
if (!FIPS_mode())
|
||||
if (!FIPS_module_mode())
|
||||
return 1;
|
||||
|
||||
if (dsa->flags & (DSA_FLAG_NON_FIPS_ALLOW|DSA_FLAG_FIPS_CHECKED))
|
||||
|
@ -106,7 +106,7 @@ static int dsa_builtin_keygen(DSA *dsa)
|
||||
BIGNUM *pub_key=NULL,*priv_key=NULL;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
|
||||
|
@ -150,7 +150,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
|
||||
@ -353,7 +353,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
|
||||
|
@ -260,7 +260,7 @@ static int fips_check_ec(EC_KEY *key)
|
||||
int fips_check_ec_prng(EC_KEY *ec)
|
||||
{
|
||||
int bits, strength;
|
||||
if (!FIPS_mode())
|
||||
if (!FIPS_module_mode())
|
||||
return 1;
|
||||
|
||||
if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED))
|
||||
|
@ -247,7 +247,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
if (arg <= 0)
|
||||
return 0;
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
|
||||
&& arg < 12)
|
||||
return 0;
|
||||
#endif
|
||||
@ -519,7 +519,7 @@ static int aes_xts(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
return -1;
|
||||
#ifdef OPENSSL_FIPS
|
||||
/* Requirement of SP800-38E */
|
||||
if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
|
||||
if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
|
||||
(len > (1L<<20)*16))
|
||||
{
|
||||
EVPerr(EVP_F_AES_XTS, EVP_R_TOO_LARGE);
|
||||
|
@ -170,7 +170,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
@ -382,7 +382,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
@ -530,7 +530,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
@ -674,7 +674,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
|
@ -82,7 +82,7 @@
|
||||
int fips_check_rsa_prng(RSA *rsa, int bits)
|
||||
{
|
||||
int strength;
|
||||
if (!FIPS_mode())
|
||||
if (!FIPS_module_mode())
|
||||
return 1;
|
||||
|
||||
if (rsa->flags & (RSA_FLAG_NON_FIPS_ALLOW|RSA_FLAG_CHECKED))
|
||||
@ -205,7 +205,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
|
||||
|
@ -210,7 +210,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
|
||||
if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
|
||||
(bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
|
||||
|
@ -96,7 +96,7 @@ static void fips_set_mode(int onoff)
|
||||
}
|
||||
}
|
||||
|
||||
int FIPS_mode(void)
|
||||
int FIPS_module_mode(void)
|
||||
{
|
||||
int ret = 0;
|
||||
int owning_thread = fips_is_owning_thread();
|
||||
@ -237,7 +237,7 @@ int FIPS_check_incore_fingerprint(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
int FIPS_mode_set(int onoff)
|
||||
int FIPS_module_mode_set(int onoff)
|
||||
{
|
||||
int fips_set_owning_thread();
|
||||
int fips_clear_owning_thread();
|
||||
@ -254,7 +254,7 @@ int FIPS_mode_set(int onoff)
|
||||
|
||||
/* Don't go into FIPS mode twice, just so we can do automagic
|
||||
seeding */
|
||||
if(FIPS_mode())
|
||||
if(FIPS_module_mode())
|
||||
{
|
||||
FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
|
||||
fips_selftest_fail = 1;
|
||||
|
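Review bot: The `FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);` call in the last hunk still reports the pre-rename function code although it now sits in `FIPS_module_mode_set`, so once a separate `FIPS_mode_set` exists outside the module the error queue cannot tell which layer rejected the call. I would add a function code named after the new entry point (for example `FIPS_F_FIPS_MODULE_MODE_SET`, a suggested name) and use it here, or at least comment the line with `/* function code keeps the old FIPS_mode_set name */`. The same branch sets `fips_selftest_fail = 1`, so a second enable attempt appears to leave the module in the failed state; the outer wrapper presumably needs to test `FIPS_module_mode()` before calling in, and a comment saying so would help. The body of the function continues outside the hunk.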
@ -67,8 +67,8 @@ struct env_md_st;
|
||||
struct evp_cipher_st;
|
||||
struct evp_cipher_ctx_st;
|
||||
|
||||
int FIPS_mode_set(int onoff);
|
||||
int FIPS_mode(void);
|
||||
int FIPS_module_mode_set(int onoff);
|
||||
int FIPS_module_mode(void);
|
||||
const void *FIPS_rand_check(void);
|
||||
int FIPS_selftest(void);
|
||||
int FIPS_selftest_failed(void);
|
||||
|
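Review bot: The renamed prototypes `int FIPS_module_mode_set(int onoff);` and `int FIPS_module_mode(void);` carry no comment saying which layer they belong to, and after this change the header no longer declares `FIPS_mode()` or `FIPS_mode_set()` at all. Every key-size and approved-algorithm gate touched by this commit now keys off `FIPS_module_mode()`, so I would add above the pair `/* Mode control inside the validated module; applications call FIPS_mode()/FIPS_mode_set() from the FIPS capable OpenSSL */`. Callers outside the module that still use the old names will presumably fail to link until those wrappers exist, which is worth confirming against the rest of the tree.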
@ -945,7 +945,7 @@ int main(int argc,char **argv)
|
||||
}
|
||||
if (!no_exit) {
|
||||
fips_algtest_init_nofips();
|
||||
if (!FIPS_mode_set(1)) {
|
||||
if (!FIPS_module_mode_set(1)) {
|
||||
printf("Power-up self test failed\n");
|
||||
exit(1);
|
||||
}
|
||||
@ -964,8 +964,8 @@ int main(int argc,char **argv)
|
||||
/* Power-up self test
|
||||
*/
|
||||
ERR_clear_error();
|
||||
test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
|
||||
if (!FIPS_mode())
|
||||
test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1));
|
||||
if (!FIPS_module_mode())
|
||||
exit(1);
|
||||
if (do_drbg_stick)
|
||||
FIPS_drbg_stick();
|
||||
|
@ -136,7 +136,7 @@ void do_entropy_stick(void)
|
||||
void fips_algtest_init(void)
|
||||
{
|
||||
fips_algtest_init_nofips();
|
||||
if (!FIPS_mode_set(1))
|
||||
if (!FIPS_module_mode_set(1))
|
||||
{
|
||||
fprintf(stderr, "Error entering FIPS mode\n");
|
||||
exit(1);
|
||||
|
@ -72,7 +72,7 @@ int FIPS_rand_set_method(const RAND_METHOD *meth)
|
||||
else
|
||||
fips_approved_rand_meth = 0;
|
||||
|
||||
if (!fips_approved_rand_meth && FIPS_mode())
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode())
|
||||
{
|
||||
FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@ -83,7 +83,7 @@ int FIPS_rand_set_method(const RAND_METHOD *meth)
|
||||
|
||||
void FIPS_rand_seed(const void *buf, int num)
|
||||
{
|
||||
if (!fips_approved_rand_meth && FIPS_mode())
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode())
|
||||
{
|
||||
FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
|
||||
return;
|
||||
@ -94,7 +94,7 @@ void FIPS_rand_seed(const void *buf, int num)
|
||||
|
||||
void FIPS_rand_add(const void *buf, int num, double entropy)
|
||||
{
|
||||
if (!fips_approved_rand_meth && FIPS_mode())
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode())
|
||||
{
|
||||
FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
|
||||
return;
|
||||
@ -105,7 +105,7 @@ void FIPS_rand_add(const void *buf, int num, double entropy)
|
||||
|
||||
int FIPS_rand_bytes(unsigned char *buf, int num)
|
||||
{
|
||||
if (!fips_approved_rand_meth && FIPS_mode())
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode())
|
||||
{
|
||||
FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@ -117,7 +117,7 @@ int FIPS_rand_bytes(unsigned char *buf, int num)
|
||||
|
||||
int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
|
||||
{
|
||||
if (!fips_approved_rand_meth && FIPS_mode())
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode())
|
||||
{
|
||||
FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@ -129,7 +129,7 @@ int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
|
||||
|
||||
int FIPS_rand_status(void)
|
||||
{
|
||||
if (!fips_approved_rand_meth && FIPS_mode())
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode())
|
||||
{
|
||||
FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@ -153,7 +153,7 @@ int FIPS_rand_strength(void)
|
||||
return 80;
|
||||
else if (fips_approved_rand_meth == 0)
|
||||
{
|
||||
if (FIPS_mode())
|
||||
if (FIPS_module_mode())
|
||||
return 0;
|
||||
else
|
||||
return 256;
|
||||
|
@ -136,7 +136,7 @@ int FIPS_cipherinit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
||||
if (cipher)
|
||||
{
|
||||
/* Only FIPS ciphers allowed */
|
||||
if (FIPS_mode() && !(cipher->flags & EVP_CIPH_FLAG_FIPS) &&
|
||||
if (FIPS_module_mode() && !(cipher->flags & EVP_CIPH_FLAG_FIPS) &&
|
||||
!(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
|
||||
{
|
||||
EVPerr(EVP_F_FIPS_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
|
||||
@ -288,7 +288,7 @@ int FIPS_cipher_ctx_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
|
||||
}
|
||||
|
||||
/* Only FIPS ciphers allowed */
|
||||
if (FIPS_mode() && !(in->cipher->flags & EVP_CIPH_FLAG_FIPS) &&
|
||||
if (FIPS_module_mode() && !(in->cipher->flags & EVP_CIPH_FLAG_FIPS) &&
|
||||
!(out->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
|
||||
{
|
||||
EVPerr(EVP_F_FIPS_CIPHER_CTX_COPY, EVP_R_DISABLED_FOR_FIPS);
|
||||
|
@ -173,7 +173,7 @@ int FIPS_digestinit(EVP_MD_CTX *ctx, const EVP_MD *type)
|
||||
ctx->digest = &bad_md;
|
||||
return 0;
|
||||
}
|
||||
if(FIPS_mode() && !(type->flags & EVP_MD_FLAG_FIPS) &&
|
||||
if(FIPS_module_mode() && !(type->flags & EVP_MD_FLAG_FIPS) &&
|
||||
!(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
|
||||
{
|
||||
EVPerr(EVP_F_FIPS_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
|
||||
|