Rename FIPS_mode_set and FIPS_mode. These symbols will be defined in
authorDr. Stephen Henson <steve@openssl.org>
Wed, 11 May 2011 14:43:38 +0000 (14:43 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 11 May 2011 14:43:38 +0000 (14:43 +0000)
the FIPS capable OpenSSL.

19 files changed:
CHANGES
crypto/bn/bn_rand.c
crypto/dh/dh_gen.c
crypto/dh/dh_key.c
crypto/dsa/dsa_gen.c
crypto/dsa/dsa_key.c
crypto/dsa/dsa_ossl.c
crypto/ec/ec_key.c
crypto/evp/e_aes.c
crypto/rsa/rsa_eay.c
crypto/rsa/rsa_gen.c
crypto/rsa/rsa_x931g.c
fips/fips.c
fips/fips.h
fips/fips_test_suite.c
fips/fips_utl.h
fips/rand/fips_rand_lib.c
fips/utl/fips_enc.c
fips/utl/fips_md.c

diff --git a/CHANGES b/CHANGES
index 1ee3a47..872ab10 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]
 
+  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
+     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implmeneted
+     outside the validated module in the FIPS capable OpenSSL.
+     [Steve Henson]
+
   *) Initial TLS v1.2 client support. Add a default signature algorithms
      extension including all the algorithms we support. Parse new signature
      format in client key exchange. Relax some ECC signing restrictions for
index 30cc929..8d74895 100644 (file)
@@ -252,7 +252,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range)
         * generated. So we just use the second case which is equivalent to
         * "Generation by Testing Candidates" mentioned in B.1.2 et al.
         */
-       else if (!FIPS_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
+       else if (!FIPS_module_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
 #else
        else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
 #endif
index 9749b72..d0cecda 100644 (file)
@@ -118,7 +118,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB
                return 0;
                }
 
-       if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_module_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
                {
                DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
                goto err;
index 6c0c745..ca2435e 100644 (file)
@@ -128,7 +128,7 @@ static int generate_key(DH *dh)
        BIGNUM *pub_key=NULL,*priv_key=NULL;
 
 #ifdef OPENSSL_FIPS
-       if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
                {
                DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
                return 0;
@@ -227,7 +227,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
                }
 
 #ifdef OPENSSL_FIPS
-       if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
                {
                DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
                goto err;
index 4ff8a47..a4a0421 100644 (file)
@@ -141,7 +141,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
            goto err;
            }
 
-       if (FIPS_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) 
+       if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) 
                        && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
                {
                DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
@@ -412,7 +412,7 @@ static int dsa2_valid_parameters(size_t L, size_t N)
 int fips_check_dsa_prng(DSA *dsa, size_t L, size_t N)
        {
        int strength;
-       if (!FIPS_mode())
+       if (!FIPS_module_mode())
                return 1;
 
        if (dsa->flags & (DSA_FLAG_NON_FIPS_ALLOW|DSA_FLAG_FIPS_CHECKED))
index 3df9a6c..0c47ac4 100644 (file)
@@ -106,7 +106,7 @@ static int dsa_builtin_keygen(DSA *dsa)
        BIGNUM *pub_key=NULL,*priv_key=NULL;
 
 #ifdef OPENSSL_FIPS
-       if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+       if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
                && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
                {
                DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
index 38f667f..38b4f06 100644 (file)
@@ -150,7 +150,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
            return NULL;
            }
 
-       if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
+       if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
                && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
                {
                DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
@@ -353,7 +353,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
            return -1;
            }
 
-       if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
+       if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
                && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
                {
                DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
index 87ef77f..ef22737 100644 (file)
@@ -260,7 +260,7 @@ static int fips_check_ec(EC_KEY *key)
 int fips_check_ec_prng(EC_KEY *ec)
        {
        int bits, strength;
-       if (!FIPS_mode())
+       if (!FIPS_module_mode())
                return 1;
 
        if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED))
index b0cb33e..361abf2 100644 (file)
@@ -247,7 +247,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
                if (arg <= 0)
                        return 0;
 #ifdef OPENSSL_FIPS
-               if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
+               if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
                                                 && arg < 12)
                        return 0;
 #endif
@@ -519,7 +519,7 @@ static int aes_xts(EVP_CIPHER_CTX *ctx, unsigned char *out,
                return -1;
 #ifdef OPENSSL_FIPS
        /* Requirement of SP800-38E */
-       if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
+       if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
                        (len > (1L<<20)*16))
                {
                EVPerr(EVP_F_AES_XTS, EVP_R_TOO_LARGE);
index bb434d7..325efb9 100644 (file)
@@ -170,7 +170,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+       if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
                && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -382,7 +382,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+       if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
                && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -530,7 +530,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+       if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
                && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -674,7 +674,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+       if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
                && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
index 24f9eaf..d28f872 100644 (file)
@@ -82,7 +82,7 @@
 int fips_check_rsa_prng(RSA *rsa, int bits)
        {
        int strength;
-       if (!FIPS_mode())
+       if (!FIPS_module_mode())
                return 1;
 
        if (rsa->flags & (RSA_FLAG_NON_FIPS_ALLOW|RSA_FLAG_CHECKED))
@@ -205,7 +205,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
            return 0;
            }
 
-       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) 
+       if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) 
                && (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
            {
            FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
index 819a728..e6e62c4 100644 (file)
@@ -210,7 +210,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
        BN_CTX *ctx = NULL;
 
 #ifdef OPENSSL_FIPS
-       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) && 
+       if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) && 
                (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
            {
            FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
index a18fd58..6498595 100644 (file)
@@ -96,7 +96,7 @@ static void fips_set_mode(int onoff)
                }
        }
 
-int FIPS_mode(void)
+int FIPS_module_mode(void)
        {
        int ret = 0;
        int owning_thread = fips_is_owning_thread();
@@ -237,7 +237,7 @@ int FIPS_check_incore_fingerprint(void)
     return rv;
     }
 
-int FIPS_mode_set(int onoff)
+int FIPS_module_mode_set(int onoff)
     {
     int fips_set_owning_thread();
     int fips_clear_owning_thread();
@@ -254,7 +254,7 @@ int FIPS_mode_set(int onoff)
 
        /* Don't go into FIPS mode twice, just so we can do automagic
           seeding */
-       if(FIPS_mode())
+       if(FIPS_module_mode())
            {
            FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
            fips_selftest_fail = 1;
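Review bot: The error raised at `FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);` still uses the function code of the old name, so an error-queue entry from `FIPS_module_mode_set` will be attributed to `FIPS_mode_set`. Once the FIPS capable OpenSSL defines its own `FIPS_mode_set` outside the module, a log reader will not be able to tell which layer refused the mode change. Either add a function code named after the new function and use it here, or record the decision with a comment such as `/* function code kept as FIPS_F_FIPS_MODE_SET for compatibility */`. The body of `FIPS_module_mode_set` starts in the previous hunk and continues past this one, so other `FIPSerr` calls in it may need the same treatment.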
index c37c32b..d07d190 100644 (file)
@@ -67,8 +67,8 @@ struct env_md_st;
 struct evp_cipher_st;
 struct evp_cipher_ctx_st;
 
-int FIPS_mode_set(int onoff);
-int FIPS_mode(void);
+int FIPS_module_mode_set(int onoff);
+int FIPS_module_mode(void);
 const void *FIPS_rand_check(void);
 int FIPS_selftest(void);
 int FIPS_selftest_failed(void);
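Review bot: The renamed prototypes carry no comment saying how they differ from `FIPS_mode_set`/`FIPS_mode`, which per the commit message will be defined outside the validated module. Anyone deciding which of the two to test before a key-size or algorithm check needs that boundary stated in the header. I would add above the two declarations: `/* Mode of the validated module itself; FIPS_mode_set() and FIPS_mode() are provided by the FIPS capable OpenSSL, outside the module. */`.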
index 2f9333c..5290cb2 100644 (file)
@@ -945,7 +945,7 @@ int main(int argc,char **argv)
         }
        if (!no_exit) {
                fips_algtest_init_nofips();
-               if (!FIPS_mode_set(1)) {
+               if (!FIPS_module_mode_set(1)) {
                    printf("Power-up self test failed\n");
                    exit(1);
                }
@@ -964,8 +964,8 @@ int main(int argc,char **argv)
     /* Power-up self test
     */
     ERR_clear_error();
-    test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
-    if (!FIPS_mode())
+    test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1));
+    if (!FIPS_module_mode())
        exit(1);
     if (do_drbg_stick)
             FIPS_drbg_stick();
index dc29c20..6cb5809 100644 (file)
@@ -136,7 +136,7 @@ void do_entropy_stick(void)
 void fips_algtest_init(void)
        {
        fips_algtest_init_nofips();
-       if (!FIPS_mode_set(1))
+       if (!FIPS_module_mode_set(1))
                {
                fprintf(stderr, "Error entering FIPS mode\n");
                exit(1);
index 9ea6655..cc8d717 100644 (file)
@@ -72,7 +72,7 @@ int FIPS_rand_set_method(const RAND_METHOD *meth)
        else
                fips_approved_rand_meth = 0;
 
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
                return 0;
@@ -83,7 +83,7 @@ int FIPS_rand_set_method(const RAND_METHOD *meth)
 
 void FIPS_rand_seed(const void *buf, int num)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
                return;
@@ -94,7 +94,7 @@ void FIPS_rand_seed(const void *buf, int num)
 
 void FIPS_rand_add(const void *buf, int num, double entropy)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
                return;
@@ -105,7 +105,7 @@ void FIPS_rand_add(const void *buf, int num, double entropy)
 
 int FIPS_rand_bytes(unsigned char *buf, int num)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
                return 0;
@@ -117,7 +117,7 @@ int FIPS_rand_bytes(unsigned char *buf, int num)
 
 int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
                return 0;
@@ -129,7 +129,7 @@ int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
 
 int FIPS_rand_status(void)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
                return 0;
@@ -153,7 +153,7 @@ int FIPS_rand_strength(void)
                return 80;
        else if (fips_approved_rand_meth == 0)
                {
-               if (FIPS_mode())
+               if (FIPS_module_mode())
                        return 0;
                else
                        return 256;
index 55a880d..fcff5ec 100644 (file)
@@ -136,7 +136,7 @@ int FIPS_cipherinit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
        if (cipher)
                {
                /* Only FIPS ciphers allowed */
-               if (FIPS_mode() && !(cipher->flags & EVP_CIPH_FLAG_FIPS) &&
+               if (FIPS_module_mode() && !(cipher->flags & EVP_CIPH_FLAG_FIPS) &&
                        !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
                        {
                        EVPerr(EVP_F_FIPS_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
@@ -288,7 +288,7 @@ int FIPS_cipher_ctx_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
                }
 
        /* Only FIPS ciphers allowed */
-       if (FIPS_mode() && !(in->cipher->flags & EVP_CIPH_FLAG_FIPS) &&
+       if (FIPS_module_mode() && !(in->cipher->flags & EVP_CIPH_FLAG_FIPS) &&
                !(out->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
                {
                EVPerr(EVP_F_FIPS_CIPHER_CTX_COPY, EVP_R_DISABLED_FOR_FIPS);
index 5562679..8bc028a 100644 (file)
@@ -173,7 +173,7 @@ int FIPS_digestinit(EVP_MD_CTX *ctx, const EVP_MD *type)
                ctx->digest = &bad_md;
                return 0;
                }
-       if(FIPS_mode() && !(type->flags & EVP_MD_FLAG_FIPS) &&
+       if(FIPS_module_mode() && !(type->flags & EVP_MD_FLAG_FIPS) &&
                !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
                {
                EVPerr(EVP_F_FIPS_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);