Rename FIPS_mode_set and FIPS_mode. Theses symbols will be defined in the FIPS capable OpenSSL.

commit: c2fd5989945501b81b7d698c71eb34d767ac55bd [log] [tgz]
author: Dr. Stephen Henson <steve@openssl.org> Wed May 11 14:43:38 2011 +0000
committer: Dr. Stephen Henson <steve@openssl.org> Wed May 11 14:43:38 2011 +0000
tree: 55053bc68483b680272f347b8c53c6d3119487cc
parent: 5024b79f5c41d97f023a5dbb6142af906129bf86 [diff]
diff --git a/CHANGES b/CHANGES
index 1ee3a47..872ab10 100644
--- a/CHANGES
+++ b/CHANGES

@@ -4,6 +4,11 @@
 
  Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]
 
+  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
+     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implmeneted
+     outside the validated module in the FIPS capable OpenSSL.
+     [Steve Henson]
+
   *) Initial TLS v1.2 client support. Add a default signature algorithms
      extension including all the algorithms we support. Parse new signature
      format in client key exchange. Relax some ECC signing restrictions for

diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 30cc929..8d74895 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c

@@ -252,7 +252,7 @@
 	 * generated. So we just use the second case which is equivalent to
 	 * "Generation by Testing Candidates" mentioned in B.1.2 et al.
 	 */
-	else if (!FIPS_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
+	else if (!FIPS_module_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
 #else
 	else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
 #endif

diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 9749b72..d0cecda 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c

@@ -118,7 +118,7 @@
 		return 0;
 		}
 
-	if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+	if (FIPS_module_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
 		{
 		DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
 		goto err;

diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 6c0c745..ca2435e 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c

@@ -128,7 +128,7 @@
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
 
 #ifdef OPENSSL_FIPS
-	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+	if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
 		{
 		DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
 		return 0;
@@ -227,7 +227,7 @@
 		}
 
 #ifdef OPENSSL_FIPS
-	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+	if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
 		{
 		DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
 		goto err;

diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 4ff8a47..a4a0421 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c

@@ -141,7 +141,7 @@
 	    goto err;
 	    }
 
-	if (FIPS_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) 
+	if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) 
 			&& (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
 		{
 		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
@@ -412,7 +412,7 @@
 int fips_check_dsa_prng(DSA *dsa, size_t L, size_t N)
 	{
 	int strength;
-	if (!FIPS_mode())
+	if (!FIPS_module_mode())
 		return 1;
 
 	if (dsa->flags & (DSA_FLAG_NON_FIPS_ALLOW|DSA_FLAG_FIPS_CHECKED))

diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 3df9a6c..0c47ac4 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c

@@ -106,7 +106,7 @@
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
 
 #ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
 		&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
 		{
 		DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 38f667f..38b4f06 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c

@@ -150,7 +150,7 @@
 	    return NULL;
 	    }
 
-	if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
+	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
 		&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
 		{
 		DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
@@ -353,7 +353,7 @@
 	    return -1;
 	    }
 
-	if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
+	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
 		&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
 		{
 		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 87ef77f..ef22737 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c

@@ -260,7 +260,7 @@
 int fips_check_ec_prng(EC_KEY *ec)
 	{
 	int bits, strength;
-	if (!FIPS_mode())
+	if (!FIPS_module_mode())
 		return 1;
 
 	if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED))

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index b0cb33e..361abf2 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c

@@ -247,7 +247,7 @@
 		if (arg <= 0)
 			return 0;
 #ifdef OPENSSL_FIPS
-		if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
+		if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
 						 && arg < 12)
 			return 0;
 #endif
@@ -519,7 +519,7 @@
 		return -1;
 #ifdef OPENSSL_FIPS
 	/* Requirement of SP800-38E */
-	if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
+	if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
 			(len > (1L<<20)*16))
 		{
 		EVPerr(EVP_F_AES_XTS, EVP_R_TOO_LARGE);

diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index bb434d7..325efb9 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c

@@ -170,7 +170,7 @@
 		goto err;
 		}
 
-	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+	if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
 		{
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -382,7 +382,7 @@
 		goto err;
 		}
 
-	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+	if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
 		{
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -530,7 +530,7 @@
 		goto err;
 		}
 
-	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+	if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
 		{
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -674,7 +674,7 @@
 		goto err;
 		}
 
-	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+	if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
 		{
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 24f9eaf..d28f872 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c

@@ -82,7 +82,7 @@
 int fips_check_rsa_prng(RSA *rsa, int bits)
 	{
 	int strength;
-	if (!FIPS_mode())
+	if (!FIPS_module_mode())
 		return 1;
 
 	if (rsa->flags & (RSA_FLAG_NON_FIPS_ALLOW|RSA_FLAG_CHECKED))
@@ -205,7 +205,7 @@
 	    return 0;
 	    }
 
-	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) 
+	if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) 
 		&& (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
 	    {
 	    FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);

diff --git a/crypto/rsa/rsa_x931g.c b/crypto/rsa/rsa_x931g.c
index 819a728..e6e62c4 100644
--- a/crypto/rsa/rsa_x931g.c
+++ b/crypto/rsa/rsa_x931g.c

@@ -210,7 +210,7 @@
 	BN_CTX *ctx = NULL;
 
 #ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) && 
+	if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) && 
 		(bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
 	    {
 	    FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);

diff --git a/fips/fips.c b/fips/fips.c
index a18fd58..6498595 100644
--- a/fips/fips.c
+++ b/fips/fips.c

@@ -96,7 +96,7 @@
 		}
 	}
 
-int FIPS_mode(void)
+int FIPS_module_mode(void)
 	{
 	int ret = 0;
 	int owning_thread = fips_is_owning_thread();
@@ -237,7 +237,7 @@
     return rv;
     }
 
-int FIPS_mode_set(int onoff)
+int FIPS_module_mode_set(int onoff)
     {
     int fips_set_owning_thread();
     int fips_clear_owning_thread();
@@ -254,7 +254,7 @@
 
 	/* Don't go into FIPS mode twice, just so we can do automagic
 	   seeding */
-	if(FIPS_mode())
+	if(FIPS_module_mode())
 	    {
 	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
 	    fips_selftest_fail = 1;

diff --git a/fips/fips.h b/fips/fips.h
index c37c32b..d07d190 100644
--- a/fips/fips.h
+++ b/fips/fips.h

@@ -67,8 +67,8 @@
 struct evp_cipher_st;
 struct evp_cipher_ctx_st;
 
-int FIPS_mode_set(int onoff);
-int FIPS_mode(void);
+int FIPS_module_mode_set(int onoff);
+int FIPS_module_mode(void);
 const void *FIPS_rand_check(void);
 int FIPS_selftest(void);
 int FIPS_selftest_failed(void);

diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index 2f9333c..5290cb2 100644
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c

@@ -945,7 +945,7 @@
         }
 	if (!no_exit) {
     		fips_algtest_init_nofips();
-        	if (!FIPS_mode_set(1)) {
+        	if (!FIPS_module_mode_set(1)) {
         	    printf("Power-up self test failed\n");
 		    exit(1);
 		}
@@ -964,8 +964,8 @@
     /* Power-up self test
     */
     ERR_clear_error();
-    test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
-    if (!FIPS_mode())
+    test_msg("2. Automatic power-up self test", FIPS_module_mode_set(1));
+    if (!FIPS_module_mode())
 	exit(1);
     if (do_drbg_stick)
             FIPS_drbg_stick();

diff --git a/fips/fips_utl.h b/fips/fips_utl.h
index dc29c20..6cb5809 100644
--- a/fips/fips_utl.h
+++ b/fips/fips_utl.h

@@ -136,7 +136,7 @@
 void fips_algtest_init(void)
 	{
 	fips_algtest_init_nofips();
-	if (!FIPS_mode_set(1))
+	if (!FIPS_module_mode_set(1))
 		{
 		fprintf(stderr, "Error entering FIPS mode\n");
 		exit(1);

diff --git a/fips/rand/fips_rand_lib.c b/fips/rand/fips_rand_lib.c
index 9ea6655..cc8d717 100644
--- a/fips/rand/fips_rand_lib.c
+++ b/fips/rand/fips_rand_lib.c

@@ -72,7 +72,7 @@
 	else
 		fips_approved_rand_meth = 0;
 
-	if (!fips_approved_rand_meth && FIPS_mode())
+	if (!fips_approved_rand_meth && FIPS_module_mode())
 		{
 		FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
 		return 0;
@@ -83,7 +83,7 @@
 
 void FIPS_rand_seed(const void *buf, int num)
 	{
-	if (!fips_approved_rand_meth && FIPS_mode())
+	if (!fips_approved_rand_meth && FIPS_module_mode())
 		{
 		FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
 		return;
@@ -94,7 +94,7 @@
 
 void FIPS_rand_add(const void *buf, int num, double entropy)
 	{
-	if (!fips_approved_rand_meth && FIPS_mode())
+	if (!fips_approved_rand_meth && FIPS_module_mode())
 		{
 		FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
 		return;
@@ -105,7 +105,7 @@
 
 int FIPS_rand_bytes(unsigned char *buf, int num)
 	{
-	if (!fips_approved_rand_meth && FIPS_mode())
+	if (!fips_approved_rand_meth && FIPS_module_mode())
 		{
 		FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
 		return 0;
@@ -117,7 +117,7 @@
 
 int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
 	{
-	if (!fips_approved_rand_meth && FIPS_mode())
+	if (!fips_approved_rand_meth && FIPS_module_mode())
 		{
 		FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
 		return 0;
@@ -129,7 +129,7 @@
 
 int FIPS_rand_status(void)
 	{
-	if (!fips_approved_rand_meth && FIPS_mode())
+	if (!fips_approved_rand_meth && FIPS_module_mode())
 		{
 		FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
 		return 0;
@@ -153,7 +153,7 @@
 		return 80;
 	else if (fips_approved_rand_meth == 0)
 		{
-		if (FIPS_mode())
+		if (FIPS_module_mode())
 			return 0;
 		else
 			return 256;

diff --git a/fips/utl/fips_enc.c b/fips/utl/fips_enc.c
index 55a880d..fcff5ec 100644
--- a/fips/utl/fips_enc.c
+++ b/fips/utl/fips_enc.c

@@ -136,7 +136,7 @@
 	if (cipher)
 		{
 		/* Only FIPS ciphers allowed */
-		if (FIPS_mode() && !(cipher->flags & EVP_CIPH_FLAG_FIPS) &&
+		if (FIPS_module_mode() && !(cipher->flags & EVP_CIPH_FLAG_FIPS) &&
 			!(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
 			{
 			EVPerr(EVP_F_FIPS_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
@@ -288,7 +288,7 @@
 		}
 
 	/* Only FIPS ciphers allowed */
-	if (FIPS_mode() && !(in->cipher->flags & EVP_CIPH_FLAG_FIPS) &&
+	if (FIPS_module_mode() && !(in->cipher->flags & EVP_CIPH_FLAG_FIPS) &&
 		!(out->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
 		{
 		EVPerr(EVP_F_FIPS_CIPHER_CTX_COPY, EVP_R_DISABLED_FOR_FIPS);

diff --git a/fips/utl/fips_md.c b/fips/utl/fips_md.c
index 5562679..8bc028a 100644
--- a/fips/utl/fips_md.c
+++ b/fips/utl/fips_md.c

@@ -173,7 +173,7 @@
 		ctx->digest = &bad_md;
 		return 0;
 		}
-	if(FIPS_mode() && !(type->flags & EVP_MD_FLAG_FIPS) &&
+	if(FIPS_module_mode() && !(type->flags & EVP_MD_FLAG_FIPS) &&
 		!(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
 		{
 		EVPerr(EVP_F_FIPS_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
commit	c2fd5989945501b81b7d698c71eb34d767ac55bd	[log] [tgz]
author	Dr. Stephen Henson <steve@openssl.org>	Wed May 11 14:43:38 2011 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	Wed May 11 14:43:38 2011 +0000
tree	55053bc68483b680272f347b8c53c6d3119487cc
parent	5024b79f5c41d97f023a5dbb6142af906129bf86 [diff]