author | Richard Levitte <levitte@openssl.org> | 2020-04-13 22:34:56 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2020-04-28 15:37:37 +0200 |
commit | f844f9eb44186df2f8b0cfd3264b4eb003d8c61a (patch) | |
tree | 29860f9c269b67546a418c0197066164e455a362 /crypto | |
parent | cf86057a1acd13b13c9bd8f7b8a14bbc0e3ffd56 (diff) |
Rename FIPS_MODE to FIPS_MODULE
This macro is used to determine if certain pieces of code should
become part of the FIPS module or not. The old name was confusing.
Fixes #11538
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11539)
Diffstat (limited to 'crypto')
71 files changed, 411 insertions, 411 deletions
diff --git a/crypto/bn/bn_conv.c b/crypto/bn/bn_conv.c index fd21464d74..089b755748 100644 --- a/crypto/bn/bn_conv.c +++ b/crypto/bn/bn_conv.c @@ -46,8 +46,8 @@ char *BN_bn2hex(const BIGNUM *a) return buf; } -#ifndef FIPS_MODE -/* No BIO_snprintf in FIPS_MODE */ +#ifndef FIPS_MODULE +/* No BIO_snprintf in FIPS_MODULE */ /* Must 'OPENSSL_free' the returned data */ char *BN_bn2dec(const BIGNUM *a) { diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index ecc0034bbc..5fc8322a31 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -90,7 +90,7 @@ struct bignum_ctx { OPENSSL_CTX *libctx; }; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE /* Debugging functionality */ static void ctxdbg(BIO *channel, const char *text, BN_CTX *ctx) { @@ -126,7 +126,7 @@ static void ctxdbg(BIO *channel, const char *text, BN_CTX *ctx) #else /* TODO(3.0): Consider if we want to do this in FIPS mode */ # define CTXDBG(str, ctx) do {} while(0) -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ BN_CTX *BN_CTX_new_ex(OPENSSL_CTX *ctx) { @@ -143,7 +143,7 @@ BN_CTX *BN_CTX_new_ex(OPENSSL_CTX *ctx) return ret; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE BN_CTX *BN_CTX_new(void) { return BN_CTX_new_ex(NULL); @@ -159,7 +159,7 @@ BN_CTX *BN_CTX_secure_new_ex(OPENSSL_CTX *ctx) return ret; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE BN_CTX *BN_CTX_secure_new(void) { return BN_CTX_secure_new_ex(NULL); @@ -170,7 +170,7 @@ void BN_CTX_free(BN_CTX *ctx) { if (ctx == NULL) return; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE OSSL_TRACE_BEGIN(BN_CTX) { BN_POOL_ITEM *pool = ctx->pool.head; BIO_printf(trc_out, diff --git a/crypto/bn/bn_dh.c b/crypto/bn/bn_dh.c index 9ffb6d8d83..9a7cc17f62 100644 --- a/crypto/bn/bn_dh.c +++ b/crypto/bn/bn_dh.c @@ -22,7 +22,7 @@ /* DH parameters from RFC3526 */ -# ifndef FIPS_MODE +# ifndef FIPS_MODULE /* * "1536-bit MODP Group" from RFC3526, Section 2. * 
@@ -60,7 +60,7 @@ static const BN_ULONG modp_1536_q[] = { BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) }; -# endif /* FIPS_MODE */ +# endif /* FIPS_MODULE */ /*- * "2048-bit MODP Group" from RFC3526, Section 3. @@ -1037,7 +1037,7 @@ make_dh_bn(ffdhe6144_q) make_dh_bn(ffdhe8192_p) make_dh_bn(ffdhe8192_q) -# ifndef FIPS_MODE +# ifndef FIPS_MODULE make_dh_bn(modp_1536_p) make_dh_bn(modp_1536_q) # endif diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index ce5789ea3e..20fa0baac7 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -207,7 +207,7 @@ int BN_generate_prime_ex2(BIGNUM *ret, int bits, int safe, return found; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb) { @@ -265,7 +265,7 @@ static int bn_is_prime_int(const BIGNUM *w, int checks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb) { int i, status, ret = -1; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE BN_CTX *ctxlocal = NULL; #else @@ -301,7 +301,7 @@ static int bn_is_prime_int(const BIGNUM *w, int checks, BN_CTX *ctx, if (!BN_GENCB_call(cb, 1, -1)) return -1; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (ctx == NULL && (ctxlocal = ctx = BN_CTX_new()) == NULL) goto err; #endif @@ -311,7 +311,7 @@ static int bn_is_prime_int(const BIGNUM *w, int checks, BN_CTX *ctx, goto err; ret = (status == BN_PRIMETEST_PROBABLY_PRIME); err: -#ifndef FIPS_MODE +#ifndef FIPS_MODULE BN_CTX_free(ctxlocal); #endif return ret; diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 91cb39ee49..e603bb7030 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c 
@@ -103,7 +103,7 @@ int BN_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, BN_CTX *ctx) { return bnrand(NORMAL, rnd, bits, top, bottom, ctx); } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(NORMAL, rnd, bits, top, bottom, NULL); @@ -120,7 +120,7 @@ int BN_priv_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, BN_CTX *ctx) return bnrand(PRIVATE, rnd, bits, top, bottom, ctx); } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(PRIVATE, rnd, bits, top, bottom, NULL); @@ -199,7 +199,7 @@ int BN_rand_range_ex(BIGNUM *r, const BIGNUM *range, BN_CTX *ctx) return bnrand_range(NORMAL, r, range, ctx); } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int BN_rand_range(BIGNUM *r, const BIGNUM *range) { return bnrand_range(NORMAL, r, range, NULL); @@ -211,7 +211,7 @@ int BN_priv_rand_range_ex(BIGNUM *r, const BIGNUM *range, BN_CTX *ctx) return bnrand_range(PRIVATE, r, range, ctx); } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range) { return bnrand_range(PRIVATE, r, range, NULL); diff --git a/crypto/context.c b/crypto/context.c index cf3b078b5d..1c95298ea2 100644 --- a/crypto/context.c +++ b/crypto/context.c @@ -39,7 +39,7 @@ struct openssl_ctx_st { struct openssl_ctx_onfree_list_st *onfreelist; }; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE static OPENSSL_CTX default_context_int; /* Always points at default_context_int if it has been initialised */ @@ -119,7 +119,7 @@ static int context_deinit(OPENSSL_CTX *ctx) return 1; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE void openssl_ctx_default_deinit(void) { context_deinit(default_context); @@ -146,7 +146,7 @@ OPENSSL_CTX *OPENSSL_CTX_new(void) return ctx; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int OPENSSL_CTX_load_config(OPENSSL_CTX *ctx, const char *config_file) { return CONF_modules_load_file_with_libctx(ctx, config_file, NULL, 0) > 0; 
@@ -162,7 +162,7 @@ void OPENSSL_CTX_free(OPENSSL_CTX *ctx) OPENSSL_CTX *openssl_ctx_get_concrete(OPENSSL_CTX *ctx) { -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (ctx == NULL) { if (!RUN_ONCE(&default_context_init, do_default_context_init)) return 0; @@ -174,7 +174,7 @@ OPENSSL_CTX *openssl_ctx_get_concrete(OPENSSL_CTX *ctx) int openssl_ctx_is_default(OPENSSL_CTX *ctx) { -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (ctx == NULL || ctx == default_context) return 1; #endif diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c index 3d509314fa..94c80de091 100644 --- a/crypto/core_namemap.c +++ b/crypto/core_namemap.c @@ -136,7 +136,7 @@ int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, NAMENUM_ENTRY *namenum_entry, namenum_tmpl; int number = 0; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (namemap == NULL) namemap = ossl_namemap_stored(NULL); #endif @@ -198,7 +198,7 @@ int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, NAMENUM_ENTRY *namenum = NULL; int tmp_number; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (namemap == NULL) namemap = ossl_namemap_stored(NULL); #endif @@ -309,7 +309,7 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, * ============== */ -#ifndef FIPS_MODE +#ifndef FIPS_MODULE #include <openssl/evp.h> /* Creates an initial namemap with names found in the legacy method db */ @@ -366,7 +366,7 @@ OSSL_NAMEMAP *ossl_namemap_stored(OPENSSL_CTX *libctx) openssl_ctx_get_data(libctx, OPENSSL_CTX_NAMEMAP_INDEX, &stored_namemap_method); -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (namemap != NULL && ossl_namemap_empty(namemap)) { /* Before pilfering, we make sure the legacy database is populated */ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index a25e83f15e..9dd595ae12 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c 
@@ -44,7 +44,7 @@ int DH_check_params_ex(const DH *dh) return errflags == 0; } -#ifdef FIPS_MODE +#ifdef FIPS_MODULE int DH_check_params(const DH *dh, int *ret) { int nid; @@ -102,7 +102,7 @@ int DH_check_params(const DH *dh, int *ret) BN_CTX_free(ctx); return ok; } -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ /*- * Check that p is a safe prime and @@ -140,7 +140,7 @@ int DH_check_ex(const DH *dh) /* Note: according to documentation - this only checks the params */ int DH_check(const DH *dh, int *ret) { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE return DH_check_params(dh, ret); #else int ok = 0, r; @@ -210,7 +210,7 @@ int DH_check(const DH *dh, int *ret) BN_CTX_end(ctx); BN_CTX_free(ctx); return ok; -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ } int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index 39bb365216..327f6ff610 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -30,10 +30,10 @@ #include "crypto/dh.h" #include "dh_local.h" -#ifndef FIPS_MODE +#ifndef FIPS_MODULE static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ int dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, EVP_MD *md, BN_GENCB *cb) @@ -47,7 +47,7 @@ int dh_generate_ffc_parameters(DH *dh, int type, int pbits, qbits = (pbits >= 2048 ? SHA256_DIGEST_LENGTH : SHA_DIGEST_LENGTH) * 8; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (type == DH_PARAMGEN_TYPE_FIPS_186_2) ret = ffc_params_FIPS186_2_generate(dh->libctx, &dh->params, FFC_PARAM_TYPE_DH, @@ -96,7 +96,7 @@ int dh_get_named_group_uid_from_size(int pbits) return nid; } -#ifdef FIPS_MODE +#ifdef FIPS_MODULE static int dh_gen_named_group(OPENSSL_CTX *libctx, DH *ret, int prime_len) { 
@@ -116,12 +116,12 @@ static int dh_gen_named_group(OPENSSL_CTX *libctx, DH *ret, int prime_len) DH_free(dh); return ok; } -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE if (generator != 2) return 0; return dh_gen_named_group(ret->libctx, ret, prime_len); @@ -129,10 +129,10 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, if (ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); return dh_builtin_genparams(ret, prime_len, generator, cb); -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE /*- * We generate DH parameters as follows * find a prime p which is prime_len bits long, @@ -238,4 +238,4 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_CTX_free(ctx); return ok; } -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ diff --git a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c index 7221e806c5..e0daa6ebc4 100644 --- a/crypto/dh/dh_group_params.c +++ b/crypto/dh/dh_group_params.c @@ -59,7 +59,7 @@ static const DH_NAMED_GROUP dh_named_groups[] = { FFDHE(4096), FFDHE(6144), FFDHE(8192), -#ifndef FIPS_MODE +#ifndef FIPS_MODULE MODP(1536), #endif MODP(2048), @@ -71,7 +71,7 @@ static const DH_NAMED_GROUP dh_named_groups[] = { * Additional dh named groups from RFC 5114 that have a different g. * The uid can be any unique identifier. */ -#ifndef FIPS_MODE +#ifndef FIPS_MODULE RFC5114("dh_1024_160", 1, 1024, 1024_160), RFC5114("dh_2048_224", 2, 2048, 2048_224), RFC5114("dh_2048_256", 3, 2048, 2048_256), diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 918949d953..1893b487ca 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -20,7 +20,7 @@ #include "crypto/dh.h" #include "crypto/security_bits.h" -#ifdef FIPS_MODE +#ifdef FIPS_MODULE # define MIN_STRENGTH 112 #else # define MIN_STRENGTH 80 
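Review bot: `MIN_STRENGTH` in crypto/dh/dh_key.c is chosen by a bare `#ifdef FIPS_MODULE`, so a guard or build flag that still uses the old name does not fail the build; it silently takes the non-FIPS branch (80 instead of 112 here). The same holds for every `#ifdef`/`#ifndef` hunk in this commit, and the diffstat shown is limited to crypto/, so the rest of the tree cannot be checked from this page. I would pair the rename with a tree-wide search for the old identifier and a guard in a commonly included internal header for builds that still define it: `#ifdef FIPS_MODE` / `# error "FIPS_MODE was renamed to FIPS_MODULE"` / `#endif`.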
@@ -39,7 +39,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *tmp; int ret = -1; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int check_result; #endif @@ -74,7 +74,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; } /* TODO(3.0) : Solve in a PR related to Key validation for DH */ -#ifndef FIPS_MODE +#ifndef FIPS_MODULE if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) { DHerr(0, DH_R_INVALID_PUBKEY); goto err; @@ -95,7 +95,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE return compute_key(key, pub_key, dh); #else return dh->meth->compute_key(key, pub_key, dh); @@ -106,7 +106,7 @@ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) { int rv, pad; -#ifdef FIPS_MODE +#ifdef FIPS_MODULE rv = compute_key(key, pub_key, dh); #else rv = dh->meth->compute_key(key, pub_key, dh); @@ -166,16 +166,16 @@ static int dh_finish(DH *dh) return 1; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE void DH_set_default_method(const DH_METHOD *meth) { default_DH_method = meth; } -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ int DH_generate_key(DH *dh) { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE return generate_key(dh); #else return dh->meth->generate_key(dh); @@ -214,7 +214,7 @@ static int generate_key(DH *dh) { int ok = 0; int generate_new_key = 0; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE unsigned l; #endif BN_CTX *ctx = NULL; @@ -264,7 +264,7 @@ static int generate_key(DH *dh) max_strength, priv_key)) goto err; } else { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE if (dh->params.q == NULL) goto err; #else diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 7e42d13f3c..c3585f264f 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c 
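Review bot: In the `compute_key` hunk at -74,7 of crypto/dh/dh_key.c, the `DH_check_pub_key` call sits inside `#ifndef FIPS_MODULE`, so in the module build the visible path goes on without this validation of the peer's public value. The existing `TODO(3.0)` acknowledges the gap but does not say where the check is expected to happen instead, and whether a caller validates the key earlier is not visible in this diff. I would extend the comment to record that, e.g. `/* TODO(3.0): the FIPS module skips DH_check_pub_key() here; confirm callers validate pub_key until this is resolved */`. compute_key's body starts and ends outside the hunk.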
@@ -26,7 +26,7 @@ static DH *dh_new_intern(ENGINE *engine, OPENSSL_CTX *libctx); -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int DH_set_method(DH *dh, const DH_METHOD *meth) { /* @@ -61,7 +61,7 @@ DH *DH_new_method(ENGINE *engine) |