Diffstat (limited to 'lib/fips.h')
-rw-r--r-- | lib/fips.h | 71 |
1 files changed, 39 insertions, 32 deletions
diff --git a/lib/fips.h b/lib/fips.h
index ef82a3227a..b2cfc0b602 100644
--- a/lib/fips.h
+++ b/lib/fips.h
@@ -21,12 +21,12 @@
  */
 
 #ifndef GNUTLS_LIB_FIPS_H
-# define GNUTLS_LIB_FIPS_H
+#define GNUTLS_LIB_FIPS_H
 
-# include "gnutls_int.h"
-# include <gnutls/gnutls.h>
+#include "gnutls_int.h"
+#include <gnutls/gnutls.h>
 
-# define FIPS140_RND_KEY_SIZE 32
+#define FIPS140_RND_KEY_SIZE 32
 
 typedef enum {
 	LIB_STATE_POWERON,
@@ -43,8 +43,7 @@ extern gnutls_crypto_rnd_st _gnutls_fips_rnd_ops;
 
 void _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state);
 
-inline static
-void _gnutls_switch_lib_state(gnutls_lib_state_t state)
+inline static void _gnutls_switch_lib_state(gnutls_lib_state_t state)
 {
 	/* Once into zombie state no errors can change us */
 	_gnutls_lib_state = state;
@@ -59,16 +58,19 @@ int _gnutls_fips_perform_self_checks1(void);
 int _gnutls_fips_perform_self_checks2(void);
 void _gnutls_fips_mode_reset_zombie(void);
 
-# ifdef ENABLE_FIPS140
+#ifdef ENABLE_FIPS140
 unsigned _gnutls_fips_mode_enabled(void);
-# else
-# define _gnutls_fips_mode_enabled() 0
-# endif
+#else
+#define _gnutls_fips_mode_enabled() 0
+#endif
 
-# define HAVE_LIB_ERROR() unlikely(_gnutls_get_lib_state() != LIB_STATE_OPERATIONAL && _gnutls_get_lib_state() != LIB_STATE_SELFTEST)
+#define HAVE_LIB_ERROR() \
+	unlikely(_gnutls_get_lib_state() != LIB_STATE_OPERATIONAL && \
+		 _gnutls_get_lib_state() != LIB_STATE_SELFTEST)
 
-# define FAIL_IF_LIB_ERROR \
-	if (HAVE_LIB_ERROR()) return GNUTLS_E_LIB_IN_ERROR_STATE
+#define FAIL_IF_LIB_ERROR \
+	if (HAVE_LIB_ERROR()) \
+		return GNUTLS_E_LIB_IN_ERROR_STATE
 
 void _gnutls_switch_lib_state(gnutls_lib_state_t state);
 
@@ -157,21 +159,26 @@ is_cipher_algo_allowed_in_fips(gnutls_cipher_algorithm_t algo)
 	}
 }
 
-# ifdef ENABLE_FIPS140
+#ifdef ENABLE_FIPS140
 /* This will test the condition when in FIPS140-2 mode
  * and return an error if necessary or ignore */
-# define FIPS_RULE(condition, ret_error, ...) { \
-	gnutls_fips_mode_t _mode = _gnutls_fips_mode_enabled(); \
-	if (_mode != GNUTLS_FIPS140_DISABLED) { \
-		if (condition) { \
-			if (_mode == GNUTLS_FIPS140_LOG) { \
-				_gnutls_audit_log(NULL, "fips140-2: allowing "__VA_ARGS__); \
-			} else if (_mode != GNUTLS_FIPS140_LAX) { \
-				_gnutls_debug_log("fips140-2: disallowing "__VA_ARGS__); \
-				return ret_error; \
-			} \
-		} \
-	}}
+#define FIPS_RULE(condition, ret_error, ...) \
+	{ \
+		gnutls_fips_mode_t _mode = _gnutls_fips_mode_enabled(); \
+		if (_mode != GNUTLS_FIPS140_DISABLED) { \
+			if (condition) { \
+				if (_mode == GNUTLS_FIPS140_LOG) { \
+					_gnutls_audit_log( \
+						NULL, \
+						"fips140-2: allowing " __VA_ARGS__); \
+				} else if (_mode != GNUTLS_FIPS140_LAX) { \
+					_gnutls_debug_log( \
+						"fips140-2: disallowing " __VA_ARGS__); \
+					return ret_error; \
+				} \
+			} \
+		} \
+	}
 
 inline static bool is_mac_algo_allowed(gnutls_mac_algorithm_t algo)
 {
@@ -216,10 +223,10 @@ inline static bool is_cipher_algo_allowed(gnutls_cipher_algorithm_t algo)
 	return true;
 }
 
-# else
-# define is_mac_algo_allowed(x) true
-# define is_cipher_algo_allowed(x) true
-# define FIPS_RULE(condition, ret_error, ...)
-# endif
+#else
+#define is_mac_algo_allowed(x) true
+#define is_cipher_algo_allowed(x) true
+#define FIPS_RULE(condition, ret_error, ...)
+#endif
 
-#endif /* GNUTLS_LIB_FIPS_H */
+#endif /* GNUTLS_LIB_FIPS_H */
|