Remove the forced fips mode

* cipher/rsa.c (generate_fips): Drop reference to enforced fips mode and
  use normal FIPS mode check
* doc/gcrypt.texi: Drop references to enforced FIPS mode
* src/fips.c (enforced_fips_mode): Removed
  (_gcry_initialize_fips_mode): Remove reading of the FIPS_FORCE_FILE
  to enforce FIPS mode
  (_gcry_enforced_fips_mode): Remove
  (_gcry_set_enforced_fips_mode): Remove
* src/g10lib.h (_gcry_enforced_fips_mode): Remove declaration
  (_gcry_set_enforced_fips_mode): Remova declaration
* src/global.c (print_config): Remove the forced fips flag
  (_gcry_vcontrol): Deprecate GCRYCTL_SET_ENFORCED_FIPS_FLAG
  (get_no_secure_memory): Ignore the option in FIPS mode
--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

(_gcry_vcontrol): Simply ignore GCRYCTL_SET_ENFORCED_FIPS_FLAG.

Signed-off-by: Werner Koch <wk@gnupg.org>
GnuPG-bug-id: 5244

5 files changed, 13 insertions, 85 deletions

diff --git a/cipher/rsa.c b/cipher/rsa.c
index cdb355fa..2461c4ef 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -381,7 +381,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
 
   if (nbits <= 1024 || (nbits & 0x1FF))
     return GPG_ERR_INV_VALUE;
-  if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
+  if (fips_mode() && nbits != 2048 && nbits != 3072)
       return GPG_ERR_INV_VALUE;
 
   /* The random quality depends on the transient_key flag.  */
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 6ef68884..4d7d93f1 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -535,21 +535,6 @@ initialization (i.e. before @code{gcry_check_version}).
 
 @end itemize
 
-@cindex Enforced FIPS mode
-
-In addition to the standard FIPS mode, Libgcrypt may also be put into
-an Enforced FIPS mode by writing a non-zero value into the file
-@file{/etc/gcrypt/fips_enabled} or by using the control command
-@code{GCRYCTL_SET_ENFORCED_FIPS_FLAG} before any other calls to
-libgcrypt.  The Enforced FIPS mode helps to detect applications
-which don't fulfill all requirements for using
-Libgcrypt in FIPS mode (@pxref{FIPS Mode}).
-
-Once Libgcrypt has been put into FIPS mode, it is not possible to
-switch back to standard mode without terminating the process first.
-If the logging verbosity level of Libgcrypt has been set to at least
-2, the state transitions and the self-tests are logged.
-
 @node Hardware features
 @section How to disable hardware features
 @cindex hardware features
@@ -677,10 +662,8 @@ to disable secure memory is to use @code{GCRYCTL_DISABLE_SECMEM} right
 after initialization.
 
 @item GCRYCTL_DISABLE_SECMEM; Arguments: none
-This command disables the use of secure memory.  If this command is
-used in FIPS mode, FIPS mode will be disabled and the function
-@code{gcry_fips_mode_active} returns false.  However, in Enforced FIPS
-mode this command has no effect at all.
+This command disables the use of secure memory.  In FIPS mode this command
+has no effect at all.
 
 Many applications do not require secure memory, so they should disable
 it right away.  This command should be executed right after
@@ -889,13 +872,7 @@ application switch the library into FIPS mode.  Note that Libgcrypt will
 reject an attempt to switch to fips mode during or after the initialization.
 
 @item GCRYCTL_SET_ENFORCED_FIPS_FLAG; Arguments: none
-Running this command sets the internal flag that puts the library into
-the enforced FIPS mode during the FIPS mode initialization.  This command
-does not affect the library if the library is not put into the FIPS mode and
-it must be used before any other libgcrypt library calls that initialize
-the library such as @code{gcry_check_version}. Note that Libgcrypt will
-reject an attempt to switch to the enforced fips mode during or after
-the initialization.
+This command is obsolete and has no effect; do not use it.
 
 @item GCRYCTL_SET_PREFERRED_RNG_TYPE; Arguments: int
 These are advisory commands to select a certain random number
@@ -6771,18 +6748,15 @@ On-the-fly self-tests are not performed, instead self-tests are run
 before entering operational state.
 
 @item
-The function @code{gcry_set_allocation_handler} may not be used.  If
-it is used Libgcrypt disables FIPS mode unless Enforced FIPS mode is
-enabled, in which case Libgcrypt will enter the error state.
+The function @code{gcry_set_allocation_handler} may not be used. In FIPS mode
+this function does not have any effect, because FIPS has a requirements for
+memory zeroization.
 
 @item
-The digest algorithm MD5 may not be used.  If it is used Libgcrypt
-disables FIPS mode unless Enforced FIPS mode is enabled, in which case
-Libgcrypt will enter the error state.
+The digest algorithm MD5 may not be used.
 
 @item
-In Enforced FIPS mode the command @code{GCRYCTL_DISABLE_SECMEM} is
-ignored.  In standard FIPS mode it disables FIPS mode.
+In FIPS mode the command @code{GCRYCTL_DISABLE_SECMEM} is ignored.
 
 @item
 A handler set by @code{gcry_set_outofcore_handler} is ignored.
diff --git a/src/fips.c b/src/fips.c
index 3759a67a..5581da1b 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -58,9 +58,6 @@ enum module_states
    fips_mode()! */
 int _gcry_no_fips_mode_required;
 
-/* Flag to indicate that we are in the enforced FIPS mode.  */
-static int enforced_fips_mode;
-
 /* This is the lock we use to protect the FSM.  */
 GPGRT_LOCK_DEFINE (fsm_lock);
 
@@ -171,7 +168,6 @@ _gcry_initialize_fips_mode (int force)
   if (!_gcry_no_fips_mode_required)
     {
       /* Yes, we are in FIPS mode.  */
-      FILE *fp;
 
       /* Intitialize the lock to protect the FSM.  */
       err = gpgrt_lock_init (&fsm_lock);
@@ -190,19 +186,6 @@ _gcry_initialize_fips_mode (int force)
           abort ();
         }
 
-
-      /* If the FIPS force files exists, is readable and has a number
-         != 0 on its first line, we enable the enforced fips mode.  */
-      fp = fopen (FIPS_FORCE_FILE, "r");
-      if (fp)
-        {
-          char line[256];
-
-          if (fgets (line, sizeof line, fp) && atoi (line))
-            enforced_fips_mode = 1;
-          fclose (fp);
-        }
-
       /* Now get us into the INIT state.  */
       fips_new_state (STATE_INIT);
 
@@ -249,23 +232,6 @@ unlock_fsm (void)
 }
 
 
-/* Return a flag telling whether we are in the enforced fips mode.  */
-int
-_gcry_enforced_fips_mode (void)
-{
-  if (!fips_mode ())
-    return 0;
-  return enforced_fips_mode;
-}
-
-/* Set a flag telling whether we are in the enforced fips mode.  */
-void
-_gcry_set_enforced_fips_mode (void)
-{
-  enforced_fips_mode = 1;
-}
-
-
 static const char *
 state2str (enum module_states state)
 {
diff --git a/src/g10lib.h b/src/g10lib.h
index 74de3653..0f827074 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -435,10 +435,6 @@ void _gcry_initialize_fips_mode (int force);
    existing.  */
 #define fips_mode() (!_gcry_no_fips_mode_required)
 
-int _gcry_enforced_fips_mode (void);
-
-void _gcry_set_enforced_fips_mode (void);
-
 
 void _gcry_fips_signal_error (const char *srcfile,
                               int srcline,
diff --git a/src/global.c b/src/global.c
index bebd0818..0e5acd5f 100644
--- a/src/global.c
+++ b/src/global.c
@@ -370,9 +370,8 @@ print_config (const char *what, gpgrt_stream_t fp)
       /* We use y/n instead of 1/0 for the stupid reason that
        * Emacsen's compile error parser would accidentally flag that
        * line when printed during "make check" as an error.  */
-      gpgrt_fprintf (fp, "fips-mode:%c:%c:\n",
-                     fips_mode ()? 'y':'n',
-                     _gcry_enforced_fips_mode ()? 'y':'n' );
+      gpgrt_fprintf (fp, "fips-mode:%c:\n",
+                     fips_mode ()? 'y':'n' );
     }
 
   if (!what || !strcmp (what, "rng-type"))
@@ -768,14 +767,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
       break;
 
     case GCRYCTL_SET_ENFORCED_FIPS_FLAG:
-      if (!_gcry_global_any_init_done)
-        {
-          /* Not yet initialized at all.  Set the enforced fips mode flag */
-          _gcry_set_preferred_rng_type (0);
-          _gcry_set_enforced_fips_mode ();
-        }
-      else
-        rc = GPG_ERR_GENERAL;
+      /* Obsolete - ignore  */
       break;
 
     case GCRYCTL_SET_PREFERRED_RNG_TYPE:
@@ -912,7 +904,7 @@ get_no_secure_memory (void)
 {
   if (!no_secure_memory)
     return 0;
-  if (_gcry_enforced_fips_mode ())
+  if (fips_mode ())
     {
       no_secure_memory = 0;
       return 0;