author | Jakub Jelen <jjelen@redhat.com> | 2021-09-17 13:48:10 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2021-09-20 08:18:49 +0200 |
commit | edbc1dd10bc3e1fcc0e355fe1a9c4c8769f51daf (patch) | |
tree | d97930e4121bb4162dc4077bb48138a46a9f928c /src/fips.c | |
parent | fd116968ef2dcecb4058be2b2b3e8ab90f1e3181 (diff) | |
Remove a way to inactive FIPS mode
* cipher/md.c (_gcry_md_hash_buffer): Remove inactivation of FIPS mode
when MD5 is used
(_gcry_md_hash_buffers_extract): Ditto.
* src/fips.c (gcry_is_fips_mode_inactive): Removed
(_gcry_inactivate_fips_mode): Removed
(_gcry_is_fips_mode_inactive): Removed
* src/g10lib.h (_gcry_inactivate_fips_mode): Remove declaration
(_gcry_is_fips_mode_inactive): Remove declaration
* global.c (_gcry_vcontrol): Update the GCRYCTL_FIPS_MODE_P
(_gcry_set_allocation_handler): Silently ignore custom allocation
handlers in FIPS mode
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Diffstat (limited to 'src/fips.c')
-rw-r--r-- | src/fips.c | 52 |
1 files changed, 0 insertions, 52 deletions
@@ -61,11 +61,6 @@ int _gcry_no_fips_mode_required;
 /* Flag to indicate that we are in the enforced FIPS mode. */
 static int enforced_fips_mode;
-/* If this flag is set, the application may no longer assume that the
- process is running in FIPS mode. This flag is protected by the
- FSM_LOCK. */
-static int inactive_fips_mode;
-
 /* This is the lock we use to protect the FSM. */
 GPGRT_LOCK_DEFINE (fsm_lock);
@@ -270,53 +265,6 @@ _gcry_set_enforced_fips_mode (void)
 enforced_fips_mode = 1;
 }
-/* If we do not want to enforce the fips mode, we can set a flag so
- that the application may check whether it is still in fips mode.
- TEXT will be printed as part of a syslog message. This function
- may only be be called if in fips mode. */
-void
-_gcry_inactivate_fips_mode (const char *text)
-{
- gcry_assert (fips_mode ());
-
- if (_gcry_enforced_fips_mode () )
- {
- /* Get us into the error state. */
- fips_signal_error (text);
- return;
- }
-
- lock_fsm ();
- if (!inactive_fips_mode)
- {
- inactive_fips_mode = 1;
- unlock_fsm ();
-#ifdef HAVE_SYSLOG
- syslog (LOG_USER|LOG_WARNING, "Libgcrypt warning: "
- "%s - FIPS mode inactivated", text);
-#endif /*HAVE_SYSLOG*/
- }
- else
- unlock_fsm ();
-}
-
-
-/* Return the FIPS mode inactive flag. If it is true the FIPS mode is
- not anymore active. */
-int
-_gcry_is_fips_mode_inactive (void)
-{
- int flag;
-
- if (!fips_mode ())
- return 0;
- lock_fsm ();
- flag = inactive_fips_mode;
- unlock_fsm ();
- return flag;
-}
-
-
 static const char *
 state2str (enum module_states state) |