authorNIIBE Yutaka <gniibe@fsij.org>2022-01-11 14:31:55 +0900
committerNIIBE Yutaka <gniibe@fsij.org>2022-01-11 14:31:55 +0900
commit2a8b3fed1a80e74dfb12c03e426373a300407eda (patch)
treebb2ae4be8f57bc1f649f6729b491c3de835d3042 /src/global.c
parent383866f014f2ae8487d15e3fd99fe688b489d364 (diff)
fips: Provide a mechanizm to put libgcrypt in non-FIPS mode.
* doc/gcrypt.texi (Disabling FIPS mode): Add. * src/gcrypt.h.in (GCRYCTL_NO_FIPS_MODE): New. * src/global.c (_gcry_vcontrol): Support GCRYCTL_NO_FIPS_MODE. * tests/t-ed25519.c: Add --no-fips option to test non-FIPS mode. -- GnuPG-bug-id: 5747 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'src/global.c')
-rw-r--r--src/global.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/src/global.c b/src/global.c
index ad2e95a4..a955c3fc 100644
--- a/src/global.c
+++ b/src/global.c
@@ -754,6 +754,27 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
}
break;
+ case GCRYCTL_NO_FIPS_MODE:
+ /* Performing this command puts the library into non-fips mode,
+ even if system has fips setting. It is not possible to put
+ the libraty into non-fips mode after having passed the
+ initialization. */
+ _gcry_set_preferred_rng_type (0);
+ if (!_gcry_global_any_init_done)
+ {
+ /* Not yet initialized at all. Set a flag so that we are put
+ into non-fips mode during initialization. */
+ force_fips_mode = 0;
+ }
+ else if (!init_finished)
+ {
+ /* Already initialized. */
+ _gcry_no_fips_mode_required = 1;
+ }
+ else
+ rc = GPG_ERR_GENERAL;
+ break;
+
case GCRYCTL_SELFTEST:
/* Run a selftest. This works in fips mode as well as in
standard mode. In contrast to the power-up tests, we use an
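Review bot: In the `!_gcry_global_any_init_done` branch the comment promises a flag that puts the library into non-fips mode during initialization, but the statement only clears `force_fips_mode`, which by its name withdraws an earlier force request rather than overriding a system-wide FIPS setting. Whether initialization still picks up the system setting is decided outside this hunk, so this needs confirming; if it does, the branch should record the request the way the `!init_finished` branch does, with `_gcry_no_fips_mode_required = 1;` next to the existing assignment. Since this command lowers a system-imposed policy, the header comment should also state which of the three states accepts it and that the last one returns `GPG_ERR_GENERAL`, and the typo `libraty` should read `library`. `_gcry_vcontrol` begins and ends outside the hunk.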