From 08a337fac6d56a3b9419f4fbf9a19af958c9c2a1 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Tue, 4 May 2021 12:05:54 -0400 Subject: [PATCH] Remove all trace of FIPS_mode functions Removed error codes, and the mention of the functions. This removal is already documented in the CHANGES doc. Reviewed-by: Shane Lontis Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15140) --- crypto/cpt_err.c | 2 -- crypto/err/openssl.txt | 6 ------ crypto/evp/evp_cnf.c | 6 +++--- crypto/evp/evp_err.c | 5 ----- include/openssl/cryptoerr.h | 1 - include/openssl/cryptoerr_legacy.h | 1 - include/openssl/evperr.h | 3 --- include/openssl/sslerr.h | 1 - ssl/ssl_err.c | 2 -- util/libcrypto.num | 2 -- util/missingcrypto.txt | 2 -- 11 files changed, 3 insertions(+), 28 deletions(-)
diff --git a/crypto/cpt_err.c b/crypto/cpt_err.c
index 65fb429c58..bad3ca3cee 100644
--- a/crypto/cpt_err.c
+++ b/crypto/cpt_err.c
@@ -19,8 +19,6 @@ static const ERR_STRING_DATA CRYPTO_str_reasons[] = { "bad algorithm name"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_CONFLICTING_NAMES), "conflicting names"}, - {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED), - "fips mode not supported"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_HEX_STRING_TOO_SHORT), "hex string too short"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_ILLEGAL_HEX_DIGIT),
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 728356148f..1391c00a17 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -427,7 +427,6 @@ CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO:115:\ CRMF_R_UNSUPPORTED_POPO_METHOD:116:unsupported popo method CRYPTO_R_BAD_ALGORITHM_NAME:117:bad algorithm name CRYPTO_R_CONFLICTING_NAMES:118:conflicting names -CRYPTO_R_FIPS_MODE_NOT_SUPPORTED:101:fips mode not supported CRYPTO_R_HEX_STRING_TOO_SHORT:121:hex string too short CRYPTO_R_ILLEGAL_HEX_DIGIT:102:illegal hex digit CRYPTO_R_INSUFFICIENT_DATA_SPACE:106:insufficient data space 
@@ -664,7 +663,6 @@ EVP_R_DEFAULT_QUERY_PARSE_ERROR:210:default query parse error EVP_R_DIFFERENT_KEY_TYPES:101:different key types EVP_R_DIFFERENT_PARAMETERS:153:different parameters EVP_R_ERROR_LOADING_SECTION:165:error loading section -EVP_R_ERROR_SETTING_FIPS_MODE:166:error setting fips mode EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key EVP_R_EXPECTING_AN_RSA_KEY:127:expecting an rsa key EVP_R_EXPECTING_A_DH_KEY:128:expecting a dh key
@@ -674,7 +672,6 @@ EVP_R_EXPECTING_A_EC_KEY:142:expecting an ec key EVP_R_EXPECTING_A_POLY1305_KEY:164:expecting a poly1305 key EVP_R_EXPECTING_A_SIPHASH_KEY:175:expecting a siphash key EVP_R_FINAL_ERROR:188:final error -EVP_R_FIPS_MODE_NOT_SUPPORTED:167:fips mode not supported EVP_R_GENERATE_ERROR:214:generate error EVP_R_GET_RAW_KEY_FAILED:182:get raw key failed EVP_R_ILLEGAL_SCRYPT_PARAMETERS:171:illegal scrypt parameters
@@ -684,7 +681,6 @@ EVP_R_INITIALIZATION_ERROR:134:initialization error EVP_R_INPUT_NOT_INITIALIZED:111:input not initialized EVP_R_INVALID_CUSTOM_LENGTH:185:invalid custom length EVP_R_INVALID_DIGEST:152:invalid digest -EVP_R_INVALID_FIPS_MODE:168:invalid fips mode EVP_R_INVALID_IV_LENGTH:194:invalid iv length EVP_R_INVALID_KEY:163:invalid key EVP_R_INVALID_KEY_LENGTH:130:invalid key length
@@ -1226,8 +1222,6 @@ SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\ SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\ attempt to reuse session in different context -SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE:143:\ - at least TLS 1.0 needed in FIPS mode SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE:158:\ at least (D)TLS 1.2 needed in Suite B mode SSL_R_BAD_CHANGE_CIPHER_SPEC:103:bad change cipher spec
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 7c2301d26c..aee79712cd 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c 
@@ -38,10 +38,10 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) if (strcmp(oval->name, "fips_mode") == 0) { int m; - if (!X509V3_get_value_bool(oval, &m)) { - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_FIPS_MODE); + /* Detailed error already reported. */ + if (!X509V3_get_value_bool(oval, &m)) return 0; - } + /* * fips_mode is deprecated and should not be used in new * configurations.
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index ad95f5ef02..cd36b09fb5 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -55,8 +55,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "different parameters"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), "error loading section"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), - "error setting fips mode"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_HMAC_KEY), "expecting an hmac key"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_RSA_KEY),
@@ -72,8 +70,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_SIPHASH_KEY), "expecting a siphash key"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FINAL_ERROR), "final error"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FIPS_MODE_NOT_SUPPORTED), - "fips mode not supported"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_GENERATE_ERROR), "generate error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_GET_RAW_KEY_FAILED), "get raw key failed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ILLEGAL_SCRYPT_PARAMETERS),
@@ -88,7 +84,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_CUSTOM_LENGTH), "invalid custom length"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_DIGEST), "invalid digest"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_FIPS_MODE), "invalid fips mode"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_IV_LENGTH), "invalid iv length"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_KEY), "invalid key"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_KEY_LENGTH), "invalid key length"}, 
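Review bot: The new comment `/* Detailed error already reported. */` in the `fips_mode` branch of `alg_module_init` (crypto/evp/evp_cnf.c) does not say which call reported it, and the bare `return 0` now leaves no EVP-level entry on the error queue for a malformed value. Anyone diagnosing a configuration that fails to load on `fips_mode` has to know to look for the boolean-parse error raised inside `X509V3_get_value_bool()` rather than the removed `EVP_R_INVALID_FIPS_MODE`. I would name the source in the comment, e.g. `/* X509V3_get_value_bool() has already raised its own error for the bad value. */`. The function starts before and continues past this hunk, so how `m` is used afterwards is not visible here.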
diff --git a/include/openssl/cryptoerr.h b/include/openssl/cryptoerr.h
index 8db3064ce2..6799668089 100644
--- a/include/openssl/cryptoerr.h
+++ b/include/openssl/cryptoerr.h
@@ -23,7 +23,6 @@ */ # define CRYPTO_R_BAD_ALGORITHM_NAME 117 # define CRYPTO_R_CONFLICTING_NAMES 118 -# define CRYPTO_R_FIPS_MODE_NOT_SUPPORTED 101 # define CRYPTO_R_HEX_STRING_TOO_SHORT 121 # define CRYPTO_R_ILLEGAL_HEX_DIGIT 102 # define CRYPTO_R_INSUFFICIENT_DATA_SPACE 106
diff --git a/include/openssl/cryptoerr_legacy.h b/include/openssl/cryptoerr_legacy.h
index 6b78c5624c..ccab33a5d4 100644
--- a/include/openssl/cryptoerr_legacy.h
+++ b/include/openssl/cryptoerr_legacy.h
@@ -463,7 +463,6 @@ OSSL_DEPRECATEDIN_3_0 int ERR_load_X509V3_strings(void); # define CRYPTO_F_CRYPTO_OCB128_COPY_CTX 0 # define CRYPTO_F_CRYPTO_OCB128_INIT 0 # define CRYPTO_F_CRYPTO_SET_EX_DATA 0 -# define CRYPTO_F_FIPS_MODE_SET 0 # define CRYPTO_F_GET_AND_LOCK 0 # define CRYPTO_F_OPENSSL_ATEXIT 0 # define CRYPTO_F_OPENSSL_BUF2HEXSTR 0
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index ffa8bacd5b..a5053f6cd2 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -44,7 +44,6 @@ # define EVP_R_DIFFERENT_KEY_TYPES 101 # define EVP_R_DIFFERENT_PARAMETERS 153 # define EVP_R_ERROR_LOADING_SECTION 165 -# define EVP_R_ERROR_SETTING_FIPS_MODE 166 # define EVP_R_EXPECTING_AN_HMAC_KEY 174 # define EVP_R_EXPECTING_AN_RSA_KEY 127 # define EVP_R_EXPECTING_A_DH_KEY 128
@@ -54,7 +53,6 @@ # define EVP_R_EXPECTING_A_POLY1305_KEY 164 # define EVP_R_EXPECTING_A_SIPHASH_KEY 175 # define EVP_R_FINAL_ERROR 188 -# define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 # define EVP_R_GENERATE_ERROR 214 # define EVP_R_GET_RAW_KEY_FAILED 182 # define EVP_R_ILLEGAL_SCRYPT_PARAMETERS 171 
@@ -64,7 +62,6 @@ # define EVP_R_INPUT_NOT_INITIALIZED 111 # define EVP_R_INVALID_CUSTOM_LENGTH 185 # define EVP_R_INVALID_DIGEST 152 -# define EVP_R_INVALID_FIPS_MODE 168 # define EVP_R_INVALID_IV_LENGTH 194 # define EVP_R_INVALID_KEY 163 # define EVP_R_INVALID_KEY_LENGTH 130
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 30d843cf2d..87aa4f0d00 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -24,7 +24,6 @@ # define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291 # define SSL_R_APP_DATA_IN_HANDSHAKE 100 # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 -# define SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE 143 # define SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE 158 # define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 # define SSL_R_BAD_CIPHER 186
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 347b263d69..c15a24f65f 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -21,8 +21,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "app data in handshake"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "attempt to reuse session in different context"}, - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE), - "at least TLS 1.0 needed in FIPS mode"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE), "at least (D)TLS 1.2 needed in Suite B mode"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC),
diff --git a/util/libcrypto.num b/util/libcrypto.num
index da5936f1ab..13ec6e26f7 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num 
@@ -490,7 +490,6 @@ X509_CRL_print 499 3_0_0 EXIST::FUNCTION: WHIRLPOOL_Update 500 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,WHIRLPOOL DSA_get_ex_data 501 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA BN_copy 502 3_0_0 EXIST::FUNCTION: -FIPS_mode_set 503 3_0_0 NOEXIST::FUNCTION: X509_VERIFY_PARAM_add0_policy 504 3_0_0 EXIST::FUNCTION: PKCS7_cert_from_signer_info 505 3_0_0 EXIST::FUNCTION: X509_TRUST_get_trust 506 3_0_0 EXIST::FUNCTION:
@@ -2534,7 +2533,6 @@ OPENSSL_strnlen 2587 3_0_0 EXIST::FUNCTION: IDEA_ecb_encrypt 2588 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA ASN1_STRING_set_default_mask 2589 3_0_0 EXIST::FUNCTION: TS_VERIFY_CTX_add_flags 2590 3_0_0 EXIST::FUNCTION:TS -FIPS_mode 2591 3_0_0 NOEXIST::FUNCTION: d2i_ASN1_UNIVERSALSTRING 2592 3_0_0 EXIST::FUNCTION: NAME_CONSTRAINTS_free 2593 3_0_0 EXIST::FUNCTION: EC_GROUP_get_order 2594 3_0_0 EXIST::FUNCTION:EC
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index efd3c7516a..cb5a9eaa6f 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -685,8 +685,6 @@ EVP_read_pw_string_min(3) EVP_set_pw_prompt(3) EVP_str2ctrl(3) EXTENDED_KEY_USAGE_it(3) -FIPS_mode(3) -FIPS_mode_set(3) GENERAL_NAMES_it(3) GENERAL_NAME_cmp(3) GENERAL_NAME_get0_otherName(3) -- 2.39.5