[openssl] master update

Dr. Paul Dale pauli at openssl.org
Wed May 5 23:55:23 UTC 2021


The branch master has been updated
       via  08a337fac6d56a3b9419f4fbf9a19af958c9c2a1 (commit)
      from  a07b0bfb99169d23d2801b8aee210d98a0d12cac (commit)


- Log -----------------------------------------------------------------
commit 08a337fac6d56a3b9419f4fbf9a19af958c9c2a1
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue May 4 12:05:54 2021 -0400

    Remove all trace of FIPS_mode functions
    
    Removed error codes, and the mention of the functions.
    This removal is already documented in the CHANGES doc.
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15140)

-----------------------------------------------------------------------

Summary of changes:
 crypto/cpt_err.c                   | 2 --
 crypto/err/openssl.txt             | 6 ------
 crypto/evp/evp_cnf.c               | 6 +++---
 crypto/evp/evp_err.c               | 5 -----
 include/openssl/cryptoerr.h        | 1 -
 include/openssl/cryptoerr_legacy.h | 1 -
 include/openssl/evperr.h           | 3 ---
 include/openssl/sslerr.h           | 1 -
 ssl/ssl_err.c                      | 2 --
 util/libcrypto.num                 | 2 --
 util/missingcrypto.txt             | 2 --
 11 files changed, 3 insertions(+), 28 deletions(-)

diff --git a/crypto/cpt_err.c b/crypto/cpt_err.c
index 65fb429c58..bad3ca3cee 100644
--- a/crypto/cpt_err.c
+++ b/crypto/cpt_err.c
@@ -19,8 +19,6 @@ static const ERR_STRING_DATA CRYPTO_str_reasons[] = {
     "bad algorithm name"},
     {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_CONFLICTING_NAMES),
     "conflicting names"},
-    {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED),
-    "fips mode not supported"},
     {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_HEX_STRING_TOO_SHORT),
     "hex string too short"},
     {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_ILLEGAL_HEX_DIGIT),
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 728356148f..1391c00a17 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -427,7 +427,6 @@ CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO:115:\
 CRMF_R_UNSUPPORTED_POPO_METHOD:116:unsupported popo method
 CRYPTO_R_BAD_ALGORITHM_NAME:117:bad algorithm name
 CRYPTO_R_CONFLICTING_NAMES:118:conflicting names
-CRYPTO_R_FIPS_MODE_NOT_SUPPORTED:101:fips mode not supported
 CRYPTO_R_HEX_STRING_TOO_SHORT:121:hex string too short
 CRYPTO_R_ILLEGAL_HEX_DIGIT:102:illegal hex digit
 CRYPTO_R_INSUFFICIENT_DATA_SPACE:106:insufficient data space
@@ -664,7 +663,6 @@ EVP_R_DEFAULT_QUERY_PARSE_ERROR:210:default query parse error
 EVP_R_DIFFERENT_KEY_TYPES:101:different key types
 EVP_R_DIFFERENT_PARAMETERS:153:different parameters
 EVP_R_ERROR_LOADING_SECTION:165:error loading section
-EVP_R_ERROR_SETTING_FIPS_MODE:166:error setting fips mode
 EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key
 EVP_R_EXPECTING_AN_RSA_KEY:127:expecting an rsa key
 EVP_R_EXPECTING_A_DH_KEY:128:expecting a dh key
@@ -674,7 +672,6 @@ EVP_R_EXPECTING_A_EC_KEY:142:expecting an ec key
 EVP_R_EXPECTING_A_POLY1305_KEY:164:expecting a poly1305 key
 EVP_R_EXPECTING_A_SIPHASH_KEY:175:expecting a siphash key
 EVP_R_FINAL_ERROR:188:final error
-EVP_R_FIPS_MODE_NOT_SUPPORTED:167:fips mode not supported
 EVP_R_GENERATE_ERROR:214:generate error
 EVP_R_GET_RAW_KEY_FAILED:182:get raw key failed
 EVP_R_ILLEGAL_SCRYPT_PARAMETERS:171:illegal scrypt parameters
@@ -684,7 +681,6 @@ EVP_R_INITIALIZATION_ERROR:134:initialization error
 EVP_R_INPUT_NOT_INITIALIZED:111:input not initialized
 EVP_R_INVALID_CUSTOM_LENGTH:185:invalid custom length
 EVP_R_INVALID_DIGEST:152:invalid digest
-EVP_R_INVALID_FIPS_MODE:168:invalid fips mode
 EVP_R_INVALID_IV_LENGTH:194:invalid iv length
 EVP_R_INVALID_KEY:163:invalid key
 EVP_R_INVALID_KEY_LENGTH:130:invalid key length
@@ -1226,8 +1222,6 @@ SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
 SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\
 	attempt to reuse session in different context
-SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE:143:\
-	at least TLS 1.0 needed in FIPS mode
 SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE:158:\
 	at least (D)TLS 1.2 needed in Suite B mode
 SSL_R_BAD_CHANGE_CIPHER_SPEC:103:bad change cipher spec
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 7c2301d26c..aee79712cd 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -38,10 +38,10 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
         if (strcmp(oval->name, "fips_mode") == 0) {
             int m;
 
-            if (!X509V3_get_value_bool(oval, &m)) {
-                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_FIPS_MODE);
+            /* Detailed error already reported. */
+            if (!X509V3_get_value_bool(oval, &m))
                 return 0;
-            }
+
             /*
              * fips_mode is deprecated and should not be used in new
              * configurations.
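Review bot: The added comment `/* Detailed error already reported. */` does not say which call reports it, and with the `ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_FIPS_MODE)` line gone a malformed `fips_mode` value no longer queues any EVP-library error. The branch still returns 0, so a bad value fails the module init instead of being silently accepted. The only diagnostic left is whatever `X509V3_get_value_bool()` raises, presumably an X509V3-library reason (its body is not visible in this hunk). Log filters or tests keyed on the old "invalid fips mode" reason will stop matching, so I would name the source in the comment: `/* X509V3_get_value_bool() has already raised an error for the bad value. */`. `alg_module_init()` begins before and continues past this hunk.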
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index ad95f5ef02..cd36b09fb5 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -55,8 +55,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     "different parameters"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),
     "error loading section"},
-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),
-    "error setting fips mode"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_HMAC_KEY),
     "expecting an hmac key"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_RSA_KEY),
@@ -72,8 +70,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_SIPHASH_KEY),
     "expecting a siphash key"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FINAL_ERROR), "final error"},
-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FIPS_MODE_NOT_SUPPORTED),
-    "fips mode not supported"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_GENERATE_ERROR), "generate error"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_GET_RAW_KEY_FAILED), "get raw key failed"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ILLEGAL_SCRYPT_PARAMETERS),
@@ -88,7 +84,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_CUSTOM_LENGTH),
     "invalid custom length"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_DIGEST), "invalid digest"},
-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_FIPS_MODE), "invalid fips mode"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_IV_LENGTH), "invalid iv length"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_KEY), "invalid key"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_KEY_LENGTH), "invalid key length"},
diff --git a/include/openssl/cryptoerr.h b/include/openssl/cryptoerr.h
index 8db3064ce2..6799668089 100644
--- a/include/openssl/cryptoerr.h
+++ b/include/openssl/cryptoerr.h
@@ -23,7 +23,6 @@
  */
 # define CRYPTO_R_BAD_ALGORITHM_NAME                      117
 # define CRYPTO_R_CONFLICTING_NAMES                       118
-# define CRYPTO_R_FIPS_MODE_NOT_SUPPORTED                 101
 # define CRYPTO_R_HEX_STRING_TOO_SHORT                    121
 # define CRYPTO_R_ILLEGAL_HEX_DIGIT                       102
 # define CRYPTO_R_INSUFFICIENT_DATA_SPACE                 106
diff --git a/include/openssl/cryptoerr_legacy.h b/include/openssl/cryptoerr_legacy.h
index 6b78c5624c..ccab33a5d4 100644
--- a/include/openssl/cryptoerr_legacy.h
+++ b/include/openssl/cryptoerr_legacy.h
@@ -463,7 +463,6 @@ OSSL_DEPRECATEDIN_3_0 int ERR_load_X509V3_strings(void);
 #  define CRYPTO_F_CRYPTO_OCB128_COPY_CTX                  0
 #  define CRYPTO_F_CRYPTO_OCB128_INIT                      0
 #  define CRYPTO_F_CRYPTO_SET_EX_DATA                      0
-#  define CRYPTO_F_FIPS_MODE_SET                           0
 #  define CRYPTO_F_GET_AND_LOCK                            0
 #  define CRYPTO_F_OPENSSL_ATEXIT                          0
 #  define CRYPTO_F_OPENSSL_BUF2HEXSTR                      0
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index ffa8bacd5b..a5053f6cd2 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -44,7 +44,6 @@
 # define EVP_R_DIFFERENT_KEY_TYPES                        101
 # define EVP_R_DIFFERENT_PARAMETERS                       153
 # define EVP_R_ERROR_LOADING_SECTION                      165
-# define EVP_R_ERROR_SETTING_FIPS_MODE                    166
 # define EVP_R_EXPECTING_AN_HMAC_KEY                      174
 # define EVP_R_EXPECTING_AN_RSA_KEY                       127
 # define EVP_R_EXPECTING_A_DH_KEY                         128
@@ -54,7 +53,6 @@
 # define EVP_R_EXPECTING_A_POLY1305_KEY                   164
 # define EVP_R_EXPECTING_A_SIPHASH_KEY                    175
 # define EVP_R_FINAL_ERROR                                188
-# define EVP_R_FIPS_MODE_NOT_SUPPORTED                    167
 # define EVP_R_GENERATE_ERROR                             214
 # define EVP_R_GET_RAW_KEY_FAILED                         182
 # define EVP_R_ILLEGAL_SCRYPT_PARAMETERS                  171
@@ -64,7 +62,6 @@
 # define EVP_R_INPUT_NOT_INITIALIZED                      111
 # define EVP_R_INVALID_CUSTOM_LENGTH                      185
 # define EVP_R_INVALID_DIGEST                             152
-# define EVP_R_INVALID_FIPS_MODE                          168
 # define EVP_R_INVALID_IV_LENGTH                          194
 # define EVP_R_INVALID_KEY                                163
 # define EVP_R_INVALID_KEY_LENGTH                         130
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 30d843cf2d..87aa4f0d00 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -24,7 +24,6 @@
 # define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY        291
 # define SSL_R_APP_DATA_IN_HANDSHAKE                      100
 # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
-# define SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE       143
 # define SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE     158
 # define SSL_R_BAD_CHANGE_CIPHER_SPEC                     103
 # define SSL_R_BAD_CIPHER                                 186
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 347b263d69..c15a24f65f 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -21,8 +21,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
     "app data in handshake"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),
     "attempt to reuse session in different context"},
-    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE),
-    "at least TLS 1.0 needed in FIPS mode"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE),
     "at least (D)TLS 1.2 needed in Suite B mode"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC),
diff --git a/util/libcrypto.num b/util/libcrypto.num
index da5936f1ab..13ec6e26f7 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -490,7 +490,6 @@ X509_CRL_print                          499	3_0_0	EXIST::FUNCTION:
 WHIRLPOOL_Update                        500	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,WHIRLPOOL
 DSA_get_ex_data                         501	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA
 BN_copy                                 502	3_0_0	EXIST::FUNCTION:
-FIPS_mode_set                           503	3_0_0	NOEXIST::FUNCTION:
 X509_VERIFY_PARAM_add0_policy           504	3_0_0	EXIST::FUNCTION:
 PKCS7_cert_from_signer_info             505	3_0_0	EXIST::FUNCTION:
 X509_TRUST_get_trust                    506	3_0_0	EXIST::FUNCTION:
@@ -2534,7 +2533,6 @@ OPENSSL_strnlen                         2587	3_0_0	EXIST::FUNCTION:
 IDEA_ecb_encrypt                        2588	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA
 ASN1_STRING_set_default_mask            2589	3_0_0	EXIST::FUNCTION:
 TS_VERIFY_CTX_add_flags                 2590	3_0_0	EXIST::FUNCTION:TS
-FIPS_mode                               2591	3_0_0	NOEXIST::FUNCTION:
 d2i_ASN1_UNIVERSALSTRING                2592	3_0_0	EXIST::FUNCTION:
 NAME_CONSTRAINTS_free                   2593	3_0_0	EXIST::FUNCTION:
 EC_GROUP_get_order                      2594	3_0_0	EXIST::FUNCTION:EC
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index efd3c7516a..cb5a9eaa6f 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -685,8 +685,6 @@ EVP_read_pw_string_min(3)
 EVP_set_pw_prompt(3)
 EVP_str2ctrl(3)
 EXTENDED_KEY_USAGE_it(3)
-FIPS_mode(3)
-FIPS_mode_set(3)
 GENERAL_NAMES_it(3)
 GENERAL_NAME_cmp(3)
 GENERAL_NAME_get0_otherName(3)

