[PATCH 6/9] Add fast path for _gcry_fips_is_operational
Jussi Kivilinna
jussi.kivilinna at iki.fi
Tue Jun 19 17:51:18 CEST 2018
* src/fips.c (no_fips_mode_required): Rename to...
(_gcry_no_fips_mode_required): ...this and make externally available.
* src/g10lib.h (_gcry_no_fips_mode_required): New extern.
(fips_mode): Inline _gcry_fips_mode to macro, use
_gcry_no_fips_mode_required directly.
(fips_is_operational): Inline fips_mode check from
_gcry_fips_is_operational.
--
Add fast path to reduce call overhead in src/visibility.c where
fips_is_operational is called before cipher/md/etc operations.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>
---
src/fips.c | 14 +++++++-------
src/g10lib.h | 18 ++++++++++++++++--
2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index af3fe2c6d..2b3a0af4b 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -57,7 +57,7 @@ enum module_states
that fips mode is the default unless changed by the initialization
code. To check whether fips mode is enabled, use the function
fips_mode()! */
-static int no_fips_mode_required;
+int _gcry_no_fips_mode_required;
/* Flag to indicate that we are in the enforced FIPS mode. */
static int enforced_fips_mode;
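Review bot: Dropping `static` at `int _gcry_no_fips_mode_required;` gives the flag that decides whether FIPS mode is active external linkage, so every translation unit that includes g10lib.h can now write it, not only fips.c. The comment above still points readers at fips_mode() but does not state who may write the flag; I would add `/* Written only by _gcry_initialize_fips_mode(); all other code must read it through fips_mode(). */` here and next to the `extern` in src/g10lib.h. The linker version script is not part of this patch, so it is also worth confirming that the symbol stays internal to the shared library, because an exported flag would be writable from outside it.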
@@ -118,7 +118,7 @@ _gcry_initialize_fips_mode (int force)
/* If the calling application explicitly requested fipsmode, do so. */
if (force)
{
- gcry_assert (!no_fips_mode_required);
+ gcry_assert (!_gcry_no_fips_mode_required);
goto leave;
}
@@ -129,7 +129,7 @@ _gcry_initialize_fips_mode (int force)
actually used. The file itself may be empty. */
if ( !access (FIPS_FORCE_FILE, F_OK) )
{
- gcry_assert (!no_fips_mode_required);
+ gcry_assert (!_gcry_no_fips_mode_required);
goto leave;
}
@@ -148,7 +148,7 @@ _gcry_initialize_fips_mode (int force)
{
/* System is in fips mode. */
fclose (fp);
- gcry_assert (!no_fips_mode_required);
+ gcry_assert (!_gcry_no_fips_mode_required);
goto leave;
}
fclose (fp);
@@ -171,10 +171,10 @@ _gcry_initialize_fips_mode (int force)
}
/* Fips not not requested, set flag. */
- no_fips_mode_required = 1;
+ _gcry_no_fips_mode_required = 1;
leave:
- if (!no_fips_mode_required)
+ if (!_gcry_no_fips_mode_required)
{
/* Yes, we are in FIPS mode. */
FILE *fp;
@@ -265,7 +265,7 @@ _gcry_fips_mode (void)
/* No locking is required because we have the requirement that this
variable is only initialized once with no other threads
existing. */
- return !no_fips_mode_required;
+ return !_gcry_no_fips_mode_required;
}
diff --git a/src/g10lib.h b/src/g10lib.h
index d41fa0cf7..d52eef324 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -422,10 +422,20 @@ gpg_err_code_t _gcry_sexp_vextract_param (gcry_sexp_t sexp, const char *path,
/*-- fips.c --*/
+extern int _gcry_no_fips_mode_required;
+
void _gcry_initialize_fips_mode (int force);
int _gcry_fips_mode (void);
-#define fips_mode() _gcry_fips_mode ()
+
+/* This macro returns true if fips mode is enabled. This is
+ independent of the fips required finite state machine and only used
+ to enable fips specific code.
+
+ No locking is required because we have the requirement that this
+ variable is only initialized once with no other threads
+ existing. */
+#define fips_mode() (!_gcry_no_fips_mode_required)
int _gcry_enforced_fips_mode (void);
@@ -453,7 +463,11 @@ void _gcry_fips_signal_error (const char *srcfile,
#endif
int _gcry_fips_is_operational (void);
-#define fips_is_operational() (_gcry_global_is_operational ())
+
+/* Return true if the library is in the operational state. */
+#define fips_is_operational() \
+ (!fips_mode () || _gcry_fips_is_operational ())
+
#define fips_not_operational() (GPG_ERR_NOT_OPERATIONAL)
int _gcry_fips_test_operational (void);
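Review bot: The new `fips_is_operational()` no longer goes through `_gcry_global_is_operational ()`, which the removed definition called; it now reaches `_gcry_fips_is_operational ()` directly, or makes no call at all when `fips_mode ()` is false. Whatever `_gcry_global_is_operational` does before delegating is therefore dropped on both paths; its body is not in this patch, but it presumably handles a library that has not been initialized yet. Since the commit message says this macro gates cipher/md operations in src/visibility.c, the fast path should be taken only once initialization is known to be complete, with a fallback to the old entry point otherwise, e.g. `(INIT_DONE ? (!fips_mode () || _gcry_fips_is_operational ()) : _gcry_global_is_operational ())`. Here `INIT_DONE` is a placeholder for an initialization-done flag that global.c would need to expose.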
--
2.17.1