Unexport <openssl/service_indicator.h>
This only ever contained functions used for internal tests. I avoided
deleting the header for now just to reduce some churn, but ideally we'd
remove it.
Change-Id: I9e6b770569f890bcc5ad88ec734330e9f50b4372
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/79367
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/service_indicator/internal.h b/crypto/fipsmodule/service_indicator/internal.h
index 5b69172..8495138 100644
--- a/crypto/fipsmodule/service_indicator/internal.h
+++ b/crypto/fipsmodule/service_indicator/internal.h
@@ -16,7 +16,26 @@
#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SERVICE_INDICATOR_INTERNAL_H
#include <openssl/base.h>
-#include <openssl/service_indicator.h>
+
+
+// FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call|
+// both currently return the same local thread counter which is slowly
+// incremented whenever approved services are called. The
+// |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling
+// these functions directly.
+//
+// |FIPS_service_indicator_before_call| is intended to be called immediately
+// before an approved service, while |FIPS_service_indicator_after_call| should
+// be called immediately after. If the values returned from these two functions
+// are not equal, this means that the service called inbetween is deemed to be
+// approved. If the values are still the same, this means the counter has not
+// been incremented, and the service called is not approved for FIPS.
+//
+// In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero
+// and |FIPS_service_indicator_after_call| always returns one. Thus calls always
+// appear to be approved. This is intended to simplify testing.
+OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void);
+OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void);
#if defined(BORINGSSL_FIPS)
diff --git a/crypto/fipsmodule/service_indicator/service_indicator.cc.inc b/crypto/fipsmodule/service_indicator/service_indicator.cc.inc
index a979d04..8b77013 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator.cc.inc
+++ b/crypto/fipsmodule/service_indicator/service_indicator.cc.inc
@@ -17,7 +17,6 @@
#include <openssl/ec_key.h>
#include <openssl/err.h>
#include <openssl/evp.h>
-#include <openssl/service_indicator.h>
#include "../../evp/internal.h"
#include "../../internal.h"
diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
index e969b0b..c91b11b 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc
+++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
@@ -32,7 +32,6 @@
#include <openssl/md5.h>
#include <openssl/rand.h> // TODO(bbe): only for RAND_bytes call below, replace with BCM call
#include <openssl/rsa.h>
-#include <openssl/service_indicator.h>
#include "../../test/abi_test.h"
#include "../../test/test_util.h"
@@ -40,11 +39,48 @@
#include "../bn/internal.h"
#include "../rand/internal.h"
#include "../tls/internal.h"
+#include "internal.h"
namespace {
-using bssl::FIPSStatus;
+// CALL_SERVICE_AND_CHECK_APPROVED runs |func| and sets |approved| to one of the
+// |FIPSStatus*| values, above, depending on whether |func| invoked an
+// approved service. The result of |func| becomes the result of this macro.
+#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
+ [&] { \
+ FIPSIndicatorHelper fips_indicator_helper(&approved); \
+ return func; \
+ }()
+
+enum class FIPSStatus {
+ NOT_APPROVED = 0,
+ APPROVED = 1,
+};
+
+// FIPSIndicatorHelper records whether the service indicator counter advanced
+// during its lifetime.
+class FIPSIndicatorHelper {
+ public:
+ FIPSIndicatorHelper(FIPSStatus *result)
+ : result_(result), before_(FIPS_service_indicator_before_call()) {
+ *result_ = FIPSStatus::NOT_APPROVED;
+ }
+
+ ~FIPSIndicatorHelper() {
+ uint64_t after = FIPS_service_indicator_after_call();
+ if (after != before_) {
+ *result_ = FIPSStatus::APPROVED;
+ }
+ }
+
+ FIPSIndicatorHelper(const FIPSIndicatorHelper&) = delete;
+ FIPSIndicatorHelper &operator=(const FIPSIndicatorHelper &) = delete;
+
+ private:
+ FIPSStatus *const result_;
+ const uint64_t before_;
+};
static const uint8_t kAESKey[16] = {'A', 'W', 'S', '-', 'L', 'C', 'C', 'r',
'y', 'p', 't', 'o', ' ', 'K', 'e', 'y'};
diff --git a/include/openssl/service_indicator.h b/include/openssl/service_indicator.h
index f866b40..460c749 100644
--- a/include/openssl/service_indicator.h
+++ b/include/openssl/service_indicator.h
@@ -12,85 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_H
-#define OPENSSL_HEADER_SERVICE_INDICATOR_H
-
-#include <openssl/base.h> // IWYU pragma: export
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-// FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call|
-// both currently return the same local thread counter which is slowly
-// incremented whenever approved services are called. The
-// |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling
-// these functions directly.
+// This empty header is provided in order to make compiling against older code
+// easier. Some bindings libraries depended on every header that was present in
+// an older version of library.
//
-// |FIPS_service_indicator_before_call| is intended to be called immediately
-// before an approved service, while |FIPS_service_indicator_after_call| should
-// be called immediately after. If the values returned from these two functions
-// are not equal, this means that the service called inbetween is deemed to be
-// approved. If the values are still the same, this means the counter has not
-// been incremented, and the service called is not approved for FIPS.
-//
-// In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero
-// and |FIPS_service_indicator_after_call| always returns one. Thus calls always
-// appear to be approved. This is intended to simplify testing.
-OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void);
-OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void);
-
-#if defined(__cplusplus)
-}
-
-#if !defined(BORINGSSL_NO_CXX)
-
-extern "C++" {
-
-// CALL_SERVICE_AND_CHECK_APPROVED runs |func| and sets |approved| to one of the
-// |FIPSStatus*| values, above, depending on whether |func| invoked an
-// approved service. The result of |func| becomes the result of this macro.
-#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
- [&] { \
- bssl::FIPSIndicatorHelper fips_indicator_helper(&approved); \
- return func; \
- }()
-
-BSSL_NAMESPACE_BEGIN
-
-enum class FIPSStatus {
- NOT_APPROVED = 0,
- APPROVED = 1,
-};
-
-// FIPSIndicatorHelper records whether the service indicator counter advanced
-// during its lifetime.
-class FIPSIndicatorHelper {
- public:
- FIPSIndicatorHelper(FIPSStatus *result)
- : result_(result), before_(FIPS_service_indicator_before_call()) {
- *result_ = FIPSStatus::NOT_APPROVED;
- }
-
- ~FIPSIndicatorHelper() {
- uint64_t after = FIPS_service_indicator_after_call();
- if (after != before_) {
- *result_ = FIPSStatus::APPROVED;
- }
- }
-
- FIPSIndicatorHelper(const FIPSIndicatorHelper&) = delete;
- FIPSIndicatorHelper &operator=(const FIPSIndicatorHelper &) = delete;
-
- private:
- FIPSStatus *const result_;
- const uint64_t before_;
-};
-
-BSSL_NAMESPACE_END
-} // extern "C++"
-
-#endif // !BORINGSSL_NO_CXX
-#endif // __cplusplus
-
-#endif // OPENSSL_HEADER_SERVICE_INDICATOR_H
+// TODO(davidben): Remove this header from downstream code and remove the file.
