From: Emilia Kasper Date: Tue, 28 Feb 2017 11:30:28 +0000 (+0100) Subject: Clean up references to FIPS X-Git-Tag: OpenSSL_1_1_1-pre1~2236 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b53338cbf8822dd774f9e4057307f347d2b63ff0;p=oweals%2Fopenssl.git Clean up references to FIPS This removes the fips configure option. This option is broken as the required FIPS code is not available. FIPS_mode() and FIPS_mode_set() are retained for compatibility, but FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to turn FIPS mode off. Reviewed-by: Stephen Henson --- diff --git a/Configure b/Configure index 4404963aa7..f6d5a7cfd3 100755 --- a/Configure +++ b/Configure @@ -302,12 +302,9 @@ $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; $config{cross_compile_prefix}=""; -$config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/"; -my $nofipscanistercheck=0; $config{baseaddr}="0xFB00000"; my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -$config{fips}=0; # Top level directories to build $config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ]; @@ -685,7 +682,7 @@ while (@argvcopy) { $config{processor}=386; } elsif (/^fips$/) { - $config{fips}=1; + die "FIPS mode not supported\n"; } elsif (/^rsaref$/) { @@ -695,8 +692,7 @@ while (@argvcopy) } elsif (/^nofipscanistercheck$/) { - $config{fips} = 1; - $nofipscanistercheck = 1; + die "FIPS mode not supported\n"; } elsif (/^[-+]/) { @@ -734,10 +730,6 @@ while (@argvcopy) { $withargs{fuzzer_include}=$1; } - elsif (/^--with-fipslibdir=(.*)$/) - { - $config{fipslibdir}="$1/"; - } elsif (/^--with-baseaddr=(.*)$/) { $config{baseaddr}="$1"; @@ -821,15 +813,6 @@ if ($libs =~ /(^|\s)-Wl,-rpath,/ "***** any of asan, msan or ubsan\n"; } -if ($config{fips}) - { - delete $disabled{"shared"} if ($disabled{"shared"} =~ /^default/); - } -else - { - @{$config{dirs}} = grep !/^fips$/, @{$config{dirs}}; - } - my @tocheckfor = (keys %disabled); while (@tocheckfor) { my %new_tocheckfor = (); @@ -1058,15 +1041,6 @@ if (!$disabled{dso} && $target{dso_scheme} ne "") $config{ex_libs}="$libs$config{ex_libs}" if ($libs ne ""); -if ($disabled{asm}) - { - if ($config{fips}) - { - @{$config{defines}} = grep !/^[BL]_ENDIAN$/, @{$config{defines}}; - @{$target{defines}} = grep !/^[BL]_ENDIAN$/, @{$target{defines}}; - } - } - # If threads aren't disabled, check how possible they are unless ($disabled{threads}) { if ($auto_threads) { @@ -1107,8 +1081,7 @@ if (defined($disabled{"deprecated"})) { if ($target{shared_target} eq "") { $no_shared_warn = 1 - if ((!$disabled{shared} || !$disabled{"dynamic-engine"}) - && !$config{fips}); + if (!$disabled{shared} || !$disabled{"dynamic-engine"}); $disabled{shared} = "no-shared-target"; $disabled{pic} = $disabled{shared} = $disabled{"dynamic-engine"} = "no-shared-target"; @@ -1172,10 +1145,6 @@ unless ($disabled{asm}) { push @{$config{defines}}, "OPENSSL_BN_ASM_MONT5" if ($target{bn_asm_src} =~ /-mont5/); push @{$config{defines}}, "OPENSSL_BN_ASM_GF2m" if ($target{bn_asm_src} =~ /-gf2m/); - if ($config{fips}) { - push @{$config{openssl_other_defines}}, "OPENSSL_FIPS"; - } - if ($target{sha1_asm_src}) { push @{$config{defines}}, "SHA1_ASM" if ($target{sha1_asm_src} =~ /sx86/ || $target{sha1_asm_src} =~ /sha1/); push @{$config{defines}}, "SHA256_ASM" if ($target{sha1_asm_src} =~ /sha256/); diff --git a/apps/openssl.c b/apps/openssl.c index bb776eb310..e42ee1e6e9 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -21,9 +21,6 @@ # include #endif #include -#ifdef OPENSSL_FIPS -# include -#endif #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */ #include "s_apps.h" /* Needed to get the other O_xxx flags. */ @@ -143,15 +140,8 @@ int main(int argc, char *argv[]) CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); if (getenv("OPENSSL_FIPS")) { -#ifdef OPENSSL_FIPS - if (!FIPS_mode_set(1)) { - ERR_print_errors(bio_err); - return 1; - } -#else BIO_printf(bio_err, "FIPS mode not supported.\n"); return 1; -#endif } if (!apps_startup()) diff --git a/crypto/aes/asm/aes-mips.pl b/crypto/aes/asm/aes-mips.pl index 0eb1474a3a..ba3e4545df 100644 --- a/crypto/aes/asm/aes-mips.pl +++ b/crypto/aes/asm/aes-mips.pl @@ -105,10 +105,6 @@ $code.=<<___; #include "mips_arch.h" .text -#ifdef OPENSSL_FIPSCANISTER -# include -#endif - #if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__)) .option pic2 #endif diff --git a/crypto/bn/asm/sparcv8plus.S b/crypto/bn/asm/sparcv8plus.S index 714a136675..f3c611ae31 100644 --- a/crypto/bn/asm/sparcv8plus.S +++ b/crypto/bn/asm/sparcv8plus.S @@ -144,10 +144,6 @@ * } */ -#ifdef OPENSSL_FIPSCANISTER -#include -#endif - #if defined(__SUNPRO_C) && defined(__sparcv9) /* They've said -xarch=v9 at command line */ .register %g2,#scratch diff --git a/crypto/des/asm/des_enc.m4 b/crypto/des/asm/des_enc.m4 index 2d794d3374..c1f6391f53 100644 --- a/crypto/des/asm/des_enc.m4 +++ b/crypto/des/asm/des_enc.m4 @@ -31,10 +31,6 @@ #include -#ifdef OPENSSL_FIPSCANISTER -#include -#endif - #if defined(__SUNPRO_C) && defined(__sparcv9) # define ABI64 /* They've said -xarch=v9 at command line */ #elif defined(__GNUC__) && defined(__arch64__) diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index 3b1304f8e0..6cc8c8f20b 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -31,9 +31,6 @@ #include #include #include -#ifdef OPENSSL_FIPS -# include -#endif #include #include #include @@ -43,9 +40,6 @@ int err_load_crypto_strings_int(void) { if ( -#ifdef OPENSSL_FIPS - FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 || -#endif #ifndef OPENSSL_NO_ERR ERR_load_ERR_strings() == 0 || /* include error strings for SYSerr */ ERR_load_BN_strings() == 0 || @@ -91,9 +85,6 @@ int err_load_crypto_strings_int(void) #ifndef OPENSSL_NO_UI ERR_load_UI_strings() == 0 || #endif -# ifdef OPENSSL_FIPS - ERR_load_FIPS_strings() == 0 || -# endif # ifndef OPENSSL_NO_CMS ERR_load_CMS_strings() == 0 || # endif diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c index 71d13b8df0..d0d61b28be 100644 --- a/crypto/evp/evp_cnf.c +++ b/crypto/evp/evp_cnf.c @@ -38,16 +38,8 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) return 0; } if (m > 0) { -#ifdef OPENSSL_FIPS - if (!FIPS_mode() && !FIPS_mode_set(1)) { - EVPerr(EVP_F_ALG_MODULE_INIT, - EVP_R_ERROR_SETTING_FIPS_MODE); - return 0; - } -#else EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED); return 0; -#endif } } else { EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION); diff --git a/crypto/o_fips.c b/crypto/o_fips.c index bf6db65fed..050ea9c216 100644 --- a/crypto/o_fips.c +++ b/crypto/o_fips.c @@ -8,27 +8,17 @@ */ #include "internal/cryptlib.h" -#ifdef OPENSSL_FIPS -# include -#endif int FIPS_mode(void) { -#ifdef OPENSSL_FIPS - return FIPS_module_mode(); -#else + /* This version of the library does not support FIPS mode. */ return 0; -#endif } int FIPS_mode_set(int r) { -#ifdef OPENSSL_FIPS - return FIPS_module_mode_set(r); -#else if (r == 0) return 1; CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); return 0; -#endif } diff --git a/crypto/o_init.c b/crypto/o_init.c index 2e0c126095..5eb7654d32 100644 --- a/crypto/o_init.c +++ b/crypto/o_init.c @@ -9,26 +9,13 @@ #include #include -#ifdef OPENSSL_FIPS -# include -# include -#endif /* - * Perform any essential OpenSSL initialization operations. Currently only - * sets FIPS callbacks + * Perform any essential OpenSSL initialization operations. Currently does + * nothing. */ void OPENSSL_init(void) { - static int done = 0; - if (done) - return; - done = 1; -#ifdef OPENSSL_FIPS - FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock); - FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); - FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); - RAND_init_fips(); -#endif + return; } diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 78da14a8e6..8cbfae170f 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -29,10 +29,6 @@ #include -#ifdef OPENSSL_FIPS -# include -#endif - #if defined(BN_DEBUG) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) # define PREDICT #endif diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 238712671b..fc47dc97a2 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -15,11 +15,6 @@ #include -#ifdef OPENSSL_FIPS -# include -# include -#endif - #ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ static ENGINE *funct_ref = NULL; diff --git a/crypto/sha/asm/sha1-mips.pl b/crypto/sha/asm/sha1-mips.pl index d9911c8503..ab2924070a 100644 --- a/crypto/sha/asm/sha1-mips.pl +++ b/crypto/sha/asm/sha1-mips.pl @@ -342,10 +342,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000"; $code=<<___; #include "mips_arch.h" -#ifdef OPENSSL_FIPSCANISTER -# include -#endif - .text .set noat diff --git a/crypto/sha/asm/sha512-mips.pl b/crypto/sha/asm/sha512-mips.pl index 5464543db8..e6fd2687f8 100644 --- a/crypto/sha/asm/sha512-mips.pl +++ b/crypto/sha/asm/sha512-mips.pl @@ -304,10 +304,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000"; $code.=<<___; #include "mips_arch.h" -#ifdef OPENSSL_FIPSCANISTER -# include -#endif - .text .set noat #if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__)) diff --git a/crypto/sparccpuid.S b/crypto/sparccpuid.S index c6ca224738..95acd2f9d4 100644 --- a/crypto/sparccpuid.S +++ b/crypto/sparccpuid.S @@ -5,10 +5,6 @@ ! in the file LICENSE in the source distribution or at ! https://www.openssl.org/source/license.html -#ifdef OPENSSL_FIPSCANISTER -#include -#endif - #if defined(__SUNPRO_C) && defined(__sparcv9) # define ABI64 /* They've said -xarch=v9 at command line */ #elif defined(__GNUC__) && defined(__arch64__) diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 9df0ecb1e4..24ebafb533 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -193,17 +193,8 @@ This modules has the name B which points to a section containing algorithm commands. Currently the only algorithm command supported is B whose -value should be a boolean string such as B or B. If the value is -B this attempt to enter FIPS mode. If the call fails or the library is -not FIPS capable then an error occurs. - -For example: - - alg_section = evp_settings - - [evp_settings] - - fips_mode = on +value can only be the boolean string B. If B is set to B, +an error occurs as this library version is not FIPS capable. =head2 SSL Configuration Module diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index df6e04523c..c6e15a5aa3 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -40,11 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ # define OPENSSL_VERSION_NUMBER 0x10101000L -# ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-fips-dev xx XXX xxxx" -# else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-dev xx XXX xxxx" -# endif +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-dev xx XXX xxxx" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index df7d012049..84f54cbabd 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1119,13 +1119,6 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) EVP_MD_CTX_free(hmac); return 0; } - if (!send && !SSL_READ_ETM(ssl) && FIPS_mode()) - if (!tls_fips_digest_extra(ssl->enc_read_ctx, - mac_ctx, rec->input, - rec->length, rec->orig_len)) { - EVP_MD_CTX_free(hmac); - return 0; - } } EVP_MD_CTX_free(hmac); diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 3a757455b0..186ab174ba 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -89,8 +89,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out) */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { - if (FIPS_mode()) - return 0; switch (EVP_MD_CTX_type(ctx)) { case NID_md5: case NID_sha1: @@ -483,49 +481,3 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, EVP_MD_CTX_free(md_ctx); return 0; } - -/* - * Due to the need to use EVP in FIPS mode we can't reimplement digests but - * we can ensure the number of blocks processed is equal for all cases by - * digesting additional data. - */ - -int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx, - EVP_MD_CTX *mac_ctx, const unsigned char *data, - size_t data_len, size_t orig_len) -{ - size_t block_size, digest_pad, blocks_data, blocks_orig; - if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) - return 1; - block_size = EVP_MD_CTX_block_size(mac_ctx); - /*- - * We are in FIPS mode if we get this far so we know we have only SHA* - * digests and TLS to deal with. - * Minimum digest padding length is 17 for SHA384/SHA512 and 9 - * otherwise. - * Additional header is 13 bytes. To get the number of digest blocks - * processed round up the amount of data plus padding to the nearest - * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. - * So we have: - * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size - * equivalently: - * blocks = (payload_len + digest_pad + 12)/block_size + 1 - * HMAC adds a constant overhead. - * We're ultimately only interested in differences so this becomes - * blocks = (payload_len + 29)/128 - * for SHA384/SHA512 and - * blocks = (payload_len + 21)/64 - * otherwise. - */ - digest_pad = block_size == 64 ? 21 : 29; - blocks_orig = (orig_len + digest_pad) / block_size; - blocks_data = (data_len + digest_pad) / block_size; - /* - * MAC enough blocks to make up the difference between the original and - * actual lengths plus one extra block to ensure this is never a no op. - * The "data" pointer should always have enough space to perform this - * operation as it is large enough for a maximum length TLS buffer. - */ - return EVP_DigestSignUpdate(mac_ctx, data, - (blocks_orig - blocks_data + 1) * block_size); -} diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index e64e3da32e..0b60debdd9 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -577,9 +577,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, s->ssl_version < TLS1_VERSION) return 1; - if (FIPS_mode()) - return 1; - if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) @@ -687,8 +684,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, /* drop those that use any of that is not available */ if (c == NULL || !c->valid) continue; - if (FIPS_mode() && (c->algo_strength & SSL_FIPS)) - continue; if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || (c->algorithm_enc & disabled_enc) || @@ -1495,8 +1490,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ for (curr = head; curr != NULL; curr = curr->next) { - if (curr->active - && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) { + if (curr->active) { if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9382c2ed1d..39254f16f9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2504,11 +2504,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; - if (FIPS_mode() && (meth->version < TLS1_VERSION)) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE); - return NULL; - } - if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index ac8c826a0a..565fa36f9b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2358,10 +2358,6 @@ __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, const unsigned char *mac_secret, size_t mac_secret_length, char is_sslv3); -__owur int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx, - EVP_MD_CTX *mac_ctx, const unsigned char *data, - size_t data_len, size_t orig_len); - __owur int srp_generate_server_master_secret(SSL *s); __owur int srp_generate_client_master_secret(SSL *s); __owur int srp_verify_server_param(SSL *s, int *al); diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index c871c00c0c..ed1ecce160 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1321,8 +1321,6 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) return SSL_R_UNSUPPORTED_PROTOCOL; if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; - else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode()) - return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE; return 0; } @@ -1680,7 +1678,7 @@ int ssl_choose_client_version(SSL *s, int version) * Work out what version we should be using for the initial ClientHello if the * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx * options, the MinProtocol and MaxProtocol configuration commands, any Suite B - * or FIPS_mode() constraints and any floor imposed by the security level here, + * constraints and any floor imposed by the security level here, * so we don't advertise the wrong protocol version to only reject the outcome later. * * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, diff --git a/test/ssltest_old.c b/test/ssltest_old.c index 1bfa983122..649215d9b7 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -699,9 +699,6 @@ static void sv_usage(void) { fprintf(stderr, "usage: ssltest [args ...]\n"); fprintf(stderr, "\n"); -#ifdef OPENSSL_FIPS - fprintf(stderr, "-F - run test in FIPS mode\n"); -#endif fprintf(stderr, " -server_auth - check server certificate\n"); fprintf(stderr, " -client_auth - do client authentication\n"); fprintf(stderr, " -v - more output\n"); @@ -988,9 +985,6 @@ int main(int argc, char *argv[]) int n, comp = 0; COMP_METHOD *cm = NULL; STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; -#endif -#ifdef OPENSSL_FIPS - int fips_mode = 0; #endif int no_protocol; int min_version = 0, max_version = 0; @@ -1060,13 +1054,9 @@ int main(int argc, char *argv[]) while (argc >= 1) { if (strcmp(*argv, "-F") == 0) { -#ifdef OPENSSL_FIPS - fips_mode = 1; -#else fprintf(stderr, "not compiled with FIPS support, so exiting without running.\n"); EXIT(0); -#endif } else if (strcmp(*argv, "-server_auth") == 0) server_auth = 1; else if (strcmp(*argv, "-client_auth") == 0) @@ -1383,15 +1373,6 @@ int main(int argc, char *argv[]) "to avoid protocol mismatch.\n"); EXIT(1); } -#ifdef OPENSSL_FIPS - if (fips_mode) { - if (!FIPS_mode_set(1)) { - ERR_print_errors(bio_err); - EXIT(1); - } else - fprintf(stderr, "*** IN FIPS MODE ***\n"); - } -#endif if (print_time) { if (bio_type != BIO_PAIR) {