diff options
| author |   tedu <tedu@openbsd.org> | 2014-04-15 20:06:09 +0000 |
|---|---|---|
| committer | tedu <tedu@openbsd.org> | 2014-04-15 20:06:09 +0000 |
| commit | 68c0184592b044f3976f88a8512516f3a3780200 (patch) | |
| tree | 91f93963a9f8d67c5ab9bcc88fe6c0dfdbb5f400 /lib/libssl/src | |
| parent | Q: How would you like your lies, sir? (diff) | |
| download | wireguard-openbsd-68c0184592b044f3976f88a8512516f3a3780200.tar.xz wireguard-openbsd-68c0184592b044f3976f88a8512516f3a3780200.zip | |
remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok beck deraadt
Diffstat (limited to 'lib/libssl/src')
65 files changed, 6 insertions, 976 deletions
diff --git a/lib/libssl/src/crypto/Makefile b/lib/libssl/src/crypto/Makefile index 326915d5202..5c02ba28447 100644 --- a/lib/libssl/src/crypto/Makefile +++ b/lib/libssl/src/crypto/Makefile @@ -35,9 +35,9 @@ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ - uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c + uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \ - uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) + uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o $(CPUID_OBJ) SRC= $(LIBSRC) diff --git a/lib/libssl/src/crypto/aes/aes_misc.c b/lib/libssl/src/crypto/aes/aes_misc.c index d666c06409a..9380abc46c2 100644 --- a/lib/libssl/src/crypto/aes/aes_misc.c +++ b/lib/libssl/src/crypto/aes/aes_misc.c @@ -71,9 +71,6 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(AES); -#endif return private_AES_set_encrypt_key(userKey, bits, key); } @@ -81,8 +78,5 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(AES); -#endif return private_AES_set_decrypt_key(userKey, bits, key); } diff --git a/lib/libssl/src/crypto/bf/bf_skey.c b/lib/libssl/src/crypto/bf/bf_skey.c index 3b0bca41aec..d8e6287a32e 100644 --- a/lib/libssl/src/crypto/bf/bf_skey.c +++ b/lib/libssl/src/crypto/bf/bf_skey.c @@ -64,13 +64,6 @@ #include "bf_pi.h" void BF_set_key(BF_KEY *key, int len, const unsigned char *data) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(BLOWFISH); - private_BF_set_key(key, len, data); - } -void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data) -#endif { int i; BF_LONG *p,ri,in[2]; diff --git a/lib/libssl/src/crypto/bf/blowfish.h b/lib/libssl/src/crypto/bf/blowfish.h index 4b6c8920a4a..65685f478c7 100644 --- a/lib/libssl/src/crypto/bf/blowfish.h +++ b/lib/libssl/src/crypto/bf/blowfish.h @@ -104,9 +104,6 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; -#ifdef OPENSSL_FIPS -void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data); -#endif void BF_set_key(BF_KEY *key, int len, const unsigned char *data); void BF_encrypt(BF_LONG *data,const BF_KEY *key); diff --git a/lib/libssl/src/crypto/bn/bn_lcl.h b/lib/libssl/src/crypto/bn/bn_lcl.h index 817c773b659..9194e86b399 100644 --- a/lib/libssl/src/crypto/bn/bn_lcl.h +++ b/lib/libssl/src/crypto/bn/bn_lcl.h @@ -479,10 +479,6 @@ extern "C" { } #endif /* !BN_LLONG */ -#if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS) -#undef bn_div_words -#endif - void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb); void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); diff --git a/lib/libssl/src/crypto/camellia/camellia.h b/lib/libssl/src/crypto/camellia/camellia.h index 67911e0adf8..cf0457dd976 100644 --- a/lib/libssl/src/crypto/camellia/camellia.h +++ b/lib/libssl/src/crypto/camellia/camellia.h @@ -88,10 +88,6 @@ struct camellia_key_st }; typedef struct camellia_key_st CAMELLIA_KEY; -#ifdef OPENSSL_FIPS -int private_Camellia_set_key(const unsigned char *userKey, const int bits, - CAMELLIA_KEY *key); -#endif int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key); diff --git a/lib/libssl/src/crypto/camellia/cmll_utl.c b/lib/libssl/src/crypto/camellia/cmll_utl.c index 7a35711ec1c..b88a996a3f0 100644 --- a/lib/libssl/src/crypto/camellia/cmll_utl.c +++ b/lib/libssl/src/crypto/camellia/cmll_utl.c @@ -57,8 +57,5 @@ int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(Camellia); -#endif return private_Camellia_set_key(userKey, bits, key); } diff --git a/lib/libssl/src/crypto/cast/c_skey.c b/lib/libssl/src/crypto/cast/c_skey.c index cb6bf9fee37..54ea98cd0bf 100644 --- a/lib/libssl/src/crypto/cast/c_skey.c +++ b/lib/libssl/src/crypto/cast/c_skey.c @@ -73,13 +73,6 @@ #define S6 CAST_S_table6 #define S7 CAST_S_table7 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(CAST); - private_CAST_set_key(key, len, data); - } -void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) -#endif { CAST_LONG x[16]; CAST_LONG z[16]; diff --git a/lib/libssl/src/crypto/cast/cast.h b/lib/libssl/src/crypto/cast/cast.h index 203922ea2b4..8741532e9e4 100644 --- a/lib/libssl/src/crypto/cast/cast.h +++ b/lib/libssl/src/crypto/cast/cast.h @@ -83,9 +83,6 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; -#ifdef OPENSSL_FIPS -void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); -#endif void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key, int enc); diff --git a/lib/libssl/src/crypto/cmac/cmac.c b/lib/libssl/src/crypto/cmac/cmac.c index 8b72b096813..f92a7bb1437 100644 --- a/lib/libssl/src/crypto/cmac/cmac.c +++ b/lib/libssl/src/crypto/cmac/cmac.c @@ -57,10 +57,6 @@ #include "cryptlib.h" #include <openssl/cmac.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - struct CMAC_CTX_st { /* Cipher context to use */ @@ -107,13 +103,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->cctx.engine) - { - FIPS_cmac_ctx_cleanup(ctx); - return; - } -#endif EVP_CIPHER_CTX_cleanup(&ctx->cctx); OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); @@ -153,24 +142,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, const EVP_CIPHER *cipher, ENGINE *impl) { static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH]; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - { - /* If we have an ENGINE need to allow non FIPS */ - if ((impl || ctx->cctx.engine) - && !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) - - { - EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS); - return 0; - } - /* Other algorithm blocking will be done in FIPS_cmac_init, - * via FIPS_cipherinit(). - */ - if (!impl && !ctx->cctx.engine) - return FIPS_cmac_init(ctx, key, keylen, cipher, NULL); - } -#endif /* All zeros means restart */ if (!key && !cipher && !impl && keylen == 0) { @@ -216,10 +187,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) { const unsigned char *data = in; size_t bl; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->cctx.engine) - return FIPS_cmac_update(ctx, in, dlen); -#endif + if (ctx->nlast_block == -1) return 0; if (dlen == 0) @@ -261,10 +229,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) { int i, bl, lb; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->cctx.engine) - return FIPS_cmac_final(ctx, out, poutlen); -#endif + if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); diff --git a/lib/libssl/src/crypto/crypto.h b/lib/libssl/src/crypto/crypto.h index 351ccfd35b4..56c5dfadb8c 100644 --- a/lib/libssl/src/crypto/crypto.h +++ b/lib/libssl/src/crypto/crypto.h @@ -538,25 +538,9 @@ void OPENSSL_init(void); #define fips_md_init(alg) fips_md_init_ctx(alg, alg) -#ifdef OPENSSL_FIPS -#define fips_md_init_ctx(alg, cx) \ - int alg##_Init(cx##_CTX *c) \ - { \ - if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \ - "Low level API call to digest " #alg " forbidden in FIPS mode!"); \ - return private_##alg##_Init(c); \ - } \ - int private_##alg##_Init(cx##_CTX *c) - -#define fips_cipher_abort(alg) \ - if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \ - "Low level API call to cipher " #alg " forbidden in FIPS mode!") - -#else #define fips_md_init_ctx(alg, cx) \ int alg##_Init(cx##_CTX *c) #define fips_cipher_abort(alg) while(0) -#endif /* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It * takes an amount of time dependent on |len|, but independent of the contents diff --git a/lib/libssl/src/crypto/des/des.h b/lib/libssl/src/crypto/des/des.h index 1eaedcbd24b..92b66635998 100644 --- a/lib/libssl/src/crypto/des/des.h +++ b/lib/libssl/src/crypto/des/des.h @@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule); int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule); void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule); -#ifdef OPENSSL_FIPS -void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule); -#endif void DES_string_to_key(const char *str,DES_cblock *key); void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length, diff --git a/lib/libssl/src/crypto/des/set_key.c b/lib/libssl/src/crypto/des/set_key.c index 99e3555ba92..e8dea50b962 100644 --- a/lib/libssl/src/crypto/des/set_key.c +++ b/lib/libssl/src/crypto/des/set_key.c @@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule) } void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(DES); - private_DES_set_key_unchecked(key, schedule); - } -void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) -#endif { static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; register DES_LONG c,d,t,s,t2; diff --git a/lib/libssl/src/crypto/dh/dh_gen.c b/lib/libssl/src/crypto/dh/dh_gen.c index 7b1fe9c9cbb..cfd5b118681 100644 --- a/lib/libssl/src/crypto/dh/dh_gen.c +++ b/lib/libssl/src/crypto/dh/dh_gen.c @@ -66,29 +66,12 @@ #include <openssl/bn.h> #include <openssl/dh.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) - && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) - { - DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); - return 0; - } -#endif if(ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dh_generate_parameters_ex(ret, prime_len, - generator, cb); -#endif return dh_builtin_genparams(ret, prime_len, generator, cb); } diff --git a/lib/libssl/src/crypto/dh/dh_key.c b/lib/libssl/src/crypto/dh/dh_key.c index 89a74db4e69..9596270f7d4 100644 --- a/lib/libssl/src/crypto/dh/dh_key.c +++ b/lib/libssl/src/crypto/dh/dh_key.c @@ -73,27 +73,11 @@ static int dh_finish(DH *dh); int DH_generate_key(DH *dh) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) - && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) - { - DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); - return 0; - } -#endif return dh->meth->generate_key(dh); } int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) - && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) - { - DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); - return 0; - } -#endif return dh->meth->compute_key(key, pub_key, dh); } diff --git a/lib/libssl/src/crypto/dh/dh_lib.c b/lib/libssl/src/crypto/dh/dh_lib.c index 00218f2b92b..a40caaf75b1 100644 --- a/lib/libssl/src/crypto/dh/dh_lib.c +++ b/lib/libssl/src/crypto/dh/dh_lib.c @@ -64,10 +64,6 @@ #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; static const DH_METHOD *default_DH_method = NULL; @@ -81,14 +77,7 @@ const DH_METHOD *DH_get_default_method(void) { if(!default_DH_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dh_openssl(); - else - return DH_OpenSSL(); -#else default_DH_method = DH_OpenSSL(); -#endif } return default_DH_method; } diff --git a/lib/libssl/src/crypto/dsa/dsa_gen.c b/lib/libssl/src/crypto/dsa/dsa_gen.c index c398761d0dd..e6a54520161 100644 --- a/lib/libssl/src/crypto/dsa/dsa_gen.c +++ b/lib/libssl/src/crypto/dsa/dsa_gen.c @@ -81,33 +81,13 @@ #include <openssl/sha.h> #include "dsa_locl.h" -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - int DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); - return 0; - } -#endif if(ret->meth->dsa_paramgen) return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, counter_ret, h_ret, cb); -#ifdef OPENSSL_FIPS - else if (FIPS_mode()) - { - return FIPS_dsa_generate_parameters_ex(ret, bits, - seed_in, seed_len, - counter_ret, h_ret, cb); - } -#endif else { const EVP_MD *evpmd; diff --git a/lib/libssl/src/crypto/dsa/dsa_key.c b/lib/libssl/src/crypto/dsa/dsa_key.c index 9cf669b921a..c4aa86bc6dc 100644 --- a/lib/libssl/src/crypto/dsa/dsa_key.c +++ b/lib/libssl/src/crypto/dsa/dsa_key.c @@ -64,28 +64,12 @@ #include <openssl/dsa.h> #include <openssl/rand.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - static int dsa_builtin_keygen(DSA *dsa); int DSA_generate_key(DSA *dsa) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); - return 0; - } -#endif if(dsa->meth->dsa_keygen) return dsa->meth->dsa_keygen(dsa); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dsa_generate_key(dsa); -#endif return dsa_builtin_keygen(dsa); } diff --git a/lib/libssl/src/crypto/dsa/dsa_lib.c b/lib/libssl/src/crypto/dsa/dsa_lib.c index 96d8d0c4b45..897c0859682 100644 --- a/lib/libssl/src/crypto/dsa/dsa_lib.c +++ b/lib/libssl/src/crypto/dsa/dsa_lib.c @@ -70,10 +70,6 @@ #include <openssl/dh.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT; static const DSA_METHOD *default_DSA_method = NULL; @@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void) { if(!default_DSA_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dsa_openssl(); - else - return DSA_OpenSSL(); -#else default_DSA_method = DSA_OpenSSL(); -#endif } return default_DSA_method; } diff --git a/lib/libssl/src/crypto/dsa/dsa_sign.c b/lib/libssl/src/crypto/dsa/dsa_sign.c index c3cc3642cea..e02365a8b13 100644 --- a/lib/libssl/src/crypto/dsa/dsa_sign.c +++ b/lib/libssl/src/crypto/dsa/dsa_sign.c @@ -65,27 +65,11 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD); - return NULL; - } -#endif return dsa->meth->dsa_do_sign(dgst, dlen, dsa); } int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD); - return 0; - } -#endif return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); } diff --git a/lib/libssl/src/crypto/dsa/dsa_vrf.c b/lib/libssl/src/crypto/dsa/dsa_vrf.c index 674cb5fa5f5..286ed28cfa5 100644 --- a/lib/libssl/src/crypto/dsa/dsa_vrf.c +++ b/lib/libssl/src/crypto/dsa/dsa_vrf.c @@ -64,13 +64,5 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD); - return -1; - } -#endif return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); } diff --git a/lib/libssl/src/crypto/ec/ec2_smpl.c b/lib/libssl/src/crypto/ec/ec2_smpl.c index e0e59c7d829..0cf681fa9df 100644 --- a/lib/libssl/src/crypto/ec/ec2_smpl.c +++ b/lib/libssl/src/crypto/ec/ec2_smpl.c @@ -73,16 +73,8 @@ #ifndef OPENSSL_NO_EC2M -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - - const EC_METHOD *EC_GF2m_simple_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gf2m_simple_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_characteristic_two_field, @@ -126,7 +118,6 @@ const EC_METHOD *EC_GF2m_simple_method(void) 0 /* field_set_to_one */ }; return &ret; -#endif } diff --git a/lib/libssl/src/crypto/ec/ec_key.c b/lib/libssl/src/crypto/ec/ec_key.c index 7fa247593d9..d5286010362 100644 --- a/lib/libssl/src/crypto/ec/ec_key.c +++ b/lib/libssl/src/crypto/ec/ec_key.c @@ -64,9 +64,6 @@ #include <string.h> #include "ec_lcl.h" #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif EC_KEY *EC_KEY_new(void) { @@ -241,11 +238,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_ec_key_generate_key(eckey); -#endif - if (!eckey || !eckey->group) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); diff --git a/lib/libssl/src/crypto/ec/ecp_mont.c b/lib/libssl/src/crypto/ec/ecp_mont.c index f04f132c7ad..cee0fee12a6 100644 --- a/lib/libssl/src/crypto/ec/ecp_mont.c +++ b/lib/libssl/src/crypto/ec/ecp_mont.c @@ -63,18 +63,11 @@ #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - #include "ec_lcl.h" const EC_METHOD *EC_GFp_mont_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gfp_mont_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, @@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void) ec_GFp_mont_field_set_to_one }; return &ret; -#endif } diff --git a/lib/libssl/src/crypto/ec/ecp_nist.c b/lib/libssl/src/crypto/ec/ecp_nist.c index aad2d5f4438..ac5b8142388 100644 --- a/lib/libssl/src/crypto/ec/ecp_nist.c +++ b/lib/libssl/src/crypto/ec/ecp_nist.c @@ -67,15 +67,8 @@ #include <openssl/obj_mac.h> #include "ec_lcl.h" -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const EC_METHOD *EC_GFp_nist_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gfp_nist_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, @@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void) 0 /* field_set_to_one */ }; return &ret; -#endif } int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) diff --git a/lib/libssl/src/crypto/ec/ecp_smpl.c b/lib/libssl/src/crypto/ec/ecp_smpl.c index cd05fd12514..bf0ad998dd0 100644 --- a/lib/libssl/src/crypto/ec/ecp_smpl.c +++ b/lib/libssl/src/crypto/ec/ecp_smpl.c @@ -64,17 +64,10 @@ #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - #include "ec_lcl.h" const EC_METHOD *EC_GFp_simple_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gfp_simple_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, @@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_simple_method(void) 0 /* field_set_to_one */ }; return &ret; -#endif } diff --git a/lib/libssl/src/crypto/ecdh/ech_lib.c b/lib/libssl/src/crypto/ecdh/ech_lib.c index 0644431b756..ddf226b1666 100644 --- a/lib/libssl/src/crypto/ecdh/ech_lib.c +++ b/lib/libssl/src/crypto/ecdh/ech_lib.c @@ -73,9 +73,6 @@ #include <openssl/engine.h> #endif #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT; @@ -94,14 +91,7 @@ const ECDH_METHOD *ECDH_get_default_method(void) { if(!default_ECDH_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_ecdh_openssl(); - else - return ECDH_OpenSSL(); -#else default_ECDH_method = ECDH_OpenSSL(); -#endif } return default_ECDH_method; } @@ -234,15 +224,6 @@ ECDH_DATA *ecdh_check(EC_KEY *key) } else ecdh_data = (ECDH_DATA *)data; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD) - && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) - { - ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD); - return NULL; - } -#endif - return ecdh_data; } diff --git a/lib/libssl/src/crypto/ecdsa/ecs_lib.c b/lib/libssl/src/crypto/ecdsa/ecs_lib.c index 814a6bf4046..7b53969ffd8 100644 --- a/lib/libssl/src/crypto/ecdsa/ecs_lib.c +++ b/lib/libssl/src/crypto/ecdsa/ecs_lib.c @@ -60,9 +60,6 @@ #endif #include <openssl/err.h> #include <openssl/bn.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT; @@ -81,14 +78,7 @@ const ECDSA_METHOD *ECDSA_get_default_method(void) { if(!default_ECDSA_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_ecdsa_openssl(); - else - return ECDSA_OpenSSL(); -#else default_ECDSA_method = ECDSA_OpenSSL(); -#endif } return default_ECDSA_method; } @@ -212,14 +202,6 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key) } else ecdsa_data = (ECDSA_DATA *)data; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD) - && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) - { - ECDSAerr(ECDSA_F_ECDSA_CHECK, ECDSA_R_NON_FIPS_METHOD); - return NULL; - } -#endif return ecdsa_data; } diff --git a/lib/libssl/src/crypto/err/err_all.c b/lib/libssl/src/crypto/err/err_all.c index 8eb547d98d5..1c4eccd2516 100644 --- a/lib/libssl/src/crypto/err/err_all.c +++ b/lib/libssl/src/crypto/err/err_all.c @@ -97,9 +97,6 @@ #include <openssl/ui.h> #include <openssl/ocsp.h> #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif #include <openssl/ts.h> #ifndef OPENSSL_NO_CMS #include <openssl/cms.h> @@ -155,9 +152,6 @@ void ERR_load_crypto_strings(void) #endif ERR_load_OCSP_strings(); ERR_load_UI_strings(); -#ifdef OPENSSL_FIPS - ERR_load_FIPS_strings(); -#endif #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif diff --git a/lib/libssl/src/crypto/evp/Makefile b/lib/libssl/src/crypto/evp/Makefile index 3982f49f81a..f94a28d383b 100644 --- a/lib/libssl/src/crypto/evp/Makefile +++ b/lib/libssl/src/crypto/evp/Makefile @@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \ - e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \ + e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ @@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \ - e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \ + e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \ e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o SRC= $(LIBSRC) diff --git a/lib/libssl/src/crypto/evp/digest.c b/lib/libssl/src/crypto/evp/digest.c index d14e8e48d5a..782d3199a5a 100644 --- a/lib/libssl/src/crypto/evp/digest.c +++ b/lib/libssl/src/crypto/evp/digest.c @@ -117,10 +117,6 @@ #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { memset(ctx,'\0',sizeof *ctx); @@ -229,26 +225,12 @@ skip_to_init: } if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) return 1; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - { - if (FIPS_digestinit(ctx, type)) - return 1; - OPENSSL_free(ctx->md_data); - ctx->md_data = NULL; - return 0; - } -#endif return ctx->digest->init(ctx); } int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { -#ifdef OPENSSL_FIPS - return FIPS_digestupdate(ctx, data, count); -#else return ctx->update(ctx,data,count); -#endif } /* The caller can assume that this removes any secret data from the context */ @@ -263,9 +245,6 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { -#ifdef OPENSSL_FIPS - return FIPS_digestfinal(ctx, md, size); -#else int ret; OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); @@ -279,7 +258,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) } memset(ctx->md_data,0,ctx->digest->ctx_size); return ret; -#endif } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) @@ -376,7 +354,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { -#ifndef OPENSSL_FIPS /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ @@ -389,7 +366,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } -#endif if (ctx->pctx) EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE @@ -398,9 +374,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); #endif -#ifdef OPENSSL_FIPS - FIPS_md_ctx_cleanup(ctx); -#endif memset(ctx,'\0',sizeof *ctx); return 1; diff --git a/lib/libssl/src/crypto/evp/e_null.c b/lib/libssl/src/crypto/evp/e_null.c index f0c1f78b5fe..98a78499f96 100644 --- a/lib/libssl/src/crypto/evp/e_null.c +++ b/lib/libssl/src/crypto/evp/e_null.c @@ -61,8 +61,6 @@ #include <openssl/evp.h> #include <openssl/objects.h> -#ifndef OPENSSL_FIPS - static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv,int enc); static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, @@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, memcpy((char *)out,(const char *)in,inl); return 1; } -#endif diff --git a/lib/libssl/src/crypto/evp/evp_enc.c b/lib/libssl/src/crypto/evp/evp_enc.c index 0c54f05e6ef..50403a75780 100644 --- a/lib/libssl/src/crypto/evp/evp_enc.c +++ b/lib/libssl/src/crypto/evp/evp_enc.c @@ -64,17 +64,9 @@ #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif #include "evp_locl.h" -#ifdef OPENSSL_FIPS -#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl) -#else #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl) -#endif - const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -169,10 +161,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp ctx->engine = NULL; #endif -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_cipherinit(ctx, cipher, key, iv, enc); -#endif ctx->cipher=cipher; if (ctx->cipher->ctx_size) { @@ -206,10 +194,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp #ifndef OPENSSL_NO_ENGINE skip_to_init: #endif -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_cipherinit(ctx, cipher, key, iv, enc); -#endif /* we assume block size is a power of 2 in *cryptUpdate */ OPENSSL_assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 @@ -568,7 +552,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { -#ifndef OPENSSL_FIPS if (c->cipher != NULL) { if(c->cipher->cleanup && !c->cipher->cleanup(c)) @@ -579,16 +562,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) } if (c->cipher_data) OPENSSL_free(c->cipher_data); -#endif #ifndef OPENSSL_NO_ENGINE if (c->engine) /* The EVP_CIPHER we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(c->engine); #endif -#ifdef OPENSSL_FIPS - FIPS_cipher_ctx_cleanup(c); -#endif memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } diff --git a/lib/libssl/src/crypto/evp/evp_fips.c b/lib/libssl/src/crypto/evp/evp_fips.c deleted file mode 100644 index cb7f4fc0faf..00000000000 --- a/lib/libssl/src/crypto/evp/evp_fips.c +++ /dev/null @@ -1,113 +0,0 @@ -/* crypto/evp/evp_fips.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 2011 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - */ - - -#include <openssl/evp.h> - -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> - -const EVP_CIPHER *EVP_aes_128_cbc(void) { return FIPS_evp_aes_128_cbc(); } -const EVP_CIPHER *EVP_aes_128_ccm(void) { return FIPS_evp_aes_128_ccm(); } -const EVP_CIPHER *EVP_aes_128_cfb1(void) { return FIPS_evp_aes_128_cfb1(); } -const EVP_CIPHER *EVP_aes_128_cfb128(void) { return FIPS_evp_aes_128_cfb128(); } -const EVP_CIPHER *EVP_aes_128_cfb8(void) { return FIPS_evp_aes_128_cfb8(); } -const EVP_CIPHER *EVP_aes_128_ctr(void) { return FIPS_evp_aes_128_ctr(); } -const EVP_CIPHER *EVP_aes_128_ecb(void) { return FIPS_evp_aes_128_ecb(); } -const EVP_CIPHER *EVP_aes_128_gcm(void) { return FIPS_evp_aes_128_gcm(); } -const EVP_CIPHER *EVP_aes_128_ofb(void) { return FIPS_evp_aes_128_ofb(); } -const EVP_CIPHER *EVP_aes_128_xts(void) { return FIPS_evp_aes_128_xts(); } -const EVP_CIPHER *EVP_aes_192_cbc(void) { return FIPS_evp_aes_192_cbc(); } -const EVP_CIPHER *EVP_aes_192_ccm(void) { return FIPS_evp_aes_192_ccm(); } -const EVP_CIPHER *EVP_aes_192_cfb1(void) { return FIPS_evp_aes_192_cfb1(); } -const EVP_CIPHER *EVP_aes_192_cfb128(void) { return FIPS_evp_aes_192_cfb128(); } -const EVP_CIPHER *EVP_aes_192_cfb8(void) { return FIPS_evp_aes_192_cfb8(); } -const EVP_CIPHER *EVP_aes_192_ctr(void) { return FIPS_evp_aes_192_ctr(); } -const EVP_CIPHER *EVP_aes_192_ecb(void) { return FIPS_evp_aes_192_ecb(); } -const EVP_CIPHER *EVP_aes_192_gcm(void) { return FIPS_evp_aes_192_gcm(); } -const EVP_CIPHER *EVP_aes_192_ofb(void) { return FIPS_evp_aes_192_ofb(); } -const EVP_CIPHER *EVP_aes_256_cbc(void) { return FIPS_evp_aes_256_cbc(); } -const EVP_CIPHER *EVP_aes_256_ccm(void) { return FIPS_evp_aes_256_ccm(); } -const EVP_CIPHER *EVP_aes_256_cfb1(void) { return FIPS_evp_aes_256_cfb1(); } -const EVP_CIPHER *EVP_aes_256_cfb128(void) { return FIPS_evp_aes_256_cfb128(); } -const EVP_CIPHER *EVP_aes_256_cfb8(void) { return FIPS_evp_aes_256_cfb8(); } -const EVP_CIPHER *EVP_aes_256_ctr(void) { return FIPS_evp_aes_256_ctr(); } -const EVP_CIPHER *EVP_aes_256_ecb(void) { return FIPS_evp_aes_256_ecb(); } -const EVP_CIPHER *EVP_aes_256_gcm(void) { return FIPS_evp_aes_256_gcm(); } -const EVP_CIPHER *EVP_aes_256_ofb(void) { return FIPS_evp_aes_256_ofb(); } -const EVP_CIPHER *EVP_aes_256_xts(void) { return FIPS_evp_aes_256_xts(); } -const EVP_CIPHER *EVP_des_ede(void) { return FIPS_evp_des_ede(); } -const EVP_CIPHER *EVP_des_ede3(void) { return FIPS_evp_des_ede3(); } -const EVP_CIPHER *EVP_des_ede3_cbc(void) { return FIPS_evp_des_ede3_cbc(); } -const EVP_CIPHER *EVP_des_ede3_cfb1(void) { return FIPS_evp_des_ede3_cfb1(); } -const EVP_CIPHER *EVP_des_ede3_cfb64(void) { return FIPS_evp_des_ede3_cfb64(); } -const EVP_CIPHER *EVP_des_ede3_cfb8(void) { return FIPS_evp_des_ede3_cfb8(); } -const EVP_CIPHER *EVP_des_ede3_ecb(void) { return FIPS_evp_des_ede3_ecb(); } -const EVP_CIPHER *EVP_des_ede3_ofb(void) { return FIPS_evp_des_ede3_ofb(); } -const EVP_CIPHER *EVP_des_ede_cbc(void) { return FIPS_evp_des_ede_cbc(); } -const EVP_CIPHER *EVP_des_ede_cfb64(void) { return FIPS_evp_des_ede_cfb64(); } -const EVP_CIPHER *EVP_des_ede_ecb(void) { return FIPS_evp_des_ede_ecb(); } -const EVP_CIPHER *EVP_des_ede_ofb(void) { return FIPS_evp_des_ede_ofb(); } -const EVP_CIPHER *EVP_enc_null(void) { return FIPS_evp_enc_null(); } - -const EVP_MD *EVP_sha1(void) { return FIPS_evp_sha1(); } -const EVP_MD *EVP_sha224(void) { return FIPS_evp_sha224(); } -const EVP_MD *EVP_sha256(void) { return FIPS_evp_sha256(); } -const EVP_MD *EVP_sha384(void) { return FIPS_evp_sha384(); } -const EVP_MD *EVP_sha512(void) { return FIPS_evp_sha512(); } - -const EVP_MD *EVP_dss(void) { return FIPS_evp_dss(); } -const EVP_MD *EVP_dss1(void) { return FIPS_evp_dss1(); } -const EVP_MD *EVP_ecdsa(void) { return FIPS_evp_ecdsa(); } - -#endif diff --git a/lib/libssl/src/crypto/evp/evp_locl.h b/lib/libssl/src/crypto/evp/evp_locl.h index 08c0a66d39c..9e71f39a47e 100644 --- a/lib/libssl/src/crypto/evp/evp_locl.h +++ b/lib/libssl/src/crypto/evp/evp_locl.h @@ -347,39 +347,3 @@ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de); - -#ifdef OPENSSL_FIPS - -#ifdef OPENSSL_DOING_MAKEDEPEND -#undef SHA1_Init -#undef SHA1_Update -#undef SHA224_Init -#undef SHA256_Init -#undef SHA384_Init -#undef SHA512_Init -#undef DES_set_key_unchecked -#endif - -#define RIPEMD160_Init private_RIPEMD160_Init -#define WHIRLPOOL_Init private_WHIRLPOOL_Init -#define MD5_Init private_MD5_Init -#define MD4_Init private_MD4_Init -#define MD2_Init private_MD2_Init -#define MDC2_Init private_MDC2_Init -#define SHA_Init private_SHA_Init -#define SHA1_Init private_SHA1_Init -#define SHA224_Init private_SHA224_Init -#define SHA256_Init private_SHA256_Init -#define SHA384_Init private_SHA384_Init -#define SHA512_Init private_SHA512_Init - -#define BF_set_key private_BF_set_key -#define CAST_set_key private_CAST_set_key -#define idea_set_encrypt_key private_idea_set_encrypt_key -#define SEED_set_key private_SEED_set_key -#define RC2_set_key private_RC2_set_key -#define RC4_set_key private_RC4_set_key -#define DES_set_key_unchecked private_DES_set_key_unchecked -#define Camellia_set_key private_Camellia_set_key - -#endif diff --git a/lib/libssl/src/crypto/evp/m_dss.c b/lib/libssl/src/crypto/evp/m_dss.c index 6fb7e9a8610..89ea5b7a6d6 100644 --- a/lib/libssl/src/crypto/evp/m_dss.c +++ b/lib/libssl/src/crypto/evp/m_dss.c @@ -66,7 +66,6 @@ #endif #ifndef OPENSSL_NO_SHA -#ifndef OPENSSL_FIPS static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } @@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void) return(&dsa_md); } #endif -#endif diff --git a/lib/libssl/src/crypto/evp/m_dss1.c b/lib/libssl/src/crypto/evp/m_dss1.c index 2df362a6701..a010103b7a1 100644 --- a/lib/libssl/src/crypto/evp/m_dss1.c +++ b/lib/libssl/src/crypto/evp/m_dss1.c @@ -68,8 +68,6 @@ #include <openssl/dsa.h> #endif -#ifndef OPENSSL_FIPS - static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } @@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void) return(&dss1_md); } #endif -#endif diff --git a/lib/libssl/src/crypto/evp/m_ecdsa.c b/lib/libssl/src/crypto/evp/m_ecdsa.c index 4b15fb0f6ce..a6ed24b0b68 100644 --- a/lib/libssl/src/crypto/evp/m_ecdsa.c +++ b/lib/libssl/src/crypto/evp/m_ecdsa.c @@ -116,7 +116,6 @@ #include <openssl/x509.h> #ifndef OPENSSL_NO_SHA -#ifndef OPENSSL_FIPS static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } @@ -148,4 +147,3 @@ const EVP_MD *EVP_ecdsa(void) return(&ecdsa_md); } #endif -#endif diff --git a/lib/libssl/src/crypto/evp/m_sha1.c b/lib/libssl/src/crypto/evp/m_sha1.c index bd0c01ad3c4..f39ae779259 100644 --- a/lib/libssl/src/crypto/evp/m_sha1.c +++ b/lib/libssl/src/crypto/evp/m_sha1.c @@ -59,8 +59,6 @@ #include <stdio.h> #include "cryptlib.h" -#ifndef OPENSSL_FIPS - #ifndef OPENSSL_NO_SHA #include <openssl/evp.h> @@ -205,5 +203,3 @@ static const EVP_MD sha512_md= const EVP_MD *EVP_sha512(void) { return(&sha512_md); } #endif /* ifndef OPENSSL_NO_SHA512 */ - -#endif diff --git a/lib/libssl/src/crypto/fips_ers.c b/lib/libssl/src/crypto/fips_ers.c deleted file mode 100644 index 1788ed28848..00000000000 --- a/lib/libssl/src/crypto/fips_ers.c +++ /dev/null @@ -1,7 +0,0 @@ -#include <openssl/opensslconf.h> - -#ifdef OPENSSL_FIPS -# include "fips_err.h" -#else -static void *dummy = &dummy; -#endif diff --git a/lib/libssl/src/crypto/hmac/hmac.c b/lib/libssl/src/crypto/hmac/hmac.c index ba27cbf56f2..6c98fc43a31 100644 --- a/lib/libssl/src/crypto/hmac/hmac.c +++ b/lib/libssl/src/crypto/hmac/hmac.c @@ -61,34 +61,12 @@ #include "cryptlib.h" #include <openssl/hmac.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md, ENGINE *impl) { int i,j,reset=0; unsigned char pad[HMAC_MAX_MD_CBLOCK]; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - { - /* If we have an ENGINE need to allow non FIPS */ - if ((impl || ctx->i_ctx.engine) - && !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) - { - EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); - return 0; - } - /* Other algorithm blocking will be done in FIPS_cmac_init, - * via FIPS_hmac_init_ex(). - */ - if (!impl && !ctx->i_ctx.engine) - return FIPS_hmac_init_ex(ctx, key, len, md, NULL); - } -#endif - if (md != NULL) { reset=1; @@ -155,10 +133,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md) int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->i_ctx.engine) - return FIPS_hmac_update(ctx, data, len); -#endif return EVP_DigestUpdate(&ctx->md_ctx,data,len); } @@ -166,10 +140,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) { unsigned int i; unsigned char buf[EVP_MAX_MD_SIZE]; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->i_ctx.engine) - return FIPS_hmac_final(ctx, md, len); -#endif if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i)) goto err; @@ -209,13 +179,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) void HMAC_CTX_cleanup(HMAC_CTX *ctx) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->i_ctx.engine) - { - FIPS_hmac_ctx_cleanup(ctx); - return; - } -#endif EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); diff --git a/lib/libssl/src/crypto/idea/i_skey.c b/lib/libssl/src/crypto/idea/i_skey.c index afb830964df..244562e690f 100644 --- a/lib/libssl/src/crypto/idea/i_skey.c +++ b/lib/libssl/src/crypto/idea/i_skey.c @@ -62,13 +62,6 @@ static IDEA_INT inverse(unsigned int xin); void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(IDEA); - private_idea_set_encrypt_key(key, ks); - } -void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks) -#endif { int i; register IDEA_INT *kt,*kf,r0,r1,r2; diff --git a/lib/libssl/src/crypto/idea/idea.h b/lib/libssl/src/crypto/idea/idea.h index e9a1e7f1a5e..5782e54b0fd 100644 --- a/lib/libssl/src/crypto/idea/idea.h +++ b/lib/libssl/src/crypto/idea/idea.h @@ -83,9 +83,6 @@ typedef struct idea_key_st const char *idea_options(void); void idea_ecb_encrypt(const unsigned char *in, unsigned char *out, IDEA_KEY_SCHEDULE *ks); -#ifdef OPENSSL_FIPS -void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); -#endif void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, diff --git a/lib/libssl/src/crypto/md2/md2.h b/lib/libssl/src/crypto/md2/md2.h index d59c9f25931..a46120e7d41 100644 --- a/lib/libssl/src/crypto/md2/md2.h +++ b/lib/libssl/src/crypto/md2/md2.h @@ -81,9 +81,6 @@ typedef struct MD2state_st } MD2_CTX; const char *MD2_options(void); -#ifdef OPENSSL_FIPS -int private_MD2_Init(MD2_CTX *c); -#endif int MD2_Init(MD2_CTX *c); int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); int MD2_Final(unsigned char *md, MD2_CTX *c); diff --git a/lib/libssl/src/crypto/md4/md4.h b/lib/libssl/src/crypto/md4/md4.h index a55368a7909..c3ed9b3f75f 100644 --- a/lib/libssl/src/crypto/md4/md4.h +++ b/lib/libssl/src/crypto/md4/md4.h @@ -105,9 +105,6 @@ typedef struct MD4state_st unsigned int num; } MD4_CTX; -#ifdef OPENSSL_FIPS -int private_MD4_Init(MD4_CTX *c); -#endif int MD4_Init(MD4_CTX *c); int MD4_Update(MD4_CTX *c, const void *data, size_t len); int MD4_Final(unsigned char *md, MD4_CTX *c); diff --git a/lib/libssl/src/crypto/md5/md5.h b/lib/libssl/src/crypto/md5/md5.h index 541cc925feb..4cbf84386b3 100644 --- a/lib/libssl/src/crypto/md5/md5.h +++ b/lib/libssl/src/crypto/md5/md5.h @@ -105,9 +105,6 @@ typedef struct MD5state_st unsigned int num; } MD5_CTX; -#ifdef OPENSSL_FIPS -int private_MD5_Init(MD5_CTX *c); -#endif int MD5_Init(MD5_CTX *c); int MD5_Update(MD5_CTX *c, const void *data, size_t len); int MD5_Final(unsigned char *md, MD5_CTX *c); diff --git a/lib/libssl/src/crypto/mdc2/mdc2.h b/lib/libssl/src/crypto/mdc2/mdc2.h index f3e8e579d23..72778a52123 100644 --- a/lib/libssl/src/crypto/mdc2/mdc2.h +++ b/lib/libssl/src/crypto/mdc2/mdc2.h @@ -81,9 +81,6 @@ typedef struct mdc2_ctx_st } MDC2_CTX; -#ifdef OPENSSL_FIPS -int private_MDC2_Init(MDC2_CTX *c); -#endif int MDC2_Init(MDC2_CTX *c); int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); int MDC2_Final(unsigned char *md, MDC2_CTX *c); diff --git a/lib/libssl/src/crypto/o_fips.c b/lib/libssl/src/crypto/o_fips.c index 9c185cfb184..43312ae23f0 100644 --- a/lib/libssl/src/crypto/o_fips.c +++ b/lib/libssl/src/crypto/o_fips.c @@ -56,42 +56,20 @@ */ #include "cryptlib.h" -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#include <openssl/fips_rand.h> -#include <openssl/rand.h> -#endif int FIPS_mode(void) { OPENSSL_init(); -#ifdef OPENSSL_FIPS - return FIPS_module_mode(); -#else return 0; -#endif } int FIPS_mode_set(int r) { OPENSSL_init(); -#ifdef OPENSSL_FIPS -#ifndef FIPS_AUTH_USER_PASS -#define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" -#endif - if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) - return 0; - if (r) - RAND_set_rand_method(FIPS_rand_get_method()); - else - RAND_set_rand_method(NULL); - return 1; -#else if (r == 0) return 1; CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); return 0; -#endif } diff --git a/lib/libssl/src/crypto/o_init.c b/lib/libssl/src/crypto/o_init.c index 07c8e0d694f..5e905d93152 100644 --- a/lib/libssl/src/crypto/o_init.c +++ b/lib/libssl/src/crypto/o_init.c @@ -54,10 +54,6 @@ #include <e_os.h> #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#include <openssl/rand.h> -#endif /* Perform any essential OpenSSL initialization operations. * Currently only sets FIPS callbacks @@ -70,12 +66,6 @@ OPENSSL_init(void) if (done) return; done = 1; -#ifdef OPENSSL_FIPS - FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock); - FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); - FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); - RAND_init_fips(); -#endif #if 0 fprintf(stderr, "Called OPENSSL_init\n"); #endif diff --git a/lib/libssl/src/crypto/opensslv.h b/lib/libssl/src/crypto/opensslv.h index ebe71807233..7ba6281f28f 100644 --- a/lib/libssl/src/crypto/opensslv.h +++ b/lib/libssl/src/crypto/opensslv.h @@ -26,11 +26,7 @@ * major minor fix final patch/beta) */ #define OPENSSL_VERSION_NUMBER 0x1000107fL -#ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014" -#else #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014" -#endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/lib/libssl/src/crypto/pem/pem_all.c b/lib/libssl/src/crypto/pem/pem_all.c index eac0460e3eb..6ff6be7fbe5 100644 --- a/lib/libssl/src/crypto/pem/pem_all.c +++ b/lib/libssl/src/crypto/pem/pem_all.c @@ -193,61 +193,8 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, #endif -#ifdef OPENSSL_FIPS - -int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_RSA(k, x); - - ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey, - PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u); -} - -#ifndef OPENSSL_NO_FP_API -int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - - EVP_PKEY_set1_RSA(k, x); - - ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey, - PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u); -} -#endif - -#else - IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) -#endif - IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) @@ -277,59 +224,8 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb, return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ } -#ifdef OPENSSL_FIPS - -int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_DSA(k, x); - - ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey, - PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u); -} - -#ifndef OPENSSL_NO_FP_API -int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_DSA(k, x); - ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey, - PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u); -} -#endif - -#else - IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) -#endif - IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) #ifndef OPENSSL_NO_FP_API @@ -377,61 +273,8 @@ IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKPa -#ifdef OPENSSL_FIPS - -int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_EC_KEY(k, x); - - ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey, - PEM_STRING_ECPRIVATEKEY, - bp,x,enc,kstr,klen,cb,u); -} - -#ifndef OPENSSL_NO_FP_API -int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_EC_KEY(k, x); - ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey, - PEM_STRING_ECPRIVATEKEY, - fp,x,enc,kstr,klen,cb,u); -} -#endif - -#else - IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) -#endif - IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) #ifndef OPENSSL_NO_FP_API diff --git a/lib/libssl/src/crypto/pkcs12/p12_crt.c b/lib/libssl/src/crypto/pkcs12/p12_crt.c index a34915d02d1..0c5e8dc992b 100644 --- a/lib/libssl/src/crypto/pkcs12/p12_crt.c +++ b/lib/libssl/src/crypto/pkcs12/p12_crt.c @@ -91,11 +91,6 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, /* Set defaults */ if (!nid_cert) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else -#endif nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; } if (!nid_key) diff --git a/lib/libssl/src/crypto/rc2/rc2.h b/lib/libssl/src/crypto/rc2/rc2.h index e542ec94ffb..4c737f5b905 100644 --- a/lib/libssl/src/crypto/rc2/rc2.h +++ b/lib/libssl/src/crypto/rc2/rc2.h @@ -79,9 +79,6 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; -#ifdef OPENSSL_FIPS -void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); -#endif void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, int enc); diff --git a/lib/libssl/src/crypto/rc2/rc2_skey.c b/lib/libssl/src/crypto/rc2/rc2_skey.c index 6668ac011f0..26b8dd63f69 100644 --- a/lib/libssl/src/crypto/rc2/rc2_skey.c +++ b/lib/libssl/src/crypto/rc2/rc2_skey.c @@ -96,13 +96,6 @@ static const unsigned char key_table[256]={ * the same as specifying 1024 for the 'bits' parameter. Bsafe uses * a version where the bits parameter is the same as len*8 */ void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(RC2); - private_RC2_set_key(key, len, data, bits); - } -void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) -#endif { int i,j; unsigned char *k; diff --git a/lib/libssl/src/crypto/rc4/rc4_utl.c b/lib/libssl/src/crypto/rc4/rc4_utl.c index ab3f02fe6a9..bd39a765438 100644 --- a/lib/libssl/src/crypto/rc4/rc4_utl.c +++ b/lib/libssl/src/crypto/rc4/rc4_utl.c @@ -55,8 +55,5 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(RC4); -#endif private_RC4_set_key(key, len, data); } diff --git a/lib/libssl/src/crypto/ripemd/ripemd.h b/lib/libssl/src/crypto/ripemd/ripemd.h index 189bd8c90e9..5942eb61808 100644 --- a/lib/libssl/src/crypto/ripemd/ripemd.h +++ b/lib/libssl/src/crypto/ripemd/ripemd.h @@ -91,9 +91,6 @@ typedef struct RIPEMD160state_st unsigned int num; } RIPEMD160_CTX; -#ifdef OPENSSL_FIPS -int private_RIPEMD160_Init(RIPEMD160_CTX *c); -#endif int RIPEMD160_Init(RIPEMD160_CTX *c); int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); diff --git a/lib/libssl/src/crypto/rsa/rsa_crpt.c b/lib/libssl/src/crypto/rsa/rsa_crpt.c index d3e44785dcf..7750366613b 100644 --- a/lib/libssl/src/crypto/rsa/rsa_crpt.c +++ b/lib/libssl/src/crypto/rsa/rsa_crpt.c @@ -75,56 +75,24 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); } int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); } int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); } int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); } diff --git a/lib/libssl/src/crypto/rsa/rsa_gen.c b/lib/libssl/src/crypto/rsa/rsa_gen.c index 42290cce66c..767f7ab682a 100644 --- a/lib/libssl/src/crypto/rsa/rsa_gen.c +++ b/lib/libssl/src/crypto/rsa/rsa_gen.c @@ -67,9 +67,6 @@ #include "cryptlib.h" #include <openssl/bn.h> #include <openssl/rsa.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); @@ -80,20 +77,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) * now just because key-generation is part of RSA_METHOD. */ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); - return 0; - } -#endif if(rsa->meth->rsa_keygen) return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb); -#endif return rsa_builtin_keygen(rsa, bits, e_value, cb); } diff --git a/lib/libssl/src/crypto/rsa/rsa_lib.c b/lib/libssl/src/crypto/rsa/rsa_lib.c index c95ceafc824..9e3f7dafcda 100644 --- a/lib/libssl/src/crypto/rsa/rsa_lib.c +++ b/lib/libssl/src/crypto/rsa/rsa_lib.c @@ -67,10 +67,6 @@ #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; static const RSA_METHOD *default_RSA_meth=NULL; @@ -91,18 +87,11 @@ const RSA_METHOD *RSA_get_default_method(void) { if (default_RSA_meth == NULL) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_rsa_pkcs1_ssleay(); - else - return RSA_PKCS1_SSLeay(); -#else #ifdef RSA_NULL default_RSA_meth=RSA_null_method(); #else default_RSA_meth=RSA_PKCS1_SSLeay(); #endif -#endif } return default_RSA_meth; diff --git a/lib/libssl/src/crypto/rsa/rsa_pmeth.c b/lib/libssl/src/crypto/rsa/rsa_pmeth.c index 157aa5c41d2..d706d35ff6b 100644 --- a/lib/libssl/src/crypto/rsa/rsa_pmeth.c +++ b/lib/libssl/src/crypto/rsa/rsa_pmeth.c @@ -66,9 +66,6 @@ #ifndef OPENSSL_NO_CMS #include <openssl/cms.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif #include "evp_locl.h" #include "rsa_locl.h" @@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) OPENSSL_free(rctx); } } -#ifdef OPENSSL_FIPS -/* FIP checker. Return value indicates status of context parameters: - * 1 : redirect to FIPS. - * 0 : don't redirect to FIPS. - * -1 : illegal operation in FIPS mode. - */ - -static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx) - { - RSA_PKEY_CTX *rctx = ctx->data; - RSA *rsa = ctx->pkey->pkey.rsa; - int rv = -1; - if (!FIPS_mode()) - return 0; - if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) - rv = 0; - if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv) - return -1; - if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS)) - return rv; - if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS)) - return rv; - return 1; - } -#endif - static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { @@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, RSA_PKEY_CTX *rctx = ctx->data; RSA *rsa = ctx->pkey->pkey.rsa; -#ifdef OPENSSL_FIPS - ret = pkey_fips_check_ctx(ctx); - if (ret < 0) - { - RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); - return -1; - } -#endif - if (rctx->md) { if (tbslen != (size_t)EVP_MD_size(rctx->md)) @@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, RSA_R_INVALID_DIGEST_LENGTH); return -1; } -#ifdef OPENSSL_FIPS - if (ret > 0) - { - unsigned int slen; - ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md, - rctx->pad_mode, - rctx->saltlen, - rctx->mgf1md, - sig, &slen); - if (ret > 0) - *siglen = slen; - else - *siglen = 0; - return ret; - } -#endif if (EVP_MD_type(rctx->md) == NID_mdc2) { @@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, RSA_PKEY_CTX *rctx = ctx->data; RSA *rsa = ctx->pkey->pkey.rsa; size_t rslen; -#ifdef OPENSSL_FIPS - int rv; - rv = pkey_fips_check_ctx(ctx); - if (rv < 0) - { - RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); - return -1; - } -#endif if (rctx->md) { -#ifdef OPENSSL_FIPS - if (rv > 0) - { - return FIPS_rsa_verify_digest(rsa, - tbs, tbslen, - rctx->md, - rctx->pad_mode, - rctx->saltlen, - rctx->mgf1md, - sig, siglen); - - } -#endif if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); diff --git a/lib/libssl/src/crypto/rsa/rsa_sign.c b/lib/libssl/src/crypto/rsa/rsa_sign.c index b6f6037ae00..fa3239ab30a 100644 --- a/lib/libssl/src/crypto/rsa/rsa_sign.c +++ b/lib/libssl/src/crypto/rsa/rsa_sign.c @@ -77,14 +77,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, const unsigned char *s = NULL; X509_ALGOR algor; ASN1_OCTET_STRING digest; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD); - return 0; - } -#endif if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { return rsa->meth->rsa_sign(type, m, m_len, @@ -161,15 +153,6 @@ int int_rsa_verify(int dtype, const unsigned char *m, unsigned char *s; X509_SIG *sig=NULL; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD); - return 0; - } -#endif - if (siglen != (unsigned int)RSA_size(rsa)) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); diff --git a/lib/libssl/src/crypto/seed/seed.c b/lib/libssl/src/crypto/seed/seed.c index 3e675a8d755..934664ddb69 100644 --- a/lib/libssl/src/crypto/seed/seed.c +++ b/lib/libssl/src/crypto/seed/seed.c @@ -198,13 +198,6 @@ static const seed_word KC[] = { KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 }; #endif void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(SEED); - private_SEED_set_key(rawkey, ks); - } -void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) -#endif { seed_word x1, x2, x3, x4; seed_word t0, t1; diff --git a/lib/libssl/src/crypto/seed/seed.h b/lib/libssl/src/crypto/seed/seed.h index c50fdd36073..6e2ade3fbb9 100644 --- a/lib/libssl/src/crypto/seed/seed.h +++ b/lib/libssl/src/crypto/seed/seed.h @@ -116,9 +116,6 @@ typedef struct seed_key_st { #endif } SEED_KEY_SCHEDULE; -#ifdef OPENSSL_FIPS -void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); -#endif void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks); diff --git a/lib/libssl/src/crypto/sha/sha.h b/lib/libssl/src/crypto/sha/sha.h index 8a6bf4bbbb1..7cbca26ff90 100644 --- a/lib/libssl/src/crypto/sha/sha.h +++ b/lib/libssl/src/crypto/sha/sha.h @@ -70,10 +70,6 @@ extern "C" { #error SHA is disabled. #endif -#if defined(OPENSSL_FIPS) -#define FIPS_SHA_SIZE_T size_t -#endif - /* * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then ! @@ -106,9 +102,6 @@ typedef struct SHAstate_st } SHA_CTX; #ifndef OPENSSL_NO_SHA0 -#ifdef OPENSSL_FIPS -int private_SHA_Init(SHA_CTX *c); -#endif int SHA_Init(SHA_CTX *c); int SHA_Update(SHA_CTX *c, const void *data, size_t len); int SHA_Final(unsigned char *md, SHA_CTX *c); @@ -116,9 +109,6 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md); void SHA_Transform(SHA_CTX *c, const unsigned char *data); #endif #ifndef OPENSSL_NO_SHA1 -#ifdef OPENSSL_FIPS -int private_SHA1_Init(SHA_CTX *c); -#endif int SHA1_Init(SHA_CTX *c); int SHA1_Update(SHA_CTX *c, const void *data, size_t len); int SHA1_Final(unsigned char *md, SHA_CTX *c); @@ -141,10 +131,6 @@ typedef struct SHA256state_st } SHA256_CTX; #ifndef OPENSSL_NO_SHA256 -#ifdef OPENSSL_FIPS -int private_SHA224_Init(SHA256_CTX *c); -int private_SHA256_Init(SHA256_CTX *c); -#endif int SHA224_Init(SHA256_CTX *c); int SHA224_Update(SHA256_CTX *c, const void *data, size_t len); int SHA224_Final(unsigned char *md, SHA256_CTX *c); @@ -192,10 +178,6 @@ typedef struct SHA512state_st #endif #ifndef OPENSSL_NO_SHA512 -#ifdef OPENSSL_FIPS -int private_SHA384_Init(SHA512_CTX *c); -int private_SHA512_Init(SHA512_CTX *c); -#endif int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); diff --git a/lib/libssl/src/crypto/whrlpool/whrlpool.h b/lib/libssl/src/crypto/whrlpool/whrlpool.h index 9e01f5b0766..03c91da1155 100644 --- a/lib/libssl/src/crypto/whrlpool/whrlpool.h +++ b/lib/libssl/src/crypto/whrlpool/whrlpool.h @@ -24,9 +24,6 @@ typedef struct { } WHIRLPOOL_CTX; #ifndef OPENSSL_NO_WHIRLPOOL -#ifdef OPENSSL_FIPS -int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c); -#endif int WHIRLPOOL_Init (WHIRLPOOL_CTX *c); int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes); void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits); |