diff options
Diffstat (limited to 'lib/libssl/src')
65 files changed, 6 insertions, 976 deletions
diff --git a/lib/libssl/src/crypto/Makefile b/lib/libssl/src/crypto/Makefile index 326915d5202..5c02ba28447 100644 --- a/lib/libssl/src/crypto/Makefile +++ b/lib/libssl/src/crypto/Makefile @@ -35,9 +35,9 @@ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ - uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c + uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \ - uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) + uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o $(CPUID_OBJ) SRC= $(LIBSRC) diff --git a/lib/libssl/src/crypto/aes/aes_misc.c b/lib/libssl/src/crypto/aes/aes_misc.c index d666c06409a..9380abc46c2 100644 --- a/lib/libssl/src/crypto/aes/aes_misc.c +++ b/lib/libssl/src/crypto/aes/aes_misc.c @@ -71,9 +71,6 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(AES); -#endif return private_AES_set_encrypt_key(userKey, bits, key); } @@ -81,8 +78,5 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(AES); -#endif return private_AES_set_decrypt_key(userKey, bits, key); } diff --git a/lib/libssl/src/crypto/bf/bf_skey.c b/lib/libssl/src/crypto/bf/bf_skey.c index 3b0bca41aec..d8e6287a32e 100644 --- a/lib/libssl/src/crypto/bf/bf_skey.c +++ b/lib/libssl/src/crypto/bf/bf_skey.c @@ -64,13 +64,6 @@ #include "bf_pi.h" void BF_set_key(BF_KEY *key, int len, const unsigned char *data) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(BLOWFISH); - private_BF_set_key(key, len, data); - } -void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data) -#endif { int i; BF_LONG *p,ri,in[2]; diff --git a/lib/libssl/src/crypto/bf/blowfish.h b/lib/libssl/src/crypto/bf/blowfish.h index 4b6c8920a4a..65685f478c7 100644 --- a/lib/libssl/src/crypto/bf/blowfish.h +++ b/lib/libssl/src/crypto/bf/blowfish.h @@ -104,9 +104,6 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; -#ifdef OPENSSL_FIPS -void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data); -#endif void BF_set_key(BF_KEY *key, int len, const unsigned char *data); void BF_encrypt(BF_LONG *data,const BF_KEY *key); diff --git a/lib/libssl/src/crypto/bn/bn_lcl.h b/lib/libssl/src/crypto/bn/bn_lcl.h index 817c773b659..9194e86b399 100644 --- a/lib/libssl/src/crypto/bn/bn_lcl.h +++ b/lib/libssl/src/crypto/bn/bn_lcl.h @@ -479,10 +479,6 @@ extern "C" { } #endif /* !BN_LLONG */ -#if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS) -#undef bn_div_words -#endif - void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb); void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); diff --git a/lib/libssl/src/crypto/camellia/camellia.h b/lib/libssl/src/crypto/camellia/camellia.h index 67911e0adf8..cf0457dd976 100644 --- a/lib/libssl/src/crypto/camellia/camellia.h +++ b/lib/libssl/src/crypto/camellia/camellia.h @@ -88,10 +88,6 @@ struct camellia_key_st }; typedef struct camellia_key_st CAMELLIA_KEY; -#ifdef OPENSSL_FIPS -int private_Camellia_set_key(const unsigned char *userKey, const int bits, - CAMELLIA_KEY *key); -#endif int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key); diff --git a/lib/libssl/src/crypto/camellia/cmll_utl.c b/lib/libssl/src/crypto/camellia/cmll_utl.c index 7a35711ec1c..b88a996a3f0 100644 --- a/lib/libssl/src/crypto/camellia/cmll_utl.c +++ b/lib/libssl/src/crypto/camellia/cmll_utl.c @@ -57,8 +57,5 @@ int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(Camellia); -#endif return private_Camellia_set_key(userKey, bits, key); } diff --git a/lib/libssl/src/crypto/cast/c_skey.c b/lib/libssl/src/crypto/cast/c_skey.c index cb6bf9fee37..54ea98cd0bf 100644 --- a/lib/libssl/src/crypto/cast/c_skey.c +++ b/lib/libssl/src/crypto/cast/c_skey.c @@ -73,13 +73,6 @@ #define S6 CAST_S_table6 #define S7 CAST_S_table7 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(CAST); - private_CAST_set_key(key, len, data); - } -void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) -#endif { CAST_LONG x[16]; CAST_LONG z[16]; diff --git a/lib/libssl/src/crypto/cast/cast.h b/lib/libssl/src/crypto/cast/cast.h index 203922ea2b4..8741532e9e4 100644 --- a/lib/libssl/src/crypto/cast/cast.h +++ b/lib/libssl/src/crypto/cast/cast.h @@ -83,9 +83,6 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; -#ifdef OPENSSL_FIPS -void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); -#endif void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key, int enc); diff --git a/lib/libssl/src/crypto/cmac/cmac.c b/lib/libssl/src/crypto/cmac/cmac.c index 8b72b096813..f92a7bb1437 100644 --- a/lib/libssl/src/crypto/cmac/cmac.c +++ b/lib/libssl/src/crypto/cmac/cmac.c @@ -57,10 +57,6 @@ #include "cryptlib.h" #include <openssl/cmac.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - struct CMAC_CTX_st { /* Cipher context to use */ @@ -107,13 +103,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->cctx.engine) - { - FIPS_cmac_ctx_cleanup(ctx); - return; - } -#endif EVP_CIPHER_CTX_cleanup(&ctx->cctx); OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); @@ -153,24 +142,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, const EVP_CIPHER *cipher, ENGINE *impl) { static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH]; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - { - /* If we have an ENGINE need to allow non FIPS */ - if ((impl || ctx->cctx.engine) - && !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) - - { - EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS); - return 0; - } - /* Other algorithm blocking will be done in FIPS_cmac_init, - * via FIPS_cipherinit(). - */ - if (!impl && !ctx->cctx.engine) - return FIPS_cmac_init(ctx, key, keylen, cipher, NULL); - } -#endif /* All zeros means restart */ if (!key && !cipher && !impl && keylen == 0) { @@ -216,10 +187,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) { const unsigned char *data = in; size_t bl; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->cctx.engine) - return FIPS_cmac_update(ctx, in, dlen); -#endif + if (ctx->nlast_block == -1) return 0; if (dlen == 0) @@ -261,10 +229,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) { int i, bl, lb; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->cctx.engine) - return FIPS_cmac_final(ctx, out, poutlen); -#endif + if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); diff --git a/lib/libssl/src/crypto/crypto.h b/lib/libssl/src/crypto/crypto.h index 351ccfd35b4..56c5dfadb8c 100644 --- a/lib/libssl/src/crypto/crypto.h +++ b/lib/libssl/src/crypto/crypto.h @@ -538,25 +538,9 @@ void OPENSSL_init(void); #define fips_md_init(alg) fips_md_init_ctx(alg, alg) -#ifdef OPENSSL_FIPS -#define fips_md_init_ctx(alg, cx) \ - int alg##_Init(cx##_CTX *c) \ - { \ - if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \ - "Low level API call to digest " #alg " forbidden in FIPS mode!"); \ - return private_##alg##_Init(c); \ - } \ - int private_##alg##_Init(cx##_CTX *c) - -#define fips_cipher_abort(alg) \ - if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \ - "Low level API call to cipher " #alg " forbidden in FIPS mode!") - -#else #define fips_md_init_ctx(alg, cx) \ int alg##_Init(cx##_CTX *c) #define fips_cipher_abort(alg) while(0) -#endif /* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It * takes an amount of time dependent on |len|, but independent of the contents diff --git a/lib/libssl/src/crypto/des/des.h b/lib/libssl/src/crypto/des/des.h index 1eaedcbd24b..92b66635998 100644 --- a/lib/libssl/src/crypto/des/des.h +++ b/lib/libssl/src/crypto/des/des.h @@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule); int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule); void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule); -#ifdef OPENSSL_FIPS -void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule); -#endif void DES_string_to_key(const char *str,DES_cblock *key); void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length, diff --git a/lib/libssl/src/crypto/des/set_key.c b/lib/libssl/src/crypto/des/set_key.c index 99e3555ba92..e8dea50b962 100644 --- a/lib/libssl/src/crypto/des/set_key.c +++ b/lib/libssl/src/crypto/des/set_key.c @@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule) } void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(DES); - private_DES_set_key_unchecked(key, schedule); - } -void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) -#endif { static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; register DES_LONG c,d,t,s,t2; diff --git a/lib/libssl/src/crypto/dh/dh_gen.c b/lib/libssl/src/crypto/dh/dh_gen.c index 7b1fe9c9cbb..cfd5b118681 100644 --- a/lib/libssl/src/crypto/dh/dh_gen.c +++ b/lib/libssl/src/crypto/dh/dh_gen.c @@ -66,29 +66,12 @@ #include <openssl/bn.h> #include <openssl/dh.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) - && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) - { - DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); - return 0; - } -#endif if(ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dh_generate_parameters_ex(ret, prime_len, - generator, cb); -#endif return dh_builtin_genparams(ret, prime_len, generator, cb); } diff --git a/lib/libssl/src/crypto/dh/dh_key.c b/lib/libssl/src/crypto/dh/dh_key.c index 89a74db4e69..9596270f7d4 100644 --- a/lib/libssl/src/crypto/dh/dh_key.c +++ b/lib/libssl/src/crypto/dh/dh_key.c @@ -73,27 +73,11 @@ static int dh_finish(DH *dh); int DH_generate_key(DH *dh) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) - && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) - { - DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); - return 0; - } -#endif return dh->meth->generate_key(dh); } int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) - && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) - { - DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); - return 0; - } -#endif return dh->meth->compute_key(key, pub_key, dh); } diff --git a/lib/libssl/src/crypto/dh/dh_lib.c b/lib/libssl/src/crypto/dh/dh_lib.c index 00218f2b92b..a40caaf75b1 100644 --- a/lib/libssl/src/crypto/dh/dh_lib.c +++ b/lib/libssl/src/crypto/dh/dh_lib.c @@ -64,10 +64,6 @@ #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; static const DH_METHOD *default_DH_method = NULL; @@ -81,14 +77,7 @@ const DH_METHOD *DH_get_default_method(void) { if(!default_DH_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dh_openssl(); - else - return DH_OpenSSL(); -#else default_DH_method = DH_OpenSSL(); -#endif } return default_DH_method; } diff --git a/lib/libssl/src/crypto/dsa/dsa_gen.c b/lib/libssl/src/crypto/dsa/dsa_gen.c index c398761d0dd..e6a54520161 100644 --- a/lib/libssl/src/crypto/dsa/dsa_gen.c +++ b/lib/libssl/src/crypto/dsa/dsa_gen.c @@ -81,33 +81,13 @@ #include <openssl/sha.h> #include "dsa_locl.h" -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - int DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); - return 0; - } -#endif if(ret->meth->dsa_paramgen) return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, counter_ret, h_ret, cb); -#ifdef OPENSSL_FIPS - else if (FIPS_mode()) - { - return FIPS_dsa_generate_parameters_ex(ret, bits, - seed_in, seed_len, - counter_ret, h_ret, cb); - } -#endif else { const EVP_MD *evpmd; diff --git a/lib/libssl/src/crypto/dsa/dsa_key.c b/lib/libssl/src/crypto/dsa/dsa_key.c index 9cf669b921a..c4aa86bc6dc 100644 --- a/lib/libssl/src/crypto/dsa/dsa_key.c +++ b/lib/libssl/src/crypto/dsa/dsa_key.c @@ -64,28 +64,12 @@ #include <openssl/dsa.h> #include <openssl/rand.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - static int dsa_builtin_keygen(DSA *dsa); int DSA_generate_key(DSA *dsa) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); - return 0; - } -#endif if(dsa->meth->dsa_keygen) return dsa->meth->dsa_keygen(dsa); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dsa_generate_key(dsa); -#endif return dsa_builtin_keygen(dsa); } diff --git a/lib/libssl/src/crypto/dsa/dsa_lib.c b/lib/libssl/src/crypto/dsa/dsa_lib.c index 96d8d0c4b45..897c0859682 100644 --- a/lib/libssl/src/crypto/dsa/dsa_lib.c +++ b/lib/libssl/src/crypto/dsa/dsa_lib.c @@ -70,10 +70,6 @@ #include <openssl/dh.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT; static const DSA_METHOD *default_DSA_method = NULL; @@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void) { if(!default_DSA_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_dsa_openssl(); - else - return DSA_OpenSSL(); -#else default_DSA_method = DSA_OpenSSL(); -#endif } return default_DSA_method; } diff --git a/lib/libssl/src/crypto/dsa/dsa_sign.c b/lib/libssl/src/crypto/dsa/dsa_sign.c index c3cc3642cea..e02365a8b13 100644 --- a/lib/libssl/src/crypto/dsa/dsa_sign.c +++ b/lib/libssl/src/crypto/dsa/dsa_sign.c @@ -65,27 +65,11 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD); - return NULL; - } -#endif return dsa->meth->dsa_do_sign(dgst, dlen, dsa); } int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD); - return 0; - } -#endif return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); } diff --git a/lib/libssl/src/crypto/dsa/dsa_vrf.c b/lib/libssl/src/crypto/dsa/dsa_vrf.c index 674cb5fa5f5..286ed28cfa5 100644 --- a/lib/libssl/src/crypto/dsa/dsa_vrf.c +++ b/lib/libssl/src/crypto/dsa/dsa_vrf.c @@ -64,13 +64,5 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) - { - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD); - return -1; - } -#endif return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); } diff --git a/lib/libssl/src/crypto/ec/ec2_smpl.c b/lib/libssl/src/crypto/ec/ec2_smpl.c index e0e59c7d829..0cf681fa9df 100644 --- a/lib/libssl/src/crypto/ec/ec2_smpl.c +++ b/lib/libssl/src/crypto/ec/ec2_smpl.c @@ -73,16 +73,8 @@ #ifndef OPENSSL_NO_EC2M -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - - const EC_METHOD *EC_GF2m_simple_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gf2m_simple_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_characteristic_two_field, @@ -126,7 +118,6 @@ const EC_METHOD *EC_GF2m_simple_method(void) 0 /* field_set_to_one */ }; return &ret; -#endif } diff --git a/lib/libssl/src/crypto/ec/ec_key.c b/lib/libssl/src/crypto/ec/ec_key.c index 7fa247593d9..d5286010362 100644 --- a/lib/libssl/src/crypto/ec/ec_key.c +++ b/lib/libssl/src/crypto/ec/ec_key.c @@ -64,9 +64,6 @@ #include <string.h> #include "ec_lcl.h" #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif EC_KEY *EC_KEY_new(void) { @@ -241,11 +238,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_ec_key_generate_key(eckey); -#endif - if (!eckey || !eckey->group) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); diff --git a/lib/libssl/src/crypto/ec/ecp_mont.c b/lib/libssl/src/crypto/ec/ecp_mont.c index f04f132c7ad..cee0fee12a6 100644 --- a/lib/libssl/src/crypto/ec/ecp_mont.c +++ b/lib/libssl/src/crypto/ec/ecp_mont.c @@ -63,18 +63,11 @@ #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - #include "ec_lcl.h" const EC_METHOD *EC_GFp_mont_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gfp_mont_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, @@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void) ec_GFp_mont_field_set_to_one }; return &ret; -#endif } diff --git a/lib/libssl/src/crypto/ec/ecp_nist.c b/lib/libssl/src/crypto/ec/ecp_nist.c index aad2d5f4438..ac5b8142388 100644 --- a/lib/libssl/src/crypto/ec/ecp_nist.c +++ b/lib/libssl/src/crypto/ec/ecp_nist.c @@ -67,15 +67,8 @@ #include <openssl/obj_mac.h> #include "ec_lcl.h" -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const EC_METHOD *EC_GFp_nist_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gfp_nist_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, @@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void) 0 /* field_set_to_one */ }; return &ret; -#endif } int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) diff --git a/lib/libssl/src/crypto/ec/ecp_smpl.c b/lib/libssl/src/crypto/ec/ecp_smpl.c index cd05fd12514..bf0ad998dd0 100644 --- a/lib/libssl/src/crypto/ec/ecp_smpl.c +++ b/lib/libssl/src/crypto/ec/ecp_smpl.c @@ -64,17 +64,10 @@ #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - #include "ec_lcl.h" const EC_METHOD *EC_GFp_simple_method(void) { -#ifdef OPENSSL_FIPS - return fips_ec_gfp_simple_method(); -#else static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, @@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_simple_method(void) 0 /* field_set_to_one */ }; return &ret; -#endif } diff --git a/lib/libssl/src/crypto/ecdh/ech_lib.c b/lib/libssl/src/crypto/ecdh/ech_lib.c index 0644431b756..ddf226b1666 100644 --- a/lib/libssl/src/crypto/ecdh/ech_lib.c +++ b/lib/libssl/src/crypto/ecdh/ech_lib.c @@ -73,9 +73,6 @@ #include <openssl/engine.h> #endif #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT; @@ -94,14 +91,7 @@ const ECDH_METHOD *ECDH_get_default_method(void) { if(!default_ECDH_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_ecdh_openssl(); - else - return ECDH_OpenSSL(); -#else default_ECDH_method = ECDH_OpenSSL(); -#endif } return default_ECDH_method; } @@ -234,15 +224,6 @@ ECDH_DATA *ecdh_check(EC_KEY *key) } else ecdh_data = (ECDH_DATA *)data; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD) - && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) - { - ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD); - return NULL; - } -#endif - return ecdh_data; } diff --git a/lib/libssl/src/crypto/ecdsa/ecs_lib.c b/lib/libssl/src/crypto/ecdsa/ecs_lib.c index 814a6bf4046..7b53969ffd8 100644 --- a/lib/libssl/src/crypto/ecdsa/ecs_lib.c +++ b/lib/libssl/src/crypto/ecdsa/ecs_lib.c @@ -60,9 +60,6 @@ #endif #include <openssl/err.h> #include <openssl/bn.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT; @@ -81,14 +78,7 @@ const ECDSA_METHOD *ECDSA_get_default_method(void) { if(!default_ECDSA_method) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_ecdsa_openssl(); - else - return ECDSA_OpenSSL(); -#else default_ECDSA_method = ECDSA_OpenSSL(); -#endif } return default_ECDSA_method; } @@ -212,14 +202,6 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key) } else ecdsa_data = (ECDSA_DATA *)data; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD) - && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) - { - ECDSAerr(ECDSA_F_ECDSA_CHECK, ECDSA_R_NON_FIPS_METHOD); - return NULL; - } -#endif return ecdsa_data; } diff --git a/lib/libssl/src/crypto/err/err_all.c b/lib/libssl/src/crypto/err/err_all.c index 8eb547d98d5..1c4eccd2516 100644 --- a/lib/libssl/src/crypto/err/err_all.c +++ b/lib/libssl/src/crypto/err/err_all.c @@ -97,9 +97,6 @@ #include <openssl/ui.h> #include <openssl/ocsp.h> #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif #include <openssl/ts.h> #ifndef OPENSSL_NO_CMS #include <openssl/cms.h> @@ -155,9 +152,6 @@ void ERR_load_crypto_strings(void) #endif ERR_load_OCSP_strings(); ERR_load_UI_strings(); -#ifdef OPENSSL_FIPS - ERR_load_FIPS_strings(); -#endif #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif diff --git a/lib/libssl/src/crypto/evp/Makefile b/lib/libssl/src/crypto/evp/Makefile index 3982f49f81a..f94a28d383b 100644 --- a/lib/libssl/src/crypto/evp/Makefile +++ b/lib/libssl/src/crypto/evp/Makefile @@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \ - e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \ + e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ @@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \ - e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \ + e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \ e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o SRC= $(LIBSRC) diff --git a/lib/libssl/src/crypto/evp/digest.c b/lib/libssl/src/crypto/evp/digest.c index d14e8e48d5a..782d3199a5a 100644 --- a/lib/libssl/src/crypto/evp/digest.c +++ b/lib/libssl/src/crypto/evp/digest.c @@ -117,10 +117,6 @@ #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { memset(ctx,'\0',sizeof *ctx); @@ -229,26 +225,12 @@ skip_to_init: } if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) return 1; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - { - if (FIPS_digestinit(ctx, type)) - return 1; - OPENSSL_free(ctx->md_data); - ctx->md_data = NULL; - return 0; - } -#endif return ctx->digest->init(ctx); } int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { -#ifdef OPENSSL_FIPS - return FIPS_digestupdate(ctx, data, count); -#else return ctx->update(ctx,data,count); -#endif } /* The caller can assume that this removes any secret data from the context */ @@ -263,9 +245,6 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { -#ifdef OPENSSL_FIPS - return FIPS_digestfinal(ctx, md, size); -#else int ret; OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); @@ -279,7 +258,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) } memset(ctx->md_data,0,ctx->digest->ctx_size); return ret; -#endif } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) @@ -376,7 +354,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { -#ifndef OPENSSL_FIPS /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ @@ -389,7 +366,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } -#endif if (ctx->pctx) EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE @@ -398,9 +374,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); #endif -#ifdef OPENSSL_FIPS - FIPS_md_ctx_cleanup(ctx); -#endif memset(ctx,'\0',sizeof *ctx); return 1; diff --git a/lib/libssl/src/crypto/evp/e_null.c b/lib/libssl/src/crypto/evp/e_null.c index f0c1f78b5fe..98a78499f96 100644 --- a/lib/libssl/src/crypto/evp/e_null.c +++ b/lib/libssl/src/crypto/evp/e_null.c @@ -61,8 +61,6 @@ #include <openssl/evp.h> #include <openssl/objects.h> -#ifndef OPENSSL_FIPS - static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv,int enc); static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, @@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, memcpy((char *)out,(const char *)in,inl); return 1; } -#endif diff --git a/lib/libssl/src/crypto/evp/evp_enc.c b/lib/libssl/src/crypto/evp/evp_enc.c index 0c54f05e6ef..50403a75780 100644 --- a/lib/libssl/src/crypto/evp/evp_enc.c +++ b/lib/libssl/src/crypto/evp/evp_enc.c @@ -64,17 +64,9 @@ #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif #include "evp_locl.h" -#ifdef OPENSSL_FIPS -#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl) -#else #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl) -#endif - const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -169,10 +161,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp ctx->engine = NULL; #endif -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_cipherinit(ctx, cipher, key, iv, enc); -#endif ctx->cipher=cipher; if (ctx->cipher->ctx_size) { @@ -206,10 +194,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp #ifndef OPENSSL_NO_ENGINE skip_to_init: #endif -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_cipherinit(ctx, cipher, key, iv, enc); -#endif /* we assume block size is a power of 2 in *cryptUpdate */ OPENSSL_assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 @@ -568,7 +552,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { -#ifndef OPENSSL_FIPS if (c->cipher != NULL) { if(c->cipher->cleanup && !c->cipher->cleanup(c)) @@ -579,16 +562,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) } if (c->cipher_data) OPENSSL_free(c->cipher_data); -#endif #ifndef OPENSSL_NO_ENGINE if (c->engine) /* The EVP_CIPHER we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(c->engine); #endif -#ifdef OPENSSL_FIPS - FIPS_cipher_ctx_cleanup(c); -#endif memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } diff --git a/lib/libssl/src/crypto/evp/evp_fips.c b/lib/libssl/src/crypto/evp/evp_fips.c deleted file mode 100644 index cb7f4fc0faf..00000000000 --- a/lib/libssl/src/crypto/evp/evp_fips.c +++ /dev/null @@ -1,113 +0,0 @@ -/* crypto/evp/evp_fips.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 2011 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - */ - - -#include <openssl/evp.h> - -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> - -const EVP_CIPHER *EVP_aes_128_cbc(void) { return FIPS_evp_aes_128_cbc(); } -const EVP_CIPHER *EVP_aes_128_ccm(void) { return FIPS_evp_aes_128_ccm(); } -const EVP_CIPHER *EVP_aes_128_cfb1(void) { return FIPS_evp_aes_128_cfb1(); } -const EVP_CIPHER *EVP_aes_128_cfb128(void) { return FIPS_evp_aes_128_cfb128(); } -const EVP_CIPHER *EVP_aes_128_cfb8(void) { return FIPS_evp_aes_128_cfb8(); } -const EVP_CIPHER *EVP_aes_128_ctr(void) { return FIPS_evp_aes_128_ctr(); } -const EVP_CIPHER *EVP_aes_128_ecb(void) { return FIPS_evp_aes_128_ecb(); } -const EVP_CIPHER *EVP_aes_128_gcm(void) { return FIPS_evp_aes_128_gcm(); } -const EVP_CIPHER *EVP_aes_128_ofb(void) { return FIPS_evp_aes_128_ofb(); } -const EVP_CIPHER *EVP_aes_128_xts(void) { return FIPS_evp_aes_128_xts(); } -const EVP_CIPHER *EVP_aes_192_cbc(void) { return FIPS_evp_aes_192_cbc(); } -const EVP_CIPHER *EVP_aes_192_ccm(void) { return FIPS_evp_aes_192_ccm(); } -const EVP_CIPHER *EVP_aes_192_cfb1(void) { return FIPS_evp_aes_192_cfb1(); } -const EVP_CIPHER *EVP_aes_192_cfb128(void) { return FIPS_evp_aes_192_cfb128(); } -const EVP_CIPHER *EVP_aes_192_cfb8(void) { return FIPS_evp_aes_192_cfb8(); } -const EVP_CIPHER *EVP_aes_192_ctr(void) { return FIPS_evp_aes_192_ctr(); } -const EVP_CIPHER *EVP_aes_192_ecb(void) { return FIPS_evp_aes_192_ecb(); } -const EVP_CIPHER *EVP_aes_192_gcm(void) { return FIPS_evp_aes_192_gcm(); } -const EVP_CIPHER *EVP_aes_192_ofb(void) { return FIPS_evp_aes_192_ofb(); } -const EVP_CIPHER *EVP_aes_256_cbc(void) { return FIPS_evp_aes_256_cbc(); } -const EVP_CIPHER *EVP_aes_256_ccm(void) { return FIPS_evp_aes_256_ccm(); } -const EVP_CIPHER *EVP_aes_256_cfb1(void) { return FIPS_evp_aes_256_cfb1(); } -const EVP_CIPHER *EVP_aes_256_cfb128(void) { return FIPS_evp_aes_256_cfb128(); } -const EVP_CIPHER *EVP_aes_256_cfb8(void) { return FIPS_evp_aes_256_cfb8(); } -const EVP_CIPHER *EVP_aes_256_ctr(void) { return FIPS_evp_aes_256_ctr(); } -const EVP_CIPHER *EVP_aes_256_ecb(void) { return FIPS_evp_aes_256_ecb(); } -const EVP_CIPHER *EVP_aes_256_gcm(void) { return FIPS_evp_aes_256_gcm(); } -const EVP_CIPHER *EVP_aes_256_ofb(void) { return FIPS_evp_aes_256_ofb(); } -const EVP_CIPHER *EVP_aes_256_xts(void) { return FIPS_evp_aes_256_xts(); } -const EVP_CIPHER *EVP_des_ede(void) { return FIPS_evp_des_ede(); } -const EVP_CIPHER *EVP_des_ede3(void) { return FIPS_evp_des_ede3(); } -const EVP_CIPHER *EVP_des_ede3_cbc(void) { return FIPS_evp_des_ede3_cbc(); } -const EVP_CIPHER *EVP_des_ede3_cfb1(void) { return FIPS_evp_des_ede3_cfb1(); } -const EVP_CIPHER *EVP_des_ede3_cfb64(void) { return FIPS_evp_des_ede3_cfb64(); } -const EVP_CIPHER *EVP_des_ede3_cfb8(void) { return FIPS_evp_des_ede3_cfb8(); } -const EVP_CIPHER *EVP_des_ede3_ecb(void) { return FIPS_evp_des_ede3_ecb(); } -const EVP_CIPHER *EVP_des_ede3_ofb(void) { return FIPS_evp_des_ede3_ofb(); } -const EVP_CIPHER *EVP_des_ede_cbc(void) { return FIPS_evp_des_ede_cbc(); } -const EVP_CIPHER *EVP_des_ede_cfb64(void) { return FIPS_evp_des_ede_cfb64(); } -const EVP_CIPHER *EVP_des_ede_ecb(void) { return FIPS_evp_des_ede_ecb(); } -const EVP_CIPHER *EVP_des_ede_ofb(void) { return FIPS_evp_des_ede_ofb(); } -const EVP_CIPHER *EVP_enc_null(void) { return FIPS_evp_enc_null(); } - -const EVP_MD *EVP_sha1(void) { return FIPS_evp_sha1(); } -const EVP_MD *EVP_sha224(void) { return FIPS_evp_sha224(); } -const EVP_MD *EVP_sha256(void) { return FIPS_evp_sha256(); } -const EVP_MD *EVP_sha384(void) { return FIPS_evp_sha384(); } -const EVP_MD *EVP_sha512(void) { return FIPS_evp_sha512(); } - -const EVP_MD *EVP_dss(void) { return FIPS_evp_dss(); } -const EVP_MD *EVP_dss1(void) { return FIPS_evp_dss1(); } -const EVP_MD *EVP_ecdsa(void) { return FIPS_evp_ecdsa(); } - -#endif diff --git a/lib/libssl/src/crypto/evp/evp_locl.h b/lib/libssl/src/crypto/evp/evp_locl.h index 08c0a66d39c..9e71f39a47e 100644 --- a/lib/libssl/src/crypto/evp/evp_locl.h +++ b/lib/libssl/src/crypto/evp/evp_locl.h @@ -347,39 +347,3 @@ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de); - -#ifdef OPENSSL_FIPS - -#ifdef OPENSSL_DOING_MAKEDEPEND -#undef SHA1_Init -#undef SHA1_Update -#undef SHA224_Init -#undef SHA256_Init -#undef SHA384_Init -#undef SHA512_Init -#undef DES_set_key_unchecked -#endif - -#define RIPEMD160_Init private_RIPEMD160_Init -#define WHIRLPOOL_Init private_WHIRLPOOL_Init -#define MD5_Init private_MD5_Init -#define MD4_Init private_MD4_Init -#define MD2_Init private_MD2_Init -#define MDC2_Init private_MDC2_Init -#define SHA_Init private_SHA_Init -#define SHA1_Init private_SHA1_Init -#define SHA224_Init private_SHA224_Init -#define SHA256_Init private_SHA256_Init -#define SHA384_Init private_SHA384_Init -#define SHA512_Init private_SHA512_Init - -#define BF_set_key private_BF_set_key -#define CAST_set_key private_CAST_set_key -#define idea_set_encrypt_key private_idea_set_encrypt_key -#define SEED_set_key private_SEED_set_key -#define RC2_set_key private_RC2_set_key -#define RC4_set_key private_RC4_set_key -#define DES_set_key_unchecked private_DES_set_key_unchecked -#define Camellia_set_key private_Camellia_set_key - -#endif diff --git a/lib/libssl/src/crypto/evp/m_dss.c b/lib/libssl/src/crypto/evp/m_dss.c index 6fb7e9a8610..89ea5b7a6d6 100644 --- a/lib/libssl/src/crypto/evp/m_dss.c +++ b/lib/libssl/src/crypto/evp/m_dss.c @@ -66,7 +66,6 @@ #endif #ifndef OPENSSL_NO_SHA -#ifndef OPENSSL_FIPS static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } @@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void) return(&dsa_md); } #endif -#endif diff --git a/lib/libssl/src/crypto/evp/m_dss1.c b/lib/libssl/src/crypto/evp/m_dss1.c index 2df362a6701..a010103b7a1 100644 --- a/lib/libssl/src/crypto/evp/m_dss1.c +++ b/lib/libssl/src/crypto/evp/m_dss1.c @@ -68,8 +68,6 @@ #include <openssl/dsa.h> #endif -#ifndef OPENSSL_FIPS - static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } @@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void) return(&dss1_md); } #endif -#endif diff --git a/lib/libssl/src/crypto/evp/m_ecdsa.c b/lib/libssl/src/crypto/evp/m_ecdsa.c index 4b15fb0f6ce..a6ed24b0b68 100644 --- a/lib/libssl/src/crypto/evp/m_ecdsa.c +++ b/lib/libssl/src/crypto/evp/m_ecdsa.c @@ -116,7 +116,6 @@ #include <openssl/x509.h> #ifndef OPENSSL_NO_SHA -#ifndef OPENSSL_FIPS static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } @@ -148,4 +147,3 @@ const EVP_MD *EVP_ecdsa(void) return(&ecdsa_md); } #endif -#endif diff --git a/lib/libssl/src/crypto/evp/m_sha1.c b/lib/libssl/src/crypto/evp/m_sha1.c index bd0c01ad3c4..f39ae779259 100644 --- a/lib/libssl/src/crypto/evp/m_sha1.c +++ b/lib/libssl/src/crypto/evp/m_sha1.c @@ -59,8 +59,6 @@ #include <stdio.h> #include "cryptlib.h" -#ifndef OPENSSL_FIPS - #ifndef OPENSSL_NO_SHA #include <openssl/evp.h> @@ -205,5 +203,3 @@ static const EVP_MD sha512_md= const EVP_MD *EVP_sha512(void) { return(&sha512_md); } #endif /* ifndef OPENSSL_NO_SHA512 */ - -#endif diff --git a/lib/libssl/src/crypto/fips_ers.c b/lib/libssl/src/crypto/fips_ers.c deleted file mode 100644 index 1788ed28848..00000000000 --- a/lib/libssl/src/crypto/fips_ers.c +++ /dev/null @@ -1,7 +0,0 @@ -#include <openssl/opensslconf.h> - -#ifdef OPENSSL_FIPS -# include "fips_err.h" -#else -static void *dummy = &dummy; -#endif diff --git a/lib/libssl/src/crypto/hmac/hmac.c b/lib/libssl/src/crypto/hmac/hmac.c index ba27cbf56f2..6c98fc43a31 100644 --- a/lib/libssl/src/crypto/hmac/hmac.c +++ b/lib/libssl/src/crypto/hmac/hmac.c @@ -61,34 +61,12 @@ #include "cryptlib.h" #include <openssl/hmac.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md, ENGINE *impl) { int i,j,reset=0; unsigned char pad[HMAC_MAX_MD_CBLOCK]; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - { - /* If we have an ENGINE need to allow non FIPS */ - if ((impl || ctx->i_ctx.engine) - && !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) - { - EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); - return 0; - } - /* Other algorithm blocking will be done in FIPS_cmac_init, - * via FIPS_hmac_init_ex(). - */ - if (!impl && !ctx->i_ctx.engine) - return FIPS_hmac_init_ex(ctx, key, len, md, NULL); - } -#endif - if (md != NULL) { reset=1; @@ -155,10 +133,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md) int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->i_ctx.engine) - return FIPS_hmac_update(ctx, data, len); -#endif return EVP_DigestUpdate(&ctx->md_ctx,data,len); } @@ -166,10 +140,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) { unsigned int i; unsigned char buf[EVP_MAX_MD_SIZE]; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->i_ctx.engine) - return FIPS_hmac_final(ctx, md, len); -#endif if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i)) goto err; @@ -209,13 +179,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) void HMAC_CTX_cleanup(HMAC_CTX *ctx) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !ctx->i_ctx.engine) - { - FIPS_hmac_ctx_cleanup(ctx); - return; - } -#endif EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); diff --git a/lib/libssl/src/crypto/idea/i_skey.c b/lib/libssl/src/crypto/idea/i_skey.c index afb830964df..244562e690f 100644 --- a/lib/libssl/src/crypto/idea/i_skey.c +++ b/lib/libssl/src/crypto/idea/i_skey.c @@ -62,13 +62,6 @@ static IDEA_INT inverse(unsigned int xin); void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(IDEA); - private_idea_set_encrypt_key(key, ks); - } -void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks) -#endif { int i; register IDEA_INT *kt,*kf,r0,r1,r2; diff --git a/lib/libssl/src/crypto/idea/idea.h b/lib/libssl/src/crypto/idea/idea.h index e9a1e7f1a5e..5782e54b0fd 100644 --- a/lib/libssl/src/crypto/idea/idea.h +++ b/lib/libssl/src/crypto/idea/idea.h @@ -83,9 +83,6 @@ typedef struct idea_key_st const char *idea_options(void); void idea_ecb_encrypt(const unsigned char *in, unsigned char *out, IDEA_KEY_SCHEDULE *ks); -#ifdef OPENSSL_FIPS -void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); -#endif void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, diff --git a/lib/libssl/src/crypto/md2/md2.h b/lib/libssl/src/crypto/md2/md2.h index d59c9f25931..a46120e7d41 100644 --- a/lib/libssl/src/crypto/md2/md2.h +++ b/lib/libssl/src/crypto/md2/md2.h @@ -81,9 +81,6 @@ typedef struct MD2state_st } MD2_CTX; const char *MD2_options(void); -#ifdef OPENSSL_FIPS -int private_MD2_Init(MD2_CTX *c); -#endif int MD2_Init(MD2_CTX *c); int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); int MD2_Final(unsigned char *md, MD2_CTX *c); diff --git a/lib/libssl/src/crypto/md4/md4.h b/lib/libssl/src/crypto/md4/md4.h index a55368a7909..c3ed9b3f75f 100644 --- a/lib/libssl/src/crypto/md4/md4.h +++ b/lib/libssl/src/crypto/md4/md4.h @@ -105,9 +105,6 @@ typedef struct MD4state_st unsigned int num; } MD4_CTX; -#ifdef OPENSSL_FIPS -int private_MD4_Init(MD4_CTX *c); -#endif int MD4_Init(MD4_CTX *c); int MD4_Update(MD4_CTX *c, const void *data, size_t len); int MD4_Final(unsigned char *md, MD4_CTX *c); diff --git a/lib/libssl/src/crypto/md5/md5.h b/lib/libssl/src/crypto/md5/md5.h index 541cc925feb..4cbf84386b3 100644 --- a/lib/libssl/src/crypto/md5/md5.h +++ b/lib/libssl/src/crypto/md5/md5.h @@ -105,9 +105,6 @@ typedef struct MD5state_st unsigned int num; } MD5_CTX; -#ifdef OPENSSL_FIPS -int private_MD5_Init(MD5_CTX *c); -#endif int MD5_Init(MD5_CTX *c); int MD5_Update(MD5_CTX *c, const void *data, size_t len); int MD5_Final(unsigned char *md, MD5_CTX *c); diff --git a/lib/libssl/src/crypto/mdc2/mdc2.h b/lib/libssl/src/crypto/mdc2/mdc2.h index f3e8e579d23..72778a52123 100644 --- a/lib/libssl/src/crypto/mdc2/mdc2.h +++ b/lib/libssl/src/crypto/mdc2/mdc2.h @@ -81,9 +81,6 @@ typedef struct mdc2_ctx_st } MDC2_CTX; -#ifdef OPENSSL_FIPS -int private_MDC2_Init(MDC2_CTX *c); -#endif int MDC2_Init(MDC2_CTX *c); int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); int MDC2_Final(unsigned char *md, MDC2_CTX *c); diff --git a/lib/libssl/src/crypto/o_fips.c b/lib/libssl/src/crypto/o_fips.c index 9c185cfb184..43312ae23f0 100644 --- a/lib/libssl/src/crypto/o_fips.c +++ b/lib/libssl/src/crypto/o_fips.c @@ -56,42 +56,20 @@ */ #include "cryptlib.h" -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#include <openssl/fips_rand.h> -#include <openssl/rand.h> -#endif int FIPS_mode(void) { OPENSSL_init(); -#ifdef OPENSSL_FIPS - return FIPS_module_mode(); -#else return 0; -#endif } int FIPS_mode_set(int r) { OPENSSL_init(); -#ifdef OPENSSL_FIPS -#ifndef FIPS_AUTH_USER_PASS -#define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" -#endif - if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) - return 0; - if (r) - RAND_set_rand_method(FIPS_rand_get_method()); - else - RAND_set_rand_method(NULL); - return 1; -#else if (r == 0) return 1; CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); return 0; -#endif } diff --git a/lib/libssl/src/crypto/o_init.c b/lib/libssl/src/crypto/o_init.c index 07c8e0d694f..5e905d93152 100644 --- a/lib/libssl/src/crypto/o_init.c +++ b/lib/libssl/src/crypto/o_init.c @@ -54,10 +54,6 @@ #include <e_os.h> #include <openssl/err.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#include <openssl/rand.h> -#endif /* Perform any essential OpenSSL initialization operations. * Currently only sets FIPS callbacks @@ -70,12 +66,6 @@ OPENSSL_init(void) if (done) return; done = 1; -#ifdef OPENSSL_FIPS - FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock); - FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); - FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); - RAND_init_fips(); -#endif #if 0 fprintf(stderr, "Called OPENSSL_init\n"); #endif diff --git a/lib/libssl/src/crypto/opensslv.h b/lib/libssl/src/crypto/opensslv.h index ebe71807233..7ba6281f28f 100644 --- a/lib/libssl/src/crypto/opensslv.h +++ b/lib/libssl/src/crypto/opensslv.h @@ -26,11 +26,7 @@ * major minor fix final patch/beta) */ #define OPENSSL_VERSION_NUMBER 0x1000107fL -#ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014" -#else #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014" -#endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/lib/libssl/src/crypto/pem/pem_all.c b/lib/libssl/src/crypto/pem/pem_all.c index eac0460e3eb..6ff6be7fbe5 100644 --- a/lib/libssl/src/crypto/pem/pem_all.c +++ b/lib/libssl/src/crypto/pem/pem_all.c @@ -193,61 +193,8 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, #endif -#ifdef OPENSSL_FIPS - -int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_RSA(k, x); - - ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey, - PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u); -} - -#ifndef OPENSSL_NO_FP_API -int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - - EVP_PKEY_set1_RSA(k, x); - - ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey, - PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u); -} -#endif - -#else - IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) -#endif - IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) @@ -277,59 +224,8 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb, return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ } -#ifdef OPENSSL_FIPS - -int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_DSA(k, x); - - ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey, - PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u); -} - -#ifndef OPENSSL_NO_FP_API -int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_DSA(k, x); - ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey, - PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u); -} -#endif - -#else - IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) -#endif - IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) #ifndef OPENSSL_NO_FP_API @@ -377,61 +273,8 @@ IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKPa -#ifdef OPENSSL_FIPS - -int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_EC_KEY(k, x); - - ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey, - PEM_STRING_ECPRIVATEKEY, - bp,x,enc,kstr,klen,cb,u); -} - -#ifndef OPENSSL_NO_FP_API -int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - if (FIPS_mode()) - { - EVP_PKEY *k; - int ret; - k = EVP_PKEY_new(); - if (!k) - return 0; - EVP_PKEY_set1_EC_KEY(k, x); - ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); - EVP_PKEY_free(k); - return ret; - } - else - return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey, - PEM_STRING_ECPRIVATEKEY, - fp,x,enc,kstr,klen,cb,u); -} -#endif - -#else - IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) -#endif - IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) #ifndef OPENSSL_NO_FP_API diff --git a/lib/libssl/src/crypto/pkcs12/p12_crt.c b/lib/libssl/src/crypto/pkcs12/p12_crt.c index a34915d02d1..0c5e8dc992b 100644 --- a/lib/libssl/src/crypto/pkcs12/p12_crt.c +++ b/lib/libssl/src/crypto/pkcs12/p12_crt.c @@ -91,11 +91,6 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, /* Set defaults */ if (!nid_cert) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else -#endif nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; } if (!nid_key) diff --git a/lib/libssl/src/crypto/rc2/rc2.h b/lib/libssl/src/crypto/rc2/rc2.h index e542ec94ffb..4c737f5b905 100644 --- a/lib/libssl/src/crypto/rc2/rc2.h +++ b/lib/libssl/src/crypto/rc2/rc2.h @@ -79,9 +79,6 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; -#ifdef OPENSSL_FIPS -void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); -#endif void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, int enc); diff --git a/lib/libssl/src/crypto/rc2/rc2_skey.c b/lib/libssl/src/crypto/rc2/rc2_skey.c index 6668ac011f0..26b8dd63f69 100644 --- a/lib/libssl/src/crypto/rc2/rc2_skey.c +++ b/lib/libssl/src/crypto/rc2/rc2_skey.c @@ -96,13 +96,6 @@ static const unsigned char key_table[256]={ * the same as specifying 1024 for the 'bits' parameter. Bsafe uses * a version where the bits parameter is the same as len*8 */ void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(RC2); - private_RC2_set_key(key, len, data, bits); - } -void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) -#endif { int i,j; unsigned char *k; diff --git a/lib/libssl/src/crypto/rc4/rc4_utl.c b/lib/libssl/src/crypto/rc4/rc4_utl.c index ab3f02fe6a9..bd39a765438 100644 --- a/lib/libssl/src/crypto/rc4/rc4_utl.c +++ b/lib/libssl/src/crypto/rc4/rc4_utl.c @@ -55,8 +55,5 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) { -#ifdef OPENSSL_FIPS - fips_cipher_abort(RC4); -#endif private_RC4_set_key(key, len, data); } diff --git a/lib/libssl/src/crypto/ripemd/ripemd.h b/lib/libssl/src/crypto/ripemd/ripemd.h index 189bd8c90e9..5942eb61808 100644 --- a/lib/libssl/src/crypto/ripemd/ripemd.h +++ b/lib/libssl/src/crypto/ripemd/ripemd.h @@ -91,9 +91,6 @@ typedef struct RIPEMD160state_st unsigned int num; } RIPEMD160_CTX; -#ifdef OPENSSL_FIPS -int private_RIPEMD160_Init(RIPEMD160_CTX *c); -#endif int RIPEMD160_Init(RIPEMD160_CTX *c); int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); diff --git a/lib/libssl/src/crypto/rsa/rsa_crpt.c b/lib/libssl/src/crypto/rsa/rsa_crpt.c index d3e44785dcf..7750366613b 100644 --- a/lib/libssl/src/crypto/rsa/rsa_crpt.c +++ b/lib/libssl/src/crypto/rsa/rsa_crpt.c @@ -75,56 +75,24 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); } int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); } int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); } int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); - return -1; - } -#endif return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); } diff --git a/lib/libssl/src/crypto/rsa/rsa_gen.c b/lib/libssl/src/crypto/rsa/rsa_gen.c index 42290cce66c..767f7ab682a 100644 --- a/lib/libssl/src/crypto/rsa/rsa_gen.c +++ b/lib/libssl/src/crypto/rsa/rsa_gen.c @@ -67,9 +67,6 @@ #include "cryptlib.h" #include <openssl/bn.h> #include <openssl/rsa.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); @@ -80,20 +77,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) * now just because key-generation is part of RSA_METHOD. */ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); - return 0; - } -#endif if(rsa->meth->rsa_keygen) return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb); -#endif return rsa_builtin_keygen(rsa, bits, e_value, cb); } diff --git a/lib/libssl/src/crypto/rsa/rsa_lib.c b/lib/libssl/src/crypto/rsa/rsa_lib.c index c95ceafc824..9e3f7dafcda 100644 --- a/lib/libssl/src/crypto/rsa/rsa_lib.c +++ b/lib/libssl/src/crypto/rsa/rsa_lib.c @@ -67,10 +67,6 @@ #include <openssl/engine.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif - const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; static const RSA_METHOD *default_RSA_meth=NULL; @@ -91,18 +87,11 @@ const RSA_METHOD *RSA_get_default_method(void) { if (default_RSA_meth == NULL) { -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return FIPS_rsa_pkcs1_ssleay(); - else - return RSA_PKCS1_SSLeay(); -#else #ifdef RSA_NULL default_RSA_meth=RSA_null_method(); #else default_RSA_meth=RSA_PKCS1_SSLeay(); #endif -#endif } return default_RSA_meth; diff --git a/lib/libssl/src/crypto/rsa/rsa_pmeth.c b/lib/libssl/src/crypto/rsa/rsa_pmeth.c index 157aa5c41d2..d706d35ff6b 100644 --- a/lib/libssl/src/crypto/rsa/rsa_pmeth.c +++ b/lib/libssl/src/crypto/rsa/rsa_pmeth.c @@ -66,9 +66,6 @@ #ifndef OPENSSL_NO_CMS #include <openssl/cms.h> #endif -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif #include "evp_locl.h" #include "rsa_locl.h" @@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) OPENSSL_free(rctx); } } -#ifdef OPENSSL_FIPS -/* FIP checker. Return value indicates status of context parameters: - * 1 : redirect to FIPS. - * 0 : don't redirect to FIPS. - * -1 : illegal operation in FIPS mode. - */ - -static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx) - { - RSA_PKEY_CTX *rctx = ctx->data; - RSA *rsa = ctx->pkey->pkey.rsa; - int rv = -1; - if (!FIPS_mode()) - return 0; - if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) - rv = 0; - if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv) - return -1; - if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS)) - return rv; - if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS)) - return rv; - return 1; - } -#endif - static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { @@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, RSA_PKEY_CTX *rctx = ctx->data; RSA *rsa = ctx->pkey->pkey.rsa; -#ifdef OPENSSL_FIPS - ret = pkey_fips_check_ctx(ctx); - if (ret < 0) - { - RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); - return -1; - } -#endif - if (rctx->md) { if (tbslen != (size_t)EVP_MD_size(rctx->md)) @@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, RSA_R_INVALID_DIGEST_LENGTH); return -1; } -#ifdef OPENSSL_FIPS - if (ret > 0) - { - unsigned int slen; - ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md, - rctx->pad_mode, - rctx->saltlen, - rctx->mgf1md, - sig, &slen); - if (ret > 0) - *siglen = slen; - else - *siglen = 0; - return ret; - } -#endif if (EVP_MD_type(rctx->md) == NID_mdc2) { @@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, RSA_PKEY_CTX *rctx = ctx->data; RSA *rsa = ctx->pkey->pkey.rsa; size_t rslen; -#ifdef OPENSSL_FIPS - int rv; - rv = pkey_fips_check_ctx(ctx); - if (rv < 0) - { - RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); - return -1; - } -#endif if (rctx->md) { -#ifdef OPENSSL_FIPS - if (rv > 0) - { - return FIPS_rsa_verify_digest(rsa, - tbs, tbslen, - rctx->md, - rctx->pad_mode, - rctx->saltlen, - rctx->mgf1md, - sig, siglen); - - } -#endif if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); diff --git a/lib/libssl/src/crypto/rsa/rsa_sign.c b/lib/libssl/src/crypto/rsa/rsa_sign.c index b6f6037ae00..fa3239ab30a 100644 --- a/lib/libssl/src/crypto/rsa/rsa_sign.c +++ b/lib/libssl/src/crypto/rsa/rsa_sign.c @@ -77,14 +77,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, const unsigned char *s = NULL; X509_ALGOR algor; ASN1_OCTET_STRING digest; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD); - return 0; - } -#endif if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { return rsa->meth->rsa_sign(type, m, m_len, @@ -161,15 +153,6 @@ int int_rsa_verify(int dtype, const unsigned char *m, unsigned char *s; X509_SIG *sig=NULL; -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) - { - RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD); - return 0; - } -#endif - if (siglen != (unsigned int)RSA_size(rsa)) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); diff --git a/lib/libssl/src/crypto/seed/seed.c b/lib/libssl/src/crypto/seed/seed.c index 3e675a8d755..934664ddb69 100644 --- a/lib/libssl/src/crypto/seed/seed.c +++ b/lib/libssl/src/crypto/seed/seed.c @@ -198,13 +198,6 @@ static const seed_word KC[] = { KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 }; #endif void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) -#ifdef OPENSSL_FIPS - { - fips_cipher_abort(SEED); - private_SEED_set_key(rawkey, ks); - } -void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) -#endif { seed_word x1, x2, x3, x4; seed_word t0, t1; diff --git a/lib/libssl/src/crypto/seed/seed.h b/lib/libssl/src/crypto/seed/seed.h index c50fdd36073..6e2ade3fbb9 100644 --- a/lib/libssl/src/crypto/seed/seed.h +++ b/lib/libssl/src/crypto/seed/seed.h @@ -116,9 +116,6 @@ typedef struct seed_key_st { #endif } SEED_KEY_SCHEDULE; -#ifdef OPENSSL_FIPS -void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); -#endif void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks); diff --git a/lib/libssl/src/crypto/sha/sha.h b/lib/libssl/src/crypto/sha/sha.h index 8a6bf4bbbb1..7cbca26ff90 100644 --- a/lib/libssl/src/crypto/sha/sha.h +++ b/lib/libssl/src/crypto/sha/sha.h @@ -70,10 +70,6 @@ extern "C" { #error SHA is disabled. #endif -#if defined(OPENSSL_FIPS) -#define FIPS_SHA_SIZE_T size_t -#endif - /* * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then ! @@ -106,9 +102,6 @@ typedef struct SHAstate_st } SHA_CTX; #ifndef OPENSSL_NO_SHA0 -#ifdef OPENSSL_FIPS -int private_SHA_Init(SHA_CTX *c); -#endif int SHA_Init(SHA_CTX *c); int SHA_Update(SHA_CTX *c, const void *data, size_t len); int SHA_Final(unsigned char *md, SHA_CTX *c); @@ -116,9 +109,6 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md); void SHA_Transform(SHA_CTX *c, const unsigned char *data); #endif #ifndef OPENSSL_NO_SHA1 -#ifdef OPENSSL_FIPS -int private_SHA1_Init(SHA_CTX *c); -#endif int SHA1_Init(SHA_CTX *c); int SHA1_Update(SHA_CTX *c, const void *data, size_t len); int SHA1_Final(unsigned char *md, SHA_CTX *c); @@ -141,10 +131,6 @@ typedef struct SHA256state_st } SHA256_CTX; #ifndef OPENSSL_NO_SHA256 -#ifdef OPENSSL_FIPS -int private_SHA224_Init(SHA256_CTX *c); -int private_SHA256_Init(SHA256_CTX *c); -#endif int SHA224_Init(SHA256_CTX *c); int SHA224_Update(SHA256_CTX *c, const void *data, size_t len); int SHA224_Final(unsigned char *md, SHA256_CTX *c); @@ -192,10 +178,6 @@ typedef struct SHA512state_st #endif #ifndef OPENSSL_NO_SHA512 -#ifdef OPENSSL_FIPS -int private_SHA384_Init(SHA512_CTX *c); -int private_SHA512_Init(SHA512_CTX *c); -#endif int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); diff --git a/lib/libssl/src/crypto/whrlpool/whrlpool.h b/lib/libssl/src/crypto/whrlpool/whrlpool.h index 9e01f5b0766..03c91da1155 100644 --- a/lib/libssl/src/crypto/whrlpool/whrlpool.h +++ b/lib/libssl/src/crypto/whrlpool/whrlpool.h @@ -24,9 +24,6 @@ typedef struct { } WHIRLPOOL_CTX; #ifndef OPENSSL_NO_WHIRLPOOL -#ifdef OPENSSL_FIPS -int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c); -#endif int WHIRLPOOL_Init (WHIRLPOOL_CTX *c); int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes); void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits); |