| author | tedu <> | 2014-04-15 20:06:10 +0000 | 
|---|---|---|
| committer | tedu <> | 2014-04-15 20:06:10 +0000 | 
| commit | f88d9acb16e601adf96b4de4b1041d52d0d846da (patch) | |
| tree | 11be20c8110348001494179db4f9b0b67ce149ba /src/lib/libc | |
| parent | e3275129dc02b842088cee9974244d4933cd72c6 (diff) | |
remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok beck deraadt
Diffstat (limited to '')
66 files changed, 9 insertions, 979 deletions
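--- a/src/lib/libcrypto/Attic/Makefile
+++ b/src/lib/libcrypto/Attic/Makefile
@@ -35,9 +35,9 @@ GENERAL=Makefile README crypto-lib.com install.com
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
 LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
-uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
+uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c
 LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \
-uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
+uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o $(CPUID_OBJ)
 
 SRC= $(LIBSRC)
 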
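--- a/src/lib/libcrypto/aes/aes_misc.c
+++ b/src/lib/libcrypto/aes/aes_misc.c
@@ -71,9 +71,6 @@ int
 AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 AES_KEY *key)
 {
-#ifdef OPENSSL_FIPS
-fips_cipher_abort(AES);
-#endif
 return private_AES_set_encrypt_key(userKey, bits, key);
 }
 
@@ -81,8 +78,5 @@ int
 AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 AES_KEY *key)
 {
-#ifdef OPENSSL_FIPS
-fips_cipher_abort(AES);
-#endif
 return private_AES_set_decrypt_key(userKey, bits, key);
 }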
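Review bot: With the `fips_cipher_abort(AES)` guard gone, `AES_set_encrypt_key` and `AES_set_decrypt_key` are pure forwarders to `private_AES_set_encrypt_key` / `private_AES_set_decrypt_key`, whereas the Blowfish, CAST and DES sections of this commit fold the `private_` variant back into the public function. `Camellia_set_key` in cmll_utl.c is left in the same forwarding state. If the `private_` symbols have to stay (for example because they are defined in another file, which is not visible here), a one-line comment such as `/* thin wrapper; the key schedule lives in private_AES_set_encrypt_key */` would keep the next reader from assuming a policy check still happens at this layer.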
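--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -64,13 +64,6 @@
 #include "bf_pi.h"
 
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
-#ifdef OPENSSL_FIPS
-{
-fips_cipher_abort(BLOWFISH);
-private_BF_set_key(key, len, data);
-}
-void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data)
-#endif
 {
 int i;
 BF_LONG *p,ri,in[2];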
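--- a/src/lib/libcrypto/bf/blowfish.h
+++ b/src/lib/libcrypto/bf/blowfish.h
@@ -104,9 +104,6 @@ typedef struct bf_key_st
 BF_LONG S[4*256];
 } BF_KEY;
 
-#ifdef OPENSSL_FIPS
-void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
-#endif
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
 
 void BF_encrypt(BF_LONG *data,const BF_KEY *key);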
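--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -479,10 +479,6 @@ extern "C" {
 }
 #endif /* !BN_LLONG */
 
-#if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS)
-#undef bn_div_words
-#endif
-
 void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
 void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
 void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);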
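--- a/src/lib/libcrypto/camellia/camellia.h
+++ b/src/lib/libcrypto/camellia/camellia.h
@@ -88,10 +88,6 @@ struct camellia_key_st
 };
 typedef struct camellia_key_st CAMELLIA_KEY;
 
-#ifdef OPENSSL_FIPS
-int private_Camellia_set_key(const unsigned char *userKey, const int bits,
-CAMELLIA_KEY *key);
-#endif
 int Camellia_set_key(const unsigned char *userKey, const int bits,
 CAMELLIA_KEY *key);
 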
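--- a/src/lib/libcrypto/camellia/cmll_utl.c
+++ b/src/lib/libcrypto/camellia/cmll_utl.c
@@ -57,8 +57,5 @@
 int Camellia_set_key(const unsigned char *userKey, const int bits,
 CAMELLIA_KEY *key)
 {
-#ifdef OPENSSL_FIPS
-fips_cipher_abort(Camellia);
-#endif
 return private_Camellia_set_key(userKey, bits, key);
 }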
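--- a/src/lib/libcrypto/cast/c_skey.c
+++ b/src/lib/libcrypto/cast/c_skey.c
@@ -73,13 +73,6 @@
 #define S6 CAST_S_table6
 #define S7 CAST_S_table7
 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
-#ifdef OPENSSL_FIPS
-{
-fips_cipher_abort(CAST);
-private_CAST_set_key(key, len, data);
-}
-void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
-#endif
 {
 CAST_LONG x[16];
 CAST_LONG z[16];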
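--- a/src/lib/libcrypto/cast/cast.h
+++ b/src/lib/libcrypto/cast/cast.h
@@ -83,9 +83,6 @@ typedef struct cast_key_st
 int short_key; /* Use reduced rounds for short key */
 } CAST_KEY;
 
-#ifdef OPENSSL_FIPS
-void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
-#endif
 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
 void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
 int enc);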
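--- a/src/lib/libcrypto/cmac/cmac.c
+++ b/src/lib/libcrypto/cmac/cmac.c
@@ -57,10 +57,6 @@
 #include "cryptlib.h"
 #include <openssl/cmac.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 struct CMAC_CTX_st
 {
 /* Cipher context to use */
@@ -107,13 +103,6 @@ CMAC_CTX *CMAC_CTX_new(void)
 
 void CMAC_CTX_cleanup(CMAC_CTX *ctx)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !ctx->cctx.engine)
-{
-FIPS_cmac_ctx_cleanup(ctx);
-return;
-}
-#endif
 EVP_CIPHER_CTX_cleanup(&ctx->cctx);
 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
@@ -153,24 +142,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
 const EVP_CIPHER *cipher, ENGINE *impl)
 {
 static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-{
-/* If we have an ENGINE need to allow non FIPS */
-if ((impl || ctx->cctx.engine)
-&& !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
-
-{
-EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
-return 0;
-}
-/* Other algorithm blocking will be done in FIPS_cmac_init,
-* via FIPS_cipherinit().
-*/
-if (!impl && !ctx->cctx.engine)
-return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
-}
-#endif
 /* All zeros means restart */
 if (!key && !cipher && !impl && keylen == 0)
 {
@@ -216,10 +187,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
 {
 const unsigned char *data = in;
 size_t bl;
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !ctx->cctx.engine)
-return FIPS_cmac_update(ctx, in, dlen);
-#endif
+
 if (ctx->nlast_block == -1)
 return 0;
 if (dlen == 0)
@@ -261,10 +229,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
 {
 int i, bl, lb;
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !ctx->cctx.engine)
-return FIPS_cmac_final(ctx, out, poutlen);
-#endif
+
 if (ctx->nlast_block == -1)
 return 0;
 bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);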
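--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -538,25 +538,9 @@ void OPENSSL_init(void);
 
 #define fips_md_init(alg) fips_md_init_ctx(alg, alg)
 
-#ifdef OPENSSL_FIPS
-#define fips_md_init_ctx(alg, cx) \
-int alg##_Init(cx##_CTX *c) \
-{ \
-if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-"Low level API call to digest " #alg " forbidden in FIPS mode!"); \
-return private_##alg##_Init(c); \
-} \
-int private_##alg##_Init(cx##_CTX *c)
-
-#define fips_cipher_abort(alg) \
-if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-"Low level API call to cipher " #alg " forbidden in FIPS mode!")
-
-#else
 #define fips_md_init_ctx(alg, cx) \
 int alg##_Init(cx##_CTX *c)
 #define fips_cipher_abort(alg) while(0)
-#endif
 
 /* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
 * takes an amount of time dependent on |len|, but independent of the contents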
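Review bot: The surviving `fips_md_init`, `fips_md_init_ctx` and `fips_cipher_abort` macros keep their FIPS names although they no longer enforce anything, so a reader can mistake `fips_cipher_abort(alg)` for a live guard. Every call site of `fips_cipher_abort` visible on this page (AES, Blowfish, Camellia, CAST, DES) is removed by this commit, so the `while(0)` definition looks unused; if that also holds for the rest of the tree, it can be deleted. Otherwise a comment above it such as `/* no-op: FIPS mode is not supported; kept only so remaining callers compile */` would make the intent explicit. The same applies to `fips_md_init_ctx`, which now only expands to the plain `alg##_Init` definition.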
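--- a/src/lib/libcrypto/crypto/Makefile
+++ b/src/lib/libcrypto/crypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.8 2014/04/15 17:46:16 beck Exp $
+# $OpenBSD: Makefile,v 1.9 2014/04/15 20:06:09 tedu Exp $
 
 LIB= crypto
 
@@ -43,7 +43,7 @@ CFLAGS+= -I${LCRYPTO_SRC}/modes -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/evp
 
 # crypto/
 SRCS+= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c
-SRCS+= uid.c o_time.c o_str.c o_fips.c o_init.c fips_ers.c
+SRCS+= uid.c o_time.c o_str.c o_fips.c o_init.c
 
 # aes/
 SRCS+= aes_misc.c aes_ecb.c aes_cfb.c aes_ofb.c
@@ -163,7 +163,7 @@ SRCS+= p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c
 SRCS+= bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c
 SRCS+= c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c
 SRCS+= evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
-SRCS+= e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c
+SRCS+= e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c
 SRCS+= e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
 
 # hmac/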
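--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule);
 int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
 int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
 void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
-#ifdef OPENSSL_FIPS
-void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
-#endif
 void DES_string_to_key(const char *str,DES_cblock *key);
 void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
 void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,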
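--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule)
 }
 
 void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
-#ifdef OPENSSL_FIPS
-{
-fips_cipher_abort(DES);
-private_DES_set_key_unchecked(key, schedule);
-}
-void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
-#endif
 {
 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
 register DES_LONG c,d,t,s,t2;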
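--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -66,29 +66,12 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
 
 int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
-&& !(ret->flags & DH_FLAG_NON_FIPS_ALLOW))
-{
-DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
-return 0;
-}
-#endif
 if(ret->meth->generate_params)
 return ret->meth->generate_params(ret, prime_len, generator, cb);
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_dh_generate_parameters_ex(ret, prime_len,
-generator, cb);
-#endif
 return dh_builtin_genparams(ret, prime_len, generator, cb);
 }
 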
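--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -73,27 +73,11 @@ static int dh_finish(DH *dh);
 
 int DH_generate_key(DH *dh)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
-&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
-{
-DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
-return 0;
-}
-#endif
 return dh->meth->generate_key(dh);
 }
 
 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
-&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
-{
-DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
-return 0;
-}
-#endif
 return dh->meth->compute_key(key, pub_key, dh);
 }
 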
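--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -64,10 +64,6 @@
 #include <openssl/engine.h>
 #endif
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
 static const DH_METHOD *default_DH_method = NULL;
@@ -81,14 +77,7 @@ const DH_METHOD *DH_get_default_method(void)
 {
 if(!default_DH_method)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_dh_openssl();
-else
-return DH_OpenSSL();
-#else
 default_DH_method = DH_OpenSSL();
-#endif
 }
 return default_DH_method;
 }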
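--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -81,33 +81,13 @@
 #include <openssl/sha.h>
 #include "dsa_locl.h"
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 int DSA_generate_parameters_ex(DSA *ret, int bits,
 const unsigned char *seed_in, int seed_len,
 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
-&& !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
-{
-DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
-return 0;
-}
-#endif
 if(ret->meth->dsa_paramgen)
 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
 counter_ret, h_ret, cb);
-#ifdef OPENSSL_FIPS
-else if (FIPS_mode())
-{
-return FIPS_dsa_generate_parameters_ex(ret, bits,
-seed_in, seed_len,
-counter_ret, h_ret, cb);
-}
-#endif
 else
 {
 const EVP_MD *evpmd;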
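--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,28 +64,12 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 static int dsa_builtin_keygen(DSA *dsa);
 
 int DSA_generate_key(DSA *dsa)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-{
-DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
-return 0;
-}
-#endif
 if(dsa->meth->dsa_keygen)
 return dsa->meth->dsa_keygen(dsa);
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_dsa_generate_key(dsa);
-#endif
 return dsa_builtin_keygen(dsa);
 }
 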
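--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -70,10 +70,6 @@
 #include <openssl/dh.h>
 #endif
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
 
 static const DSA_METHOD *default_DSA_method = NULL;
@@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void)
 {
 if(!default_DSA_method)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_dsa_openssl();
-else
-return DSA_OpenSSL();
-#else
 default_DSA_method = DSA_OpenSSL();
-#endif
 }
 return default_DSA_method;
 }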
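--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -65,27 +65,11 @@
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-{
-DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
-return NULL;
-}
-#endif
 return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
 }
 
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-{
-DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
-return 0;
-}
-#endif
 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
 }
 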
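--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,13 +64,5 @@
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 DSA *dsa)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-{
-DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
-return -1;
-}
-#endif
 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
 }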
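Review bot: `DSA_do_verify` carries no comment describing its return contract, and the branch removed here shows that -1 was used as an error return for this function. A caller that tests the result as a boolean would treat a negative error as a valid signature, so the function deserves a comment such as `/* returns 1 if the signature is valid, 0 if it is not, and a negative value on error; compare the result against 1 */`. That wording assumes the `dsa_do_verify` method implementations follow the same convention, which is not visible in this hunk and should be confirmed before the comment is added.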
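--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -73,16 +73,8 @@
 
 #ifndef OPENSSL_NO_EC2M
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
-
 const EC_METHOD *EC_GF2m_simple_method(void)
 {
-#ifdef OPENSSL_FIPS
-return fips_ec_gf2m_simple_method();
-#else
 static const EC_METHOD ret = {
 EC_FLAGS_DEFAULT_OCT,
 NID_X9_62_characteristic_two_field,
@@ -126,7 +118,6 @@ const EC_METHOD *EC_GF2m_simple_method(void)
 0 /* field_set_to_one */ };
 
 return &ret;
-#endif
 }
 
 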
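--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -64,9 +64,6 @@
 #include <string.h>
 #include "ec_lcl.h"
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 
 EC_KEY *EC_KEY_new(void)
 {
@@ -241,11 +238,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 BIGNUM *priv_key = NULL, *order = NULL;
 EC_POINT *pub_key = NULL;
 
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_ec_key_generate_key(eckey);
-#endif
-
 if (!eckey || !eckey->group)
 {
 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);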
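--- a/src/lib/libcrypto/ec/ecp_mont.c
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -63,18 +63,11 @@
 
 #include <openssl/err.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 #include "ec_lcl.h"
 
 
 const EC_METHOD *EC_GFp_mont_method(void)
 {
-#ifdef OPENSSL_FIPS
-return fips_ec_gfp_mont_method();
-#else
 static const EC_METHOD ret = {
 EC_FLAGS_DEFAULT_OCT,
 NID_X9_62_prime_field,
@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void)
 ec_GFp_mont_field_set_to_one };
 
 return &ret;
-#endif
 }
 
 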
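--- a/src/lib/libcrypto/ec/ecp_nist.c
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -67,15 +67,8 @@
 #include <openssl/obj_mac.h>
 #include "ec_lcl.h"
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 const EC_METHOD *EC_GFp_nist_method(void)
 {
-#ifdef OPENSSL_FIPS
-return fips_ec_gfp_nist_method();
-#else
 static const EC_METHOD ret = {
 EC_FLAGS_DEFAULT_OCT,
 NID_X9_62_prime_field,
@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void)
 0 /* field_set_to_one */ };
 
 return &ret;
-#endif
 }
 
 int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)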
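--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -64,17 +64,10 @@
 
 #include <openssl/err.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 #include "ec_lcl.h"
 
 const EC_METHOD *EC_GFp_simple_method(void)
 {
-#ifdef OPENSSL_FIPS
-return fips_ec_gfp_simple_method();
-#else
 static const EC_METHOD ret = {
 EC_FLAGS_DEFAULT_OCT,
 NID_X9_62_prime_field,
@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_simple_method(void)
 0 /* field_set_to_one */ };
 
 return &ret;
-#endif
 }
 
 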
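--- a/src/lib/libcrypto/ecdh/ech_lib.c
+++ b/src/lib/libcrypto/ecdh/ech_lib.c
@@ -73,9 +73,6 @@
 #include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 
 const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT;
 
@@ -94,14 +91,7 @@ const ECDH_METHOD *ECDH_get_default_method(void)
 {
 if(!default_ECDH_method)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_ecdh_openssl();
-else
-return ECDH_OpenSSL();
-#else
 default_ECDH_method = ECDH_OpenSSL();
-#endif
 }
 return default_ECDH_method;
 }
@@ -234,15 +224,6 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
 }
 else
 ecdh_data = (ECDH_DATA *)data;
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD)
-&& !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
-{
-ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD);
-return NULL;
-}
-#endif
-
 
 return ecdh_data;
 }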
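--- a/src/lib/libcrypto/ecdsa/ecs_lib.c
+++ b/src/lib/libcrypto/ecdsa/ecs_lib.c
@@ -60,9 +60,6 @@
 #endif
 #include <openssl/err.h>
 #include <openssl/bn.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 
 const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT;
 
@@ -81,14 +78,7 @@ const ECDSA_METHOD *ECDSA_get_default_method(void)
 {
 if(!default_ECDSA_method)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_ecdsa_openssl();
-else
-return ECDSA_OpenSSL();
-#else
 default_ECDSA_method = ECDSA_OpenSSL();
-#endif
 }
 return default_ECDSA_method;
 }
@@ -212,14 +202,6 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
 }
 else
 ecdsa_data = (ECDSA_DATA *)data;
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD)
-&& !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
-{
-ECDSAerr(ECDSA_F_ECDSA_CHECK, ECDSA_R_NON_FIPS_METHOD);
-return NULL;
-}
-#endif
 
 return ecdsa_data;
 }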
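--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -97,9 +97,6 @@
 #include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 #include <openssl/ts.h>
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
@@ -155,9 +152,6 @@ void ERR_load_crypto_strings(void)
 #endif
 ERR_load_OCSP_strings();
 ERR_load_UI_strings();
-#ifdef OPENSSL_FIPS
-ERR_load_FIPS_strings();
-#endif
 #ifndef OPENSSL_NO_CMS
 ERR_load_CMS_strings();
 #endif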
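--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
-e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
+e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
 
 LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
@@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
-e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
+e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
 
 SRC= $(LIBSRC)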
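--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -117,10 +117,6 @@
 #include <openssl/engine.h>
 #endif
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
 {
 memset(ctx,'\0',sizeof *ctx);
@@ -229,26 +225,12 @@ skip_to_init:
 }
 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
 return 1;
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-{
-if (FIPS_digestinit(ctx, type))
-return 1;
-OPENSSL_free(ctx->md_data);
-ctx->md_data = NULL;
-return 0;
-}
-#endif
 return ctx->digest->init(ctx);
 }
 
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-#ifdef OPENSSL_FIPS
-return FIPS_digestupdate(ctx, data, count);
-#else
 return ctx->update(ctx,data,count);
-#endif
 }
 
 /* The caller can assume that this removes any secret data from the context */
@@ -263,9 +245,6 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 /* The caller can assume that this removes any secret data from the context */
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 {
-#ifdef OPENSSL_FIPS
-return FIPS_digestfinal(ctx, md, size);
-#else
 int ret;
 
 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
@@ -279,7 +258,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 }
 memset(ctx->md_data,0,ctx->digest->ctx_size);
 return ret;
-#endif
 }
 
 int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
@@ -376,7 +354,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
 /* This call frees resources associated with the context */
 int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
 {
-#ifndef OPENSSL_FIPS
 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
 * because sometimes only copies of the context are ever finalised.
 */
@@ -389,7 +366,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
 OPENSSL_free(ctx->md_data);
 }
-#endif
 if (ctx->pctx)
 EVP_PKEY_CTX_free(ctx->pctx);
 #ifndef OPENSSL_NO_ENGINE
@@ -398,9 +374,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
 * functional reference we held for this reason. */
 ENGINE_finish(ctx->engine);
 #endif
-#ifdef OPENSSL_FIPS
-FIPS_md_ctx_cleanup(ctx);
-#endif
 memset(ctx,'\0',sizeof *ctx);
 
 return 1;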
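Review bot: EVP_DigestFinal_ex is documented as removing any secret data from the context, yet it clears `md_data` with a plain `memset`, while EVP_MD_CTX_cleanup in the same file wipes the same buffer with `OPENSSL_cleanse`. With the FIPS branch gone this is the only finalisation path, so `OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);` in place of the `memset` would keep the promise in the comment independent of how the optimiser treats the store. Both function bodies extend beyond the hunks shown, so the surrounding lines should be checked before changing it.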
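--- a/src/lib/libcrypto/evp/e_null.c
+++ b/src/lib/libcrypto/evp/e_null.c
@@ -61,8 +61,6 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
-#ifndef OPENSSL_FIPS
-
 static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 const unsigned char *iv,int enc);
 static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 memcpy((char *)out,(const char *)in,inl);
 return 1;
 }
-#endif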
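Review bot: With the `#ifndef OPENSSL_FIPS` guard removed, a build that still passes `-DOPENSSL_FIPS` compiles this file's ordinary implementation without any diagnostic; the same holds for the guards dropped in m_dss.c, m_dss1.c, m_ecdsa.c and m_sha1.c. Whether anything else in the tree still reacts to the macro cannot be seen from these hunks, so a configuration that expects a validated module could end up with the regular code and no warning. A compile-time stop in a header that every file includes, for example `#ifdef OPENSSL_FIPS` / `#error "FIPS mode is no longer supported"` / `#endif` in opensslconf.h, would turn that misconfiguration into a build failure.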
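--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -64,17 +64,9 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 #include "evp_locl.h"
 
-#ifdef OPENSSL_FIPS
-#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
-#else
 #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
-#endif
-
 
 const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
 
@@ -169,10 +161,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 ctx->engine = NULL;
 #endif
 
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#endif
 ctx->cipher=cipher;
 if (ctx->cipher->ctx_size)
 {
@@ -206,10 +194,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 #ifndef OPENSSL_NO_ENGINE
 skip_to_init:
 #endif
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#endif
 /* we assume block size is a power of 2 in *cryptUpdate */
 OPENSSL_assert(ctx->cipher->block_size == 1
 || ctx->cipher->block_size == 8
@@ -568,7 +552,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
 
 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
 {
-#ifndef OPENSSL_FIPS
 if (c->cipher != NULL)
 {
 if(c->cipher->cleanup && !c->cipher->cleanup(c))
@@ -579,16 +562,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
 }
 if (c->cipher_data)
 OPENSSL_free(c->cipher_data);
-#endif
 #ifndef OPENSSL_NO_ENGINE
 if (c->engine)
 /* The EVP_CIPHER we used belongs to an ENGINE, release the
 * functional reference we held for this reason. */
 ENGINE_finish(c->engine);
 #endif
-#ifdef OPENSSL_FIPS
-FIPS_cipher_ctx_cleanup(c);
-#endif
 memset(c,0,sizeof(EVP_CIPHER_CTX));
 return 1;
 }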
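Review bot: `M_do_cipher` is now a single unconditional macro whose arguments are expanded without parentheses, so an argument written as an expression (a cast or a conditional, for instance) would bind wrongly against `->`. With no FIPS alternative left to switch between, either parenthesise it, `#define M_do_cipher(ctx, out, in, inl) (ctx)->cipher->do_cipher((ctx), (out), (in), (inl))`, or drop the macro and call `ctx->cipher->do_cipher` directly. The macro's use sites are outside these hunks, so how it is invoked today cannot be checked from here.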
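--- a/src/lib/libcrypto/evp/evp_fips.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/* crypto/evp/evp_fips.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-* project.
-*/
-/* ====================================================================
-* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-*
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-*
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in
-* the documentation and/or other materials provided with the
-* distribution.
-*
-* 3. All advertising materials mentioning features or use of this
-* software must display the following acknowledgment:
-* "This product includes software developed by the OpenSSL Project
-* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-*
-* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-* endorse or promote products derived from this software without
-* prior written permission. For written permission, please contact
-* licensing@OpenSSL.org.
-*
-* 5. Products derived from this software may not be called "OpenSSL"
-* nor may "OpenSSL" appear in their names without prior written
-* permission of the OpenSSL Project.
-*
-* 6. Redistributions of any form whatsoever must retain the following
-* acknowledgment:
-* "This product includes software developed by the OpenSSL Project
-* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-*
-* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-* OF THE POSSIBILITY OF SUCH DAMAGE.
-* ====================================================================
-*/
-
-
-#include <openssl/evp.h>
-
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-
-const EVP_CIPHER *EVP_aes_128_cbc(void) { return FIPS_evp_aes_128_cbc(); }
-const EVP_CIPHER *EVP_aes_128_ccm(void) { return FIPS_evp_aes_128_ccm(); }
-const EVP_CIPHER *EVP_aes_128_cfb1(void) { return FIPS_evp_aes_128_cfb1(); }
-const EVP_CIPHER *EVP_aes_128_cfb128(void) { return FIPS_evp_aes_128_cfb128(); }
-const EVP_CIPHER *EVP_aes_128_cfb8(void) { return FIPS_evp_aes_128_cfb8(); }
-const EVP_CIPHER *EVP_aes_128_ctr(void) { return FIPS_evp_aes_128_ctr(); }
-const EVP_CIPHER *EVP_aes_128_ecb(void) { return FIPS_evp_aes_128_ecb(); }
-const EVP_CIPHER *EVP_aes_128_gcm(void) { return FIPS_evp_aes_128_gcm(); }
-const EVP_CIPHER *EVP_aes_128_ofb(void) { return FIPS_evp_aes_128_ofb(); }
-const EVP_CIPHER *EVP_aes_128_xts(void) { return FIPS_evp_aes_128_xts(); }
-const EVP_CIPHER *EVP_aes_192_cbc(void) { return FIPS_evp_aes_192_cbc(); }
-const EVP_CIPHER *EVP_aes_192_ccm(void) { return FIPS_evp_aes_192_ccm(); }
-const EVP_CIPHER *EVP_aes_192_cfb1(void) { return FIPS_evp_aes_192_cfb1(); }
-const EVP_CIPHER *EVP_aes_192_cfb128(void) { return FIPS_evp_aes_192_cfb128(); }
-const EVP_CIPHER *EVP_aes_192_cfb8(void) { return FIPS_evp_aes_192_cfb8(); }
-const EVP_CIPHER *EVP_aes_192_ctr(void) { return FIPS_evp_aes_192_ctr(); }
-const EVP_CIPHER *EVP_aes_192_ecb(void) { return FIPS_evp_aes_192_ecb(); }
-const EVP_CIPHER *EVP_aes_192_gcm(void) { return FIPS_evp_aes_192_gcm(); }
-const EVP_CIPHER *EVP_aes_192_ofb(void) { return FIPS_evp_aes_192_ofb(); }
-const EVP_CIPHER *EVP_aes_256_cbc(void) { return FIPS_evp_aes_256_cbc(); }
-const EVP_CIPHER *EVP_aes_256_ccm(void) { return FIPS_evp_aes_256_ccm(); }
-const EVP_CIPHER *EVP_aes_256_cfb1(void) { return FIPS_evp_aes_256_cfb1(); }
-const EVP_CIPHER *EVP_aes_256_cfb128(void) { return FIPS_evp_aes_256_cfb128(); }
-const EVP_CIPHER *EVP_aes_256_cfb8(void) { return FIPS_evp_aes_256_cfb8(); }
-const EVP_CIPHER *EVP_aes_256_ctr(void) { return FIPS_evp_aes_256_ctr(); }
-const EVP_CIPHER *EVP_aes_256_ecb(void) { return FIPS_evp_aes_256_ecb(); }
-const EVP_CIPHER *EVP_aes_256_gcm(void) { return FIPS_evp_aes_256_gcm(); }
-const EVP_CIPHER *EVP_aes_256_ofb(void) { return FIPS_evp_aes_256_ofb(); }
-const EVP_CIPHER *EVP_aes_256_xts(void) { return FIPS_evp_aes_256_xts(); }
-const EVP_CIPHER *EVP_des_ede(void) { return FIPS_evp_des_ede(); }
-const EVP_CIPHER *EVP_des_ede3(void) { return FIPS_evp_des_ede3(); }
-const EVP_CIPHER *EVP_des_ede3_cbc(void) { return FIPS_evp_des_ede3_cbc(); }
-const EVP_CIPHER *EVP_des_ede3_cfb1(void) { return FIPS_evp_des_ede3_cfb1(); }
-const EVP_CIPHER *EVP_des_ede3_cfb64(void) { return FIPS_evp_des_ede3_cfb64(); }
-const EVP_CIPHER *EVP_des_ede3_cfb8(void) { return FIPS_evp_des_ede3_cfb8(); }
-const EVP_CIPHER *EVP_des_ede3_ecb(void) { return FIPS_evp_des_ede3_ecb(); }
-const EVP_CIPHER *EVP_des_ede3_ofb(void) { return FIPS_evp_des_ede3_ofb(); }
-const EVP_CIPHER *EVP_des_ede_cbc(void) { return FIPS_evp_des_ede_cbc(); }
-const EVP_CIPHER *EVP_des_ede_cfb64(void) { return FIPS_evp_des_ede_cfb64(); }
-const EVP_CIPHER *EVP_des_ede_ecb(void) { return FIPS_evp_des_ede_ecb(); }
-const EVP_CIPHER *EVP_des_ede_ofb(void) { return FIPS_evp_des_ede_ofb(); }
-const EVP_CIPHER *EVP_enc_null(void) { return FIPS_evp_enc_null(); }
-
-const EVP_MD *EVP_sha1(void) { return FIPS_evp_sha1(); }
-const EVP_MD *EVP_sha224(void) { return FIPS_evp_sha224(); }
-const EVP_MD *EVP_sha256(void) { return FIPS_evp_sha256(); }
-const EVP_MD *EVP_sha384(void) { return FIPS_evp_sha384(); }
-const EVP_MD *EVP_sha512(void) { return FIPS_evp_sha512(); }
-
-const EVP_MD *EVP_dss(void) { return FIPS_evp_dss(); }
-const EVP_MD *EVP_dss1(void) { return FIPS_evp_dss1(); }
-const EVP_MD *EVP_ecdsa(void) { return FIPS_evp_ecdsa(); }
-
-#endif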
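--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -347,39 +347,3 @@ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
 int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 ASN1_TYPE *param,
 const EVP_CIPHER *c, const EVP_MD *md, int en_de);
-
-#ifdef OPENSSL_FIPS
-
-#ifdef OPENSSL_DOING_MAKEDEPEND
-#undef SHA1_Init
-#undef SHA1_Update
-#undef SHA224_Init
-#undef SHA256_Init
-#undef SHA384_Init
-#undef SHA512_Init
-#undef DES_set_key_unchecked
-#endif
-
-#define RIPEMD160_Init private_RIPEMD160_Init
-#define WHIRLPOOL_Init private_WHIRLPOOL_Init
-#define MD5_Init private_MD5_Init
-#define MD4_Init private_MD4_Init
-#define MD2_Init private_MD2_Init
-#define MDC2_Init private_MDC2_Init
-#define SHA_Init private_SHA_Init
-#define SHA1_Init private_SHA1_Init
-#define SHA224_Init private_SHA224_Init
-#define SHA256_Init private_SHA256_Init
-#define SHA384_Init private_SHA384_Init
-#define SHA512_Init private_SHA512_Init
-
-#define BF_set_key private_BF_set_key
-#define CAST_set_key private_CAST_set_key
-#define idea_set_encrypt_key private_idea_set_encrypt_key
-#define SEED_set_key private_SEED_set_key
-#define RC2_set_key private_RC2_set_key
-#define RC4_set_key private_RC4_set_key
-#define DES_set_key_unchecked private_DES_set_key_unchecked
-#define Camellia_set_key private_Camellia_set_key
-
-#endif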
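--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -66,7 +66,6 @@
 #endif
 
 #ifndef OPENSSL_NO_SHA
-#ifndef OPENSSL_FIPS
 
 static int init(EVP_MD_CTX *ctx)
 { return SHA1_Init(ctx->md_data); }
@@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void)
 return(&dsa_md);
 }
 #endif
-#endif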
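--- a/src/lib/libcrypto/evp/m_dss1.c
+++ b/src/lib/libcrypto/evp/m_dss1.c
@@ -68,8 +68,6 @@
 #include <openssl/dsa.h>
 #endif
 
-#ifndef OPENSSL_FIPS
-
 static int init(EVP_MD_CTX *ctx)
 { return SHA1_Init(ctx->md_data); }
 
@@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void)
 return(&dss1_md);
 }
 #endif
-#endif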
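--- a/src/lib/libcrypto/evp/m_ecdsa.c
+++ b/src/lib/libcrypto/evp/m_ecdsa.c
@@ -116,7 +116,6 @@
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_SHA
-#ifndef OPENSSL_FIPS
 
 static int init(EVP_MD_CTX *ctx)
 { return SHA1_Init(ctx->md_data); }
@@ -148,4 +147,3 @@ const EVP_MD *EVP_ecdsa(void)
 return(&ecdsa_md);
 }
 #endif
-#endif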
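--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -59,8 +59,6 @@
 #include <stdio.h>
 #include "cryptlib.h"
 
-#ifndef OPENSSL_FIPS
-
 #ifndef OPENSSL_NO_SHA
 
 #include <openssl/evp.h>
@@ -205,5 +203,3 @@ static const EVP_MD sha512_md=
 const EVP_MD *EVP_sha512(void)
 { return(&sha512_md); }
 #endif /* ifndef OPENSSL_NO_SHA512 */
-
-#endif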
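--- a/src/lib/libcrypto/fips_ers.c
+++ /dev/null
@@ -1,7 +0,0 @@
-#include <openssl/opensslconf.h>
-
-#ifdef OPENSSL_FIPS
-# include "fips_err.h"
-#else
-static void *dummy = &dummy;
-#endif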
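--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -61,34 +61,12 @@
 #include "cryptlib.h"
 #include <openssl/hmac.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
 const EVP_MD *md, ENGINE *impl)
 {
 int i,j,reset=0;
 unsigned char pad[HMAC_MAX_MD_CBLOCK];
 
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-{
-/* If we have an ENGINE need to allow non FIPS */
-if ((impl || ctx->i_ctx.engine)
-&& !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
-{
-EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
-return 0;
-}
-/* Other algorithm blocking will be done in FIPS_cmac_init,
-* via FIPS_hmac_init_ex().
-*/
-if (!impl && !ctx->i_ctx.engine)
-return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
-}
-#endif
-
 if (md != NULL)
 {
 reset=1;
@@ -155,10 +133,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
 
 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !ctx->i_ctx.engine)
-return FIPS_hmac_update(ctx, data, len);
-#endif
 return EVP_DigestUpdate(&ctx->md_ctx,data,len);
 }
 
@@ -166,10 +140,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
 {
 unsigned int i;
 unsigned char buf[EVP_MAX_MD_SIZE];
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !ctx->i_ctx.engine)
-return FIPS_hmac_final(ctx, md, len);
-#endif
 
 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
 goto err;
@@ -209,13 +179,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
 
 void HMAC_CTX_cleanup(HMAC_CTX *ctx)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !ctx->i_ctx.engine)
-{
-FIPS_hmac_ctx_cleanup(ctx);
-return;
-}
-#endif
 EVP_MD_CTX_cleanup(&ctx->i_ctx);
 EVP_MD_CTX_cleanup(&ctx->o_ctx);
 EVP_MD_CTX_cleanup(&ctx->md_ctx);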
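--- a/src/lib/libcrypto/idea/i_skey.c
+++ b/src/lib/libcrypto/idea/i_skey.c
@@ -62,13 +62,6 @@
 
 static IDEA_INT inverse(unsigned int xin);
 void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
-#ifdef OPENSSL_FIPS
-{
-fips_cipher_abort(IDEA);
-private_idea_set_encrypt_key(key, ks);
-}
-void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
-#endif
 {
 int i;
 register IDEA_INT *kt,*kf,r0,r1,r2;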
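--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -83,9 +83,6 @@ typedef struct idea_key_st
 const char *idea_options(void);
 void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
 IDEA_KEY_SCHEDULE *ks);
-#ifdef OPENSSL_FIPS
-void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
-#endif
 void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
 void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
 void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,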
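--- a/src/lib/libcrypto/md2/md2.h
+++ b/src/lib/libcrypto/md2/md2.h
@@ -81,9 +81,6 @@ typedef struct MD2state_st
 } MD2_CTX;
 
 const char *MD2_options(void);
-#ifdef OPENSSL_FIPS
-int private_MD2_Init(MD2_CTX *c);
-#endif
 int MD2_Init(MD2_CTX *c);
 int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
 int MD2_Final(unsigned char *md, MD2_CTX *c);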
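--- a/src/lib/libcrypto/md4/md4.h
+++ b/src/lib/libcrypto/md4/md4.h
@@ -105,9 +105,6 @@ typedef struct MD4state_st
 unsigned int num;
 } MD4_CTX;
 
-#ifdef OPENSSL_FIPS
-int private_MD4_Init(MD4_CTX *c);
-#endif
 int MD4_Init(MD4_CTX *c);
 int MD4_Update(MD4_CTX *c, const void *data, size_t len);
 int MD4_Final(unsigned char *md, MD4_CTX *c);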
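--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -105,9 +105,6 @@ typedef struct MD5state_st
 unsigned int num;
 } MD5_CTX;
 
-#ifdef OPENSSL_FIPS
-int private_MD5_Init(MD5_CTX *c);
-#endif
 int MD5_Init(MD5_CTX *c);
 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
 int MD5_Final(unsigned char *md, MD5_CTX *c);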
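--- a/src/lib/libcrypto/mdc2/mdc2.h
+++ b/src/lib/libcrypto/mdc2/mdc2.h
@@ -81,9 +81,6 @@ typedef struct mdc2_ctx_st
 } MDC2_CTX;
 
 
-#ifdef OPENSSL_FIPS
-int private_MDC2_Init(MDC2_CTX *c);
-#endif
 int MDC2_Init(MDC2_CTX *c);
 int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
 int MDC2_Final(unsigned char *md, MDC2_CTX *c);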
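--- a/src/lib/libcrypto/o_fips.c
+++ b/src/lib/libcrypto/o_fips.c
@@ -56,42 +56,20 @@
 */
 
 #include "cryptlib.h"
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#include <openssl/fips_rand.h>
-#include <openssl/rand.h>
-#endif
 
 int
 FIPS_mode(void)
 {
 OPENSSL_init();
-#ifdef OPENSSL_FIPS
-return FIPS_module_mode();
-#else
 return 0;
-#endif
 }
 
 int
 FIPS_mode_set(int r)
 {
 OPENSSL_init();
-#ifdef OPENSSL_FIPS
-#ifndef FIPS_AUTH_USER_PASS
-#define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
-#endif
-if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
-return 0;
-if (r)
-RAND_set_rand_method(FIPS_rand_get_method());
-else
-RAND_set_rand_method(NULL);
-return 1;
-#else
 if (r == 0)
 return 1;
 CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
 return 0;
-#endif
 }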
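Review bot: FIPS_mode() and FIPS_mode_set() are now unconditional stubs but carry no comment saying so, and a caller that ignores the return value of `FIPS_mode_set(1)` will keep running without the mode it asked for. A short comment above each would make the contract explicit, for example `/* FIPS mode is not supported: always returns 0. */` on FIPS_mode and `/* Only r == 0 succeeds; any other value fails with CRYPTO_R_FIPS_MODE_NOT_SUPPORTED, so callers must check the return. */` on FIPS_mode_set. Both functions still call OPENSSL_init(), which after this commit appears to register nothing FIPS-related.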
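--- a/src/lib/libcrypto/o_init.c
+++ b/src/lib/libcrypto/o_init.c
@@ -54,10 +54,6 @@
 
 #include <e_os.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#include <openssl/rand.h>
-#endif
 
 /* Perform any essential OpenSSL initialization operations.
 * Currently only sets FIPS callbacks
@@ -70,12 +66,6 @@ OPENSSL_init(void)
 if (done)
 return;
 done = 1;
-#ifdef OPENSSL_FIPS
-FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
-FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
-FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
-RAND_init_fips();
-#endif
 #if 0
 fprintf(stderr, "Called OPENSSL_init\n");
 #endif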
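Review bot: The header comment kept as context in the first hunk still reads `Currently only sets FIPS callbacks`, but the second hunk removes every FIPS callback registration from OPENSSL_init, leaving only the `done` guard and an `#if 0` debug print. The comment now describes behaviour that no longer exists and should be updated, for example to `/* Kept for API compatibility; performs no initialization now that FIPS support is removed. */`. The function's signature and the declaration of `done` lie outside the hunk.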
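--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -26,11 +26,7 @@
 * major minor fix final patch/beta)
 */
 #define OPENSSL_VERSION_NUMBER 0x1000107fL
-#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014"
-#else
 #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014"
-#endif
 #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
 
 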
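--- a/src/lib/libcrypto/pem/pem_all.c
+++ b/src/lib/libcrypto/pem/pem_all.c
@@ -193,61 +193,8 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
 
 #endif
 
-#ifdef OPENSSL_FIPS
-
-int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
-unsigned char *kstr, int klen,
-pem_password_cb *cb, void *u)
-{
-if (FIPS_mode())
-{
-EVP_PKEY *k;
-int ret;
-k = EVP_PKEY_new();
-if (!k)
-return 0;
-EVP_PKEY_set1_RSA(k, x);
-
-ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
-EVP_PKEY_free(k);
-return ret;
-}
-else
-return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
-PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u);
-}
-
-#ifndef OPENSSL_NO_FP_API
-int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
-unsigned char *kstr, int klen,
-pem_password_cb *cb, void *u)
-{
-if (FIPS_mode())
-{
-EVP_PKEY *k;
-int ret;
-k = EVP_PKEY_new();
-if (!k)
-return 0;
-
-EVP_PKEY_set1_RSA(k, x);
-
-ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
-EVP_PKEY_free(k);
-return ret;
-}
-else
-return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
-PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u);
-}
-#endif
-
-#else
-
 IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
 
-#endif
-
 IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
 
@@ -277,59 +224,8 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
 return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
 }
 
-#ifdef OPENSSL_FIPS
-
-int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
-unsigned char *kstr, int klen,
-pem_password_cb *cb, void *u)
-{
-if (FIPS_mode())
-{
-EVP_PKEY *k;
-int ret;
-k = EVP_PKEY_new();
-if (!k)
-return 0;
-EVP_PKEY_set1_DSA(k, x);
-
-ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
-EVP_PKEY_free(k);
-return ret;
-}
-else
-return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
-PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u);
-}
-
-#ifndef OPENSSL_NO_FP_API
-int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
-unsigned char *kstr, int klen,
-pem_password_cb *cb, void *u)
-{
-if (FIPS_mode())
-{
-EVP_PKEY *k;
-int ret;
-k = EVP_PKEY_new();
-if (!k)
-return 0;
-EVP_PKEY_set1_DSA(k, x);
-ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
-EVP_PKEY_free(k);
-return ret;
-}
-else
-return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
-PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u);
-}
-#endif
-
-#else
-
 IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
 
-#endif
-
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API
@@ -377,61 +273,8 @@ IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKPa
 
 
 
-#ifdef OPENSSL_FIPS
-
-int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
-unsigned char *kstr, int klen,
-pem_password_cb *cb, void *u)
-{
-if (FIPS_mode())
-{
-EVP_PKEY *k;
-int ret;
-k = EVP_PKEY_new();
-if (!k)
-return 0;
-EVP_PKEY_set1_EC_KEY(k, x);
-
-ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
-EVP_PKEY_free(k);
-return ret;
-}
-else
-return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
-PEM_STRING_ECPRIVATEKEY,
-bp,x,enc,kstr,klen,cb,u);
-}
-
-#ifndef OPENSSL_NO_FP_API
-int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
-unsigned char *kstr, int klen,
-pem_password_cb *cb, void *u)
-{
-if (FIPS_mode())
-{
-EVP_PKEY *k;
-int ret;
-k = EVP_PKEY_new();
-if (!k)
-return 0;
-EVP_PKEY_set1_EC_KEY(k, x);
-ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
-EVP_PKEY_free(k);
-return ret;
-}
-else
-return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
-PEM_STRING_ECPRIVATEKEY,
-fp,x,enc,kstr,klen,cb,u);
-}
-#endif
-
-#else
-
 IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
 
-#endif
-
 IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API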
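--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -91,11 +91,6 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 /* Set defaults */
 if (!nid_cert)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-else
-#endif
 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
 }
 if (!nid_key)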
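Review bot: With the FIPS branch gone, the only default left for `nid_cert` in PKCS12_create is `NID_pbe_WithSHA1And40BitRC2_CBC`, so a caller passing 0 gets the certificate bag protected with 40-bit RC2, which gives very little confidentiality. If interoperability with older importers allows it, the default could become `nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;`, the value the removed branch used. Otherwise a comment such as `/* weak 40-bit RC2 default kept for compatibility; pass nid_cert explicitly for stronger protection */` would record the trade-off. PKCS12_create starts and ends outside this hunk, so the default chosen for `nid_key` is not visible here.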
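--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -79,9 +79,6 @@ typedef struct rc2_key_st
 RC2_INT data[64];
 } RC2_KEY;
 
-#ifdef OPENSSL_FIPS
-void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
-#endif
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
 void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
 int enc);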
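--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ b/src/lib/libcrypto/rc2/rc2_skey.c
@@ -96,13 +96,6 @@ static const unsigned char key_table[256]={
 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses
 * a version where the bits parameter is the same as len*8 */
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
-#ifdef OPENSSL_FIPS
-{
-fips_cipher_abort(RC2);
-private_RC2_set_key(key, len, data, bits);
-}
-void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
-#endif
 {
 int i,j;
 unsigned char *k;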
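--- a/src/lib/libcrypto/rc4/rc4_utl.c
+++ b/src/lib/libcrypto/rc4/rc4_utl.c
@@ -55,8 +55,5 @@
 
 void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
 {
-#ifdef OPENSSL_FIPS
-fips_cipher_abort(RC4);
-#endif
 private_RC4_set_key(key, len, data);
 }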
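--- a/src/lib/libcrypto/ripemd/ripemd.h
+++ b/src/lib/libcrypto/ripemd/ripemd.h
@@ -91,9 +91,6 @@ typedef struct RIPEMD160state_st
 unsigned int num;
 } RIPEMD160_CTX;
 
-#ifdef OPENSSL_FIPS
-int private_RIPEMD160_Init(RIPEMD160_CTX *c);
-#endif
 int RIPEMD160_Init(RIPEMD160_CTX *c);
 int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
 int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);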
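--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -75,56 +75,24 @@ int RSA_size(const RSA *r)
 int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
 RSA *rsa, int padding)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-{
-RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-return -1;
-}
-#endif
 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
 }
 
 int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
 RSA *rsa, int padding)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-{
-RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-return -1;
-}
-#endif
 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
 }
 
 int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
 RSA *rsa, int padding)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-{
-RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-return -1;
-}
-#endif
 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
 }
 
 int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
 RSA *rsa, int padding)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-{
-RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-return -1;
-}
-#endif
 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
 }
 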
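--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,9 +67,6 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
 
@@ -80,20 +77,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 * now just because key-generation is part of RSA_METHOD. */
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-{
-RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
-return 0;
-}
-#endif
 if(rsa->meth->rsa_keygen)
 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
-#endif
 return rsa_builtin_keygen(rsa, bits, e_value, cb);
 }
 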
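--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,10 +67,6 @@
 #include <openssl/engine.h>
 #endif
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
 
 static const RSA_METHOD *default_RSA_meth=NULL;
@@ -91,18 +87,11 @@ const RSA_METHOD *RSA_get_default_method(void)
 {
 if (default_RSA_meth == NULL)
 {
-#ifdef OPENSSL_FIPS
-if (FIPS_mode())
-return FIPS_rsa_pkcs1_ssleay();
-else
-return RSA_PKCS1_SSLeay();
-#else
 #ifdef RSA_NULL
 default_RSA_meth=RSA_null_method();
 #else
 default_RSA_meth=RSA_PKCS1_SSLeay();
 #endif
-#endif
 }
 
 return default_RSA_meth;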
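--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -66,9 +66,6 @@
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
 #endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 #include "evp_locl.h"
 #include "rsa_locl.h"
 
@@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 OPENSSL_free(rctx);
 }
 }
-#ifdef OPENSSL_FIPS
-/* FIP checker. Return value indicates status of context parameters:
-* 1 : redirect to FIPS.
-* 0 : don't redirect to FIPS.
-* -1 : illegal operation in FIPS mode.
-*/
-
-static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
-{
-RSA_PKEY_CTX *rctx = ctx->data;
-RSA *rsa = ctx->pkey->pkey.rsa;
-int rv = -1;
-if (!FIPS_mode())
-return 0;
-if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-rv = 0;
-if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
-return -1;
-if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
-return rv;
-if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
-return rv;
-return 1;
-}
-#endif
-
 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 const unsigned char *tbs, size_t tbslen)
 {
@@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 RSA_PKEY_CTX *rctx = ctx->data;
 RSA *rsa = ctx->pkey->pkey.rsa;
 
-#ifdef OPENSSL_FIPS
-ret = pkey_fips_check_ctx(ctx);
-if (ret < 0)
-{
-RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-return -1;
-}
-#endif
-
 if (rctx->md)
 {
 if (tbslen != (size_t)EVP_MD_size(rctx->md))
@@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 RSA_R_INVALID_DIGEST_LENGTH);
 return -1;
 }
-#ifdef OPENSSL_FIPS
-if (ret > 0)
-{
-unsigned int slen;
-ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
-rctx->pad_mode,
-rctx->saltlen,
-rctx->mgf1md,
-sig, &slen);
-if (ret > 0)
-*siglen = slen;
-else
-*siglen = 0;
-return ret;
-}
-#endif
 
 if (EVP_MD_type(rctx->md) == NID_mdc2)
 {
@@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
 RSA_PKEY_CTX *rctx = ctx->data;
 RSA *rsa = ctx->pkey->pkey.rsa;
 size_t rslen;
-#ifdef OPENSSL_FIPS
-int rv;
-rv = pkey_fips_check_ctx(ctx);
-if (rv < 0)
-{
-RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-return -1;
-}
-#endif
 if (rctx->md)
 {
-#ifdef OPENSSL_FIPS
-if (rv > 0)
-{
-return FIPS_rsa_verify_digest(rsa,
-tbs, tbslen,
-rctx->md,
-rctx->pad_mode,
-rctx->saltlen,
-rctx->mgf1md,
-sig, siglen);
-
-}
-#endif
 if (rctx->pad_mode == RSA_PKCS1_PADDING)
 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
 sig, siglen, rsa);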
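--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -77,14 +77,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
 const unsigned char *s = NULL;
 X509_ALGOR algor;
 ASN1_OCTET_STRING digest;
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-{
-RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
-return 0;
-}
-#endif
 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
 {
 return rsa->meth->rsa_sign(type, m, m_len,
@@ -161,15 +153,6 @@ int int_rsa_verify(int dtype, const unsigned char *m,
 unsigned char *s;
 X509_SIG *sig=NULL;
 
-#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-{
-RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
-return 0;
-}
-#endif
-
 if (siglen != (unsigned int)RSA_size(rsa))
 {
 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);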
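--- a/src/lib/libcrypto/seed/seed.c
+++ b/src/lib/libcrypto/seed/seed.c
@@ -198,13 +198,6 @@ static const seed_word KC[] = {
 KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 };
 #endif
 void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
-#ifdef OPENSSL_FIPS
-{
-fips_cipher_abort(SEED);
-private_SEED_set_key(rawkey, ks);
-}
-void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
-#endif
 {
 seed_word x1, x2, x3, x4;
 seed_word t0, t1;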
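--- a/src/lib/libcrypto/seed/seed.h
+++ b/src/lib/libcrypto/seed/seed.h
@@ -116,9 +116,6 @@ typedef struct seed_key_st {
 #endif
 } SEED_KEY_SCHEDULE;
 
-#ifdef OPENSSL_FIPS
-void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
-#endif
 void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
 
 void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks);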
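--- a/src/lib/libcrypto/sha/sha.h
+++ b/src/lib/libcrypto/sha/sha.h
@@ -70,10 +70,6 @@ extern "C" {
 #error SHA is disabled.
 #endif
 
-#if defined(OPENSSL_FIPS)
-#define FIPS_SHA_SIZE_T size_t
-#endif
-
 /*
 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
@@ -106,9 +102,6 @@ typedef struct SHAstate_st
 } SHA_CTX;
 
 #ifndef OPENSSL_NO_SHA0
-#ifdef OPENSSL_FIPS
-int private_SHA_Init(SHA_CTX *c);
-#endif
 int SHA_Init(SHA_CTX *c);
 int SHA_Update(SHA_CTX *c, const void *data, size_t len);
 int SHA_Final(unsigned char *md, SHA_CTX *c);
@@ -116,9 +109,6 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md);
 void SHA_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
 #ifndef OPENSSL_NO_SHA1
-#ifdef OPENSSL_FIPS
-int private_SHA1_Init(SHA_CTX *c);
-#endif
 int SHA1_Init(SHA_CTX *c);
 int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
 int SHA1_Final(unsigned char *md, SHA_CTX *c);
@@ -141,10 +131,6 @@ typedef struct SHA256state_st
 } SHA256_CTX;
 
 #ifndef OPENSSL_NO_SHA256
-#ifdef OPENSSL_FIPS
-int private_SHA224_Init(SHA256_CTX *c);
-int private_SHA256_Init(SHA256_CTX *c);
-#endif
 int SHA224_Init(SHA256_CTX *c);
 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
 int SHA224_Final(unsigned char *md, SHA256_CTX *c);
@@ -192,10 +178,6 @@ typedef struct SHA512state_st
 #endif
 
 #ifndef OPENSSL_NO_SHA512
-#ifdef OPENSSL_FIPS
-int private_SHA384_Init(SHA512_CTX *c);
-int private_SHA512_Init(SHA512_CTX *c);
-#endif
 int SHA384_Init(SHA512_CTX *c);
 int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
 int SHA384_Final(unsigned char *md, SHA512_CTX *c);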
| diff --git a/src/lib/libcrypto/whrlpool/whrlpool.h b/src/lib/libcrypto/whrlpool/whrlpool.h index 9e01f5b076..03c91da115 100644 --- a/src/lib/libcrypto/whrlpool/whrlpool.h +++ b/src/lib/libcrypto/whrlpool/whrlpool.h | |||
| @@ -24,9 +24,6 @@ typedef struct { | |||
| 24 | } WHIRLPOOL_CTX; | 24 | } WHIRLPOOL_CTX; | 
| 25 | 25 | ||
| 26 | #ifndef OPENSSL_NO_WHIRLPOOL | 26 | #ifndef OPENSSL_NO_WHIRLPOOL | 
| 27 | #ifdef OPENSSL_FIPS | ||
| 28 | int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c); | ||
| 29 | #endif | ||
| 30 | int WHIRLPOOL_Init (WHIRLPOOL_CTX *c); | 27 | int WHIRLPOOL_Init (WHIRLPOOL_CTX *c); | 
| 31 | int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes); | 28 | int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes); | 
| 32 | void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits); | 29 | void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits); | 
