remove FIPS mode support. people who require FIPS can buy something that

meets their needs, but dumping it in here only penalizes the rest of us. ok beck deraadt
author: tedu <> 2014-04-15 20:06:10 +0000
committer: tedu <> 2014-04-15 20:06:10 +0000
commit: 3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 (patch)
tree: 11be20c8110348001494179db4f9b0b67ce149ba /src/lib/libcrypto/cmac
parent: 4c8a9a73429ac4a1d79f4bab6a397df643934861 (diff)
download: openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.gz
openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.bz2
openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.zip
1 files changed, 2 insertions, 37 deletions
diff --git a/src/lib/libcrypto/cmac/cmac.c b/src/lib/libcrypto/cmac/cmac.c
index 8b72b09681..f92a7bb143 100644
--- a/src/lib/libcrypto/cmac/cmac.c
+++ b/src/lib/libcrypto/cmac/cmac.c
@@ -57,10 +57,6 @@
 #include "cryptlib.h"
 #include <openssl/cmac.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 struct CMAC_CTX_st
        {
        /* Cipher context to use */
@@ -107,13 +103,6 @@ CMAC_CTX *CMAC_CTX_new(void)
 void CMAC_CTX_cleanup(CMAC_CTX *ctx)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !ctx->cctx.engine)
-                {
-                FIPS_cmac_ctx_cleanup(ctx);
-                return;
-                }
-#endif
        EVP_CIPHER_CTX_cleanup(&ctx->cctx);
        OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
        OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
@@ -153,24 +142,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
                        const EVP_CIPHER *cipher, ENGINE *impl)
        {
        static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode())
-                {
-                /* If we have an ENGINE need to allow non FIPS */
-                if ((impl || ctx->cctx.engine)
-                        && !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
-                        {
-                        EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
-                        return 0;
-                        }
-                /* Other algorithm blocking will be done in FIPS_cmac_init,
-                 * via FIPS_cipherinit().
-                 */
-                if (!impl && !ctx->cctx.engine)
-                        return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
-                }
-#endif
        /* All zeros means restart */
        if (!key && !cipher && !impl && keylen == 0)
                {
@@ -216,10 +187,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
        {
        const unsigned char *data = in;
        size_t bl;
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !ctx->cctx.engine)
-                return FIPS_cmac_update(ctx, in, dlen);
-#endif
        if (ctx->nlast_block == -1)
                return 0;
        if (dlen == 0)
@@ -261,10 +229,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
        {
        int i, bl, lb;
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !ctx->cctx.engine)
-                return FIPS_cmac_final(ctx, out, poutlen);
-#endif
        if (ctx->nlast_block == -1)
                return 0;
        bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
author	tedu <>	2014-04-15 20:06:10 +0000
committer	tedu <>	2014-04-15 20:06:10 +0000
commit	3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 (patch)
tree	11be20c8110348001494179db4f9b0b67ce149ba /src/lib/libcrypto/cmac
parent	4c8a9a73429ac4a1d79f4bab6a397df643934861 (diff)
download	openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.gz openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.bz2 openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.zip

diff --git a/src/lib/libcrypto/cmac/cmac.c b/src/lib/libcrypto/cmac/cmac.c index 8b72b09681..f92a7bb143 100644 --- a/src/lib/libcrypto/cmac/cmac.c +++ b/src/lib/libcrypto/cmac/cmac.c
@@ -57,10 +57,6 @@
57	#include "cryptlib.h"	57	#include "cryptlib.h"
58	#include <openssl/cmac.h>	58	#include <openssl/cmac.h>
59		59
60	#ifdef OPENSSL_FIPS
61	#include <openssl/fips.h>
62	#endif
63
64	struct CMAC_CTX_st	60	struct CMAC_CTX_st
65	{	61	{
66	/* Cipher context to use */	62	/* Cipher context to use */
@@ -107,13 +103,6 @@ CMAC_CTX *CMAC_CTX_new(void)
107		103
108	void CMAC_CTX_cleanup(CMAC_CTX *ctx)	104	void CMAC_CTX_cleanup(CMAC_CTX *ctx)
109	{	105	{
110	#ifdef OPENSSL_FIPS
111	if (FIPS_mode() && !ctx->cctx.engine)
112	{
113	FIPS_cmac_ctx_cleanup(ctx);
114	return;
115	}
116	#endif
117	EVP_CIPHER_CTX_cleanup(&ctx->cctx);	106	EVP_CIPHER_CTX_cleanup(&ctx->cctx);
118	OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);	107	OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
119	OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);	108	OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
@@ -153,24 +142,6 @@ int CMAC_Init(CMAC_CTX ctx, const void key, size_t keylen,
153	const EVP_CIPHER cipher, ENGINE impl)	142	const EVP_CIPHER cipher, ENGINE impl)
154	{	143	{
155	static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];	144	static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
156	#ifdef OPENSSL_FIPS
157	if (FIPS_mode())
158	{
159	/* If we have an ENGINE need to allow non FIPS */
160	if ((impl \|\| ctx->cctx.engine)
161	&& !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
162
163	{
164	EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
165	return 0;
166	}
167	/* Other algorithm blocking will be done in FIPS_cmac_init,
168	* via FIPS_cipherinit().
169	*/
170	if (!impl && !ctx->cctx.engine)
171	return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
172	}
173	#endif
174	/* All zeros means restart */	145	/* All zeros means restart */
175	if (!key && !cipher && !impl && keylen == 0)	146	if (!key && !cipher && !impl && keylen == 0)
176	{	147	{
@@ -216,10 +187,7 @@ int CMAC_Update(CMAC_CTX ctx, const void in, size_t dlen)
216	{	187	{
217	const unsigned char *data = in;	188	const unsigned char *data = in;
218	size_t bl;	189	size_t bl;
219	#ifdef OPENSSL_FIPS	190
220	if (FIPS_mode() && !ctx->cctx.engine)
221	return FIPS_cmac_update(ctx, in, dlen);
222	#endif
223	if (ctx->nlast_block == -1)	191	if (ctx->nlast_block == -1)
224	return 0;	192	return 0;
225	if (dlen == 0)	193	if (dlen == 0)
@@ -261,10 +229,7 @@ int CMAC_Update(CMAC_CTX ctx, const void in, size_t dlen)
261	int CMAC_Final(CMAC_CTX ctx, unsigned char out, size_t *poutlen)	229	int CMAC_Final(CMAC_CTX ctx, unsigned char out, size_t *poutlen)
262	{	230	{
263	int i, bl, lb;	231	int i, bl, lb;
264	#ifdef OPENSSL_FIPS	232
265	if (FIPS_mode() && !ctx->cctx.engine)
266	return FIPS_cmac_final(ctx, out, poutlen);
267	#endif
268	if (ctx->nlast_block == -1)	233	if (ctx->nlast_block == -1)
269	return 0;	234	return 0;
270	bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);	235	bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);