remove FIPS mode support. people who require FIPS can buy something that

meets their needs, but dumping it in here only penalizes the rest of us. ok beck deraadt
author: tedu <> 2014-04-15 20:06:10 +0000
committer: tedu <> 2014-04-15 20:06:10 +0000
commit: 3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 (patch)
tree: 11be20c8110348001494179db4f9b0b67ce149ba /src/lib/libcrypto/dsa
parent: 4c8a9a73429ac4a1d79f4bab6a397df643934861 (diff)
download: openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.gz
openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.bz2
openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.zip
5 files changed, 0 insertions, 71 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index c398761d0d..e6a5452016 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -81,33 +81,13 @@
 #include <openssl/sha.h>
 #include "dsa_locl.h"
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 int DSA_generate_parameters_ex(DSA *ret, int bits,
                const unsigned char *seed_in, int seed_len,
                int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
-                        && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
-                {
-                DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
-                return 0;
-                }
-#endif
        if(ret->meth->dsa_paramgen)
                return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
                                counter_ret, h_ret, cb);
-#ifdef OPENSSL_FIPS
-        else if (FIPS_mode())
-                {
-                return FIPS_dsa_generate_parameters_ex(ret, bits, 
-                                                        seed_in, seed_len,
-                                                        counter_ret, h_ret, cb);
-                }
-#endif
        else
                {
                const EVP_MD *evpmd;
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 9cf669b921..c4aa86bc6d 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,28 +64,12 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 static int dsa_builtin_keygen(DSA *dsa);
 int DSA_generate_key(DSA *dsa)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-                {
-                DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
-                return 0;
-                }
-#endif
        if(dsa->meth->dsa_keygen)
                return dsa->meth->dsa_keygen(dsa);
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode())
-                return FIPS_dsa_generate_key(dsa);
-#endif
        return dsa_builtin_keygen(dsa);
        }
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index 96d8d0c4b4..897c085968 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -70,10 +70,6 @@
 #include <openssl/dh.h>
 #endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
 static const DSA_METHOD *default_DSA_method = NULL;
@@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void)
        {
        if(!default_DSA_method)
                {
-#ifdef OPENSSL_FIPS
-                if (FIPS_mode())
-                        return FIPS_dsa_openssl();
-                else
-                        return DSA_OpenSSL();
-#else
                default_DSA_method = DSA_OpenSSL();
-#endif
                }
        return default_DSA_method;
        }
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index c3cc3642ce..e02365a8b1 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -65,27 +65,11 @@
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-                {
-                DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
-                return NULL;
-                }
-#endif
        return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
        }
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-                {
-                DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
-                return 0;
-                }
-#endif
        return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
        }
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 674cb5fa5f..286ed28cfa 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,13 +64,5 @@
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                  DSA *dsa)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-                {
-                DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
-                return -1;
-                }
-#endif
        return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
        }
author	tedu <>	2014-04-15 20:06:10 +0000
committer	tedu <>	2014-04-15 20:06:10 +0000
commit	3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 (patch)
tree	11be20c8110348001494179db4f9b0b67ce149ba /src/lib/libcrypto/dsa
parent	4c8a9a73429ac4a1d79f4bab6a397df643934861 (diff)
download	openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.gz openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.bz2 openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.zip

diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c index c398761d0d..e6a5452016 100644 --- a/src/lib/libcrypto/dsa/dsa_gen.c +++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -81,33 +81,13 @@
81	#include <openssl/sha.h>	81	#include <openssl/sha.h>
82	#include "dsa_locl.h"	82	#include "dsa_locl.h"
83		83
84	#ifdef OPENSSL_FIPS
85	#include <openssl/fips.h>
86	#endif
87
88	int DSA_generate_parameters_ex(DSA *ret, int bits,	84	int DSA_generate_parameters_ex(DSA *ret, int bits,
89	const unsigned char *seed_in, int seed_len,	85	const unsigned char *seed_in, int seed_len,
90	int counter_ret, unsigned long h_ret, BN_GENCB *cb)	86	int counter_ret, unsigned long h_ret, BN_GENCB *cb)
91	{	87	{
92	#ifdef OPENSSL_FIPS
93	if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
94	&& !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
95	{
96	DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
97	return 0;
98	}
99	#endif
100	if(ret->meth->dsa_paramgen)	88	if(ret->meth->dsa_paramgen)
101	return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,	89	return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
102	counter_ret, h_ret, cb);	90	counter_ret, h_ret, cb);
103	#ifdef OPENSSL_FIPS
104	else if (FIPS_mode())
105	{
106	return FIPS_dsa_generate_parameters_ex(ret, bits,
107	seed_in, seed_len,
108	counter_ret, h_ret, cb);
109	}
110	#endif
111	else	91	else
112	{	92	{
113	const EVP_MD *evpmd;	93	const EVP_MD *evpmd;


diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c index 9cf669b921..c4aa86bc6d 100644 --- a/src/lib/libcrypto/dsa/dsa_key.c +++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,28 +64,12 @@
64	#include <openssl/dsa.h>	64	#include <openssl/dsa.h>
65	#include <openssl/rand.h>	65	#include <openssl/rand.h>
66		66
67	#ifdef OPENSSL_FIPS
68	#include <openssl/fips.h>
69	#endif
70
71	static int dsa_builtin_keygen(DSA *dsa);	67	static int dsa_builtin_keygen(DSA *dsa);
72		68
73	int DSA_generate_key(DSA *dsa)	69	int DSA_generate_key(DSA *dsa)
74	{	70	{
75	#ifdef OPENSSL_FIPS
76	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
77	&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
78	{
79	DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
80	return 0;
81	}
82	#endif
83	if(dsa->meth->dsa_keygen)	71	if(dsa->meth->dsa_keygen)
84	return dsa->meth->dsa_keygen(dsa);	72	return dsa->meth->dsa_keygen(dsa);
85	#ifdef OPENSSL_FIPS
86	if (FIPS_mode())
87	return FIPS_dsa_generate_key(dsa);
88	#endif
89	return dsa_builtin_keygen(dsa);	73	return dsa_builtin_keygen(dsa);
90	}	74	}
91		75


diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c index 96d8d0c4b4..897c085968 100644 --- a/src/lib/libcrypto/dsa/dsa_lib.c +++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -70,10 +70,6 @@
70	#include <openssl/dh.h>	70	#include <openssl/dh.h>
71	#endif	71	#endif
72		72
73	#ifdef OPENSSL_FIPS
74	#include <openssl/fips.h>
75	#endif
76
77	const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;	73	const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
78		74
79	static const DSA_METHOD *default_DSA_method = NULL;	75	static const DSA_METHOD *default_DSA_method = NULL;
@@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void)
87	{	83	{
88	if(!default_DSA_method)	84	if(!default_DSA_method)
89	{	85	{
90	#ifdef OPENSSL_FIPS
91	if (FIPS_mode())
92	return FIPS_dsa_openssl();
93	else
94	return DSA_OpenSSL();
95	#else
96	default_DSA_method = DSA_OpenSSL();	86	default_DSA_method = DSA_OpenSSL();
97	#endif
98	}	87	}
99	return default_DSA_method;	88	return default_DSA_method;
100	}	89	}


diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c index c3cc3642ce..e02365a8b1 100644 --- a/src/lib/libcrypto/dsa/dsa_sign.c +++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -65,27 +65,11 @@
65		65
66	DSA_SIG * DSA_do_sign(const unsigned char dgst, int dlen, DSA dsa)	66	DSA_SIG * DSA_do_sign(const unsigned char dgst, int dlen, DSA dsa)
67	{	67	{
68	#ifdef OPENSSL_FIPS
69	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
70	&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
71	{
72	DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
73	return NULL;
74	}
75	#endif
76	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);	68	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
77	}	69	}
78		70
79	int DSA_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)	71	int DSA_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
80	{	72	{
81	#ifdef OPENSSL_FIPS
82	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
83	&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
84	{
85	DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
86	return 0;
87	}
88	#endif
89	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);	73	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
90	}	74	}
91		75


diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c index 674cb5fa5f..286ed28cfa 100644 --- a/src/lib/libcrypto/dsa/dsa_vrf.c +++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,13 +64,5 @@
64	int DSA_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,	64	int DSA_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
65	DSA *dsa)	65	DSA *dsa)
66	{	66	{
67	#ifdef OPENSSL_FIPS
68	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
69	&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
70	{
71	DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
72	return -1;
73	}
74	#endif
75	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);	67	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
76	}	68	}