remove FIPS mode support. people who require FIPS can buy something that

meets their needs, but dumping it in here only penalizes the rest of us. ok beck deraadt
author: tedu <> 2014-04-15 20:06:10 +0000
committer: tedu <> 2014-04-15 20:06:10 +0000
commit: 3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 (patch)
tree: 11be20c8110348001494179db4f9b0b67ce149ba /src/lib/libcrypto/rsa
parent: 4c8a9a73429ac4a1d79f4bab6a397df643934861 (diff)
download: openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.gz
openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.bz2
openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.zip
5 files changed, 0 insertions, 151 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
index d3e44785dc..7750366613 100644
--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -75,56 +75,24 @@ int RSA_size(const RSA *r)
 int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
             RSA *rsa, int padding)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                {
-                RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-                return -1;
-                }
-#endif
        return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
        }
 int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
             RSA *rsa, int padding)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                {
-                RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-                return -1;
-                }
-#endif
        return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
        }
 int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
             RSA *rsa, int padding)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                {
-                RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-                return -1;
-                }
-#endif
        return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
        }
 int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
             RSA *rsa, int padding)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                {
-                RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-                return -1;
-                }
-#endif
        return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
        }
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 42290cce66..767f7ab682 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,9 +67,6 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
@@ -80,20 +77,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 * now just because key-generation is part of RSA_METHOD. */
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                {
-                RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
-                return 0;
-                }
-#endif
        if(rsa->meth->rsa_keygen)
                return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode())
-                return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
-#endif
        return rsa_builtin_keygen(rsa, bits, e_value, cb);
        }
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index c95ceafc82..9e3f7dafcd 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,10 +67,6 @@
 #include <openssl/engine.h>
 #endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
 static const RSA_METHOD *default_RSA_meth=NULL;
@@ -91,18 +87,11 @@ const RSA_METHOD *RSA_get_default_method(void)
        {
        if (default_RSA_meth == NULL)
                {
-#ifdef OPENSSL_FIPS
-                if (FIPS_mode())
-                        return FIPS_rsa_pkcs1_ssleay();
-                else
-                        return RSA_PKCS1_SSLeay();
-#else
 #ifdef RSA_NULL
                default_RSA_meth=RSA_null_method();
 #else
                default_RSA_meth=RSA_PKCS1_SSLeay();
 #endif
-#endif
                }
        return default_RSA_meth;
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 157aa5c41d..d706d35ff6 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -66,9 +66,6 @@
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
 #endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 #include "evp_locl.h"
 #include "rsa_locl.h"
@@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
                OPENSSL_free(rctx);
                }
        }
-#ifdef OPENSSL_FIPS
-/* FIP checker. Return value indicates status of context parameters:
- * 1  : redirect to FIPS.
- * 0  : don't redirect to FIPS.
- * -1 : illegal operation in FIPS mode.
- */
-static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
-        {
-        RSA_PKEY_CTX *rctx = ctx->data;
-        RSA *rsa = ctx->pkey->pkey.rsa;
-        int rv = -1;
-        if (!FIPS_mode())
-                return 0;
-        if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-                rv = 0;
-        if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
-                return -1;
-        if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
-                return rv;
-        if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
-                return rv;
-        return 1;
-        }
-#endif
 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                                        const unsigned char *tbs, size_t tbslen)
        {
@@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
        RSA_PKEY_CTX *rctx = ctx->data;
        RSA *rsa = ctx->pkey->pkey.rsa;
-#ifdef OPENSSL_FIPS
-        ret = pkey_fips_check_ctx(ctx);
-        if (ret < 0)
-                {
-                RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-                return -1;
-                }
-#endif
        if (rctx->md)
                {
                if (tbslen != (size_t)EVP_MD_size(rctx->md))
@@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                                        RSA_R_INVALID_DIGEST_LENGTH);
                        return -1;
                        }
-#ifdef OPENSSL_FIPS
-                if (ret > 0)
-                        {
-                        unsigned int slen;
-                        ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
-                                                        rctx->pad_mode,
-                                                        rctx->saltlen,
-                                                        rctx->mgf1md,
-                                                        sig, &slen);
-                        if (ret > 0)
-                                *siglen = slen;
-                        else
-                                *siglen = 0;
-                        return ret;
-                        }
-#endif
                if (EVP_MD_type(rctx->md) == NID_mdc2)
                        {
@@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
        RSA_PKEY_CTX *rctx = ctx->data;
        RSA *rsa = ctx->pkey->pkey.rsa;
        size_t rslen;
-#ifdef OPENSSL_FIPS
-        int rv;
-        rv = pkey_fips_check_ctx(ctx);
-        if (rv < 0)
-                {
-                RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-                return -1;
-                }
-#endif
        if (rctx->md)
                {
-#ifdef OPENSSL_FIPS
-                if (rv > 0)
-                        {
-                        return FIPS_rsa_verify_digest(rsa,
-                                                        tbs, tbslen,
-                                                        rctx->md,
-                                                        rctx->pad_mode,
-                                                        rctx->saltlen,
-                                                        rctx->mgf1md,
-                                                        sig, siglen);
-                                                        
-                        }
-#endif
                if (rctx->pad_mode == RSA_PKCS1_PADDING)
                        return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
                                        sig, siglen, rsa);
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index b6f6037ae0..fa3239ab30 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -77,14 +77,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
        const unsigned char *s = NULL;
        X509_ALGOR algor;
        ASN1_OCTET_STRING digest;
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                {
-                RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
-                return 0;
-                }
-#endif
        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
                {
                return rsa->meth->rsa_sign(type, m, m_len,
@@ -161,15 +153,6 @@ int int_rsa_verify(int dtype, const unsigned char *m,
        unsigned char *s;
        X509_SIG *sig=NULL;
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                {
-                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
-                return 0;
-                }
-#endif
        if (siglen != (unsigned int)RSA_size(rsa))
                {
                RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
author	tedu <>	2014-04-15 20:06:10 +0000
committer	tedu <>	2014-04-15 20:06:10 +0000
commit	3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 (patch)
tree	11be20c8110348001494179db4f9b0b67ce149ba /src/lib/libcrypto/rsa
parent	4c8a9a73429ac4a1d79f4bab6a397df643934861 (diff)
download	openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.gz openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.tar.bz2 openbsd-3c7d2178681a2741a8cc8a042cb2ea6ee28528b8.zip

diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c index d3e44785dc..7750366613 100644 --- a/src/lib/libcrypto/rsa/rsa_crpt.c +++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -75,56 +75,24 @@ int RSA_size(const RSA *r)
75	int RSA_public_encrypt(int flen, const unsigned char from, unsigned char to,	75	int RSA_public_encrypt(int flen, const unsigned char from, unsigned char to,
76	RSA *rsa, int padding)	76	RSA *rsa, int padding)
77	{	77	{
78	#ifdef OPENSSL_FIPS
79	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
80	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
81	{
82	RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
83	return -1;
84	}
85	#endif
86	return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));	78	return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
87	}	79	}
88		80
89	int RSA_private_encrypt(int flen, const unsigned char from, unsigned char to,	81	int RSA_private_encrypt(int flen, const unsigned char from, unsigned char to,
90	RSA *rsa, int padding)	82	RSA *rsa, int padding)
91	{	83	{
92	#ifdef OPENSSL_FIPS
93	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
94	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
95	{
96	RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
97	return -1;
98	}
99	#endif
100	return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));	84	return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
101	}	85	}
102		86
103	int RSA_private_decrypt(int flen, const unsigned char from, unsigned char to,	87	int RSA_private_decrypt(int flen, const unsigned char from, unsigned char to,
104	RSA *rsa, int padding)	88	RSA *rsa, int padding)
105	{	89	{
106	#ifdef OPENSSL_FIPS
107	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
108	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
109	{
110	RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
111	return -1;
112	}
113	#endif
114	return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));	90	return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
115	}	91	}
116		92
117	int RSA_public_decrypt(int flen, const unsigned char from, unsigned char to,	93	int RSA_public_decrypt(int flen, const unsigned char from, unsigned char to,
118	RSA *rsa, int padding)	94	RSA *rsa, int padding)
119	{	95	{
120	#ifdef OPENSSL_FIPS
121	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
122	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
123	{
124	RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
125	return -1;
126	}
127	#endif
128	return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));	96	return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
129	}	97	}
130		98


diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c index 42290cce66..767f7ab682 100644 --- a/src/lib/libcrypto/rsa/rsa_gen.c +++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,9 +67,6 @@
67	#include "cryptlib.h"	67	#include "cryptlib.h"
68	#include <openssl/bn.h>	68	#include <openssl/bn.h>
69	#include <openssl/rsa.h>	69	#include <openssl/rsa.h>
70	#ifdef OPENSSL_FIPS
71	#include <openssl/fips.h>
72	#endif
73		70
74	static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb);	71	static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb);
75		72
@@ -80,20 +77,8 @@ static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
80	* now just because key-generation is part of RSA_METHOD. */	77	* now just because key-generation is part of RSA_METHOD. */
81	int RSA_generate_key_ex(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)	78	int RSA_generate_key_ex(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
82	{	79	{
83	#ifdef OPENSSL_FIPS
84	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
85	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
86	{
87	RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
88	return 0;
89	}
90	#endif
91	if(rsa->meth->rsa_keygen)	80	if(rsa->meth->rsa_keygen)
92	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);	81	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
93	#ifdef OPENSSL_FIPS
94	if (FIPS_mode())
95	return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
96	#endif
97	return rsa_builtin_keygen(rsa, bits, e_value, cb);	82	return rsa_builtin_keygen(rsa, bits, e_value, cb);
98	}	83	}
99		84


diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c index c95ceafc82..9e3f7dafcd 100644 --- a/src/lib/libcrypto/rsa/rsa_lib.c +++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,10 +67,6 @@
67	#include <openssl/engine.h>	67	#include <openssl/engine.h>
68	#endif	68	#endif
69		69
70	#ifdef OPENSSL_FIPS
71	#include <openssl/fips.h>
72	#endif
73
74	const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;	70	const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
75		71
76	static const RSA_METHOD *default_RSA_meth=NULL;	72	static const RSA_METHOD *default_RSA_meth=NULL;
@@ -91,18 +87,11 @@ const RSA_METHOD *RSA_get_default_method(void)
91	{	87	{
92	if (default_RSA_meth == NULL)	88	if (default_RSA_meth == NULL)
93	{	89	{
94	#ifdef OPENSSL_FIPS
95	if (FIPS_mode())
96	return FIPS_rsa_pkcs1_ssleay();
97	else
98	return RSA_PKCS1_SSLeay();
99	#else
100	#ifdef RSA_NULL	90	#ifdef RSA_NULL
101	default_RSA_meth=RSA_null_method();	91	default_RSA_meth=RSA_null_method();
102	#else	92	#else
103	default_RSA_meth=RSA_PKCS1_SSLeay();	93	default_RSA_meth=RSA_PKCS1_SSLeay();
104	#endif	94	#endif
105	#endif
106	}	95	}
107		96
108	return default_RSA_meth;	97	return default_RSA_meth;


diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c index 157aa5c41d..d706d35ff6 100644 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -66,9 +66,6 @@
66	#ifndef OPENSSL_NO_CMS	66	#ifndef OPENSSL_NO_CMS
67	#include <openssl/cms.h>	67	#include <openssl/cms.h>
68	#endif	68	#endif
69	#ifdef OPENSSL_FIPS
70	#include <openssl/fips.h>
71	#endif
72	#include "evp_locl.h"	69	#include "evp_locl.h"
73	#include "rsa_locl.h"	70	#include "rsa_locl.h"
74		71
@@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
156	OPENSSL_free(rctx);	153	OPENSSL_free(rctx);
157	}	154	}
158	}	155	}
159	#ifdef OPENSSL_FIPS
160	/* FIP checker. Return value indicates status of context parameters:
161	* 1 : redirect to FIPS.
162	* 0 : don't redirect to FIPS.
163	* -1 : illegal operation in FIPS mode.
164	*/
165
166	static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
167	{
168	RSA_PKEY_CTX *rctx = ctx->data;
169	RSA *rsa = ctx->pkey->pkey.rsa;
170	int rv = -1;
171	if (!FIPS_mode())
172	return 0;
173	if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
174	rv = 0;
175	if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
176	return -1;
177	if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
178	return rv;
179	if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
180	return rv;
181	return 1;
182	}
183	#endif
184
185	static int pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,	156	static int pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
186	const unsigned char *tbs, size_t tbslen)	157	const unsigned char *tbs, size_t tbslen)
187	{	158	{
@@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
189	RSA_PKEY_CTX *rctx = ctx->data;	160	RSA_PKEY_CTX *rctx = ctx->data;
190	RSA *rsa = ctx->pkey->pkey.rsa;	161	RSA *rsa = ctx->pkey->pkey.rsa;
191		162
192	#ifdef OPENSSL_FIPS
193	ret = pkey_fips_check_ctx(ctx);
194	if (ret < 0)
195	{
196	RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
197	return -1;
198	}
199	#endif
200
201	if (rctx->md)	163	if (rctx->md)
202	{	164	{
203	if (tbslen != (size_t)EVP_MD_size(rctx->md))	165	if (tbslen != (size_t)EVP_MD_size(rctx->md))
@@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
206	RSA_R_INVALID_DIGEST_LENGTH);	168	RSA_R_INVALID_DIGEST_LENGTH);
207	return -1;	169	return -1;
208	}	170	}
209	#ifdef OPENSSL_FIPS
210	if (ret > 0)
211	{
212	unsigned int slen;
213	ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
214	rctx->pad_mode,
215	rctx->saltlen,
216	rctx->mgf1md,
217	sig, &slen);
218	if (ret > 0)
219	*siglen = slen;
220	else
221	*siglen = 0;
222	return ret;
223	}
224	#endif
225		171
226	if (EVP_MD_type(rctx->md) == NID_mdc2)	172	if (EVP_MD_type(rctx->md) == NID_mdc2)
227	{	173	{
@@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
343	RSA_PKEY_CTX *rctx = ctx->data;	289	RSA_PKEY_CTX *rctx = ctx->data;
344	RSA *rsa = ctx->pkey->pkey.rsa;	290	RSA *rsa = ctx->pkey->pkey.rsa;
345	size_t rslen;	291	size_t rslen;
346	#ifdef OPENSSL_FIPS
347	int rv;
348	rv = pkey_fips_check_ctx(ctx);
349	if (rv < 0)
350	{
351	RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
352	return -1;
353	}
354	#endif
355	if (rctx->md)	292	if (rctx->md)
356	{	293	{
357	#ifdef OPENSSL_FIPS
358	if (rv > 0)
359	{
360	return FIPS_rsa_verify_digest(rsa,
361	tbs, tbslen,
362	rctx->md,
363	rctx->pad_mode,
364	rctx->saltlen,
365	rctx->mgf1md,
366	sig, siglen);
367
368	}
369	#endif
370	if (rctx->pad_mode == RSA_PKCS1_PADDING)	294	if (rctx->pad_mode == RSA_PKCS1_PADDING)
371	return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,	295	return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
372	sig, siglen, rsa);	296	sig, siglen, rsa);


diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c index b6f6037ae0..fa3239ab30 100644 --- a/src/lib/libcrypto/rsa/rsa_sign.c +++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -77,14 +77,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
77	const unsigned char *s = NULL;	77	const unsigned char *s = NULL;
78	X509_ALGOR algor;	78	X509_ALGOR algor;
79	ASN1_OCTET_STRING digest;	79	ASN1_OCTET_STRING digest;
80	#ifdef OPENSSL_FIPS
81	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
82	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
83	{
84	RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
85	return 0;
86	}
87	#endif
88	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)	80	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
89	{	81	{
90	return rsa->meth->rsa_sign(type, m, m_len,	82	return rsa->meth->rsa_sign(type, m, m_len,
@@ -161,15 +153,6 @@ int int_rsa_verify(int dtype, const unsigned char *m,
161	unsigned char *s;	153	unsigned char *s;
162	X509_SIG *sig=NULL;	154	X509_SIG *sig=NULL;
163		155
164	#ifdef OPENSSL_FIPS
165	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
166	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
167	{
168	RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
169	return 0;
170	}
171	#endif
172
173	if (siglen != (unsigned int)RSA_size(rsa))	156	if (siglen != (unsigned int)RSA_size(rsa))
174	{	157	{
175	RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);	158	RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);