1 files changed, 0 insertions, 51 deletions
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index d6cc9b4771..964266e5b2 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -386,10 +386,6 @@ tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
 char
 ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 {
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode())
-                return 0;
-#endif
        switch (EVP_MD_CTX_type(ctx)) {
        case NID_md5:
        case NID_sha1:
@@ -710,50 +706,3 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
                *md_out_size = md_out_size_u;
        EVP_MD_CTX_cleanup(&md_ctx);
 }
-#ifdef OPENSSL_FIPS
-/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
- * we can ensure the number of blocks processed is equal for all cases
- * by digesting additional data.
- */
-void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
-    EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len,
-    size_t orig_len)
-{
-        size_t block_size, digest_pad, blocks_data, blocks_orig;
-        if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
-                return;
-        block_size = EVP_MD_CTX_block_size(mac_ctx);
-        /* We are in FIPS mode if we get this far so we know we have only SHA*
-         * digests and TLS to deal with.
-         * Minimum digest padding length is 17 for SHA384/SHA512 and 9
-         * otherwise.
-         * Additional header is 13 bytes. To get the number of digest blocks
-         * processed round up the amount of data plus padding to the nearest
-         * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
-         * So we have:
-         * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
-         * equivalently:
-         * blocks = (payload_len + digest_pad + 12)/block_size + 1
-         * HMAC adds a constant overhead.
-         * We're ultimately only interested in differences so this becomes
-         * blocks = (payload_len + 29)/128
-         * for SHA384/SHA512 and
-         * blocks = (payload_len + 21)/64
-         * otherwise.
-         */
-        digest_pad = block_size == 64 ? 21 : 29;
-        blocks_orig = (orig_len + digest_pad)/block_size;
-        blocks_data = (data_len + digest_pad)/block_size;
-        /* MAC enough blocks to make up the difference between the original
-         * and actual lengths plus one extra block to ensure this is never a
-         * no op. The "data" pointer should always have enough space to
-         * perform this operation as it is large enough for a maximum
-         * length TLS buffer. 
-         */
-        EVP_DigestSignUpdate(mac_ctx, data,
-        (blocks_orig - blocks_data + 1) * block_size);
-}
-#endif

diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c index d6cc9b4771..964266e5b2 100644 --- a/src/lib/libssl/s3_cbc.c +++ b/src/lib/libssl/s3_cbc.c
@@ -386,10 +386,6 @@ tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
386	char	386	char
387	ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)	387	ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
388	{	388	{
389	#ifdef OPENSSL_FIPS
390	if (FIPS_mode())
391	return 0;
392	#endif
393	switch (EVP_MD_CTX_type(ctx)) {	389	switch (EVP_MD_CTX_type(ctx)) {
394	case NID_md5:	390	case NID_md5:
395	case NID_sha1:	391	case NID_sha1:
@@ -710,50 +706,3 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
710	*md_out_size = md_out_size_u;	706	*md_out_size = md_out_size_u;
711	EVP_MD_CTX_cleanup(&md_ctx);	707	EVP_MD_CTX_cleanup(&md_ctx);
712	}	708	}
713
714	#ifdef OPENSSL_FIPS
715
716	/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
717	* we can ensure the number of blocks processed is equal for all cases
718	* by digesting additional data.
719	*/
720
721	void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
722	EVP_MD_CTX mac_ctx, const unsigned char data, size_t data_len,
723	size_t orig_len)
724	{
725	size_t block_size, digest_pad, blocks_data, blocks_orig;
726	if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
727	return;
728	block_size = EVP_MD_CTX_block_size(mac_ctx);
729	/* We are in FIPS mode if we get this far so we know we have only SHA*
730	* digests and TLS to deal with.
731	* Minimum digest padding length is 17 for SHA384/SHA512 and 9
732	* otherwise.
733	* Additional header is 13 bytes. To get the number of digest blocks
734	* processed round up the amount of data plus padding to the nearest
735	* block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
736	* So we have:
737	* blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
738	* equivalently:
739	* blocks = (payload_len + digest_pad + 12)/block_size + 1
740	* HMAC adds a constant overhead.
741	* We're ultimately only interested in differences so this becomes
742	* blocks = (payload_len + 29)/128
743	* for SHA384/SHA512 and
744	* blocks = (payload_len + 21)/64
745	* otherwise.
746	*/
747	digest_pad = block_size == 64 ? 21 : 29;
748	blocks_orig = (orig_len + digest_pad)/block_size;
749	blocks_data = (data_len + digest_pad)/block_size;
750	/* MAC enough blocks to make up the difference between the original
751	* and actual lengths plus one extra block to ensure this is never a
752	* no op. The "data" pointer should always have enough space to
753	* perform this operation as it is large enough for a maximum
754	* length TLS buffer.
755	*/
756	EVP_DigestSignUpdate(mac_ctx, data,
757	(blocks_orig - blocks_data + 1) * block_size);
758	}
759	#endif