summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/Attic/Makefile4
-rw-r--r--src/lib/libcrypto/aes/aes_misc.c6
-rw-r--r--src/lib/libcrypto/bf/bf_skey.c7
-rw-r--r--src/lib/libcrypto/bf/blowfish.h3
-rw-r--r--src/lib/libcrypto/bn/bn_lcl.h4
-rw-r--r--src/lib/libcrypto/camellia/camellia.h4
-rw-r--r--src/lib/libcrypto/camellia/cmll_utl.c3
-rw-r--r--src/lib/libcrypto/cast/c_skey.c7
-rw-r--r--src/lib/libcrypto/cast/cast.h3
-rw-r--r--src/lib/libcrypto/cmac/cmac.c39
-rw-r--r--src/lib/libcrypto/crypto.h16
-rw-r--r--src/lib/libcrypto/crypto/Makefile6
-rw-r--r--src/lib/libcrypto/des/des.h3
-rw-r--r--src/lib/libcrypto/des/set_key.c7
-rw-r--r--src/lib/libcrypto/dh/dh_gen.c17
-rw-r--r--src/lib/libcrypto/dh/dh_key.c16
-rw-r--r--src/lib/libcrypto/dh/dh_lib.c11
-rw-r--r--src/lib/libcrypto/dsa/dsa_gen.c20
-rw-r--r--src/lib/libcrypto/dsa/dsa_key.c16
-rw-r--r--src/lib/libcrypto/dsa/dsa_lib.c11
-rw-r--r--src/lib/libcrypto/dsa/dsa_sign.c16
-rw-r--r--src/lib/libcrypto/dsa/dsa_vrf.c8
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c9
-rw-r--r--src/lib/libcrypto/ec/ec_key.c8
-rw-r--r--src/lib/libcrypto/ec/ecp_mont.c8
-rw-r--r--src/lib/libcrypto/ec/ecp_nist.c8
-rw-r--r--src/lib/libcrypto/ec/ecp_smpl.c8
-rw-r--r--src/lib/libcrypto/ecdh/ech_lib.c19
-rw-r--r--src/lib/libcrypto/ecdsa/ecs_lib.c18
-rw-r--r--src/lib/libcrypto/err/err_all.c6
-rw-r--r--src/lib/libcrypto/evp/Makefile4
-rw-r--r--src/lib/libcrypto/evp/digest.c27
-rw-r--r--src/lib/libcrypto/evp/e_null.c3
-rw-r--r--src/lib/libcrypto/evp/evp_enc.c21
-rw-r--r--src/lib/libcrypto/evp/evp_fips.c113
-rw-r--r--src/lib/libcrypto/evp/evp_locl.h36
-rw-r--r--src/lib/libcrypto/evp/m_dss.c2
-rw-r--r--src/lib/libcrypto/evp/m_dss1.c3
-rw-r--r--src/lib/libcrypto/evp/m_ecdsa.c2
-rw-r--r--src/lib/libcrypto/evp/m_sha1.c4
-rw-r--r--src/lib/libcrypto/fips_ers.c7
-rw-r--r--src/lib/libcrypto/hmac/hmac.c37
-rw-r--r--src/lib/libcrypto/idea/i_skey.c7
-rw-r--r--src/lib/libcrypto/idea/idea.h3
-rw-r--r--src/lib/libcrypto/md2/md2.h3
-rw-r--r--src/lib/libcrypto/md4/md4.h3
-rw-r--r--src/lib/libcrypto/md5/md5.h3
-rw-r--r--src/lib/libcrypto/mdc2/mdc2.h3
-rw-r--r--src/lib/libcrypto/o_fips.c22
-rw-r--r--src/lib/libcrypto/o_init.c10
-rw-r--r--src/lib/libcrypto/opensslv.h4
-rw-r--r--src/lib/libcrypto/pem/pem_all.c157
-rw-r--r--src/lib/libcrypto/pkcs12/p12_crt.c5
-rw-r--r--src/lib/libcrypto/rc2/rc2.h3
-rw-r--r--src/lib/libcrypto/rc2/rc2_skey.c7
-rw-r--r--src/lib/libcrypto/rc4/rc4_utl.c3
-rw-r--r--src/lib/libcrypto/ripemd/ripemd.h3
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c32
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c15
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c11
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c76
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c17
-rw-r--r--src/lib/libcrypto/seed/seed.c7
-rw-r--r--src/lib/libcrypto/seed/seed.h3
-rw-r--r--src/lib/libcrypto/sha/sha.h18
-rw-r--r--src/lib/libcrypto/whrlpool/whrlpool.h3
-rw-r--r--src/lib/libssl/src/crypto/Makefile4
-rw-r--r--src/lib/libssl/src/crypto/aes/aes_misc.c6
-rw-r--r--src/lib/libssl/src/crypto/bf/bf_skey.c7
-rw-r--r--src/lib/libssl/src/crypto/bf/blowfish.h3
-rw-r--r--src/lib/libssl/src/crypto/bn/bn_lcl.h4
-rw-r--r--src/lib/libssl/src/crypto/camellia/camellia.h4
-rw-r--r--src/lib/libssl/src/crypto/camellia/cmll_utl.c3
-rw-r--r--src/lib/libssl/src/crypto/cast/c_skey.c7
-rw-r--r--src/lib/libssl/src/crypto/cast/cast.h3
-rw-r--r--src/lib/libssl/src/crypto/cmac/cmac.c39
-rw-r--r--src/lib/libssl/src/crypto/crypto.h16
-rw-r--r--src/lib/libssl/src/crypto/des/des.h3
-rw-r--r--src/lib/libssl/src/crypto/des/set_key.c7
-rw-r--r--src/lib/libssl/src/crypto/dh/dh_gen.c17
-rw-r--r--src/lib/libssl/src/crypto/dh/dh_key.c16
-rw-r--r--src/lib/libssl/src/crypto/dh/dh_lib.c11
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_gen.c20
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_key.c16
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_lib.c11
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_sign.c16
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_vrf.c8
-rw-r--r--src/lib/libssl/src/crypto/ec/ec2_smpl.c9
-rw-r--r--src/lib/libssl/src/crypto/ec/ec_key.c8
-rw-r--r--src/lib/libssl/src/crypto/ec/ecp_mont.c8
-rw-r--r--src/lib/libssl/src/crypto/ec/ecp_nist.c8
-rw-r--r--src/lib/libssl/src/crypto/ec/ecp_smpl.c8
-rw-r--r--src/lib/libssl/src/crypto/ecdh/ech_lib.c19
-rw-r--r--src/lib/libssl/src/crypto/ecdsa/ecs_lib.c18
-rw-r--r--src/lib/libssl/src/crypto/err/err_all.c6
-rw-r--r--src/lib/libssl/src/crypto/evp/Makefile4
-rw-r--r--src/lib/libssl/src/crypto/evp/digest.c27
-rw-r--r--src/lib/libssl/src/crypto/evp/e_null.c3
-rw-r--r--src/lib/libssl/src/crypto/evp/evp_enc.c21
-rw-r--r--src/lib/libssl/src/crypto/evp/evp_fips.c113
-rw-r--r--src/lib/libssl/src/crypto/evp/evp_locl.h36
-rw-r--r--src/lib/libssl/src/crypto/evp/m_dss.c2
-rw-r--r--src/lib/libssl/src/crypto/evp/m_dss1.c3
-rw-r--r--src/lib/libssl/src/crypto/evp/m_ecdsa.c2
-rw-r--r--src/lib/libssl/src/crypto/evp/m_sha1.c4
-rw-r--r--src/lib/libssl/src/crypto/fips_ers.c7
-rw-r--r--src/lib/libssl/src/crypto/hmac/hmac.c37
-rw-r--r--src/lib/libssl/src/crypto/idea/i_skey.c7
-rw-r--r--src/lib/libssl/src/crypto/idea/idea.h3
-rw-r--r--src/lib/libssl/src/crypto/md2/md2.h3
-rw-r--r--src/lib/libssl/src/crypto/md4/md4.h3
-rw-r--r--src/lib/libssl/src/crypto/md5/md5.h3
-rw-r--r--src/lib/libssl/src/crypto/mdc2/mdc2.h3
-rw-r--r--src/lib/libssl/src/crypto/o_fips.c22
-rw-r--r--src/lib/libssl/src/crypto/o_init.c10
-rw-r--r--src/lib/libssl/src/crypto/opensslv.h4
-rw-r--r--src/lib/libssl/src/crypto/pem/pem_all.c157
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_crt.c5
-rw-r--r--src/lib/libssl/src/crypto/rc2/rc2.h3
-rw-r--r--src/lib/libssl/src/crypto/rc2/rc2_skey.c7
-rw-r--r--src/lib/libssl/src/crypto/rc4/rc4_utl.c3
-rw-r--r--src/lib/libssl/src/crypto/ripemd/ripemd.h3
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_crpt.c32
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_gen.c15
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_lib.c11
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_pmeth.c76
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_sign.c17
-rw-r--r--src/lib/libssl/src/crypto/seed/seed.c7
-rw-r--r--src/lib/libssl/src/crypto/seed/seed.h3
-rw-r--r--src/lib/libssl/src/crypto/sha/sha.h18
-rw-r--r--src/lib/libssl/src/crypto/whrlpool/whrlpool.h3
131 files changed, 15 insertions, 1955 deletions
diff --git a/src/lib/libcrypto/Attic/Makefile b/src/lib/libcrypto/Attic/Makefile
index 326915d520..5c02ba2844 100644
--- a/src/lib/libcrypto/Attic/Makefile
+++ b/src/lib/libcrypto/Attic/Makefile
@@ -35,9 +35,9 @@ GENERAL=Makefile README crypto-lib.com install.com
35LIB= $(TOP)/libcrypto.a 35LIB= $(TOP)/libcrypto.a
36SHARED_LIB= libcrypto$(SHLIB_EXT) 36SHARED_LIB= libcrypto$(SHLIB_EXT)
37LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ 37LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
38 uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c 38 uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c
39LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \ 39LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \
40 uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) 40 uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o $(CPUID_OBJ)
41 41
42SRC= $(LIBSRC) 42SRC= $(LIBSRC)
43 43
diff --git a/src/lib/libcrypto/aes/aes_misc.c b/src/lib/libcrypto/aes/aes_misc.c
index d666c06409..9380abc46c 100644
--- a/src/lib/libcrypto/aes/aes_misc.c
+++ b/src/lib/libcrypto/aes/aes_misc.c
@@ -71,9 +71,6 @@ int
71AES_set_encrypt_key(const unsigned char *userKey, const int bits, 71AES_set_encrypt_key(const unsigned char *userKey, const int bits,
72 AES_KEY *key) 72 AES_KEY *key)
73{ 73{
74#ifdef OPENSSL_FIPS
75 fips_cipher_abort(AES);
76#endif
77 return private_AES_set_encrypt_key(userKey, bits, key); 74 return private_AES_set_encrypt_key(userKey, bits, key);
78} 75}
79 76
@@ -81,8 +78,5 @@ int
81AES_set_decrypt_key(const unsigned char *userKey, const int bits, 78AES_set_decrypt_key(const unsigned char *userKey, const int bits,
82 AES_KEY *key) 79 AES_KEY *key)
83{ 80{
84#ifdef OPENSSL_FIPS
85 fips_cipher_abort(AES);
86#endif
87 return private_AES_set_decrypt_key(userKey, bits, key); 81 return private_AES_set_decrypt_key(userKey, bits, key);
88} 82}
diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c
index 3b0bca41ae..d8e6287a32 100644
--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -64,13 +64,6 @@
64#include "bf_pi.h" 64#include "bf_pi.h"
65 65
66void BF_set_key(BF_KEY *key, int len, const unsigned char *data) 66void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
67#ifdef OPENSSL_FIPS
68 {
69 fips_cipher_abort(BLOWFISH);
70 private_BF_set_key(key, len, data);
71 }
72void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data)
73#endif
74 { 67 {
75 int i; 68 int i;
76 BF_LONG *p,ri,in[2]; 69 BF_LONG *p,ri,in[2];
diff --git a/src/lib/libcrypto/bf/blowfish.h b/src/lib/libcrypto/bf/blowfish.h
index 4b6c8920a4..65685f478c 100644
--- a/src/lib/libcrypto/bf/blowfish.h
+++ b/src/lib/libcrypto/bf/blowfish.h
@@ -104,9 +104,6 @@ typedef struct bf_key_st
104 BF_LONG S[4*256]; 104 BF_LONG S[4*256];
105 } BF_KEY; 105 } BF_KEY;
106 106
107#ifdef OPENSSL_FIPS
108void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
109#endif
110void BF_set_key(BF_KEY *key, int len, const unsigned char *data); 107void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
111 108
112void BF_encrypt(BF_LONG *data,const BF_KEY *key); 109void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 817c773b65..9194e86b39 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -479,10 +479,6 @@ extern "C" {
479 } 479 }
480#endif /* !BN_LLONG */ 480#endif /* !BN_LLONG */
481 481
482#if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS)
483#undef bn_div_words
484#endif
485
486void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb); 482void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
487void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); 483void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
488void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); 484void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
diff --git a/src/lib/libcrypto/camellia/camellia.h b/src/lib/libcrypto/camellia/camellia.h
index 67911e0adf..cf0457dd97 100644
--- a/src/lib/libcrypto/camellia/camellia.h
+++ b/src/lib/libcrypto/camellia/camellia.h
@@ -88,10 +88,6 @@ struct camellia_key_st
88 }; 88 };
89typedef struct camellia_key_st CAMELLIA_KEY; 89typedef struct camellia_key_st CAMELLIA_KEY;
90 90
91#ifdef OPENSSL_FIPS
92int private_Camellia_set_key(const unsigned char *userKey, const int bits,
93 CAMELLIA_KEY *key);
94#endif
95int Camellia_set_key(const unsigned char *userKey, const int bits, 91int Camellia_set_key(const unsigned char *userKey, const int bits,
96 CAMELLIA_KEY *key); 92 CAMELLIA_KEY *key);
97 93
diff --git a/src/lib/libcrypto/camellia/cmll_utl.c b/src/lib/libcrypto/camellia/cmll_utl.c
index 7a35711ec1..b88a996a3f 100644
--- a/src/lib/libcrypto/camellia/cmll_utl.c
+++ b/src/lib/libcrypto/camellia/cmll_utl.c
@@ -57,8 +57,5 @@
57int Camellia_set_key(const unsigned char *userKey, const int bits, 57int Camellia_set_key(const unsigned char *userKey, const int bits,
58 CAMELLIA_KEY *key) 58 CAMELLIA_KEY *key)
59 { 59 {
60#ifdef OPENSSL_FIPS
61 fips_cipher_abort(Camellia);
62#endif
63 return private_Camellia_set_key(userKey, bits, key); 60 return private_Camellia_set_key(userKey, bits, key);
64 } 61 }
diff --git a/src/lib/libcrypto/cast/c_skey.c b/src/lib/libcrypto/cast/c_skey.c
index cb6bf9fee3..54ea98cd0b 100644
--- a/src/lib/libcrypto/cast/c_skey.c
+++ b/src/lib/libcrypto/cast/c_skey.c
@@ -73,13 +73,6 @@
73#define S6 CAST_S_table6 73#define S6 CAST_S_table6
74#define S7 CAST_S_table7 74#define S7 CAST_S_table7
75void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) 75void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
76#ifdef OPENSSL_FIPS
77 {
78 fips_cipher_abort(CAST);
79 private_CAST_set_key(key, len, data);
80 }
81void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
82#endif
83 { 76 {
84 CAST_LONG x[16]; 77 CAST_LONG x[16];
85 CAST_LONG z[16]; 78 CAST_LONG z[16];
diff --git a/src/lib/libcrypto/cast/cast.h b/src/lib/libcrypto/cast/cast.h
index 203922ea2b..8741532e9e 100644
--- a/src/lib/libcrypto/cast/cast.h
+++ b/src/lib/libcrypto/cast/cast.h
@@ -83,9 +83,6 @@ typedef struct cast_key_st
83 int short_key; /* Use reduced rounds for short key */ 83 int short_key; /* Use reduced rounds for short key */
84 } CAST_KEY; 84 } CAST_KEY;
85 85
86#ifdef OPENSSL_FIPS
87void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
88#endif
89void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); 86void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
90void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key, 87void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
91 int enc); 88 int enc);
diff --git a/src/lib/libcrypto/cmac/cmac.c b/src/lib/libcrypto/cmac/cmac.c
index 8b72b09681..f92a7bb143 100644
--- a/src/lib/libcrypto/cmac/cmac.c
+++ b/src/lib/libcrypto/cmac/cmac.c
@@ -57,10 +57,6 @@
57#include "cryptlib.h" 57#include "cryptlib.h"
58#include <openssl/cmac.h> 58#include <openssl/cmac.h>
59 59
60#ifdef OPENSSL_FIPS
61#include <openssl/fips.h>
62#endif
63
64struct CMAC_CTX_st 60struct CMAC_CTX_st
65 { 61 {
66 /* Cipher context to use */ 62 /* Cipher context to use */
@@ -107,13 +103,6 @@ CMAC_CTX *CMAC_CTX_new(void)
107 103
108void CMAC_CTX_cleanup(CMAC_CTX *ctx) 104void CMAC_CTX_cleanup(CMAC_CTX *ctx)
109 { 105 {
110#ifdef OPENSSL_FIPS
111 if (FIPS_mode() && !ctx->cctx.engine)
112 {
113 FIPS_cmac_ctx_cleanup(ctx);
114 return;
115 }
116#endif
117 EVP_CIPHER_CTX_cleanup(&ctx->cctx); 106 EVP_CIPHER_CTX_cleanup(&ctx->cctx);
118 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); 107 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
119 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); 108 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
@@ -153,24 +142,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
153 const EVP_CIPHER *cipher, ENGINE *impl) 142 const EVP_CIPHER *cipher, ENGINE *impl)
154 { 143 {
155 static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH]; 144 static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
156#ifdef OPENSSL_FIPS
157 if (FIPS_mode())
158 {
159 /* If we have an ENGINE need to allow non FIPS */
160 if ((impl || ctx->cctx.engine)
161 && !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
162
163 {
164 EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
165 return 0;
166 }
167 /* Other algorithm blocking will be done in FIPS_cmac_init,
168 * via FIPS_cipherinit().
169 */
170 if (!impl && !ctx->cctx.engine)
171 return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
172 }
173#endif
174 /* All zeros means restart */ 145 /* All zeros means restart */
175 if (!key && !cipher && !impl && keylen == 0) 146 if (!key && !cipher && !impl && keylen == 0)
176 { 147 {
@@ -216,10 +187,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
216 { 187 {
217 const unsigned char *data = in; 188 const unsigned char *data = in;
218 size_t bl; 189 size_t bl;
219#ifdef OPENSSL_FIPS 190
220 if (FIPS_mode() && !ctx->cctx.engine)
221 return FIPS_cmac_update(ctx, in, dlen);
222#endif
223 if (ctx->nlast_block == -1) 191 if (ctx->nlast_block == -1)
224 return 0; 192 return 0;
225 if (dlen == 0) 193 if (dlen == 0)
@@ -261,10 +229,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
261int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) 229int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
262 { 230 {
263 int i, bl, lb; 231 int i, bl, lb;
264#ifdef OPENSSL_FIPS 232
265 if (FIPS_mode() && !ctx->cctx.engine)
266 return FIPS_cmac_final(ctx, out, poutlen);
267#endif
268 if (ctx->nlast_block == -1) 233 if (ctx->nlast_block == -1)
269 return 0; 234 return 0;
270 bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); 235 bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index 351ccfd35b..56c5dfadb8 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -538,25 +538,9 @@ void OPENSSL_init(void);
538 538
539#define fips_md_init(alg) fips_md_init_ctx(alg, alg) 539#define fips_md_init(alg) fips_md_init_ctx(alg, alg)
540 540
541#ifdef OPENSSL_FIPS
542#define fips_md_init_ctx(alg, cx) \
543 int alg##_Init(cx##_CTX *c) \
544 { \
545 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
546 "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
547 return private_##alg##_Init(c); \
548 } \
549 int private_##alg##_Init(cx##_CTX *c)
550
551#define fips_cipher_abort(alg) \
552 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
553 "Low level API call to cipher " #alg " forbidden in FIPS mode!")
554
555#else
556#define fips_md_init_ctx(alg, cx) \ 541#define fips_md_init_ctx(alg, cx) \
557 int alg##_Init(cx##_CTX *c) 542 int alg##_Init(cx##_CTX *c)
558#define fips_cipher_abort(alg) while(0) 543#define fips_cipher_abort(alg) while(0)
559#endif
560 544
561/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It 545/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
562 * takes an amount of time dependent on |len|, but independent of the contents 546 * takes an amount of time dependent on |len|, but independent of the contents
diff --git a/src/lib/libcrypto/crypto/Makefile b/src/lib/libcrypto/crypto/Makefile
index e3bb0a2b36..a149537c3f 100644
--- a/src/lib/libcrypto/crypto/Makefile
+++ b/src/lib/libcrypto/crypto/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.8 2014/04/15 17:46:16 beck Exp $ 1# $OpenBSD: Makefile,v 1.9 2014/04/15 20:06:09 tedu Exp $
2 2
3LIB= crypto 3LIB= crypto
4 4
@@ -43,7 +43,7 @@ CFLAGS+= -I${LCRYPTO_SRC}/modes -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/evp
43 43
44# crypto/ 44# crypto/
45SRCS+= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c 45SRCS+= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c
46SRCS+= uid.c o_time.c o_str.c o_fips.c o_init.c fips_ers.c 46SRCS+= uid.c o_time.c o_str.c o_fips.c o_init.c
47 47
48# aes/ 48# aes/
49SRCS+= aes_misc.c aes_ecb.c aes_cfb.c aes_ofb.c 49SRCS+= aes_misc.c aes_ecb.c aes_cfb.c aes_ofb.c
@@ -163,7 +163,7 @@ SRCS+= p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c
163SRCS+= bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c 163SRCS+= bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c
164SRCS+= c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c 164SRCS+= c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c
165SRCS+= evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c 165SRCS+= evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
166SRCS+= e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c 166SRCS+= e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c
167SRCS+= e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c 167SRCS+= e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
168 168
169# hmac/ 169# hmac/
diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h
index 1eaedcbd24..92b6663599 100644
--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule);
224int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule); 224int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
225int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule); 225int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
226void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule); 226void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
227#ifdef OPENSSL_FIPS
228void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
229#endif
230void DES_string_to_key(const char *str,DES_cblock *key); 227void DES_string_to_key(const char *str,DES_cblock *key);
231void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2); 228void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
232void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length, 229void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
diff --git a/src/lib/libcrypto/des/set_key.c b/src/lib/libcrypto/des/set_key.c
index 99e3555ba9..e8dea50b96 100644
--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule)
336 } 336 }
337 337
338void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) 338void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
339#ifdef OPENSSL_FIPS
340 {
341 fips_cipher_abort(DES);
342 private_DES_set_key_unchecked(key, schedule);
343 }
344void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
345#endif
346 { 339 {
347 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; 340 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
348 register DES_LONG c,d,t,s,t2; 341 register DES_LONG c,d,t,s,t2;
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 7b1fe9c9cb..cfd5b11868 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -66,29 +66,12 @@
66#include <openssl/bn.h> 66#include <openssl/bn.h>
67#include <openssl/dh.h> 67#include <openssl/dh.h>
68 68
69#ifdef OPENSSL_FIPS
70#include <openssl/fips.h>
71#endif
72
73static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); 69static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
74 70
75int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) 71int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
76 { 72 {
77#ifdef OPENSSL_FIPS
78 if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
79 && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW))
80 {
81 DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
82 return 0;
83 }
84#endif
85 if(ret->meth->generate_params) 73 if(ret->meth->generate_params)
86 return ret->meth->generate_params(ret, prime_len, generator, cb); 74 return ret->meth->generate_params(ret, prime_len, generator, cb);
87#ifdef OPENSSL_FIPS
88 if (FIPS_mode())
89 return FIPS_dh_generate_parameters_ex(ret, prime_len,
90 generator, cb);
91#endif
92 return dh_builtin_genparams(ret, prime_len, generator, cb); 75 return dh_builtin_genparams(ret, prime_len, generator, cb);
93 } 76 }
94 77
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 89a74db4e6..9596270f7d 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -73,27 +73,11 @@ static int dh_finish(DH *dh);
73 73
74int DH_generate_key(DH *dh) 74int DH_generate_key(DH *dh)
75 { 75 {
76#ifdef OPENSSL_FIPS
77 if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
78 && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
79 {
80 DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
81 return 0;
82 }
83#endif
84 return dh->meth->generate_key(dh); 76 return dh->meth->generate_key(dh);
85 } 77 }
86 78
87int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) 79int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
88 { 80 {
89#ifdef OPENSSL_FIPS
90 if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
91 && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
92 {
93 DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
94 return 0;
95 }
96#endif
97 return dh->meth->compute_key(key, pub_key, dh); 81 return dh->meth->compute_key(key, pub_key, dh);
98 } 82 }
99 83
diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c
index 00218f2b92..a40caaf75b 100644
--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -64,10 +64,6 @@
64#include <openssl/engine.h> 64#include <openssl/engine.h>
65#endif 65#endif
66 66
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70
71const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; 67const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
72 68
73static const DH_METHOD *default_DH_method = NULL; 69static const DH_METHOD *default_DH_method = NULL;
@@ -81,14 +77,7 @@ const DH_METHOD *DH_get_default_method(void)
81 { 77 {
82 if(!default_DH_method) 78 if(!default_DH_method)
83 { 79 {
84#ifdef OPENSSL_FIPS
85 if (FIPS_mode())
86 return FIPS_dh_openssl();
87 else
88 return DH_OpenSSL();
89#else
90 default_DH_method = DH_OpenSSL(); 80 default_DH_method = DH_OpenSSL();
91#endif
92 } 81 }
93 return default_DH_method; 82 return default_DH_method;
94 } 83 }
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index c398761d0d..e6a5452016 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -81,33 +81,13 @@
81#include <openssl/sha.h> 81#include <openssl/sha.h>
82#include "dsa_locl.h" 82#include "dsa_locl.h"
83 83
84#ifdef OPENSSL_FIPS
85#include <openssl/fips.h>
86#endif
87
88int DSA_generate_parameters_ex(DSA *ret, int bits, 84int DSA_generate_parameters_ex(DSA *ret, int bits,
89 const unsigned char *seed_in, int seed_len, 85 const unsigned char *seed_in, int seed_len,
90 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) 86 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
91 { 87 {
92#ifdef OPENSSL_FIPS
93 if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
94 && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
95 {
96 DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
97 return 0;
98 }
99#endif
100 if(ret->meth->dsa_paramgen) 88 if(ret->meth->dsa_paramgen)
101 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, 89 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
102 counter_ret, h_ret, cb); 90 counter_ret, h_ret, cb);
103#ifdef OPENSSL_FIPS
104 else if (FIPS_mode())
105 {
106 return FIPS_dsa_generate_parameters_ex(ret, bits,
107 seed_in, seed_len,
108 counter_ret, h_ret, cb);
109 }
110#endif
111 else 91 else
112 { 92 {
113 const EVP_MD *evpmd; 93 const EVP_MD *evpmd;
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 9cf669b921..c4aa86bc6d 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,28 +64,12 @@
64#include <openssl/dsa.h> 64#include <openssl/dsa.h>
65#include <openssl/rand.h> 65#include <openssl/rand.h>
66 66
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70
71static int dsa_builtin_keygen(DSA *dsa); 67static int dsa_builtin_keygen(DSA *dsa);
72 68
73int DSA_generate_key(DSA *dsa) 69int DSA_generate_key(DSA *dsa)
74 { 70 {
75#ifdef OPENSSL_FIPS
76 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
77 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
78 {
79 DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
80 return 0;
81 }
82#endif
83 if(dsa->meth->dsa_keygen) 71 if(dsa->meth->dsa_keygen)
84 return dsa->meth->dsa_keygen(dsa); 72 return dsa->meth->dsa_keygen(dsa);
85#ifdef OPENSSL_FIPS
86 if (FIPS_mode())
87 return FIPS_dsa_generate_key(dsa);
88#endif
89 return dsa_builtin_keygen(dsa); 73 return dsa_builtin_keygen(dsa);
90 } 74 }
91 75
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index 96d8d0c4b4..897c085968 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -70,10 +70,6 @@
70#include <openssl/dh.h> 70#include <openssl/dh.h>
71#endif 71#endif
72 72
73#ifdef OPENSSL_FIPS
74#include <openssl/fips.h>
75#endif
76
77const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT; 73const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
78 74
79static const DSA_METHOD *default_DSA_method = NULL; 75static const DSA_METHOD *default_DSA_method = NULL;
@@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void)
87 { 83 {
88 if(!default_DSA_method) 84 if(!default_DSA_method)
89 { 85 {
90#ifdef OPENSSL_FIPS
91 if (FIPS_mode())
92 return FIPS_dsa_openssl();
93 else
94 return DSA_OpenSSL();
95#else
96 default_DSA_method = DSA_OpenSSL(); 86 default_DSA_method = DSA_OpenSSL();
97#endif
98 } 87 }
99 return default_DSA_method; 88 return default_DSA_method;
100 } 89 }
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index c3cc3642ce..e02365a8b1 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -65,27 +65,11 @@
65 65
66DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) 66DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
67 { 67 {
68#ifdef OPENSSL_FIPS
69 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
70 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
71 {
72 DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
73 return NULL;
74 }
75#endif
76 return dsa->meth->dsa_do_sign(dgst, dlen, dsa); 68 return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
77 } 69 }
78 70
79int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 71int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
80 { 72 {
81#ifdef OPENSSL_FIPS
82 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
83 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
84 {
85 DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
86 return 0;
87 }
88#endif
89 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); 73 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
90 } 74 }
91 75
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 674cb5fa5f..286ed28cfa 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,13 +64,5 @@
64int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 64int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
65 DSA *dsa) 65 DSA *dsa)
66 { 66 {
67#ifdef OPENSSL_FIPS
68 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
69 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
70 {
71 DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
72 return -1;
73 }
74#endif
75 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); 67 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
76 } 68 }
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
index e0e59c7d82..0cf681fa9d 100644
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -73,16 +73,8 @@
73 73
74#ifndef OPENSSL_NO_EC2M 74#ifndef OPENSSL_NO_EC2M
75 75
76#ifdef OPENSSL_FIPS
77#include <openssl/fips.h>
78#endif
79
80
81const EC_METHOD *EC_GF2m_simple_method(void) 76const EC_METHOD *EC_GF2m_simple_method(void)
82 { 77 {
83#ifdef OPENSSL_FIPS
84 return fips_ec_gf2m_simple_method();
85#else
86 static const EC_METHOD ret = { 78 static const EC_METHOD ret = {
87 EC_FLAGS_DEFAULT_OCT, 79 EC_FLAGS_DEFAULT_OCT,
88 NID_X9_62_characteristic_two_field, 80 NID_X9_62_characteristic_two_field,
@@ -126,7 +118,6 @@ const EC_METHOD *EC_GF2m_simple_method(void)
126 0 /* field_set_to_one */ }; 118 0 /* field_set_to_one */ };
127 119
128 return &ret; 120 return &ret;
129#endif
130 } 121 }
131 122
132 123
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 7fa247593d..d528601036 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -64,9 +64,6 @@
64#include <string.h> 64#include <string.h>
65#include "ec_lcl.h" 65#include "ec_lcl.h"
66#include <openssl/err.h> 66#include <openssl/err.h>
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70 67
71EC_KEY *EC_KEY_new(void) 68EC_KEY *EC_KEY_new(void)
72 { 69 {
@@ -241,11 +238,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
241 BIGNUM *priv_key = NULL, *order = NULL; 238 BIGNUM *priv_key = NULL, *order = NULL;
242 EC_POINT *pub_key = NULL; 239 EC_POINT *pub_key = NULL;
243 240
244#ifdef OPENSSL_FIPS
245 if (FIPS_mode())
246 return FIPS_ec_key_generate_key(eckey);
247#endif
248
249 if (!eckey || !eckey->group) 241 if (!eckey || !eckey->group)
250 { 242 {
251 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); 243 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
index f04f132c7a..cee0fee12a 100644
--- a/src/lib/libcrypto/ec/ecp_mont.c
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -63,18 +63,11 @@
63 63
64#include <openssl/err.h> 64#include <openssl/err.h>
65 65
66#ifdef OPENSSL_FIPS
67#include <openssl/fips.h>
68#endif
69
70#include "ec_lcl.h" 66#include "ec_lcl.h"
71 67
72 68
73const EC_METHOD *EC_GFp_mont_method(void) 69const EC_METHOD *EC_GFp_mont_method(void)
74 { 70 {
75#ifdef OPENSSL_FIPS
76 return fips_ec_gfp_mont_method();
77#else
78 static const EC_METHOD ret = { 71 static const EC_METHOD ret = {
79 EC_FLAGS_DEFAULT_OCT, 72 EC_FLAGS_DEFAULT_OCT,
80 NID_X9_62_prime_field, 73 NID_X9_62_prime_field,
@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void)
115 ec_GFp_mont_field_set_to_one }; 108 ec_GFp_mont_field_set_to_one };
116 109
117 return &ret; 110 return &ret;
118#endif
119 } 111 }
120 112
121 113
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
index aad2d5f443..ac5b814238 100644
--- a/src/lib/libcrypto/ec/ecp_nist.c
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -67,15 +67,8 @@
67#include <openssl/obj_mac.h> 67#include <openssl/obj_mac.h>
68#include "ec_lcl.h" 68#include "ec_lcl.h"
69 69
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73
74const EC_METHOD *EC_GFp_nist_method(void) 70const EC_METHOD *EC_GFp_nist_method(void)
75 { 71 {
76#ifdef OPENSSL_FIPS
77 return fips_ec_gfp_nist_method();
78#else
79 static const EC_METHOD ret = { 72 static const EC_METHOD ret = {
80 EC_FLAGS_DEFAULT_OCT, 73 EC_FLAGS_DEFAULT_OCT,
81 NID_X9_62_prime_field, 74 NID_X9_62_prime_field,
@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void)
116 0 /* field_set_to_one */ }; 109 0 /* field_set_to_one */ };
117 110
118 return &ret; 111 return &ret;
119#endif
120 } 112 }
121 113
122int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) 114int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index cd05fd1251..bf0ad998dd 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -64,17 +64,10 @@
64 64
65#include <openssl/err.h> 65#include <openssl/err.h>
66 66
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70
71#include "ec_lcl.h" 67#include "ec_lcl.h"
72 68
73const EC_METHOD *EC_GFp_simple_method(void) 69const EC_METHOD *EC_GFp_simple_method(void)
74 { 70 {
75#ifdef OPENSSL_FIPS
76 return fips_ec_gfp_simple_method();
77#else
78 static const EC_METHOD ret = { 71 static const EC_METHOD ret = {
79 EC_FLAGS_DEFAULT_OCT, 72 EC_FLAGS_DEFAULT_OCT,
80 NID_X9_62_prime_field, 73 NID_X9_62_prime_field,
@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_simple_method(void)
115 0 /* field_set_to_one */ }; 108 0 /* field_set_to_one */ };
116 109
117 return &ret; 110 return &ret;
118#endif
119 } 111 }
120 112
121 113
diff --git a/src/lib/libcrypto/ecdh/ech_lib.c b/src/lib/libcrypto/ecdh/ech_lib.c
index 0644431b75..ddf226b166 100644
--- a/src/lib/libcrypto/ecdh/ech_lib.c
+++ b/src/lib/libcrypto/ecdh/ech_lib.c
@@ -73,9 +73,6 @@
73#include <openssl/engine.h> 73#include <openssl/engine.h>
74#endif 74#endif
75#include <openssl/err.h> 75#include <openssl/err.h>
76#ifdef OPENSSL_FIPS
77#include <openssl/fips.h>
78#endif
79 76
80const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT; 77const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT;
81 78
@@ -94,14 +91,7 @@ const ECDH_METHOD *ECDH_get_default_method(void)
94 { 91 {
95 if(!default_ECDH_method) 92 if(!default_ECDH_method)
96 { 93 {
97#ifdef OPENSSL_FIPS
98 if (FIPS_mode())
99 return FIPS_ecdh_openssl();
100 else
101 return ECDH_OpenSSL();
102#else
103 default_ECDH_method = ECDH_OpenSSL(); 94 default_ECDH_method = ECDH_OpenSSL();
104#endif
105 } 95 }
106 return default_ECDH_method; 96 return default_ECDH_method;
107 } 97 }
@@ -234,15 +224,6 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
234 } 224 }
235 else 225 else
236 ecdh_data = (ECDH_DATA *)data; 226 ecdh_data = (ECDH_DATA *)data;
237#ifdef OPENSSL_FIPS
238 if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD)
239 && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
240 {
241 ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD);
242 return NULL;
243 }
244#endif
245
246 227
247 return ecdh_data; 228 return ecdh_data;
248 } 229 }
diff --git a/src/lib/libcrypto/ecdsa/ecs_lib.c b/src/lib/libcrypto/ecdsa/ecs_lib.c
index 814a6bf404..7b53969ffd 100644
--- a/src/lib/libcrypto/ecdsa/ecs_lib.c
+++ b/src/lib/libcrypto/ecdsa/ecs_lib.c
@@ -60,9 +60,6 @@
60#endif 60#endif
61#include <openssl/err.h> 61#include <openssl/err.h>
62#include <openssl/bn.h> 62#include <openssl/bn.h>
63#ifdef OPENSSL_FIPS
64#include <openssl/fips.h>
65#endif
66 63
67const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT; 64const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT;
68 65
@@ -81,14 +78,7 @@ const ECDSA_METHOD *ECDSA_get_default_method(void)
81{ 78{
82 if(!default_ECDSA_method) 79 if(!default_ECDSA_method)
83 { 80 {
84#ifdef OPENSSL_FIPS
85 if (FIPS_mode())
86 return FIPS_ecdsa_openssl();
87 else
88 return ECDSA_OpenSSL();
89#else
90 default_ECDSA_method = ECDSA_OpenSSL(); 81 default_ECDSA_method = ECDSA_OpenSSL();
91#endif
92 } 82 }
93 return default_ECDSA_method; 83 return default_ECDSA_method;
94} 84}
@@ -212,14 +202,6 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
212 } 202 }
213 else 203 else
214 ecdsa_data = (ECDSA_DATA *)data; 204 ecdsa_data = (ECDSA_DATA *)data;
215#ifdef OPENSSL_FIPS
216 if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD)
217 && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
218 {
219 ECDSAerr(ECDSA_F_ECDSA_CHECK, ECDSA_R_NON_FIPS_METHOD);
220 return NULL;
221 }
222#endif
223 205
224 return ecdsa_data; 206 return ecdsa_data;
225} 207}
diff --git a/src/lib/libcrypto/err/err_all.c b/src/lib/libcrypto/err/err_all.c
index 8eb547d98d..1c4eccd251 100644
--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -97,9 +97,6 @@
97#include <openssl/ui.h> 97#include <openssl/ui.h>
98#include <openssl/ocsp.h> 98#include <openssl/ocsp.h>
99#include <openssl/err.h> 99#include <openssl/err.h>
100#ifdef OPENSSL_FIPS
101#include <openssl/fips.h>
102#endif
103#include <openssl/ts.h> 100#include <openssl/ts.h>
104#ifndef OPENSSL_NO_CMS 101#ifndef OPENSSL_NO_CMS
105#include <openssl/cms.h> 102#include <openssl/cms.h>
@@ -155,9 +152,6 @@ void ERR_load_crypto_strings(void)
155#endif 152#endif
156 ERR_load_OCSP_strings(); 153 ERR_load_OCSP_strings();
157 ERR_load_UI_strings(); 154 ERR_load_UI_strings();
158#ifdef OPENSSL_FIPS
159 ERR_load_FIPS_strings();
160#endif
161#ifndef OPENSSL_NO_CMS 155#ifndef OPENSSL_NO_CMS
162 ERR_load_CMS_strings(); 156 ERR_load_CMS_strings();
163#endif 157#endif
diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile
index 3982f49f81..f94a28d383 100644
--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
28 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ 28 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
29 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ 29 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
30 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \ 30 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
31 e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \ 31 e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
32 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c 32 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
33 33
34LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ 34LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
@@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
41 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ 41 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
42 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ 42 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
43 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \ 43 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
44 e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \ 44 e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
45 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o 45 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
46 46
47SRC= $(LIBSRC) 47SRC= $(LIBSRC)
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index d14e8e48d5..782d3199a5 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -117,10 +117,6 @@
117#include <openssl/engine.h> 117#include <openssl/engine.h>
118#endif 118#endif
119 119
120#ifdef OPENSSL_FIPS
121#include <openssl/fips.h>
122#endif
123
124void EVP_MD_CTX_init(EVP_MD_CTX *ctx) 120void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
125 { 121 {
126 memset(ctx,'\0',sizeof *ctx); 122 memset(ctx,'\0',sizeof *ctx);
@@ -229,26 +225,12 @@ skip_to_init:
229 } 225 }
230 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) 226 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
231 return 1; 227 return 1;
232#ifdef OPENSSL_FIPS
233 if (FIPS_mode())
234 {
235 if (FIPS_digestinit(ctx, type))
236 return 1;
237 OPENSSL_free(ctx->md_data);
238 ctx->md_data = NULL;
239 return 0;
240 }
241#endif
242 return ctx->digest->init(ctx); 228 return ctx->digest->init(ctx);
243 } 229 }
244 230
245int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) 231int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
246 { 232 {
247#ifdef OPENSSL_FIPS
248 return FIPS_digestupdate(ctx, data, count);
249#else
250 return ctx->update(ctx,data,count); 233 return ctx->update(ctx,data,count);
251#endif
252 } 234 }
253 235
254/* The caller can assume that this removes any secret data from the context */ 236/* The caller can assume that this removes any secret data from the context */
@@ -263,9 +245,6 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
263/* The caller can assume that this removes any secret data from the context */ 245/* The caller can assume that this removes any secret data from the context */
264int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) 246int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
265 { 247 {
266#ifdef OPENSSL_FIPS
267 return FIPS_digestfinal(ctx, md, size);
268#else
269 int ret; 248 int ret;
270 249
271 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); 250 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
@@ -279,7 +258,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
279 } 258 }
280 memset(ctx->md_data,0,ctx->digest->ctx_size); 259 memset(ctx->md_data,0,ctx->digest->ctx_size);
281 return ret; 260 return ret;
282#endif
283 } 261 }
284 262
285int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) 263int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
@@ -376,7 +354,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
376/* This call frees resources associated with the context */ 354/* This call frees resources associated with the context */
377int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) 355int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
378 { 356 {
379#ifndef OPENSSL_FIPS
380 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, 357 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
381 * because sometimes only copies of the context are ever finalised. 358 * because sometimes only copies of the context are ever finalised.
382 */ 359 */
@@ -389,7 +366,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
389 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); 366 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
390 OPENSSL_free(ctx->md_data); 367 OPENSSL_free(ctx->md_data);
391 } 368 }
392#endif
393 if (ctx->pctx) 369 if (ctx->pctx)
394 EVP_PKEY_CTX_free(ctx->pctx); 370 EVP_PKEY_CTX_free(ctx->pctx);
395#ifndef OPENSSL_NO_ENGINE 371#ifndef OPENSSL_NO_ENGINE
@@ -398,9 +374,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
398 * functional reference we held for this reason. */ 374 * functional reference we held for this reason. */
399 ENGINE_finish(ctx->engine); 375 ENGINE_finish(ctx->engine);
400#endif 376#endif
401#ifdef OPENSSL_FIPS
402 FIPS_md_ctx_cleanup(ctx);
403#endif
404 memset(ctx,'\0',sizeof *ctx); 377 memset(ctx,'\0',sizeof *ctx);
405 378
406 return 1; 379 return 1;
diff --git a/src/lib/libcrypto/evp/e_null.c b/src/lib/libcrypto/evp/e_null.c
index f0c1f78b5f..98a78499f9 100644
--- a/src/lib/libcrypto/evp/e_null.c
+++ b/src/lib/libcrypto/evp/e_null.c
@@ -61,8 +61,6 @@
61#include <openssl/evp.h> 61#include <openssl/evp.h>
62#include <openssl/objects.h> 62#include <openssl/objects.h>
63 63
64#ifndef OPENSSL_FIPS
65
66static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 64static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
67 const unsigned char *iv,int enc); 65 const unsigned char *iv,int enc);
68static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 66static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
101 memcpy((char *)out,(const char *)in,inl); 99 memcpy((char *)out,(const char *)in,inl);
102 return 1; 100 return 1;
103 } 101 }
104#endif
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 0c54f05e6e..50403a7578 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -64,17 +64,9 @@
64#ifndef OPENSSL_NO_ENGINE 64#ifndef OPENSSL_NO_ENGINE
65#include <openssl/engine.h> 65#include <openssl/engine.h>
66#endif 66#endif
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70#include "evp_locl.h" 67#include "evp_locl.h"
71 68
72#ifdef OPENSSL_FIPS
73#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
74#else
75#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl) 69#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
76#endif
77
78 70
79const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; 71const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
80 72
@@ -169,10 +161,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
169 ctx->engine = NULL; 161 ctx->engine = NULL;
170#endif 162#endif
171 163
172#ifdef OPENSSL_FIPS
173 if (FIPS_mode())
174 return FIPS_cipherinit(ctx, cipher, key, iv, enc);
175#endif
176 ctx->cipher=cipher; 164 ctx->cipher=cipher;
177 if (ctx->cipher->ctx_size) 165 if (ctx->cipher->ctx_size)
178 { 166 {
@@ -206,10 +194,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
206#ifndef OPENSSL_NO_ENGINE 194#ifndef OPENSSL_NO_ENGINE
207skip_to_init: 195skip_to_init:
208#endif 196#endif
209#ifdef OPENSSL_FIPS
210 if (FIPS_mode())
211 return FIPS_cipherinit(ctx, cipher, key, iv, enc);
212#endif
213 /* we assume block size is a power of 2 in *cryptUpdate */ 197 /* we assume block size is a power of 2 in *cryptUpdate */
214 OPENSSL_assert(ctx->cipher->block_size == 1 198 OPENSSL_assert(ctx->cipher->block_size == 1
215 || ctx->cipher->block_size == 8 199 || ctx->cipher->block_size == 8
@@ -568,7 +552,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
568 552
569int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) 553int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
570 { 554 {
571#ifndef OPENSSL_FIPS
572 if (c->cipher != NULL) 555 if (c->cipher != NULL)
573 { 556 {
574 if(c->cipher->cleanup && !c->cipher->cleanup(c)) 557 if(c->cipher->cleanup && !c->cipher->cleanup(c))
@@ -579,16 +562,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
579 } 562 }
580 if (c->cipher_data) 563 if (c->cipher_data)
581 OPENSSL_free(c->cipher_data); 564 OPENSSL_free(c->cipher_data);
582#endif
583#ifndef OPENSSL_NO_ENGINE 565#ifndef OPENSSL_NO_ENGINE
584 if (c->engine) 566 if (c->engine)
585 /* The EVP_CIPHER we used belongs to an ENGINE, release the 567 /* The EVP_CIPHER we used belongs to an ENGINE, release the
586 * functional reference we held for this reason. */ 568 * functional reference we held for this reason. */
587 ENGINE_finish(c->engine); 569 ENGINE_finish(c->engine);
588#endif 570#endif
589#ifdef OPENSSL_FIPS
590 FIPS_cipher_ctx_cleanup(c);
591#endif
592 memset(c,0,sizeof(EVP_CIPHER_CTX)); 571 memset(c,0,sizeof(EVP_CIPHER_CTX));
593 return 1; 572 return 1;
594 } 573 }
diff --git a/src/lib/libcrypto/evp/evp_fips.c b/src/lib/libcrypto/evp/evp_fips.c
deleted file mode 100644
index cb7f4fc0fa..0000000000
--- a/src/lib/libcrypto/evp/evp_fips.c
+++ /dev/null
@@ -1,113 +0,0 @@
1/* crypto/evp/evp_fips.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54
55#include <openssl/evp.h>
56
57#ifdef OPENSSL_FIPS
58#include <openssl/fips.h>
59
60const EVP_CIPHER *EVP_aes_128_cbc(void) { return FIPS_evp_aes_128_cbc(); }
61const EVP_CIPHER *EVP_aes_128_ccm(void) { return FIPS_evp_aes_128_ccm(); }
62const EVP_CIPHER *EVP_aes_128_cfb1(void) { return FIPS_evp_aes_128_cfb1(); }
63const EVP_CIPHER *EVP_aes_128_cfb128(void) { return FIPS_evp_aes_128_cfb128(); }
64const EVP_CIPHER *EVP_aes_128_cfb8(void) { return FIPS_evp_aes_128_cfb8(); }
65const EVP_CIPHER *EVP_aes_128_ctr(void) { return FIPS_evp_aes_128_ctr(); }
66const EVP_CIPHER *EVP_aes_128_ecb(void) { return FIPS_evp_aes_128_ecb(); }
67const EVP_CIPHER *EVP_aes_128_gcm(void) { return FIPS_evp_aes_128_gcm(); }
68const EVP_CIPHER *EVP_aes_128_ofb(void) { return FIPS_evp_aes_128_ofb(); }
69const EVP_CIPHER *EVP_aes_128_xts(void) { return FIPS_evp_aes_128_xts(); }
70const EVP_CIPHER *EVP_aes_192_cbc(void) { return FIPS_evp_aes_192_cbc(); }
71const EVP_CIPHER *EVP_aes_192_ccm(void) { return FIPS_evp_aes_192_ccm(); }
72const EVP_CIPHER *EVP_aes_192_cfb1(void) { return FIPS_evp_aes_192_cfb1(); }
73const EVP_CIPHER *EVP_aes_192_cfb128(void) { return FIPS_evp_aes_192_cfb128(); }
74const EVP_CIPHER *EVP_aes_192_cfb8(void) { return FIPS_evp_aes_192_cfb8(); }
75const EVP_CIPHER *EVP_aes_192_ctr(void) { return FIPS_evp_aes_192_ctr(); }
76const EVP_CIPHER *EVP_aes_192_ecb(void) { return FIPS_evp_aes_192_ecb(); }
77const EVP_CIPHER *EVP_aes_192_gcm(void) { return FIPS_evp_aes_192_gcm(); }
78const EVP_CIPHER *EVP_aes_192_ofb(void) { return FIPS_evp_aes_192_ofb(); }
79const EVP_CIPHER *EVP_aes_256_cbc(void) { return FIPS_evp_aes_256_cbc(); }
80const EVP_CIPHER *EVP_aes_256_ccm(void) { return FIPS_evp_aes_256_ccm(); }
81const EVP_CIPHER *EVP_aes_256_cfb1(void) { return FIPS_evp_aes_256_cfb1(); }
82const EVP_CIPHER *EVP_aes_256_cfb128(void) { return FIPS_evp_aes_256_cfb128(); }
83const EVP_CIPHER *EVP_aes_256_cfb8(void) { return FIPS_evp_aes_256_cfb8(); }
84const EVP_CIPHER *EVP_aes_256_ctr(void) { return FIPS_evp_aes_256_ctr(); }
85const EVP_CIPHER *EVP_aes_256_ecb(void) { return FIPS_evp_aes_256_ecb(); }
86const EVP_CIPHER *EVP_aes_256_gcm(void) { return FIPS_evp_aes_256_gcm(); }
87const EVP_CIPHER *EVP_aes_256_ofb(void) { return FIPS_evp_aes_256_ofb(); }
88const EVP_CIPHER *EVP_aes_256_xts(void) { return FIPS_evp_aes_256_xts(); }
89const EVP_CIPHER *EVP_des_ede(void) { return FIPS_evp_des_ede(); }
90const EVP_CIPHER *EVP_des_ede3(void) { return FIPS_evp_des_ede3(); }
91const EVP_CIPHER *EVP_des_ede3_cbc(void) { return FIPS_evp_des_ede3_cbc(); }
92const EVP_CIPHER *EVP_des_ede3_cfb1(void) { return FIPS_evp_des_ede3_cfb1(); }
93const EVP_CIPHER *EVP_des_ede3_cfb64(void) { return FIPS_evp_des_ede3_cfb64(); }
94const EVP_CIPHER *EVP_des_ede3_cfb8(void) { return FIPS_evp_des_ede3_cfb8(); }
95const EVP_CIPHER *EVP_des_ede3_ecb(void) { return FIPS_evp_des_ede3_ecb(); }
96const EVP_CIPHER *EVP_des_ede3_ofb(void) { return FIPS_evp_des_ede3_ofb(); }
97const EVP_CIPHER *EVP_des_ede_cbc(void) { return FIPS_evp_des_ede_cbc(); }
98const EVP_CIPHER *EVP_des_ede_cfb64(void) { return FIPS_evp_des_ede_cfb64(); }
99const EVP_CIPHER *EVP_des_ede_ecb(void) { return FIPS_evp_des_ede_ecb(); }
100const EVP_CIPHER *EVP_des_ede_ofb(void) { return FIPS_evp_des_ede_ofb(); }
101const EVP_CIPHER *EVP_enc_null(void) { return FIPS_evp_enc_null(); }
102
103const EVP_MD *EVP_sha1(void) { return FIPS_evp_sha1(); }
104const EVP_MD *EVP_sha224(void) { return FIPS_evp_sha224(); }
105const EVP_MD *EVP_sha256(void) { return FIPS_evp_sha256(); }
106const EVP_MD *EVP_sha384(void) { return FIPS_evp_sha384(); }
107const EVP_MD *EVP_sha512(void) { return FIPS_evp_sha512(); }
108
109const EVP_MD *EVP_dss(void) { return FIPS_evp_dss(); }
110const EVP_MD *EVP_dss1(void) { return FIPS_evp_dss1(); }
111const EVP_MD *EVP_ecdsa(void) { return FIPS_evp_ecdsa(); }
112
113#endif
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index 08c0a66d39..9e71f39a47 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -347,39 +347,3 @@ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
347int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, 347int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
348 ASN1_TYPE *param, 348 ASN1_TYPE *param,
349 const EVP_CIPHER *c, const EVP_MD *md, int en_de); 349 const EVP_CIPHER *c, const EVP_MD *md, int en_de);
350
351#ifdef OPENSSL_FIPS
352
353#ifdef OPENSSL_DOING_MAKEDEPEND
354#undef SHA1_Init
355#undef SHA1_Update
356#undef SHA224_Init
357#undef SHA256_Init
358#undef SHA384_Init
359#undef SHA512_Init
360#undef DES_set_key_unchecked
361#endif
362
363#define RIPEMD160_Init private_RIPEMD160_Init
364#define WHIRLPOOL_Init private_WHIRLPOOL_Init
365#define MD5_Init private_MD5_Init
366#define MD4_Init private_MD4_Init
367#define MD2_Init private_MD2_Init
368#define MDC2_Init private_MDC2_Init
369#define SHA_Init private_SHA_Init
370#define SHA1_Init private_SHA1_Init
371#define SHA224_Init private_SHA224_Init
372#define SHA256_Init private_SHA256_Init
373#define SHA384_Init private_SHA384_Init
374#define SHA512_Init private_SHA512_Init
375
376#define BF_set_key private_BF_set_key
377#define CAST_set_key private_CAST_set_key
378#define idea_set_encrypt_key private_idea_set_encrypt_key
379#define SEED_set_key private_SEED_set_key
380#define RC2_set_key private_RC2_set_key
381#define RC4_set_key private_RC4_set_key
382#define DES_set_key_unchecked private_DES_set_key_unchecked
383#define Camellia_set_key private_Camellia_set_key
384
385#endif
diff --git a/src/lib/libcrypto/evp/m_dss.c b/src/lib/libcrypto/evp/m_dss.c
index 6fb7e9a861..89ea5b7a6d 100644
--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -66,7 +66,6 @@
66#endif 66#endif
67 67
68#ifndef OPENSSL_NO_SHA 68#ifndef OPENSSL_NO_SHA
69#ifndef OPENSSL_FIPS
70 69
71static int init(EVP_MD_CTX *ctx) 70static int init(EVP_MD_CTX *ctx)
72 { return SHA1_Init(ctx->md_data); } 71 { return SHA1_Init(ctx->md_data); }
@@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void)
98 return(&dsa_md); 97 return(&dsa_md);
99 } 98 }
100#endif 99#endif
101#endif
diff --git a/src/lib/libcrypto/evp/m_dss1.c b/src/lib/libcrypto/evp/m_dss1.c
index 2df362a670..a010103b7a 100644
--- a/src/lib/libcrypto/evp/m_dss1.c
+++ b/src/lib/libcrypto/evp/m_dss1.c
@@ -68,8 +68,6 @@
68#include <openssl/dsa.h> 68#include <openssl/dsa.h>
69#endif 69#endif
70 70
71#ifndef OPENSSL_FIPS
72
73static int init(EVP_MD_CTX *ctx) 71static int init(EVP_MD_CTX *ctx)
74 { return SHA1_Init(ctx->md_data); } 72 { return SHA1_Init(ctx->md_data); }
75 73
@@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void)
100 return(&dss1_md); 98 return(&dss1_md);
101 } 99 }
102#endif 100#endif
103#endif
diff --git a/src/lib/libcrypto/evp/m_ecdsa.c b/src/lib/libcrypto/evp/m_ecdsa.c
index 4b15fb0f6c..a6ed24b0b6 100644
--- a/src/lib/libcrypto/evp/m_ecdsa.c
+++ b/src/lib/libcrypto/evp/m_ecdsa.c
@@ -116,7 +116,6 @@
116#include <openssl/x509.h> 116#include <openssl/x509.h>
117 117
118#ifndef OPENSSL_NO_SHA 118#ifndef OPENSSL_NO_SHA
119#ifndef OPENSSL_FIPS
120 119
121static int init(EVP_MD_CTX *ctx) 120static int init(EVP_MD_CTX *ctx)
122 { return SHA1_Init(ctx->md_data); } 121 { return SHA1_Init(ctx->md_data); }
@@ -148,4 +147,3 @@ const EVP_MD *EVP_ecdsa(void)
148 return(&ecdsa_md); 147 return(&ecdsa_md);
149 } 148 }
150#endif 149#endif
151#endif
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index bd0c01ad3c..f39ae77925 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -59,8 +59,6 @@
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61 61
62#ifndef OPENSSL_FIPS
63
64#ifndef OPENSSL_NO_SHA 62#ifndef OPENSSL_NO_SHA
65 63
66#include <openssl/evp.h> 64#include <openssl/evp.h>
@@ -205,5 +203,3 @@ static const EVP_MD sha512_md=
205const EVP_MD *EVP_sha512(void) 203const EVP_MD *EVP_sha512(void)
206 { return(&sha512_md); } 204 { return(&sha512_md); }
207#endif /* ifndef OPENSSL_NO_SHA512 */ 205#endif /* ifndef OPENSSL_NO_SHA512 */
208
209#endif
diff --git a/src/lib/libcrypto/fips_ers.c b/src/lib/libcrypto/fips_ers.c
deleted file mode 100644
index 1788ed2884..0000000000
--- a/src/lib/libcrypto/fips_ers.c
+++ /dev/null
@@ -1,7 +0,0 @@
1#include <openssl/opensslconf.h>
2
3#ifdef OPENSSL_FIPS
4# include "fips_err.h"
5#else
6static void *dummy = &dummy;
7#endif
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index ba27cbf56f..6c98fc43a3 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -61,34 +61,12 @@
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include <openssl/hmac.h> 62#include <openssl/hmac.h>
63 63
64#ifdef OPENSSL_FIPS
65#include <openssl/fips.h>
66#endif
67
68int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, 64int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
69 const EVP_MD *md, ENGINE *impl) 65 const EVP_MD *md, ENGINE *impl)
70 { 66 {
71 int i,j,reset=0; 67 int i,j,reset=0;
72 unsigned char pad[HMAC_MAX_MD_CBLOCK]; 68 unsigned char pad[HMAC_MAX_MD_CBLOCK];
73 69
74#ifdef OPENSSL_FIPS
75 if (FIPS_mode())
76 {
77 /* If we have an ENGINE need to allow non FIPS */
78 if ((impl || ctx->i_ctx.engine)
79 && !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
80 {
81 EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
82 return 0;
83 }
84 /* Other algorithm blocking will be done in FIPS_cmac_init,
85 * via FIPS_hmac_init_ex().
86 */
87 if (!impl && !ctx->i_ctx.engine)
88 return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
89 }
90#endif
91
92 if (md != NULL) 70 if (md != NULL)
93 { 71 {
94 reset=1; 72 reset=1;
@@ -155,10 +133,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
155 133
156int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) 134int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
157 { 135 {
158#ifdef OPENSSL_FIPS
159 if (FIPS_mode() && !ctx->i_ctx.engine)
160 return FIPS_hmac_update(ctx, data, len);
161#endif
162 return EVP_DigestUpdate(&ctx->md_ctx,data,len); 136 return EVP_DigestUpdate(&ctx->md_ctx,data,len);
163 } 137 }
164 138
@@ -166,10 +140,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
166 { 140 {
167 unsigned int i; 141 unsigned int i;
168 unsigned char buf[EVP_MAX_MD_SIZE]; 142 unsigned char buf[EVP_MAX_MD_SIZE];
169#ifdef OPENSSL_FIPS
170 if (FIPS_mode() && !ctx->i_ctx.engine)
171 return FIPS_hmac_final(ctx, md, len);
172#endif
173 143
174 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i)) 144 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
175 goto err; 145 goto err;
@@ -209,13 +179,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
209 179
210void HMAC_CTX_cleanup(HMAC_CTX *ctx) 180void HMAC_CTX_cleanup(HMAC_CTX *ctx)
211 { 181 {
212#ifdef OPENSSL_FIPS
213 if (FIPS_mode() && !ctx->i_ctx.engine)
214 {
215 FIPS_hmac_ctx_cleanup(ctx);
216 return;
217 }
218#endif
219 EVP_MD_CTX_cleanup(&ctx->i_ctx); 182 EVP_MD_CTX_cleanup(&ctx->i_ctx);
220 EVP_MD_CTX_cleanup(&ctx->o_ctx); 183 EVP_MD_CTX_cleanup(&ctx->o_ctx);
221 EVP_MD_CTX_cleanup(&ctx->md_ctx); 184 EVP_MD_CTX_cleanup(&ctx->md_ctx);
diff --git a/src/lib/libcrypto/idea/i_skey.c b/src/lib/libcrypto/idea/i_skey.c
index afb830964d..244562e690 100644
--- a/src/lib/libcrypto/idea/i_skey.c
+++ b/src/lib/libcrypto/idea/i_skey.c
@@ -62,13 +62,6 @@
62 62
63static IDEA_INT inverse(unsigned int xin); 63static IDEA_INT inverse(unsigned int xin);
64void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks) 64void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
65#ifdef OPENSSL_FIPS
66 {
67 fips_cipher_abort(IDEA);
68 private_idea_set_encrypt_key(key, ks);
69 }
70void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
71#endif
72 { 65 {
73 int i; 66 int i;
74 register IDEA_INT *kt,*kf,r0,r1,r2; 67 register IDEA_INT *kt,*kf,r0,r1,r2;
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index e9a1e7f1a5..5782e54b0f 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -83,9 +83,6 @@ typedef struct idea_key_st
83const char *idea_options(void); 83const char *idea_options(void);
84void idea_ecb_encrypt(const unsigned char *in, unsigned char *out, 84void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
85 IDEA_KEY_SCHEDULE *ks); 85 IDEA_KEY_SCHEDULE *ks);
86#ifdef OPENSSL_FIPS
87void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
88#endif
89void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); 86void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
90void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); 87void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
91void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, 88void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/src/lib/libcrypto/md2/md2.h b/src/lib/libcrypto/md2/md2.h
index d59c9f2593..a46120e7d4 100644
--- a/src/lib/libcrypto/md2/md2.h
+++ b/src/lib/libcrypto/md2/md2.h
@@ -81,9 +81,6 @@ typedef struct MD2state_st
81 } MD2_CTX; 81 } MD2_CTX;
82 82
83const char *MD2_options(void); 83const char *MD2_options(void);
84#ifdef OPENSSL_FIPS
85int private_MD2_Init(MD2_CTX *c);
86#endif
87int MD2_Init(MD2_CTX *c); 84int MD2_Init(MD2_CTX *c);
88int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); 85int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
89int MD2_Final(unsigned char *md, MD2_CTX *c); 86int MD2_Final(unsigned char *md, MD2_CTX *c);
diff --git a/src/lib/libcrypto/md4/md4.h b/src/lib/libcrypto/md4/md4.h
index a55368a790..c3ed9b3f75 100644
--- a/src/lib/libcrypto/md4/md4.h
+++ b/src/lib/libcrypto/md4/md4.h
@@ -105,9 +105,6 @@ typedef struct MD4state_st
105 unsigned int num; 105 unsigned int num;
106 } MD4_CTX; 106 } MD4_CTX;
107 107
108#ifdef OPENSSL_FIPS
109int private_MD4_Init(MD4_CTX *c);
110#endif
111int MD4_Init(MD4_CTX *c); 108int MD4_Init(MD4_CTX *c);
112int MD4_Update(MD4_CTX *c, const void *data, size_t len); 109int MD4_Update(MD4_CTX *c, const void *data, size_t len);
113int MD4_Final(unsigned char *md, MD4_CTX *c); 110int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/src/lib/libcrypto/md5/md5.h b/src/lib/libcrypto/md5/md5.h
index 541cc925fe..4cbf84386b 100644
--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -105,9 +105,6 @@ typedef struct MD5state_st
105 unsigned int num; 105 unsigned int num;
106 } MD5_CTX; 106 } MD5_CTX;
107 107
108#ifdef OPENSSL_FIPS
109int private_MD5_Init(MD5_CTX *c);
110#endif
111int MD5_Init(MD5_CTX *c); 108int MD5_Init(MD5_CTX *c);
112int MD5_Update(MD5_CTX *c, const void *data, size_t len); 109int MD5_Update(MD5_CTX *c, const void *data, size_t len);
113int MD5_Final(unsigned char *md, MD5_CTX *c); 110int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/src/lib/libcrypto/mdc2/mdc2.h b/src/lib/libcrypto/mdc2/mdc2.h
index f3e8e579d2..72778a5212 100644
--- a/src/lib/libcrypto/mdc2/mdc2.h
+++ b/src/lib/libcrypto/mdc2/mdc2.h
@@ -81,9 +81,6 @@ typedef struct mdc2_ctx_st
81 } MDC2_CTX; 81 } MDC2_CTX;
82 82
83 83
84#ifdef OPENSSL_FIPS
85int private_MDC2_Init(MDC2_CTX *c);
86#endif
87int MDC2_Init(MDC2_CTX *c); 84int MDC2_Init(MDC2_CTX *c);
88int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); 85int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
89int MDC2_Final(unsigned char *md, MDC2_CTX *c); 86int MDC2_Final(unsigned char *md, MDC2_CTX *c);
diff --git a/src/lib/libcrypto/o_fips.c b/src/lib/libcrypto/o_fips.c
index 9c185cfb18..43312ae23f 100644
--- a/src/lib/libcrypto/o_fips.c
+++ b/src/lib/libcrypto/o_fips.c
@@ -56,42 +56,20 @@
56 */ 56 */
57 57
58#include "cryptlib.h" 58#include "cryptlib.h"
59#ifdef OPENSSL_FIPS
60#include <openssl/fips.h>
61#include <openssl/fips_rand.h>
62#include <openssl/rand.h>
63#endif
64 59
65int 60int
66FIPS_mode(void) 61FIPS_mode(void)
67{ 62{
68 OPENSSL_init(); 63 OPENSSL_init();
69#ifdef OPENSSL_FIPS
70 return FIPS_module_mode();
71#else
72 return 0; 64 return 0;
73#endif
74} 65}
75 66
76int 67int
77FIPS_mode_set(int r) 68FIPS_mode_set(int r)
78{ 69{
79 OPENSSL_init(); 70 OPENSSL_init();
80#ifdef OPENSSL_FIPS
81#ifndef FIPS_AUTH_USER_PASS
82#define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
83#endif
84 if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
85 return 0;
86 if (r)
87 RAND_set_rand_method(FIPS_rand_get_method());
88 else
89 RAND_set_rand_method(NULL);
90 return 1;
91#else
92 if (r == 0) 71 if (r == 0)
93 return 1; 72 return 1;
94 CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); 73 CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
95 return 0; 74 return 0;
96#endif
97} 75}
diff --git a/src/lib/libcrypto/o_init.c b/src/lib/libcrypto/o_init.c
index 07c8e0d694..5e905d9315 100644
--- a/src/lib/libcrypto/o_init.c
+++ b/src/lib/libcrypto/o_init.c
@@ -54,10 +54,6 @@
54 54
55#include <e_os.h> 55#include <e_os.h>
56#include <openssl/err.h> 56#include <openssl/err.h>
57#ifdef OPENSSL_FIPS
58#include <openssl/fips.h>
59#include <openssl/rand.h>
60#endif
61 57
62/* Perform any essential OpenSSL initialization operations. 58/* Perform any essential OpenSSL initialization operations.
63 * Currently only sets FIPS callbacks 59 * Currently only sets FIPS callbacks
@@ -70,12 +66,6 @@ OPENSSL_init(void)
70 if (done) 66 if (done)
71 return; 67 return;
72 done = 1; 68 done = 1;
73#ifdef OPENSSL_FIPS
74 FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
75 FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
76 FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
77 RAND_init_fips();
78#endif
79#if 0 69#if 0
80 fprintf(stderr, "Called OPENSSL_init\n"); 70 fprintf(stderr, "Called OPENSSL_init\n");
81#endif 71#endif
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index ebe7180723..7ba6281f28 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -26,11 +26,7 @@
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x1000107fL 28#define OPENSSL_VERSION_NUMBER 0x1000107fL
29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014"
31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014" 29#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014"
33#endif
34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 30#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
35 31
36 32
diff --git a/src/lib/libcrypto/pem/pem_all.c b/src/lib/libcrypto/pem/pem_all.c
index eac0460e3e..6ff6be7fbe 100644
--- a/src/lib/libcrypto/pem/pem_all.c
+++ b/src/lib/libcrypto/pem/pem_all.c
@@ -193,61 +193,8 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
193 193
194#endif 194#endif
195 195
196#ifdef OPENSSL_FIPS
197
198int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
199 unsigned char *kstr, int klen,
200 pem_password_cb *cb, void *u)
201{
202 if (FIPS_mode())
203 {
204 EVP_PKEY *k;
205 int ret;
206 k = EVP_PKEY_new();
207 if (!k)
208 return 0;
209 EVP_PKEY_set1_RSA(k, x);
210
211 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
212 EVP_PKEY_free(k);
213 return ret;
214 }
215 else
216 return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
217 PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u);
218}
219
220#ifndef OPENSSL_NO_FP_API
221int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
222 unsigned char *kstr, int klen,
223 pem_password_cb *cb, void *u)
224{
225 if (FIPS_mode())
226 {
227 EVP_PKEY *k;
228 int ret;
229 k = EVP_PKEY_new();
230 if (!k)
231 return 0;
232
233 EVP_PKEY_set1_RSA(k, x);
234
235 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
236 EVP_PKEY_free(k);
237 return ret;
238 }
239 else
240 return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
241 PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u);
242}
243#endif
244
245#else
246
247IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) 196IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
248 197
249#endif
250
251IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) 198IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
252IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) 199IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
253 200
@@ -277,59 +224,8 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
277 return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ 224 return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
278} 225}
279 226
280#ifdef OPENSSL_FIPS
281
282int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
283 unsigned char *kstr, int klen,
284 pem_password_cb *cb, void *u)
285{
286 if (FIPS_mode())
287 {
288 EVP_PKEY *k;
289 int ret;
290 k = EVP_PKEY_new();
291 if (!k)
292 return 0;
293 EVP_PKEY_set1_DSA(k, x);
294
295 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
296 EVP_PKEY_free(k);
297 return ret;
298 }
299 else
300 return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
301 PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u);
302}
303
304#ifndef OPENSSL_NO_FP_API
305int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
306 unsigned char *kstr, int klen,
307 pem_password_cb *cb, void *u)
308{
309 if (FIPS_mode())
310 {
311 EVP_PKEY *k;
312 int ret;
313 k = EVP_PKEY_new();
314 if (!k)
315 return 0;
316 EVP_PKEY_set1_DSA(k, x);
317 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
318 EVP_PKEY_free(k);
319 return ret;
320 }
321 else
322 return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
323 PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u);
324}
325#endif
326
327#else
328
329IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) 227IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
330 228
331#endif
332
333IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) 229IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
334 230
335#ifndef OPENSSL_NO_FP_API 231#ifndef OPENSSL_NO_FP_API
@@ -377,61 +273,8 @@ IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKPa
377 273
378 274
379 275
380#ifdef OPENSSL_FIPS
381
382int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
383 unsigned char *kstr, int klen,
384 pem_password_cb *cb, void *u)
385{
386 if (FIPS_mode())
387 {
388 EVP_PKEY *k;
389 int ret;
390 k = EVP_PKEY_new();
391 if (!k)
392 return 0;
393 EVP_PKEY_set1_EC_KEY(k, x);
394
395 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
396 EVP_PKEY_free(k);
397 return ret;
398 }
399 else
400 return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
401 PEM_STRING_ECPRIVATEKEY,
402 bp,x,enc,kstr,klen,cb,u);
403}
404
405#ifndef OPENSSL_NO_FP_API
406int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
407 unsigned char *kstr, int klen,
408 pem_password_cb *cb, void *u)
409{
410 if (FIPS_mode())
411 {
412 EVP_PKEY *k;
413 int ret;
414 k = EVP_PKEY_new();
415 if (!k)
416 return 0;
417 EVP_PKEY_set1_EC_KEY(k, x);
418 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
419 EVP_PKEY_free(k);
420 return ret;
421 }
422 else
423 return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
424 PEM_STRING_ECPRIVATEKEY,
425 fp,x,enc,kstr,klen,cb,u);
426}
427#endif
428
429#else
430
431IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) 276IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
432 277
433#endif
434
435IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) 278IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
436 279
437#ifndef OPENSSL_NO_FP_API 280#ifndef OPENSSL_NO_FP_API
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index a34915d02d..0c5e8dc992 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -91,11 +91,6 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
91 /* Set defaults */ 91 /* Set defaults */
92 if (!nid_cert) 92 if (!nid_cert)
93 { 93 {
94#ifdef OPENSSL_FIPS
95 if (FIPS_mode())
96 nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
97 else
98#endif
99 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; 94 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
100 } 95 }
101 if (!nid_key) 96 if (!nid_key)
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index e542ec94ff..4c737f5b90 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -79,9 +79,6 @@ typedef struct rc2_key_st
79 RC2_INT data[64]; 79 RC2_INT data[64];
80 } RC2_KEY; 80 } RC2_KEY;
81 81
82#ifdef OPENSSL_FIPS
83void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
84#endif
85void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); 82void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
86void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, 83void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
87 int enc); 84 int enc);
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
index 6668ac011f..26b8dd63f6 100644
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ b/src/lib/libcrypto/rc2/rc2_skey.c
@@ -96,13 +96,6 @@ static const unsigned char key_table[256]={
96 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses 96 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses
97 * a version where the bits parameter is the same as len*8 */ 97 * a version where the bits parameter is the same as len*8 */
98void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) 98void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
99#ifdef OPENSSL_FIPS
100 {
101 fips_cipher_abort(RC2);
102 private_RC2_set_key(key, len, data, bits);
103 }
104void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
105#endif
106 { 99 {
107 int i,j; 100 int i,j;
108 unsigned char *k; 101 unsigned char *k;
diff --git a/src/lib/libcrypto/rc4/rc4_utl.c b/src/lib/libcrypto/rc4/rc4_utl.c
index ab3f02fe6a..bd39a76543 100644
--- a/src/lib/libcrypto/rc4/rc4_utl.c
+++ b/src/lib/libcrypto/rc4/rc4_utl.c
@@ -55,8 +55,5 @@
55 55
56void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) 56void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
57 { 57 {
58#ifdef OPENSSL_FIPS
59 fips_cipher_abort(RC4);
60#endif
61 private_RC4_set_key(key, len, data); 58 private_RC4_set_key(key, len, data);
62 } 59 }
diff --git a/src/lib/libcrypto/ripemd/ripemd.h b/src/lib/libcrypto/ripemd/ripemd.h
index 189bd8c90e..5942eb6180 100644
--- a/src/lib/libcrypto/ripemd/ripemd.h
+++ b/src/lib/libcrypto/ripemd/ripemd.h
@@ -91,9 +91,6 @@ typedef struct RIPEMD160state_st
91 unsigned int num; 91 unsigned int num;
92 } RIPEMD160_CTX; 92 } RIPEMD160_CTX;
93 93
94#ifdef OPENSSL_FIPS
95int private_RIPEMD160_Init(RIPEMD160_CTX *c);
96#endif
97int RIPEMD160_Init(RIPEMD160_CTX *c); 94int RIPEMD160_Init(RIPEMD160_CTX *c);
98int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); 95int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
99int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); 96int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
index d3e44785dc..7750366613 100644
--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -75,56 +75,24 @@ int RSA_size(const RSA *r)
75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
76 RSA *rsa, int padding) 76 RSA *rsa, int padding)
77 { 77 {
78#ifdef OPENSSL_FIPS
79 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
80 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
81 {
82 RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
83 return -1;
84 }
85#endif
86 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); 78 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
87 } 79 }
88 80
89int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 81int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
90 RSA *rsa, int padding) 82 RSA *rsa, int padding)
91 { 83 {
92#ifdef OPENSSL_FIPS
93 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
94 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
95 {
96 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
97 return -1;
98 }
99#endif
100 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); 84 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
101 } 85 }
102 86
103int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 87int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
104 RSA *rsa, int padding) 88 RSA *rsa, int padding)
105 { 89 {
106#ifdef OPENSSL_FIPS
107 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
108 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
109 {
110 RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
111 return -1;
112 }
113#endif
114 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); 90 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
115 } 91 }
116 92
117int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 93int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
118 RSA *rsa, int padding) 94 RSA *rsa, int padding)
119 { 95 {
120#ifdef OPENSSL_FIPS
121 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
122 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
123 {
124 RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
125 return -1;
126 }
127#endif
128 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); 96 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
129 } 97 }
130 98
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 42290cce66..767f7ab682 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,9 +67,6 @@
67#include "cryptlib.h" 67#include "cryptlib.h"
68#include <openssl/bn.h> 68#include <openssl/bn.h>
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73 70
74static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); 71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
75 72
@@ -80,20 +77,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
80 * now just because key-generation is part of RSA_METHOD. */ 77 * now just because key-generation is part of RSA_METHOD. */
81int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
82 { 79 {
83#ifdef OPENSSL_FIPS
84 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
85 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
86 {
87 RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
88 return 0;
89 }
90#endif
91 if(rsa->meth->rsa_keygen) 80 if(rsa->meth->rsa_keygen)
92 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
93#ifdef OPENSSL_FIPS
94 if (FIPS_mode())
95 return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
96#endif
97 return rsa_builtin_keygen(rsa, bits, e_value, cb); 82 return rsa_builtin_keygen(rsa, bits, e_value, cb);
98 } 83 }
99 84
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index c95ceafc82..9e3f7dafcd 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,10 +67,6 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73
74const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; 70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
75 71
76static const RSA_METHOD *default_RSA_meth=NULL; 72static const RSA_METHOD *default_RSA_meth=NULL;
@@ -91,18 +87,11 @@ const RSA_METHOD *RSA_get_default_method(void)
91 { 87 {
92 if (default_RSA_meth == NULL) 88 if (default_RSA_meth == NULL)
93 { 89 {
94#ifdef OPENSSL_FIPS
95 if (FIPS_mode())
96 return FIPS_rsa_pkcs1_ssleay();
97 else
98 return RSA_PKCS1_SSLeay();
99#else
100#ifdef RSA_NULL 90#ifdef RSA_NULL
101 default_RSA_meth=RSA_null_method(); 91 default_RSA_meth=RSA_null_method();
102#else 92#else
103 default_RSA_meth=RSA_PKCS1_SSLeay(); 93 default_RSA_meth=RSA_PKCS1_SSLeay();
104#endif 94#endif
105#endif
106 } 95 }
107 96
108 return default_RSA_meth; 97 return default_RSA_meth;
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 157aa5c41d..d706d35ff6 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -66,9 +66,6 @@
66#ifndef OPENSSL_NO_CMS 66#ifndef OPENSSL_NO_CMS
67#include <openssl/cms.h> 67#include <openssl/cms.h>
68#endif 68#endif
69#ifdef OPENSSL_FIPS
70#include <openssl/fips.h>
71#endif
72#include "evp_locl.h" 69#include "evp_locl.h"
73#include "rsa_locl.h" 70#include "rsa_locl.h"
74 71
@@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
156 OPENSSL_free(rctx); 153 OPENSSL_free(rctx);
157 } 154 }
158 } 155 }
159#ifdef OPENSSL_FIPS
160/* FIP checker. Return value indicates status of context parameters:
161 * 1 : redirect to FIPS.
162 * 0 : don't redirect to FIPS.
163 * -1 : illegal operation in FIPS mode.
164 */
165
166static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
167 {
168 RSA_PKEY_CTX *rctx = ctx->data;
169 RSA *rsa = ctx->pkey->pkey.rsa;
170 int rv = -1;
171 if (!FIPS_mode())
172 return 0;
173 if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
174 rv = 0;
175 if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
176 return -1;
177 if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
178 return rv;
179 if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
180 return rv;
181 return 1;
182 }
183#endif
184
185static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 156static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
186 const unsigned char *tbs, size_t tbslen) 157 const unsigned char *tbs, size_t tbslen)
187 { 158 {
@@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
189 RSA_PKEY_CTX *rctx = ctx->data; 160 RSA_PKEY_CTX *rctx = ctx->data;
190 RSA *rsa = ctx->pkey->pkey.rsa; 161 RSA *rsa = ctx->pkey->pkey.rsa;
191 162
192#ifdef OPENSSL_FIPS
193 ret = pkey_fips_check_ctx(ctx);
194 if (ret < 0)
195 {
196 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
197 return -1;
198 }
199#endif
200
201 if (rctx->md) 163 if (rctx->md)
202 { 164 {
203 if (tbslen != (size_t)EVP_MD_size(rctx->md)) 165 if (tbslen != (size_t)EVP_MD_size(rctx->md))
@@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
206 RSA_R_INVALID_DIGEST_LENGTH); 168 RSA_R_INVALID_DIGEST_LENGTH);
207 return -1; 169 return -1;
208 } 170 }
209#ifdef OPENSSL_FIPS
210 if (ret > 0)
211 {
212 unsigned int slen;
213 ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
214 rctx->pad_mode,
215 rctx->saltlen,
216 rctx->mgf1md,
217 sig, &slen);
218 if (ret > 0)
219 *siglen = slen;
220 else
221 *siglen = 0;
222 return ret;
223 }
224#endif
225 171
226 if (EVP_MD_type(rctx->md) == NID_mdc2) 172 if (EVP_MD_type(rctx->md) == NID_mdc2)
227 { 173 {
@@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
343 RSA_PKEY_CTX *rctx = ctx->data; 289 RSA_PKEY_CTX *rctx = ctx->data;
344 RSA *rsa = ctx->pkey->pkey.rsa; 290 RSA *rsa = ctx->pkey->pkey.rsa;
345 size_t rslen; 291 size_t rslen;
346#ifdef OPENSSL_FIPS
347 int rv;
348 rv = pkey_fips_check_ctx(ctx);
349 if (rv < 0)
350 {
351 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
352 return -1;
353 }
354#endif
355 if (rctx->md) 292 if (rctx->md)
356 { 293 {
357#ifdef OPENSSL_FIPS
358 if (rv > 0)
359 {
360 return FIPS_rsa_verify_digest(rsa,
361 tbs, tbslen,
362 rctx->md,
363 rctx->pad_mode,
364 rctx->saltlen,
365 rctx->mgf1md,
366 sig, siglen);
367
368 }
369#endif
370 if (rctx->pad_mode == RSA_PKCS1_PADDING) 294 if (rctx->pad_mode == RSA_PKCS1_PADDING)
371 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 295 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
372 sig, siglen, rsa); 296 sig, siglen, rsa);
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index b6f6037ae0..fa3239ab30 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -77,14 +77,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
77 const unsigned char *s = NULL; 77 const unsigned char *s = NULL;
78 X509_ALGOR algor; 78 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest; 79 ASN1_OCTET_STRING digest;
80#ifdef OPENSSL_FIPS
81 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
82 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
83 {
84 RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
85 return 0;
86 }
87#endif
88 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) 80 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
89 { 81 {
90 return rsa->meth->rsa_sign(type, m, m_len, 82 return rsa->meth->rsa_sign(type, m, m_len,
@@ -161,15 +153,6 @@ int int_rsa_verify(int dtype, const unsigned char *m,
161 unsigned char *s; 153 unsigned char *s;
162 X509_SIG *sig=NULL; 154 X509_SIG *sig=NULL;
163 155
164#ifdef OPENSSL_FIPS
165 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
166 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
167 {
168 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
169 return 0;
170 }
171#endif
172
173 if (siglen != (unsigned int)RSA_size(rsa)) 156 if (siglen != (unsigned int)RSA_size(rsa))
174 { 157 {
175 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); 158 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
diff --git a/src/lib/libcrypto/seed/seed.c b/src/lib/libcrypto/seed/seed.c
index 3e675a8d75..934664ddb6 100644
--- a/src/lib/libcrypto/seed/seed.c
+++ b/src/lib/libcrypto/seed/seed.c
@@ -198,13 +198,6 @@ static const seed_word KC[] = {
198 KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 }; 198 KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 };
199#endif 199#endif
200void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) 200void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
201#ifdef OPENSSL_FIPS
202 {
203 fips_cipher_abort(SEED);
204 private_SEED_set_key(rawkey, ks);
205 }
206void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
207#endif
208{ 201{
209 seed_word x1, x2, x3, x4; 202 seed_word x1, x2, x3, x4;
210 seed_word t0, t1; 203 seed_word t0, t1;
diff --git a/src/lib/libcrypto/seed/seed.h b/src/lib/libcrypto/seed/seed.h
index c50fdd3607..6e2ade3fbb 100644
--- a/src/lib/libcrypto/seed/seed.h
+++ b/src/lib/libcrypto/seed/seed.h
@@ -116,9 +116,6 @@ typedef struct seed_key_st {
116#endif 116#endif
117} SEED_KEY_SCHEDULE; 117} SEED_KEY_SCHEDULE;
118 118
119#ifdef OPENSSL_FIPS
120void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
121#endif
122void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); 119void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
123 120
124void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks); 121void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks);
diff --git a/src/lib/libcrypto/sha/sha.h b/src/lib/libcrypto/sha/sha.h
index 8a6bf4bbbb..7cbca26ff9 100644
--- a/src/lib/libcrypto/sha/sha.h
+++ b/src/lib/libcrypto/sha/sha.h
@@ -70,10 +70,6 @@ extern "C" {
70#error SHA is disabled. 70#error SHA is disabled.
71#endif 71#endif
72 72
73#if defined(OPENSSL_FIPS)
74#define FIPS_SHA_SIZE_T size_t
75#endif
76
77/* 73/*
78 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 74 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
79 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then ! 75 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
@@ -106,9 +102,6 @@ typedef struct SHAstate_st
106 } SHA_CTX; 102 } SHA_CTX;
107 103
108#ifndef OPENSSL_NO_SHA0 104#ifndef OPENSSL_NO_SHA0
109#ifdef OPENSSL_FIPS
110int private_SHA_Init(SHA_CTX *c);
111#endif
112int SHA_Init(SHA_CTX *c); 105int SHA_Init(SHA_CTX *c);
113int SHA_Update(SHA_CTX *c, const void *data, size_t len); 106int SHA_Update(SHA_CTX *c, const void *data, size_t len);
114int SHA_Final(unsigned char *md, SHA_CTX *c); 107int SHA_Final(unsigned char *md, SHA_CTX *c);
@@ -116,9 +109,6 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md);
116void SHA_Transform(SHA_CTX *c, const unsigned char *data); 109void SHA_Transform(SHA_CTX *c, const unsigned char *data);
117#endif 110#endif
118#ifndef OPENSSL_NO_SHA1 111#ifndef OPENSSL_NO_SHA1
119#ifdef OPENSSL_FIPS
120int private_SHA1_Init(SHA_CTX *c);
121#endif
122int SHA1_Init(SHA_CTX *c); 112int SHA1_Init(SHA_CTX *c);
123int SHA1_Update(SHA_CTX *c, const void *data, size_t len); 113int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
124int SHA1_Final(unsigned char *md, SHA_CTX *c); 114int SHA1_Final(unsigned char *md, SHA_CTX *c);
@@ -141,10 +131,6 @@ typedef struct SHA256state_st
141 } SHA256_CTX; 131 } SHA256_CTX;
142 132
143#ifndef OPENSSL_NO_SHA256 133#ifndef OPENSSL_NO_SHA256
144#ifdef OPENSSL_FIPS
145int private_SHA224_Init(SHA256_CTX *c);
146int private_SHA256_Init(SHA256_CTX *c);
147#endif
148int SHA224_Init(SHA256_CTX *c); 134int SHA224_Init(SHA256_CTX *c);
149int SHA224_Update(SHA256_CTX *c, const void *data, size_t len); 135int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
150int SHA224_Final(unsigned char *md, SHA256_CTX *c); 136int SHA224_Final(unsigned char *md, SHA256_CTX *c);
@@ -192,10 +178,6 @@ typedef struct SHA512state_st
192#endif 178#endif
193 179
194#ifndef OPENSSL_NO_SHA512 180#ifndef OPENSSL_NO_SHA512
195#ifdef OPENSSL_FIPS
196int private_SHA384_Init(SHA512_CTX *c);
197int private_SHA512_Init(SHA512_CTX *c);
198#endif
199int SHA384_Init(SHA512_CTX *c); 181int SHA384_Init(SHA512_CTX *c);
200int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); 182int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
201int SHA384_Final(unsigned char *md, SHA512_CTX *c); 183int SHA384_Final(unsigned char *md, SHA512_CTX *c);
diff --git a/src/lib/libcrypto/whrlpool/whrlpool.h b/src/lib/libcrypto/whrlpool/whrlpool.h
index 9e01f5b076..03c91da115 100644
--- a/src/lib/libcrypto/whrlpool/whrlpool.h
+++ b/src/lib/libcrypto/whrlpool/whrlpool.h
@@ -24,9 +24,6 @@ typedef struct {
24 } WHIRLPOOL_CTX; 24 } WHIRLPOOL_CTX;
25 25
26#ifndef OPENSSL_NO_WHIRLPOOL 26#ifndef OPENSSL_NO_WHIRLPOOL
27#ifdef OPENSSL_FIPS
28int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c);
29#endif
30int WHIRLPOOL_Init (WHIRLPOOL_CTX *c); 27int WHIRLPOOL_Init (WHIRLPOOL_CTX *c);
31int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes); 28int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes);
32void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits); 29void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits);
diff --git a/src/lib/libssl/src/crypto/Makefile b/src/lib/libssl/src/crypto/Makefile
index 326915d520..5c02ba2844 100644
--- a/src/lib/libssl/src/crypto/Makefile
+++ b/src/lib/libssl/src/crypto/Makefile
@@ -35,9 +35,9 @@ GENERAL=Makefile README crypto-lib.com install.com
35LIB= $(TOP)/libcrypto.a 35LIB= $(TOP)/libcrypto.a
36SHARED_LIB= libcrypto$(SHLIB_EXT) 36SHARED_LIB= libcrypto$(SHLIB_EXT)
37LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ 37LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
38 uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c 38 uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c
39LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \ 39LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \
40 uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) 40 uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o $(CPUID_OBJ)
41 41
42SRC= $(LIBSRC) 42SRC= $(LIBSRC)
43 43
diff --git a/src/lib/libssl/src/crypto/aes/aes_misc.c b/src/lib/libssl/src/crypto/aes/aes_misc.c
index d666c06409..9380abc46c 100644
--- a/src/lib/libssl/src/crypto/aes/aes_misc.c
+++ b/src/lib/libssl/src/crypto/aes/aes_misc.c
@@ -71,9 +71,6 @@ int
71AES_set_encrypt_key(const unsigned char *userKey, const int bits, 71AES_set_encrypt_key(const unsigned char *userKey, const int bits,
72 AES_KEY *key) 72 AES_KEY *key)
73{ 73{
74#ifdef OPENSSL_FIPS
75 fips_cipher_abort(AES);
76#endif
77 return private_AES_set_encrypt_key(userKey, bits, key); 74 return private_AES_set_encrypt_key(userKey, bits, key);
78} 75}
79 76
@@ -81,8 +78,5 @@ int
81AES_set_decrypt_key(const unsigned char *userKey, const int bits, 78AES_set_decrypt_key(const unsigned char *userKey, const int bits,
82 AES_KEY *key) 79 AES_KEY *key)
83{ 80{
84#ifdef OPENSSL_FIPS
85 fips_cipher_abort(AES);
86#endif
87 return private_AES_set_decrypt_key(userKey, bits, key); 81 return private_AES_set_decrypt_key(userKey, bits, key);
88} 82}
diff --git a/src/lib/libssl/src/crypto/bf/bf_skey.c b/src/lib/libssl/src/crypto/bf/bf_skey.c
index 3b0bca41ae..d8e6287a32 100644
--- a/src/lib/libssl/src/crypto/bf/bf_skey.c
+++ b/src/lib/libssl/src/crypto/bf/bf_skey.c
@@ -64,13 +64,6 @@
64#include "bf_pi.h" 64#include "bf_pi.h"
65 65
66void BF_set_key(BF_KEY *key, int len, const unsigned char *data) 66void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
67#ifdef OPENSSL_FIPS
68 {
69 fips_cipher_abort(BLOWFISH);
70 private_BF_set_key(key, len, data);
71 }
72void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data)
73#endif
74 { 67 {
75 int i; 68 int i;
76 BF_LONG *p,ri,in[2]; 69 BF_LONG *p,ri,in[2];
diff --git a/src/lib/libssl/src/crypto/bf/blowfish.h b/src/lib/libssl/src/crypto/bf/blowfish.h
index 4b6c8920a4..65685f478c 100644
--- a/src/lib/libssl/src/crypto/bf/blowfish.h
+++ b/src/lib/libssl/src/crypto/bf/blowfish.h
@@ -104,9 +104,6 @@ typedef struct bf_key_st
104 BF_LONG S[4*256]; 104 BF_LONG S[4*256];
105 } BF_KEY; 105 } BF_KEY;
106 106
107#ifdef OPENSSL_FIPS
108void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
109#endif
110void BF_set_key(BF_KEY *key, int len, const unsigned char *data); 107void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
111 108
112void BF_encrypt(BF_LONG *data,const BF_KEY *key); 109void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/lib/libssl/src/crypto/bn/bn_lcl.h b/src/lib/libssl/src/crypto/bn/bn_lcl.h
index 817c773b65..9194e86b39 100644
--- a/src/lib/libssl/src/crypto/bn/bn_lcl.h
+++ b/src/lib/libssl/src/crypto/bn/bn_lcl.h
@@ -479,10 +479,6 @@ extern "C" {
479 } 479 }
480#endif /* !BN_LLONG */ 480#endif /* !BN_LLONG */
481 481
482#if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS)
483#undef bn_div_words
484#endif
485
486void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb); 482void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
487void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); 483void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
488void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); 484void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
diff --git a/src/lib/libssl/src/crypto/camellia/camellia.h b/src/lib/libssl/src/crypto/camellia/camellia.h
index 67911e0adf..cf0457dd97 100644
--- a/src/lib/libssl/src/crypto/camellia/camellia.h
+++ b/src/lib/libssl/src/crypto/camellia/camellia.h
@@ -88,10 +88,6 @@ struct camellia_key_st
88 }; 88 };
89typedef struct camellia_key_st CAMELLIA_KEY; 89typedef struct camellia_key_st CAMELLIA_KEY;
90 90
91#ifdef OPENSSL_FIPS
92int private_Camellia_set_key(const unsigned char *userKey, const int bits,
93 CAMELLIA_KEY *key);
94#endif
95int Camellia_set_key(const unsigned char *userKey, const int bits, 91int Camellia_set_key(const unsigned char *userKey, const int bits,
96 CAMELLIA_KEY *key); 92 CAMELLIA_KEY *key);
97 93
diff --git a/src/lib/libssl/src/crypto/camellia/cmll_utl.c b/src/lib/libssl/src/crypto/camellia/cmll_utl.c
index 7a35711ec1..b88a996a3f 100644
--- a/src/lib/libssl/src/crypto/camellia/cmll_utl.c
+++ b/src/lib/libssl/src/crypto/camellia/cmll_utl.c
@@ -57,8 +57,5 @@
57int Camellia_set_key(const unsigned char *userKey, const int bits, 57int Camellia_set_key(const unsigned char *userKey, const int bits,
58 CAMELLIA_KEY *key) 58 CAMELLIA_KEY *key)
59 { 59 {
60#ifdef OPENSSL_FIPS
61 fips_cipher_abort(Camellia);
62#endif
63 return private_Camellia_set_key(userKey, bits, key); 60 return private_Camellia_set_key(userKey, bits, key);
64 } 61 }
diff --git a/src/lib/libssl/src/crypto/cast/c_skey.c b/src/lib/libssl/src/crypto/cast/c_skey.c
index cb6bf9fee3..54ea98cd0b 100644
--- a/src/lib/libssl/src/crypto/cast/c_skey.c
+++ b/src/lib/libssl/src/crypto/cast/c_skey.c
@@ -73,13 +73,6 @@
73#define S6 CAST_S_table6 73#define S6 CAST_S_table6
74#define S7 CAST_S_table7 74#define S7 CAST_S_table7
75void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) 75void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
76#ifdef OPENSSL_FIPS
77 {
78 fips_cipher_abort(CAST);
79 private_CAST_set_key(key, len, data);
80 }
81void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
82#endif
83 { 76 {
84 CAST_LONG x[16]; 77 CAST_LONG x[16];
85 CAST_LONG z[16]; 78 CAST_LONG z[16];
diff --git a/src/lib/libssl/src/crypto/cast/cast.h b/src/lib/libssl/src/crypto/cast/cast.h
index 203922ea2b..8741532e9e 100644
--- a/src/lib/libssl/src/crypto/cast/cast.h
+++ b/src/lib/libssl/src/crypto/cast/cast.h
@@ -83,9 +83,6 @@ typedef struct cast_key_st
83 int short_key; /* Use reduced rounds for short key */ 83 int short_key; /* Use reduced rounds for short key */
84 } CAST_KEY; 84 } CAST_KEY;
85 85
86#ifdef OPENSSL_FIPS
87void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
88#endif
89void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); 86void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
90void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key, 87void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
91 int enc); 88 int enc);
diff --git a/src/lib/libssl/src/crypto/cmac/cmac.c b/src/lib/libssl/src/crypto/cmac/cmac.c
index 8b72b09681..f92a7bb143 100644
--- a/src/lib/libssl/src/crypto/cmac/cmac.c
+++ b/src/lib/libssl/src/crypto/cmac/cmac.c
@@ -57,10 +57,6 @@
57#include "cryptlib.h" 57#include "cryptlib.h"
58#include <openssl/cmac.h> 58#include <openssl/cmac.h>
59 59
60#ifdef OPENSSL_FIPS
61#include <openssl/fips.h>
62#endif
63
64struct CMAC_CTX_st 60struct CMAC_CTX_st
65 { 61 {
66 /* Cipher context to use */ 62 /* Cipher context to use */
@@ -107,13 +103,6 @@ CMAC_CTX *CMAC_CTX_new(void)
107 103
108void CMAC_CTX_cleanup(CMAC_CTX *ctx) 104void CMAC_CTX_cleanup(CMAC_CTX *ctx)
109 { 105 {
110#ifdef OPENSSL_FIPS
111 if (FIPS_mode() && !ctx->cctx.engine)
112 {
113 FIPS_cmac_ctx_cleanup(ctx);
114 return;
115 }
116#endif
117 EVP_CIPHER_CTX_cleanup(&ctx->cctx); 106 EVP_CIPHER_CTX_cleanup(&ctx->cctx);
118 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); 107 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
119 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); 108 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
@@ -153,24 +142,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
153 const EVP_CIPHER *cipher, ENGINE *impl) 142 const EVP_CIPHER *cipher, ENGINE *impl)
154 { 143 {
155 static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH]; 144 static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
156#ifdef OPENSSL_FIPS
157 if (FIPS_mode())
158 {
159 /* If we have an ENGINE need to allow non FIPS */
160 if ((impl || ctx->cctx.engine)
161 && !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
162
163 {
164 EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
165 return 0;
166 }
167 /* Other algorithm blocking will be done in FIPS_cmac_init,
168 * via FIPS_cipherinit().
169 */
170 if (!impl && !ctx->cctx.engine)
171 return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
172 }
173#endif
174 /* All zeros means restart */ 145 /* All zeros means restart */
175 if (!key && !cipher && !impl && keylen == 0) 146 if (!key && !cipher && !impl && keylen == 0)
176 { 147 {
@@ -216,10 +187,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
216 { 187 {
217 const unsigned char *data = in; 188 const unsigned char *data = in;
218 size_t bl; 189 size_t bl;
219#ifdef OPENSSL_FIPS 190
220 if (FIPS_mode() && !ctx->cctx.engine)
221 return FIPS_cmac_update(ctx, in, dlen);
222#endif
223 if (ctx->nlast_block == -1) 191 if (ctx->nlast_block == -1)
224 return 0; 192 return 0;
225 if (dlen == 0) 193 if (dlen == 0)
@@ -261,10 +229,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
261int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) 229int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
262 { 230 {
263 int i, bl, lb; 231 int i, bl, lb;
264#ifdef OPENSSL_FIPS 232
265 if (FIPS_mode() && !ctx->cctx.engine)
266 return FIPS_cmac_final(ctx, out, poutlen);
267#endif
268 if (ctx->nlast_block == -1) 233 if (ctx->nlast_block == -1)
269 return 0; 234 return 0;
270 bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); 235 bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
diff --git a/src/lib/libssl/src/crypto/crypto.h b/src/lib/libssl/src/crypto/crypto.h
index 351ccfd35b..56c5dfadb8 100644
--- a/src/lib/libssl/src/crypto/crypto.h
+++ b/src/lib/libssl/src/crypto/crypto.h
@@ -538,25 +538,9 @@ void OPENSSL_init(void);
538 538
539#define fips_md_init(alg) fips_md_init_ctx(alg, alg) 539#define fips_md_init(alg) fips_md_init_ctx(alg, alg)
540 540
541#ifdef OPENSSL_FIPS
542#define fips_md_init_ctx(alg, cx) \
543 int alg##_Init(cx##_CTX *c) \
544 { \
545 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
546 "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
547 return private_##alg##_Init(c); \
548 } \
549 int private_##alg##_Init(cx##_CTX *c)
550
551#define fips_cipher_abort(alg) \
552 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
553 "Low level API call to cipher " #alg " forbidden in FIPS mode!")
554
555#else
556#define fips_md_init_ctx(alg, cx) \ 541#define fips_md_init_ctx(alg, cx) \
557 int alg##_Init(cx##_CTX *c) 542 int alg##_Init(cx##_CTX *c)
558#define fips_cipher_abort(alg) while(0) 543#define fips_cipher_abort(alg) while(0)
559#endif
560 544
561/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It 545/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
562 * takes an amount of time dependent on |len|, but independent of the contents 546 * takes an amount of time dependent on |len|, but independent of the contents
diff --git a/src/lib/libssl/src/crypto/des/des.h b/src/lib/libssl/src/crypto/des/des.h
index 1eaedcbd24..92b6663599 100644
--- a/src/lib/libssl/src/crypto/des/des.h
+++ b/src/lib/libssl/src/crypto/des/des.h
@@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule);
224int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule); 224int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
225int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule); 225int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
226void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule); 226void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
227#ifdef OPENSSL_FIPS
228void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
229#endif
230void DES_string_to_key(const char *str,DES_cblock *key); 227void DES_string_to_key(const char *str,DES_cblock *key);
231void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2); 228void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
232void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length, 229void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
diff --git a/src/lib/libssl/src/crypto/des/set_key.c b/src/lib/libssl/src/crypto/des/set_key.c
index 99e3555ba9..e8dea50b96 100644
--- a/src/lib/libssl/src/crypto/des/set_key.c
+++ b/src/lib/libssl/src/crypto/des/set_key.c
@@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule)
336 } 336 }
337 337
338void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) 338void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
339#ifdef OPENSSL_FIPS
340 {
341 fips_cipher_abort(DES);
342 private_DES_set_key_unchecked(key, schedule);
343 }
344void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
345#endif
346 { 339 {
347 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; 340 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
348 register DES_LONG c,d,t,s,t2; 341 register DES_LONG c,d,t,s,t2;
diff --git a/src/lib/libssl/src/crypto/dh/dh_gen.c b/src/lib/libssl/src/crypto/dh/dh_gen.c
index 7b1fe9c9cb..cfd5b11868 100644
--- a/src/lib/libssl/src/crypto/dh/dh_gen.c
+++ b/src/lib/libssl/src/crypto/dh/dh_gen.c
@@ -66,29 +66,12 @@
66#include <openssl/bn.h> 66#include <openssl/bn.h>
67#include <openssl/dh.h> 67#include <openssl/dh.h>
68 68
69#ifdef OPENSSL_FIPS
70#include <openssl/fips.h>
71#endif
72
73static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); 69static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
74 70
75int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) 71int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
76 { 72 {
77#ifdef OPENSSL_FIPS
78 if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
79 && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW))
80 {
81 DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
82 return 0;
83 }
84#endif
85 if(ret->meth->generate_params) 73 if(ret->meth->generate_params)
86 return ret->meth->generate_params(ret, prime_len, generator, cb); 74 return ret->meth->generate_params(ret, prime_len, generator, cb);
87#ifdef OPENSSL_FIPS
88 if (FIPS_mode())
89 return FIPS_dh_generate_parameters_ex(ret, prime_len,
90 generator, cb);
91#endif
92 return dh_builtin_genparams(ret, prime_len, generator, cb); 75 return dh_builtin_genparams(ret, prime_len, generator, cb);
93 } 76 }
94 77
diff --git a/src/lib/libssl/src/crypto/dh/dh_key.c b/src/lib/libssl/src/crypto/dh/dh_key.c
index 89a74db4e6..9596270f7d 100644
--- a/src/lib/libssl/src/crypto/dh/dh_key.c
+++ b/src/lib/libssl/src/crypto/dh/dh_key.c
@@ -73,27 +73,11 @@ static int dh_finish(DH *dh);
73 73
74int DH_generate_key(DH *dh) 74int DH_generate_key(DH *dh)
75 { 75 {
76#ifdef OPENSSL_FIPS
77 if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
78 && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
79 {
80 DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
81 return 0;
82 }
83#endif
84 return dh->meth->generate_key(dh); 76 return dh->meth->generate_key(dh);
85 } 77 }
86 78
87int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) 79int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
88 { 80 {
89#ifdef OPENSSL_FIPS
90 if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
91 && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
92 {
93 DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
94 return 0;
95 }
96#endif
97 return dh->meth->compute_key(key, pub_key, dh); 81 return dh->meth->compute_key(key, pub_key, dh);
98 } 82 }
99 83
diff --git a/src/lib/libssl/src/crypto/dh/dh_lib.c b/src/lib/libssl/src/crypto/dh/dh_lib.c
index 00218f2b92..a40caaf75b 100644
--- a/src/lib/libssl/src/crypto/dh/dh_lib.c
+++ b/src/lib/libssl/src/crypto/dh/dh_lib.c
@@ -64,10 +64,6 @@
64#include <openssl/engine.h> 64#include <openssl/engine.h>
65#endif 65#endif
66 66
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70
71const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; 67const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
72 68
73static const DH_METHOD *default_DH_method = NULL; 69static const DH_METHOD *default_DH_method = NULL;
@@ -81,14 +77,7 @@ const DH_METHOD *DH_get_default_method(void)
81 { 77 {
82 if(!default_DH_method) 78 if(!default_DH_method)
83 { 79 {
84#ifdef OPENSSL_FIPS
85 if (FIPS_mode())
86 return FIPS_dh_openssl();
87 else
88 return DH_OpenSSL();
89#else
90 default_DH_method = DH_OpenSSL(); 80 default_DH_method = DH_OpenSSL();
91#endif
92 } 81 }
93 return default_DH_method; 82 return default_DH_method;
94 } 83 }
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_gen.c b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
index c398761d0d..e6a5452016 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_gen.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
@@ -81,33 +81,13 @@
81#include <openssl/sha.h> 81#include <openssl/sha.h>
82#include "dsa_locl.h" 82#include "dsa_locl.h"
83 83
84#ifdef OPENSSL_FIPS
85#include <openssl/fips.h>
86#endif
87
88int DSA_generate_parameters_ex(DSA *ret, int bits, 84int DSA_generate_parameters_ex(DSA *ret, int bits,
89 const unsigned char *seed_in, int seed_len, 85 const unsigned char *seed_in, int seed_len,
90 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) 86 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
91 { 87 {
92#ifdef OPENSSL_FIPS
93 if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
94 && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
95 {
96 DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
97 return 0;
98 }
99#endif
100 if(ret->meth->dsa_paramgen) 88 if(ret->meth->dsa_paramgen)
101 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, 89 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
102 counter_ret, h_ret, cb); 90 counter_ret, h_ret, cb);
103#ifdef OPENSSL_FIPS
104 else if (FIPS_mode())
105 {
106 return FIPS_dsa_generate_parameters_ex(ret, bits,
107 seed_in, seed_len,
108 counter_ret, h_ret, cb);
109 }
110#endif
111 else 91 else
112 { 92 {
113 const EVP_MD *evpmd; 93 const EVP_MD *evpmd;
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c b/src/lib/libssl/src/crypto/dsa/dsa_key.c
index 9cf669b921..c4aa86bc6d 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -64,28 +64,12 @@
64#include <openssl/dsa.h> 64#include <openssl/dsa.h>
65#include <openssl/rand.h> 65#include <openssl/rand.h>
66 66
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70
71static int dsa_builtin_keygen(DSA *dsa); 67static int dsa_builtin_keygen(DSA *dsa);
72 68
73int DSA_generate_key(DSA *dsa) 69int DSA_generate_key(DSA *dsa)
74 { 70 {
75#ifdef OPENSSL_FIPS
76 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
77 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
78 {
79 DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
80 return 0;
81 }
82#endif
83 if(dsa->meth->dsa_keygen) 71 if(dsa->meth->dsa_keygen)
84 return dsa->meth->dsa_keygen(dsa); 72 return dsa->meth->dsa_keygen(dsa);
85#ifdef OPENSSL_FIPS
86 if (FIPS_mode())
87 return FIPS_dsa_generate_key(dsa);
88#endif
89 return dsa_builtin_keygen(dsa); 73 return dsa_builtin_keygen(dsa);
90 } 74 }
91 75
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_lib.c b/src/lib/libssl/src/crypto/dsa/dsa_lib.c
index 96d8d0c4b4..897c085968 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_lib.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_lib.c
@@ -70,10 +70,6 @@
70#include <openssl/dh.h> 70#include <openssl/dh.h>
71#endif 71#endif
72 72
73#ifdef OPENSSL_FIPS
74#include <openssl/fips.h>
75#endif
76
77const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT; 73const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
78 74
79static const DSA_METHOD *default_DSA_method = NULL; 75static const DSA_METHOD *default_DSA_method = NULL;
@@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void)
87 { 83 {
88 if(!default_DSA_method) 84 if(!default_DSA_method)
89 { 85 {
90#ifdef OPENSSL_FIPS
91 if (FIPS_mode())
92 return FIPS_dsa_openssl();
93 else
94 return DSA_OpenSSL();
95#else
96 default_DSA_method = DSA_OpenSSL(); 86 default_DSA_method = DSA_OpenSSL();
97#endif
98 } 87 }
99 return default_DSA_method; 88 return default_DSA_method;
100 } 89 }
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_sign.c b/src/lib/libssl/src/crypto/dsa/dsa_sign.c
index c3cc3642ce..e02365a8b1 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_sign.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_sign.c
@@ -65,27 +65,11 @@
65 65
66DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) 66DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
67 { 67 {
68#ifdef OPENSSL_FIPS
69 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
70 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
71 {
72 DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
73 return NULL;
74 }
75#endif
76 return dsa->meth->dsa_do_sign(dgst, dlen, dsa); 68 return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
77 } 69 }
78 70
79int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 71int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
80 { 72 {
81#ifdef OPENSSL_FIPS
82 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
83 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
84 {
85 DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
86 return 0;
87 }
88#endif
89 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); 73 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
90 } 74 }
91 75
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
index 674cb5fa5f..286ed28cfa 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
@@ -64,13 +64,5 @@
64int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 64int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
65 DSA *dsa) 65 DSA *dsa)
66 { 66 {
67#ifdef OPENSSL_FIPS
68 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
69 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
70 {
71 DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
72 return -1;
73 }
74#endif
75 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); 67 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
76 } 68 }
diff --git a/src/lib/libssl/src/crypto/ec/ec2_smpl.c b/src/lib/libssl/src/crypto/ec/ec2_smpl.c
index e0e59c7d82..0cf681fa9d 100644
--- a/src/lib/libssl/src/crypto/ec/ec2_smpl.c
+++ b/src/lib/libssl/src/crypto/ec/ec2_smpl.c
@@ -73,16 +73,8 @@
73 73
74#ifndef OPENSSL_NO_EC2M 74#ifndef OPENSSL_NO_EC2M
75 75
76#ifdef OPENSSL_FIPS
77#include <openssl/fips.h>
78#endif
79
80
81const EC_METHOD *EC_GF2m_simple_method(void) 76const EC_METHOD *EC_GF2m_simple_method(void)
82 { 77 {
83#ifdef OPENSSL_FIPS
84 return fips_ec_gf2m_simple_method();
85#else
86 static const EC_METHOD ret = { 78 static const EC_METHOD ret = {
87 EC_FLAGS_DEFAULT_OCT, 79 EC_FLAGS_DEFAULT_OCT,
88 NID_X9_62_characteristic_two_field, 80 NID_X9_62_characteristic_two_field,
@@ -126,7 +118,6 @@ const EC_METHOD *EC_GF2m_simple_method(void)
126 0 /* field_set_to_one */ }; 118 0 /* field_set_to_one */ };
127 119
128 return &ret; 120 return &ret;
129#endif
130 } 121 }
131 122
132 123
diff --git a/src/lib/libssl/src/crypto/ec/ec_key.c b/src/lib/libssl/src/crypto/ec/ec_key.c
index 7fa247593d..d528601036 100644
--- a/src/lib/libssl/src/crypto/ec/ec_key.c
+++ b/src/lib/libssl/src/crypto/ec/ec_key.c
@@ -64,9 +64,6 @@
64#include <string.h> 64#include <string.h>
65#include "ec_lcl.h" 65#include "ec_lcl.h"
66#include <openssl/err.h> 66#include <openssl/err.h>
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70 67
71EC_KEY *EC_KEY_new(void) 68EC_KEY *EC_KEY_new(void)
72 { 69 {
@@ -241,11 +238,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
241 BIGNUM *priv_key = NULL, *order = NULL; 238 BIGNUM *priv_key = NULL, *order = NULL;
242 EC_POINT *pub_key = NULL; 239 EC_POINT *pub_key = NULL;
243 240
244#ifdef OPENSSL_FIPS
245 if (FIPS_mode())
246 return FIPS_ec_key_generate_key(eckey);
247#endif
248
249 if (!eckey || !eckey->group) 241 if (!eckey || !eckey->group)
250 { 242 {
251 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); 243 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
diff --git a/src/lib/libssl/src/crypto/ec/ecp_mont.c b/src/lib/libssl/src/crypto/ec/ecp_mont.c
index f04f132c7a..cee0fee12a 100644
--- a/src/lib/libssl/src/crypto/ec/ecp_mont.c
+++ b/src/lib/libssl/src/crypto/ec/ecp_mont.c
@@ -63,18 +63,11 @@
63 63
64#include <openssl/err.h> 64#include <openssl/err.h>
65 65
66#ifdef OPENSSL_FIPS
67#include <openssl/fips.h>
68#endif
69
70#include "ec_lcl.h" 66#include "ec_lcl.h"
71 67
72 68
73const EC_METHOD *EC_GFp_mont_method(void) 69const EC_METHOD *EC_GFp_mont_method(void)
74 { 70 {
75#ifdef OPENSSL_FIPS
76 return fips_ec_gfp_mont_method();
77#else
78 static const EC_METHOD ret = { 71 static const EC_METHOD ret = {
79 EC_FLAGS_DEFAULT_OCT, 72 EC_FLAGS_DEFAULT_OCT,
80 NID_X9_62_prime_field, 73 NID_X9_62_prime_field,
@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void)
115 ec_GFp_mont_field_set_to_one }; 108 ec_GFp_mont_field_set_to_one };
116 109
117 return &ret; 110 return &ret;
118#endif
119 } 111 }
120 112
121 113
diff --git a/src/lib/libssl/src/crypto/ec/ecp_nist.c b/src/lib/libssl/src/crypto/ec/ecp_nist.c
index aad2d5f443..ac5b814238 100644
--- a/src/lib/libssl/src/crypto/ec/ecp_nist.c
+++ b/src/lib/libssl/src/crypto/ec/ecp_nist.c
@@ -67,15 +67,8 @@
67#include <openssl/obj_mac.h> 67#include <openssl/obj_mac.h>
68#include "ec_lcl.h" 68#include "ec_lcl.h"
69 69
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73
74const EC_METHOD *EC_GFp_nist_method(void) 70const EC_METHOD *EC_GFp_nist_method(void)
75 { 71 {
76#ifdef OPENSSL_FIPS
77 return fips_ec_gfp_nist_method();
78#else
79 static const EC_METHOD ret = { 72 static const EC_METHOD ret = {
80 EC_FLAGS_DEFAULT_OCT, 73 EC_FLAGS_DEFAULT_OCT,
81 NID_X9_62_prime_field, 74 NID_X9_62_prime_field,
@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void)
116 0 /* field_set_to_one */ }; 109 0 /* field_set_to_one */ };
117 110
118 return &ret; 111 return &ret;
119#endif
120 } 112 }
121 113
122int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) 114int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
diff --git a/src/lib/libssl/src/crypto/ec/ecp_smpl.c b/src/lib/libssl/src/crypto/ec/ecp_smpl.c
index cd05fd1251..bf0ad998dd 100644
--- a/src/lib/libssl/src/crypto/ec/ecp_smpl.c
+++ b/src/lib/libssl/src/crypto/ec/ecp_smpl.c
@@ -64,17 +64,10 @@
64 64
65#include <openssl/err.h> 65#include <openssl/err.h>
66 66
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70
71#include "ec_lcl.h" 67#include "ec_lcl.h"
72 68
73const EC_METHOD *EC_GFp_simple_method(void) 69const EC_METHOD *EC_GFp_simple_method(void)
74 { 70 {
75#ifdef OPENSSL_FIPS
76 return fips_ec_gfp_simple_method();
77#else
78 static const EC_METHOD ret = { 71 static const EC_METHOD ret = {
79 EC_FLAGS_DEFAULT_OCT, 72 EC_FLAGS_DEFAULT_OCT,
80 NID_X9_62_prime_field, 73 NID_X9_62_prime_field,
@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_simple_method(void)
115 0 /* field_set_to_one */ }; 108 0 /* field_set_to_one */ };
116 109
117 return &ret; 110 return &ret;
118#endif
119 } 111 }
120 112
121 113
diff --git a/src/lib/libssl/src/crypto/ecdh/ech_lib.c b/src/lib/libssl/src/crypto/ecdh/ech_lib.c
index 0644431b75..ddf226b166 100644
--- a/src/lib/libssl/src/crypto/ecdh/ech_lib.c
+++ b/src/lib/libssl/src/crypto/ecdh/ech_lib.c
@@ -73,9 +73,6 @@
73#include <openssl/engine.h> 73#include <openssl/engine.h>
74#endif 74#endif
75#include <openssl/err.h> 75#include <openssl/err.h>
76#ifdef OPENSSL_FIPS
77#include <openssl/fips.h>
78#endif
79 76
80const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT; 77const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT;
81 78
@@ -94,14 +91,7 @@ const ECDH_METHOD *ECDH_get_default_method(void)
94 { 91 {
95 if(!default_ECDH_method) 92 if(!default_ECDH_method)
96 { 93 {
97#ifdef OPENSSL_FIPS
98 if (FIPS_mode())
99 return FIPS_ecdh_openssl();
100 else
101 return ECDH_OpenSSL();
102#else
103 default_ECDH_method = ECDH_OpenSSL(); 94 default_ECDH_method = ECDH_OpenSSL();
104#endif
105 } 95 }
106 return default_ECDH_method; 96 return default_ECDH_method;
107 } 97 }
@@ -234,15 +224,6 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
234 } 224 }
235 else 225 else
236 ecdh_data = (ECDH_DATA *)data; 226 ecdh_data = (ECDH_DATA *)data;
237#ifdef OPENSSL_FIPS
238 if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD)
239 && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
240 {
241 ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD);
242 return NULL;
243 }
244#endif
245
246 227
247 return ecdh_data; 228 return ecdh_data;
248 } 229 }
diff --git a/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c b/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c
index 814a6bf404..7b53969ffd 100644
--- a/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c
+++ b/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c
@@ -60,9 +60,6 @@
60#endif 60#endif
61#include <openssl/err.h> 61#include <openssl/err.h>
62#include <openssl/bn.h> 62#include <openssl/bn.h>
63#ifdef OPENSSL_FIPS
64#include <openssl/fips.h>
65#endif
66 63
67const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT; 64const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT;
68 65
@@ -81,14 +78,7 @@ const ECDSA_METHOD *ECDSA_get_default_method(void)
81{ 78{
82 if(!default_ECDSA_method) 79 if(!default_ECDSA_method)
83 { 80 {
84#ifdef OPENSSL_FIPS
85 if (FIPS_mode())
86 return FIPS_ecdsa_openssl();
87 else
88 return ECDSA_OpenSSL();
89#else
90 default_ECDSA_method = ECDSA_OpenSSL(); 81 default_ECDSA_method = ECDSA_OpenSSL();
91#endif
92 } 82 }
93 return default_ECDSA_method; 83 return default_ECDSA_method;
94} 84}
@@ -212,14 +202,6 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
212 } 202 }
213 else 203 else
214 ecdsa_data = (ECDSA_DATA *)data; 204 ecdsa_data = (ECDSA_DATA *)data;
215#ifdef OPENSSL_FIPS
216 if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD)
217 && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
218 {
219 ECDSAerr(ECDSA_F_ECDSA_CHECK, ECDSA_R_NON_FIPS_METHOD);
220 return NULL;
221 }
222#endif
223 205
224 return ecdsa_data; 206 return ecdsa_data;
225} 207}
diff --git a/src/lib/libssl/src/crypto/err/err_all.c b/src/lib/libssl/src/crypto/err/err_all.c
index 8eb547d98d..1c4eccd251 100644
--- a/src/lib/libssl/src/crypto/err/err_all.c
+++ b/src/lib/libssl/src/crypto/err/err_all.c
@@ -97,9 +97,6 @@
97#include <openssl/ui.h> 97#include <openssl/ui.h>
98#include <openssl/ocsp.h> 98#include <openssl/ocsp.h>
99#include <openssl/err.h> 99#include <openssl/err.h>
100#ifdef OPENSSL_FIPS
101#include <openssl/fips.h>
102#endif
103#include <openssl/ts.h> 100#include <openssl/ts.h>
104#ifndef OPENSSL_NO_CMS 101#ifndef OPENSSL_NO_CMS
105#include <openssl/cms.h> 102#include <openssl/cms.h>
@@ -155,9 +152,6 @@ void ERR_load_crypto_strings(void)
155#endif 152#endif
156 ERR_load_OCSP_strings(); 153 ERR_load_OCSP_strings();
157 ERR_load_UI_strings(); 154 ERR_load_UI_strings();
158#ifdef OPENSSL_FIPS
159 ERR_load_FIPS_strings();
160#endif
161#ifndef OPENSSL_NO_CMS 155#ifndef OPENSSL_NO_CMS
162 ERR_load_CMS_strings(); 156 ERR_load_CMS_strings();
163#endif 157#endif
diff --git a/src/lib/libssl/src/crypto/evp/Makefile b/src/lib/libssl/src/crypto/evp/Makefile
index 3982f49f81..f94a28d383 100644
--- a/src/lib/libssl/src/crypto/evp/Makefile
+++ b/src/lib/libssl/src/crypto/evp/Makefile
@@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
28 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ 28 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
29 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ 29 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
30 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \ 30 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
31 e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \ 31 e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
32 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c 32 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
33 33
34LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ 34LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
@@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
41 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ 41 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
42 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ 42 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
43 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \ 43 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
44 e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \ 44 e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
45 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o 45 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
46 46
47SRC= $(LIBSRC) 47SRC= $(LIBSRC)
diff --git a/src/lib/libssl/src/crypto/evp/digest.c b/src/lib/libssl/src/crypto/evp/digest.c
index d14e8e48d5..782d3199a5 100644
--- a/src/lib/libssl/src/crypto/evp/digest.c
+++ b/src/lib/libssl/src/crypto/evp/digest.c
@@ -117,10 +117,6 @@
117#include <openssl/engine.h> 117#include <openssl/engine.h>
118#endif 118#endif
119 119
120#ifdef OPENSSL_FIPS
121#include <openssl/fips.h>
122#endif
123
124void EVP_MD_CTX_init(EVP_MD_CTX *ctx) 120void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
125 { 121 {
126 memset(ctx,'\0',sizeof *ctx); 122 memset(ctx,'\0',sizeof *ctx);
@@ -229,26 +225,12 @@ skip_to_init:
229 } 225 }
230 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) 226 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
231 return 1; 227 return 1;
232#ifdef OPENSSL_FIPS
233 if (FIPS_mode())
234 {
235 if (FIPS_digestinit(ctx, type))
236 return 1;
237 OPENSSL_free(ctx->md_data);
238 ctx->md_data = NULL;
239 return 0;
240 }
241#endif
242 return ctx->digest->init(ctx); 228 return ctx->digest->init(ctx);
243 } 229 }
244 230
245int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) 231int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
246 { 232 {
247#ifdef OPENSSL_FIPS
248 return FIPS_digestupdate(ctx, data, count);
249#else
250 return ctx->update(ctx,data,count); 233 return ctx->update(ctx,data,count);
251#endif
252 } 234 }
253 235
254/* The caller can assume that this removes any secret data from the context */ 236/* The caller can assume that this removes any secret data from the context */
@@ -263,9 +245,6 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
263/* The caller can assume that this removes any secret data from the context */ 245/* The caller can assume that this removes any secret data from the context */
264int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) 246int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
265 { 247 {
266#ifdef OPENSSL_FIPS
267 return FIPS_digestfinal(ctx, md, size);
268#else
269 int ret; 248 int ret;
270 249
271 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); 250 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
@@ -279,7 +258,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
279 } 258 }
280 memset(ctx->md_data,0,ctx->digest->ctx_size); 259 memset(ctx->md_data,0,ctx->digest->ctx_size);
281 return ret; 260 return ret;
282#endif
283 } 261 }
284 262
285int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) 263int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
@@ -376,7 +354,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
376/* This call frees resources associated with the context */ 354/* This call frees resources associated with the context */
377int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) 355int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
378 { 356 {
379#ifndef OPENSSL_FIPS
380 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, 357 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
381 * because sometimes only copies of the context are ever finalised. 358 * because sometimes only copies of the context are ever finalised.
382 */ 359 */
@@ -389,7 +366,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
389 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); 366 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
390 OPENSSL_free(ctx->md_data); 367 OPENSSL_free(ctx->md_data);
391 } 368 }
392#endif
393 if (ctx->pctx) 369 if (ctx->pctx)
394 EVP_PKEY_CTX_free(ctx->pctx); 370 EVP_PKEY_CTX_free(ctx->pctx);
395#ifndef OPENSSL_NO_ENGINE 371#ifndef OPENSSL_NO_ENGINE
@@ -398,9 +374,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
398 * functional reference we held for this reason. */ 374 * functional reference we held for this reason. */
399 ENGINE_finish(ctx->engine); 375 ENGINE_finish(ctx->engine);
400#endif 376#endif
401#ifdef OPENSSL_FIPS
402 FIPS_md_ctx_cleanup(ctx);
403#endif
404 memset(ctx,'\0',sizeof *ctx); 377 memset(ctx,'\0',sizeof *ctx);
405 378
406 return 1; 379 return 1;
diff --git a/src/lib/libssl/src/crypto/evp/e_null.c b/src/lib/libssl/src/crypto/evp/e_null.c
index f0c1f78b5f..98a78499f9 100644
--- a/src/lib/libssl/src/crypto/evp/e_null.c
+++ b/src/lib/libssl/src/crypto/evp/e_null.c
@@ -61,8 +61,6 @@
61#include <openssl/evp.h> 61#include <openssl/evp.h>
62#include <openssl/objects.h> 62#include <openssl/objects.h>
63 63
64#ifndef OPENSSL_FIPS
65
66static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 64static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
67 const unsigned char *iv,int enc); 65 const unsigned char *iv,int enc);
68static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 66static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
101 memcpy((char *)out,(const char *)in,inl); 99 memcpy((char *)out,(const char *)in,inl);
102 return 1; 100 return 1;
103 } 101 }
104#endif
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index 0c54f05e6e..50403a7578 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -64,17 +64,9 @@
64#ifndef OPENSSL_NO_ENGINE 64#ifndef OPENSSL_NO_ENGINE
65#include <openssl/engine.h> 65#include <openssl/engine.h>
66#endif 66#endif
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70#include "evp_locl.h" 67#include "evp_locl.h"
71 68
72#ifdef OPENSSL_FIPS
73#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
74#else
75#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl) 69#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
76#endif
77
78 70
79const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; 71const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
80 72
@@ -169,10 +161,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
169 ctx->engine = NULL; 161 ctx->engine = NULL;
170#endif 162#endif
171 163
172#ifdef OPENSSL_FIPS
173 if (FIPS_mode())
174 return FIPS_cipherinit(ctx, cipher, key, iv, enc);
175#endif
176 ctx->cipher=cipher; 164 ctx->cipher=cipher;
177 if (ctx->cipher->ctx_size) 165 if (ctx->cipher->ctx_size)
178 { 166 {
@@ -206,10 +194,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
206#ifndef OPENSSL_NO_ENGINE 194#ifndef OPENSSL_NO_ENGINE
207skip_to_init: 195skip_to_init:
208#endif 196#endif
209#ifdef OPENSSL_FIPS
210 if (FIPS_mode())
211 return FIPS_cipherinit(ctx, cipher, key, iv, enc);
212#endif
213 /* we assume block size is a power of 2 in *cryptUpdate */ 197 /* we assume block size is a power of 2 in *cryptUpdate */
214 OPENSSL_assert(ctx->cipher->block_size == 1 198 OPENSSL_assert(ctx->cipher->block_size == 1
215 || ctx->cipher->block_size == 8 199 || ctx->cipher->block_size == 8
@@ -568,7 +552,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
568 552
569int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) 553int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
570 { 554 {
571#ifndef OPENSSL_FIPS
572 if (c->cipher != NULL) 555 if (c->cipher != NULL)
573 { 556 {
574 if(c->cipher->cleanup && !c->cipher->cleanup(c)) 557 if(c->cipher->cleanup && !c->cipher->cleanup(c))
@@ -579,16 +562,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
579 } 562 }
580 if (c->cipher_data) 563 if (c->cipher_data)
581 OPENSSL_free(c->cipher_data); 564 OPENSSL_free(c->cipher_data);
582#endif
583#ifndef OPENSSL_NO_ENGINE 565#ifndef OPENSSL_NO_ENGINE
584 if (c->engine) 566 if (c->engine)
585 /* The EVP_CIPHER we used belongs to an ENGINE, release the 567 /* The EVP_CIPHER we used belongs to an ENGINE, release the
586 * functional reference we held for this reason. */ 568 * functional reference we held for this reason. */
587 ENGINE_finish(c->engine); 569 ENGINE_finish(c->engine);
588#endif 570#endif
589#ifdef OPENSSL_FIPS
590 FIPS_cipher_ctx_cleanup(c);
591#endif
592 memset(c,0,sizeof(EVP_CIPHER_CTX)); 571 memset(c,0,sizeof(EVP_CIPHER_CTX));
593 return 1; 572 return 1;
594 } 573 }
diff --git a/src/lib/libssl/src/crypto/evp/evp_fips.c b/src/lib/libssl/src/crypto/evp/evp_fips.c
deleted file mode 100644
index cb7f4fc0fa..0000000000
--- a/src/lib/libssl/src/crypto/evp/evp_fips.c
+++ /dev/null
@@ -1,113 +0,0 @@
1/* crypto/evp/evp_fips.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54
55#include <openssl/evp.h>
56
57#ifdef OPENSSL_FIPS
58#include <openssl/fips.h>
59
60const EVP_CIPHER *EVP_aes_128_cbc(void) { return FIPS_evp_aes_128_cbc(); }
61const EVP_CIPHER *EVP_aes_128_ccm(void) { return FIPS_evp_aes_128_ccm(); }
62const EVP_CIPHER *EVP_aes_128_cfb1(void) { return FIPS_evp_aes_128_cfb1(); }
63const EVP_CIPHER *EVP_aes_128_cfb128(void) { return FIPS_evp_aes_128_cfb128(); }
64const EVP_CIPHER *EVP_aes_128_cfb8(void) { return FIPS_evp_aes_128_cfb8(); }
65const EVP_CIPHER *EVP_aes_128_ctr(void) { return FIPS_evp_aes_128_ctr(); }
66const EVP_CIPHER *EVP_aes_128_ecb(void) { return FIPS_evp_aes_128_ecb(); }
67const EVP_CIPHER *EVP_aes_128_gcm(void) { return FIPS_evp_aes_128_gcm(); }
68const EVP_CIPHER *EVP_aes_128_ofb(void) { return FIPS_evp_aes_128_ofb(); }
69const EVP_CIPHER *EVP_aes_128_xts(void) { return FIPS_evp_aes_128_xts(); }
70const EVP_CIPHER *EVP_aes_192_cbc(void) { return FIPS_evp_aes_192_cbc(); }
71const EVP_CIPHER *EVP_aes_192_ccm(void) { return FIPS_evp_aes_192_ccm(); }
72const EVP_CIPHER *EVP_aes_192_cfb1(void) { return FIPS_evp_aes_192_cfb1(); }
73const EVP_CIPHER *EVP_aes_192_cfb128(void) { return FIPS_evp_aes_192_cfb128(); }
74const EVP_CIPHER *EVP_aes_192_cfb8(void) { return FIPS_evp_aes_192_cfb8(); }
75const EVP_CIPHER *EVP_aes_192_ctr(void) { return FIPS_evp_aes_192_ctr(); }
76const EVP_CIPHER *EVP_aes_192_ecb(void) { return FIPS_evp_aes_192_ecb(); }
77const EVP_CIPHER *EVP_aes_192_gcm(void) { return FIPS_evp_aes_192_gcm(); }
78const EVP_CIPHER *EVP_aes_192_ofb(void) { return FIPS_evp_aes_192_ofb(); }
79const EVP_CIPHER *EVP_aes_256_cbc(void) { return FIPS_evp_aes_256_cbc(); }
80const EVP_CIPHER *EVP_aes_256_ccm(void) { return FIPS_evp_aes_256_ccm(); }
81const EVP_CIPHER *EVP_aes_256_cfb1(void) { return FIPS_evp_aes_256_cfb1(); }
82const EVP_CIPHER *EVP_aes_256_cfb128(void) { return FIPS_evp_aes_256_cfb128(); }
83const EVP_CIPHER *EVP_aes_256_cfb8(void) { return FIPS_evp_aes_256_cfb8(); }
84const EVP_CIPHER *EVP_aes_256_ctr(void) { return FIPS_evp_aes_256_ctr(); }
85const EVP_CIPHER *EVP_aes_256_ecb(void) { return FIPS_evp_aes_256_ecb(); }
86const EVP_CIPHER *EVP_aes_256_gcm(void) { return FIPS_evp_aes_256_gcm(); }
87const EVP_CIPHER *EVP_aes_256_ofb(void) { return FIPS_evp_aes_256_ofb(); }
88const EVP_CIPHER *EVP_aes_256_xts(void) { return FIPS_evp_aes_256_xts(); }
89const EVP_CIPHER *EVP_des_ede(void) { return FIPS_evp_des_ede(); }
90const EVP_CIPHER *EVP_des_ede3(void) { return FIPS_evp_des_ede3(); }
91const EVP_CIPHER *EVP_des_ede3_cbc(void) { return FIPS_evp_des_ede3_cbc(); }
92const EVP_CIPHER *EVP_des_ede3_cfb1(void) { return FIPS_evp_des_ede3_cfb1(); }
93const EVP_CIPHER *EVP_des_ede3_cfb64(void) { return FIPS_evp_des_ede3_cfb64(); }
94const EVP_CIPHER *EVP_des_ede3_cfb8(void) { return FIPS_evp_des_ede3_cfb8(); }
95const EVP_CIPHER *EVP_des_ede3_ecb(void) { return FIPS_evp_des_ede3_ecb(); }
96const EVP_CIPHER *EVP_des_ede3_ofb(void) { return FIPS_evp_des_ede3_ofb(); }
97const EVP_CIPHER *EVP_des_ede_cbc(void) { return FIPS_evp_des_ede_cbc(); }
98const EVP_CIPHER *EVP_des_ede_cfb64(void) { return FIPS_evp_des_ede_cfb64(); }
99const EVP_CIPHER *EVP_des_ede_ecb(void) { return FIPS_evp_des_ede_ecb(); }
100const EVP_CIPHER *EVP_des_ede_ofb(void) { return FIPS_evp_des_ede_ofb(); }
101const EVP_CIPHER *EVP_enc_null(void) { return FIPS_evp_enc_null(); }
102
103const EVP_MD *EVP_sha1(void) { return FIPS_evp_sha1(); }
104const EVP_MD *EVP_sha224(void) { return FIPS_evp_sha224(); }
105const EVP_MD *EVP_sha256(void) { return FIPS_evp_sha256(); }
106const EVP_MD *EVP_sha384(void) { return FIPS_evp_sha384(); }
107const EVP_MD *EVP_sha512(void) { return FIPS_evp_sha512(); }
108
109const EVP_MD *EVP_dss(void) { return FIPS_evp_dss(); }
110const EVP_MD *EVP_dss1(void) { return FIPS_evp_dss1(); }
111const EVP_MD *EVP_ecdsa(void) { return FIPS_evp_ecdsa(); }
112
113#endif
diff --git a/src/lib/libssl/src/crypto/evp/evp_locl.h b/src/lib/libssl/src/crypto/evp/evp_locl.h
index 08c0a66d39..9e71f39a47 100644
--- a/src/lib/libssl/src/crypto/evp/evp_locl.h
+++ b/src/lib/libssl/src/crypto/evp/evp_locl.h
@@ -347,39 +347,3 @@ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
347int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, 347int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
348 ASN1_TYPE *param, 348 ASN1_TYPE *param,
349 const EVP_CIPHER *c, const EVP_MD *md, int en_de); 349 const EVP_CIPHER *c, const EVP_MD *md, int en_de);
350
351#ifdef OPENSSL_FIPS
352
353#ifdef OPENSSL_DOING_MAKEDEPEND
354#undef SHA1_Init
355#undef SHA1_Update
356#undef SHA224_Init
357#undef SHA256_Init
358#undef SHA384_Init
359#undef SHA512_Init
360#undef DES_set_key_unchecked
361#endif
362
363#define RIPEMD160_Init private_RIPEMD160_Init
364#define WHIRLPOOL_Init private_WHIRLPOOL_Init
365#define MD5_Init private_MD5_Init
366#define MD4_Init private_MD4_Init
367#define MD2_Init private_MD2_Init
368#define MDC2_Init private_MDC2_Init
369#define SHA_Init private_SHA_Init
370#define SHA1_Init private_SHA1_Init
371#define SHA224_Init private_SHA224_Init
372#define SHA256_Init private_SHA256_Init
373#define SHA384_Init private_SHA384_Init
374#define SHA512_Init private_SHA512_Init
375
376#define BF_set_key private_BF_set_key
377#define CAST_set_key private_CAST_set_key
378#define idea_set_encrypt_key private_idea_set_encrypt_key
379#define SEED_set_key private_SEED_set_key
380#define RC2_set_key private_RC2_set_key
381#define RC4_set_key private_RC4_set_key
382#define DES_set_key_unchecked private_DES_set_key_unchecked
383#define Camellia_set_key private_Camellia_set_key
384
385#endif
diff --git a/src/lib/libssl/src/crypto/evp/m_dss.c b/src/lib/libssl/src/crypto/evp/m_dss.c
index 6fb7e9a861..89ea5b7a6d 100644
--- a/src/lib/libssl/src/crypto/evp/m_dss.c
+++ b/src/lib/libssl/src/crypto/evp/m_dss.c
@@ -66,7 +66,6 @@
66#endif 66#endif
67 67
68#ifndef OPENSSL_NO_SHA 68#ifndef OPENSSL_NO_SHA
69#ifndef OPENSSL_FIPS
70 69
71static int init(EVP_MD_CTX *ctx) 70static int init(EVP_MD_CTX *ctx)
72 { return SHA1_Init(ctx->md_data); } 71 { return SHA1_Init(ctx->md_data); }
@@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void)
98 return(&dsa_md); 97 return(&dsa_md);
99 } 98 }
100#endif 99#endif
101#endif
diff --git a/src/lib/libssl/src/crypto/evp/m_dss1.c b/src/lib/libssl/src/crypto/evp/m_dss1.c
index 2df362a670..a010103b7a 100644
--- a/src/lib/libssl/src/crypto/evp/m_dss1.c
+++ b/src/lib/libssl/src/crypto/evp/m_dss1.c
@@ -68,8 +68,6 @@
68#include <openssl/dsa.h> 68#include <openssl/dsa.h>
69#endif 69#endif
70 70
71#ifndef OPENSSL_FIPS
72
73static int init(EVP_MD_CTX *ctx) 71static int init(EVP_MD_CTX *ctx)
74 { return SHA1_Init(ctx->md_data); } 72 { return SHA1_Init(ctx->md_data); }
75 73
@@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void)
100 return(&dss1_md); 98 return(&dss1_md);
101 } 99 }
102#endif 100#endif
103#endif
diff --git a/src/lib/libssl/src/crypto/evp/m_ecdsa.c b/src/lib/libssl/src/crypto/evp/m_ecdsa.c
index 4b15fb0f6c..a6ed24b0b6 100644
--- a/src/lib/libssl/src/crypto/evp/m_ecdsa.c
+++ b/src/lib/libssl/src/crypto/evp/m_ecdsa.c
@@ -116,7 +116,6 @@
116#include <openssl/x509.h> 116#include <openssl/x509.h>
117 117
118#ifndef OPENSSL_NO_SHA 118#ifndef OPENSSL_NO_SHA
119#ifndef OPENSSL_FIPS
120 119
121static int init(EVP_MD_CTX *ctx) 120static int init(EVP_MD_CTX *ctx)
122 { return SHA1_Init(ctx->md_data); } 121 { return SHA1_Init(ctx->md_data); }
@@ -148,4 +147,3 @@ const EVP_MD *EVP_ecdsa(void)
148 return(&ecdsa_md); 147 return(&ecdsa_md);
149 } 148 }
150#endif 149#endif
151#endif
diff --git a/src/lib/libssl/src/crypto/evp/m_sha1.c b/src/lib/libssl/src/crypto/evp/m_sha1.c
index bd0c01ad3c..f39ae77925 100644
--- a/src/lib/libssl/src/crypto/evp/m_sha1.c
+++ b/src/lib/libssl/src/crypto/evp/m_sha1.c
@@ -59,8 +59,6 @@
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61 61
62#ifndef OPENSSL_FIPS
63
64#ifndef OPENSSL_NO_SHA 62#ifndef OPENSSL_NO_SHA
65 63
66#include <openssl/evp.h> 64#include <openssl/evp.h>
@@ -205,5 +203,3 @@ static const EVP_MD sha512_md=
205const EVP_MD *EVP_sha512(void) 203const EVP_MD *EVP_sha512(void)
206 { return(&sha512_md); } 204 { return(&sha512_md); }
207#endif /* ifndef OPENSSL_NO_SHA512 */ 205#endif /* ifndef OPENSSL_NO_SHA512 */
208
209#endif
diff --git a/src/lib/libssl/src/crypto/fips_ers.c b/src/lib/libssl/src/crypto/fips_ers.c
deleted file mode 100644
index 1788ed2884..0000000000
--- a/src/lib/libssl/src/crypto/fips_ers.c
+++ /dev/null
@@ -1,7 +0,0 @@
1#include <openssl/opensslconf.h>
2
3#ifdef OPENSSL_FIPS
4# include "fips_err.h"
5#else
6static void *dummy = &dummy;
7#endif
diff --git a/src/lib/libssl/src/crypto/hmac/hmac.c b/src/lib/libssl/src/crypto/hmac/hmac.c
index ba27cbf56f..6c98fc43a3 100644
--- a/src/lib/libssl/src/crypto/hmac/hmac.c
+++ b/src/lib/libssl/src/crypto/hmac/hmac.c
@@ -61,34 +61,12 @@
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include <openssl/hmac.h> 62#include <openssl/hmac.h>
63 63
64#ifdef OPENSSL_FIPS
65#include <openssl/fips.h>
66#endif
67
68int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, 64int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
69 const EVP_MD *md, ENGINE *impl) 65 const EVP_MD *md, ENGINE *impl)
70 { 66 {
71 int i,j,reset=0; 67 int i,j,reset=0;
72 unsigned char pad[HMAC_MAX_MD_CBLOCK]; 68 unsigned char pad[HMAC_MAX_MD_CBLOCK];
73 69
74#ifdef OPENSSL_FIPS
75 if (FIPS_mode())
76 {
77 /* If we have an ENGINE need to allow non FIPS */
78 if ((impl || ctx->i_ctx.engine)
79 && !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
80 {
81 EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
82 return 0;
83 }
84 /* Other algorithm blocking will be done in FIPS_cmac_init,
85 * via FIPS_hmac_init_ex().
86 */
87 if (!impl && !ctx->i_ctx.engine)
88 return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
89 }
90#endif
91
92 if (md != NULL) 70 if (md != NULL)
93 { 71 {
94 reset=1; 72 reset=1;
@@ -155,10 +133,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
155 133
156int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) 134int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
157 { 135 {
158#ifdef OPENSSL_FIPS
159 if (FIPS_mode() && !ctx->i_ctx.engine)
160 return FIPS_hmac_update(ctx, data, len);
161#endif
162 return EVP_DigestUpdate(&ctx->md_ctx,data,len); 136 return EVP_DigestUpdate(&ctx->md_ctx,data,len);
163 } 137 }
164 138
@@ -166,10 +140,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
166 { 140 {
167 unsigned int i; 141 unsigned int i;
168 unsigned char buf[EVP_MAX_MD_SIZE]; 142 unsigned char buf[EVP_MAX_MD_SIZE];
169#ifdef OPENSSL_FIPS
170 if (FIPS_mode() && !ctx->i_ctx.engine)
171 return FIPS_hmac_final(ctx, md, len);
172#endif
173 143
174 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i)) 144 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
175 goto err; 145 goto err;
@@ -209,13 +179,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
209 179
210void HMAC_CTX_cleanup(HMAC_CTX *ctx) 180void HMAC_CTX_cleanup(HMAC_CTX *ctx)
211 { 181 {
212#ifdef OPENSSL_FIPS
213 if (FIPS_mode() && !ctx->i_ctx.engine)
214 {
215 FIPS_hmac_ctx_cleanup(ctx);
216 return;
217 }
218#endif
219 EVP_MD_CTX_cleanup(&ctx->i_ctx); 182 EVP_MD_CTX_cleanup(&ctx->i_ctx);
220 EVP_MD_CTX_cleanup(&ctx->o_ctx); 183 EVP_MD_CTX_cleanup(&ctx->o_ctx);
221 EVP_MD_CTX_cleanup(&ctx->md_ctx); 184 EVP_MD_CTX_cleanup(&ctx->md_ctx);
diff --git a/src/lib/libssl/src/crypto/idea/i_skey.c b/src/lib/libssl/src/crypto/idea/i_skey.c
index afb830964d..244562e690 100644
--- a/src/lib/libssl/src/crypto/idea/i_skey.c
+++ b/src/lib/libssl/src/crypto/idea/i_skey.c
@@ -62,13 +62,6 @@
62 62
63static IDEA_INT inverse(unsigned int xin); 63static IDEA_INT inverse(unsigned int xin);
64void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks) 64void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
65#ifdef OPENSSL_FIPS
66 {
67 fips_cipher_abort(IDEA);
68 private_idea_set_encrypt_key(key, ks);
69 }
70void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
71#endif
72 { 65 {
73 int i; 66 int i;
74 register IDEA_INT *kt,*kf,r0,r1,r2; 67 register IDEA_INT *kt,*kf,r0,r1,r2;
diff --git a/src/lib/libssl/src/crypto/idea/idea.h b/src/lib/libssl/src/crypto/idea/idea.h
index e9a1e7f1a5..5782e54b0f 100644
--- a/src/lib/libssl/src/crypto/idea/idea.h
+++ b/src/lib/libssl/src/crypto/idea/idea.h
@@ -83,9 +83,6 @@ typedef struct idea_key_st
83const char *idea_options(void); 83const char *idea_options(void);
84void idea_ecb_encrypt(const unsigned char *in, unsigned char *out, 84void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
85 IDEA_KEY_SCHEDULE *ks); 85 IDEA_KEY_SCHEDULE *ks);
86#ifdef OPENSSL_FIPS
87void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
88#endif
89void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); 86void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
90void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); 87void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
91void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, 88void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/src/lib/libssl/src/crypto/md2/md2.h b/src/lib/libssl/src/crypto/md2/md2.h
index d59c9f2593..a46120e7d4 100644
--- a/src/lib/libssl/src/crypto/md2/md2.h
+++ b/src/lib/libssl/src/crypto/md2/md2.h
@@ -81,9 +81,6 @@ typedef struct MD2state_st
81 } MD2_CTX; 81 } MD2_CTX;
82 82
83const char *MD2_options(void); 83const char *MD2_options(void);
84#ifdef OPENSSL_FIPS
85int private_MD2_Init(MD2_CTX *c);
86#endif
87int MD2_Init(MD2_CTX *c); 84int MD2_Init(MD2_CTX *c);
88int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); 85int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
89int MD2_Final(unsigned char *md, MD2_CTX *c); 86int MD2_Final(unsigned char *md, MD2_CTX *c);
diff --git a/src/lib/libssl/src/crypto/md4/md4.h b/src/lib/libssl/src/crypto/md4/md4.h
index a55368a790..c3ed9b3f75 100644
--- a/src/lib/libssl/src/crypto/md4/md4.h
+++ b/src/lib/libssl/src/crypto/md4/md4.h
@@ -105,9 +105,6 @@ typedef struct MD4state_st
105 unsigned int num; 105 unsigned int num;
106 } MD4_CTX; 106 } MD4_CTX;
107 107
108#ifdef OPENSSL_FIPS
109int private_MD4_Init(MD4_CTX *c);
110#endif
111int MD4_Init(MD4_CTX *c); 108int MD4_Init(MD4_CTX *c);
112int MD4_Update(MD4_CTX *c, const void *data, size_t len); 109int MD4_Update(MD4_CTX *c, const void *data, size_t len);
113int MD4_Final(unsigned char *md, MD4_CTX *c); 110int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/src/lib/libssl/src/crypto/md5/md5.h b/src/lib/libssl/src/crypto/md5/md5.h
index 541cc925fe..4cbf84386b 100644
--- a/src/lib/libssl/src/crypto/md5/md5.h
+++ b/src/lib/libssl/src/crypto/md5/md5.h
@@ -105,9 +105,6 @@ typedef struct MD5state_st
105 unsigned int num; 105 unsigned int num;
106 } MD5_CTX; 106 } MD5_CTX;
107 107
108#ifdef OPENSSL_FIPS
109int private_MD5_Init(MD5_CTX *c);
110#endif
111int MD5_Init(MD5_CTX *c); 108int MD5_Init(MD5_CTX *c);
112int MD5_Update(MD5_CTX *c, const void *data, size_t len); 109int MD5_Update(MD5_CTX *c, const void *data, size_t len);
113int MD5_Final(unsigned char *md, MD5_CTX *c); 110int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/src/lib/libssl/src/crypto/mdc2/mdc2.h b/src/lib/libssl/src/crypto/mdc2/mdc2.h
index f3e8e579d2..72778a5212 100644
--- a/src/lib/libssl/src/crypto/mdc2/mdc2.h
+++ b/src/lib/libssl/src/crypto/mdc2/mdc2.h
@@ -81,9 +81,6 @@ typedef struct mdc2_ctx_st
81 } MDC2_CTX; 81 } MDC2_CTX;
82 82
83 83
84#ifdef OPENSSL_FIPS
85int private_MDC2_Init(MDC2_CTX *c);
86#endif
87int MDC2_Init(MDC2_CTX *c); 84int MDC2_Init(MDC2_CTX *c);
88int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); 85int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
89int MDC2_Final(unsigned char *md, MDC2_CTX *c); 86int MDC2_Final(unsigned char *md, MDC2_CTX *c);
diff --git a/src/lib/libssl/src/crypto/o_fips.c b/src/lib/libssl/src/crypto/o_fips.c
index 9c185cfb18..43312ae23f 100644
--- a/src/lib/libssl/src/crypto/o_fips.c
+++ b/src/lib/libssl/src/crypto/o_fips.c
@@ -56,42 +56,20 @@
56 */ 56 */
57 57
58#include "cryptlib.h" 58#include "cryptlib.h"
59#ifdef OPENSSL_FIPS
60#include <openssl/fips.h>
61#include <openssl/fips_rand.h>
62#include <openssl/rand.h>
63#endif
64 59
65int 60int
66FIPS_mode(void) 61FIPS_mode(void)
67{ 62{
68 OPENSSL_init(); 63 OPENSSL_init();
69#ifdef OPENSSL_FIPS
70 return FIPS_module_mode();
71#else
72 return 0; 64 return 0;
73#endif
74} 65}
75 66
76int 67int
77FIPS_mode_set(int r) 68FIPS_mode_set(int r)
78{ 69{
79 OPENSSL_init(); 70 OPENSSL_init();
80#ifdef OPENSSL_FIPS
81#ifndef FIPS_AUTH_USER_PASS
82#define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
83#endif
84 if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
85 return 0;
86 if (r)
87 RAND_set_rand_method(FIPS_rand_get_method());
88 else
89 RAND_set_rand_method(NULL);
90 return 1;
91#else
92 if (r == 0) 71 if (r == 0)
93 return 1; 72 return 1;
94 CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); 73 CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
95 return 0; 74 return 0;
96#endif
97} 75}
diff --git a/src/lib/libssl/src/crypto/o_init.c b/src/lib/libssl/src/crypto/o_init.c
index 07c8e0d694..5e905d9315 100644
--- a/src/lib/libssl/src/crypto/o_init.c
+++ b/src/lib/libssl/src/crypto/o_init.c
@@ -54,10 +54,6 @@
54 54
55#include <e_os.h> 55#include <e_os.h>
56#include <openssl/err.h> 56#include <openssl/err.h>
57#ifdef OPENSSL_FIPS
58#include <openssl/fips.h>
59#include <openssl/rand.h>
60#endif
61 57
62/* Perform any essential OpenSSL initialization operations. 58/* Perform any essential OpenSSL initialization operations.
63 * Currently only sets FIPS callbacks 59 * Currently only sets FIPS callbacks
@@ -70,12 +66,6 @@ OPENSSL_init(void)
70 if (done) 66 if (done)
71 return; 67 return;
72 done = 1; 68 done = 1;
73#ifdef OPENSSL_FIPS
74 FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
75 FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
76 FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
77 RAND_init_fips();
78#endif
79#if 0 69#if 0
80 fprintf(stderr, "Called OPENSSL_init\n"); 70 fprintf(stderr, "Called OPENSSL_init\n");
81#endif 71#endif
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index ebe7180723..7ba6281f28 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -26,11 +26,7 @@
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x1000107fL 28#define OPENSSL_VERSION_NUMBER 0x1000107fL
29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014"
31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014" 29#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014"
33#endif
34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 30#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
35 31
36 32
diff --git a/src/lib/libssl/src/crypto/pem/pem_all.c b/src/lib/libssl/src/crypto/pem/pem_all.c
index eac0460e3e..6ff6be7fbe 100644
--- a/src/lib/libssl/src/crypto/pem/pem_all.c
+++ b/src/lib/libssl/src/crypto/pem/pem_all.c
@@ -193,61 +193,8 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
193 193
194#endif 194#endif
195 195
196#ifdef OPENSSL_FIPS
197
198int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
199 unsigned char *kstr, int klen,
200 pem_password_cb *cb, void *u)
201{
202 if (FIPS_mode())
203 {
204 EVP_PKEY *k;
205 int ret;
206 k = EVP_PKEY_new();
207 if (!k)
208 return 0;
209 EVP_PKEY_set1_RSA(k, x);
210
211 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
212 EVP_PKEY_free(k);
213 return ret;
214 }
215 else
216 return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
217 PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u);
218}
219
220#ifndef OPENSSL_NO_FP_API
221int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
222 unsigned char *kstr, int klen,
223 pem_password_cb *cb, void *u)
224{
225 if (FIPS_mode())
226 {
227 EVP_PKEY *k;
228 int ret;
229 k = EVP_PKEY_new();
230 if (!k)
231 return 0;
232
233 EVP_PKEY_set1_RSA(k, x);
234
235 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
236 EVP_PKEY_free(k);
237 return ret;
238 }
239 else
240 return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
241 PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u);
242}
243#endif
244
245#else
246
247IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) 196IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
248 197
249#endif
250
251IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) 198IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
252IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) 199IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
253 200
@@ -277,59 +224,8 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
277 return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ 224 return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
278} 225}
279 226
280#ifdef OPENSSL_FIPS
281
282int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
283 unsigned char *kstr, int klen,
284 pem_password_cb *cb, void *u)
285{
286 if (FIPS_mode())
287 {
288 EVP_PKEY *k;
289 int ret;
290 k = EVP_PKEY_new();
291 if (!k)
292 return 0;
293 EVP_PKEY_set1_DSA(k, x);
294
295 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
296 EVP_PKEY_free(k);
297 return ret;
298 }
299 else
300 return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
301 PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u);
302}
303
304#ifndef OPENSSL_NO_FP_API
305int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
306 unsigned char *kstr, int klen,
307 pem_password_cb *cb, void *u)
308{
309 if (FIPS_mode())
310 {
311 EVP_PKEY *k;
312 int ret;
313 k = EVP_PKEY_new();
314 if (!k)
315 return 0;
316 EVP_PKEY_set1_DSA(k, x);
317 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
318 EVP_PKEY_free(k);
319 return ret;
320 }
321 else
322 return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
323 PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u);
324}
325#endif
326
327#else
328
329IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) 227IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
330 228
331#endif
332
333IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) 229IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
334 230
335#ifndef OPENSSL_NO_FP_API 231#ifndef OPENSSL_NO_FP_API
@@ -377,61 +273,8 @@ IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKPa
377 273
378 274
379 275
380#ifdef OPENSSL_FIPS
381
382int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
383 unsigned char *kstr, int klen,
384 pem_password_cb *cb, void *u)
385{
386 if (FIPS_mode())
387 {
388 EVP_PKEY *k;
389 int ret;
390 k = EVP_PKEY_new();
391 if (!k)
392 return 0;
393 EVP_PKEY_set1_EC_KEY(k, x);
394
395 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
396 EVP_PKEY_free(k);
397 return ret;
398 }
399 else
400 return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
401 PEM_STRING_ECPRIVATEKEY,
402 bp,x,enc,kstr,klen,cb,u);
403}
404
405#ifndef OPENSSL_NO_FP_API
406int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
407 unsigned char *kstr, int klen,
408 pem_password_cb *cb, void *u)
409{
410 if (FIPS_mode())
411 {
412 EVP_PKEY *k;
413 int ret;
414 k = EVP_PKEY_new();
415 if (!k)
416 return 0;
417 EVP_PKEY_set1_EC_KEY(k, x);
418 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
419 EVP_PKEY_free(k);
420 return ret;
421 }
422 else
423 return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
424 PEM_STRING_ECPRIVATEKEY,
425 fp,x,enc,kstr,klen,cb,u);
426}
427#endif
428
429#else
430
431IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) 276IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
432 277
433#endif
434
435IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) 278IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
436 279
437#ifndef OPENSSL_NO_FP_API 280#ifndef OPENSSL_NO_FP_API
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
index a34915d02d..0c5e8dc992 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
@@ -91,11 +91,6 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
91 /* Set defaults */ 91 /* Set defaults */
92 if (!nid_cert) 92 if (!nid_cert)
93 { 93 {
94#ifdef OPENSSL_FIPS
95 if (FIPS_mode())
96 nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
97 else
98#endif
99 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; 94 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
100 } 95 }
101 if (!nid_key) 96 if (!nid_key)
diff --git a/src/lib/libssl/src/crypto/rc2/rc2.h b/src/lib/libssl/src/crypto/rc2/rc2.h
index e542ec94ff..4c737f5b90 100644
--- a/src/lib/libssl/src/crypto/rc2/rc2.h
+++ b/src/lib/libssl/src/crypto/rc2/rc2.h
@@ -79,9 +79,6 @@ typedef struct rc2_key_st
79 RC2_INT data[64]; 79 RC2_INT data[64];
80 } RC2_KEY; 80 } RC2_KEY;
81 81
82#ifdef OPENSSL_FIPS
83void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
84#endif
85void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); 82void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
86void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, 83void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
87 int enc); 84 int enc);
diff --git a/src/lib/libssl/src/crypto/rc2/rc2_skey.c b/src/lib/libssl/src/crypto/rc2/rc2_skey.c
index 6668ac011f..26b8dd63f6 100644
--- a/src/lib/libssl/src/crypto/rc2/rc2_skey.c
+++ b/src/lib/libssl/src/crypto/rc2/rc2_skey.c
@@ -96,13 +96,6 @@ static const unsigned char key_table[256]={
96 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses 96 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses
97 * a version where the bits parameter is the same as len*8 */ 97 * a version where the bits parameter is the same as len*8 */
98void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) 98void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
99#ifdef OPENSSL_FIPS
100 {
101 fips_cipher_abort(RC2);
102 private_RC2_set_key(key, len, data, bits);
103 }
104void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
105#endif
106 { 99 {
107 int i,j; 100 int i,j;
108 unsigned char *k; 101 unsigned char *k;
diff --git a/src/lib/libssl/src/crypto/rc4/rc4_utl.c b/src/lib/libssl/src/crypto/rc4/rc4_utl.c
index ab3f02fe6a..bd39a76543 100644
--- a/src/lib/libssl/src/crypto/rc4/rc4_utl.c
+++ b/src/lib/libssl/src/crypto/rc4/rc4_utl.c
@@ -55,8 +55,5 @@
55 55
56void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) 56void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
57 { 57 {
58#ifdef OPENSSL_FIPS
59 fips_cipher_abort(RC4);
60#endif
61 private_RC4_set_key(key, len, data); 58 private_RC4_set_key(key, len, data);
62 } 59 }
diff --git a/src/lib/libssl/src/crypto/ripemd/ripemd.h b/src/lib/libssl/src/crypto/ripemd/ripemd.h
index 189bd8c90e..5942eb6180 100644
--- a/src/lib/libssl/src/crypto/ripemd/ripemd.h
+++ b/src/lib/libssl/src/crypto/ripemd/ripemd.h
@@ -91,9 +91,6 @@ typedef struct RIPEMD160state_st
91 unsigned int num; 91 unsigned int num;
92 } RIPEMD160_CTX; 92 } RIPEMD160_CTX;
93 93
94#ifdef OPENSSL_FIPS
95int private_RIPEMD160_Init(RIPEMD160_CTX *c);
96#endif
97int RIPEMD160_Init(RIPEMD160_CTX *c); 94int RIPEMD160_Init(RIPEMD160_CTX *c);
98int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); 95int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
99int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); 96int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_crpt.c b/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
index d3e44785dc..7750366613 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
@@ -75,56 +75,24 @@ int RSA_size(const RSA *r)
75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
76 RSA *rsa, int padding) 76 RSA *rsa, int padding)
77 { 77 {
78#ifdef OPENSSL_FIPS
79 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
80 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
81 {
82 RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
83 return -1;
84 }
85#endif
86 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); 78 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
87 } 79 }
88 80
89int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 81int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
90 RSA *rsa, int padding) 82 RSA *rsa, int padding)
91 { 83 {
92#ifdef OPENSSL_FIPS
93 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
94 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
95 {
96 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
97 return -1;
98 }
99#endif
100 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); 84 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
101 } 85 }
102 86
103int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 87int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
104 RSA *rsa, int padding) 88 RSA *rsa, int padding)
105 { 89 {
106#ifdef OPENSSL_FIPS
107 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
108 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
109 {
110 RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
111 return -1;
112 }
113#endif
114 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); 90 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
115 } 91 }
116 92
117int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 93int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
118 RSA *rsa, int padding) 94 RSA *rsa, int padding)
119 { 95 {
120#ifdef OPENSSL_FIPS
121 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
122 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
123 {
124 RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
125 return -1;
126 }
127#endif
128 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); 96 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
129 } 97 }
130 98
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_gen.c b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
index 42290cce66..767f7ab682 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_gen.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
@@ -67,9 +67,6 @@
67#include "cryptlib.h" 67#include "cryptlib.h"
68#include <openssl/bn.h> 68#include <openssl/bn.h>
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73 70
74static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); 71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
75 72
@@ -80,20 +77,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
80 * now just because key-generation is part of RSA_METHOD. */ 77 * now just because key-generation is part of RSA_METHOD. */
81int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
82 { 79 {
83#ifdef OPENSSL_FIPS
84 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
85 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
86 {
87 RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
88 return 0;
89 }
90#endif
91 if(rsa->meth->rsa_keygen) 80 if(rsa->meth->rsa_keygen)
92 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
93#ifdef OPENSSL_FIPS
94 if (FIPS_mode())
95 return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
96#endif
97 return rsa_builtin_keygen(rsa, bits, e_value, cb); 82 return rsa_builtin_keygen(rsa, bits, e_value, cb);
98 } 83 }
99 84
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_lib.c b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
index c95ceafc82..9e3f7dafcd 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_lib.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
@@ -67,10 +67,6 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73
74const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; 70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
75 71
76static const RSA_METHOD *default_RSA_meth=NULL; 72static const RSA_METHOD *default_RSA_meth=NULL;
@@ -91,18 +87,11 @@ const RSA_METHOD *RSA_get_default_method(void)
91 { 87 {
92 if (default_RSA_meth == NULL) 88 if (default_RSA_meth == NULL)
93 { 89 {
94#ifdef OPENSSL_FIPS
95 if (FIPS_mode())
96 return FIPS_rsa_pkcs1_ssleay();
97 else
98 return RSA_PKCS1_SSLeay();
99#else
100#ifdef RSA_NULL 90#ifdef RSA_NULL
101 default_RSA_meth=RSA_null_method(); 91 default_RSA_meth=RSA_null_method();
102#else 92#else
103 default_RSA_meth=RSA_PKCS1_SSLeay(); 93 default_RSA_meth=RSA_PKCS1_SSLeay();
104#endif 94#endif
105#endif
106 } 95 }
107 96
108 return default_RSA_meth; 97 return default_RSA_meth;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c b/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c
index 157aa5c41d..d706d35ff6 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c
@@ -66,9 +66,6 @@
66#ifndef OPENSSL_NO_CMS 66#ifndef OPENSSL_NO_CMS
67#include <openssl/cms.h> 67#include <openssl/cms.h>
68#endif 68#endif
69#ifdef OPENSSL_FIPS
70#include <openssl/fips.h>
71#endif
72#include "evp_locl.h" 69#include "evp_locl.h"
73#include "rsa_locl.h" 70#include "rsa_locl.h"
74 71
@@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
156 OPENSSL_free(rctx); 153 OPENSSL_free(rctx);
157 } 154 }
158 } 155 }
159#ifdef OPENSSL_FIPS
160/* FIP checker. Return value indicates status of context parameters:
161 * 1 : redirect to FIPS.
162 * 0 : don't redirect to FIPS.
163 * -1 : illegal operation in FIPS mode.
164 */
165
166static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
167 {
168 RSA_PKEY_CTX *rctx = ctx->data;
169 RSA *rsa = ctx->pkey->pkey.rsa;
170 int rv = -1;
171 if (!FIPS_mode())
172 return 0;
173 if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
174 rv = 0;
175 if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
176 return -1;
177 if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
178 return rv;
179 if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
180 return rv;
181 return 1;
182 }
183#endif
184
185static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 156static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
186 const unsigned char *tbs, size_t tbslen) 157 const unsigned char *tbs, size_t tbslen)
187 { 158 {
@@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
189 RSA_PKEY_CTX *rctx = ctx->data; 160 RSA_PKEY_CTX *rctx = ctx->data;
190 RSA *rsa = ctx->pkey->pkey.rsa; 161 RSA *rsa = ctx->pkey->pkey.rsa;
191 162
192#ifdef OPENSSL_FIPS
193 ret = pkey_fips_check_ctx(ctx);
194 if (ret < 0)
195 {
196 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
197 return -1;
198 }
199#endif
200
201 if (rctx->md) 163 if (rctx->md)
202 { 164 {
203 if (tbslen != (size_t)EVP_MD_size(rctx->md)) 165 if (tbslen != (size_t)EVP_MD_size(rctx->md))
@@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
206 RSA_R_INVALID_DIGEST_LENGTH); 168 RSA_R_INVALID_DIGEST_LENGTH);
207 return -1; 169 return -1;
208 } 170 }
209#ifdef OPENSSL_FIPS
210 if (ret > 0)
211 {
212 unsigned int slen;
213 ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
214 rctx->pad_mode,
215 rctx->saltlen,
216 rctx->mgf1md,
217 sig, &slen);
218 if (ret > 0)
219 *siglen = slen;
220 else
221 *siglen = 0;
222 return ret;
223 }
224#endif
225 171
226 if (EVP_MD_type(rctx->md) == NID_mdc2) 172 if (EVP_MD_type(rctx->md) == NID_mdc2)
227 { 173 {
@@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
343 RSA_PKEY_CTX *rctx = ctx->data; 289 RSA_PKEY_CTX *rctx = ctx->data;
344 RSA *rsa = ctx->pkey->pkey.rsa; 290 RSA *rsa = ctx->pkey->pkey.rsa;
345 size_t rslen; 291 size_t rslen;
346#ifdef OPENSSL_FIPS
347 int rv;
348 rv = pkey_fips_check_ctx(ctx);
349 if (rv < 0)
350 {
351 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
352 return -1;
353 }
354#endif
355 if (rctx->md) 292 if (rctx->md)
356 { 293 {
357#ifdef OPENSSL_FIPS
358 if (rv > 0)
359 {
360 return FIPS_rsa_verify_digest(rsa,
361 tbs, tbslen,
362 rctx->md,
363 rctx->pad_mode,
364 rctx->saltlen,
365 rctx->mgf1md,
366 sig, siglen);
367
368 }
369#endif
370 if (rctx->pad_mode == RSA_PKCS1_PADDING) 294 if (rctx->pad_mode == RSA_PKCS1_PADDING)
371 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 295 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
372 sig, siglen, rsa); 296 sig, siglen, rsa);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_sign.c b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
index b6f6037ae0..fa3239ab30 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_sign.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
@@ -77,14 +77,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
77 const unsigned char *s = NULL; 77 const unsigned char *s = NULL;
78 X509_ALGOR algor; 78 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest; 79 ASN1_OCTET_STRING digest;
80#ifdef OPENSSL_FIPS
81 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
82 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
83 {
84 RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
85 return 0;
86 }
87#endif
88 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) 80 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
89 { 81 {
90 return rsa->meth->rsa_sign(type, m, m_len, 82 return rsa->meth->rsa_sign(type, m, m_len,
@@ -161,15 +153,6 @@ int int_rsa_verify(int dtype, const unsigned char *m,
161 unsigned char *s; 153 unsigned char *s;
162 X509_SIG *sig=NULL; 154 X509_SIG *sig=NULL;
163 155
164#ifdef OPENSSL_FIPS
165 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
166 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
167 {
168 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
169 return 0;
170 }
171#endif
172
173 if (siglen != (unsigned int)RSA_size(rsa)) 156 if (siglen != (unsigned int)RSA_size(rsa))
174 { 157 {
175 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); 158 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
diff --git a/src/lib/libssl/src/crypto/seed/seed.c b/src/lib/libssl/src/crypto/seed/seed.c
index 3e675a8d75..934664ddb6 100644
--- a/src/lib/libssl/src/crypto/seed/seed.c
+++ b/src/lib/libssl/src/crypto/seed/seed.c
@@ -198,13 +198,6 @@ static const seed_word KC[] = {
198 KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 }; 198 KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 };
199#endif 199#endif
200void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) 200void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
201#ifdef OPENSSL_FIPS
202 {
203 fips_cipher_abort(SEED);
204 private_SEED_set_key(rawkey, ks);
205 }
206void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
207#endif
208{ 201{
209 seed_word x1, x2, x3, x4; 202 seed_word x1, x2, x3, x4;
210 seed_word t0, t1; 203 seed_word t0, t1;
diff --git a/src/lib/libssl/src/crypto/seed/seed.h b/src/lib/libssl/src/crypto/seed/seed.h
index c50fdd3607..6e2ade3fbb 100644
--- a/src/lib/libssl/src/crypto/seed/seed.h
+++ b/src/lib/libssl/src/crypto/seed/seed.h
@@ -116,9 +116,6 @@ typedef struct seed_key_st {
116#endif 116#endif
117} SEED_KEY_SCHEDULE; 117} SEED_KEY_SCHEDULE;
118 118
119#ifdef OPENSSL_FIPS
120void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
121#endif
122void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); 119void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
123 120
124void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks); 121void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks);
diff --git a/src/lib/libssl/src/crypto/sha/sha.h b/src/lib/libssl/src/crypto/sha/sha.h
index 8a6bf4bbbb..7cbca26ff9 100644
--- a/src/lib/libssl/src/crypto/sha/sha.h
+++ b/src/lib/libssl/src/crypto/sha/sha.h
@@ -70,10 +70,6 @@ extern "C" {
70#error SHA is disabled. 70#error SHA is disabled.
71#endif 71#endif
72 72
73#if defined(OPENSSL_FIPS)
74#define FIPS_SHA_SIZE_T size_t
75#endif
76
77/* 73/*
78 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 74 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
79 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then ! 75 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
@@ -106,9 +102,6 @@ typedef struct SHAstate_st
106 } SHA_CTX; 102 } SHA_CTX;
107 103
108#ifndef OPENSSL_NO_SHA0 104#ifndef OPENSSL_NO_SHA0
109#ifdef OPENSSL_FIPS
110int private_SHA_Init(SHA_CTX *c);
111#endif
112int SHA_Init(SHA_CTX *c); 105int SHA_Init(SHA_CTX *c);
113int SHA_Update(SHA_CTX *c, const void *data, size_t len); 106int SHA_Update(SHA_CTX *c, const void *data, size_t len);
114int SHA_Final(unsigned char *md, SHA_CTX *c); 107int SHA_Final(unsigned char *md, SHA_CTX *c);
@@ -116,9 +109,6 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md);
116void SHA_Transform(SHA_CTX *c, const unsigned char *data); 109void SHA_Transform(SHA_CTX *c, const unsigned char *data);
117#endif 110#endif
118#ifndef OPENSSL_NO_SHA1 111#ifndef OPENSSL_NO_SHA1
119#ifdef OPENSSL_FIPS
120int private_SHA1_Init(SHA_CTX *c);
121#endif
122int SHA1_Init(SHA_CTX *c); 112int SHA1_Init(SHA_CTX *c);
123int SHA1_Update(SHA_CTX *c, const void *data, size_t len); 113int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
124int SHA1_Final(unsigned char *md, SHA_CTX *c); 114int SHA1_Final(unsigned char *md, SHA_CTX *c);
@@ -141,10 +131,6 @@ typedef struct SHA256state_st
141 } SHA256_CTX; 131 } SHA256_CTX;
142 132
143#ifndef OPENSSL_NO_SHA256 133#ifndef OPENSSL_NO_SHA256
144#ifdef OPENSSL_FIPS
145int private_SHA224_Init(SHA256_CTX *c);
146int private_SHA256_Init(SHA256_CTX *c);
147#endif
148int SHA224_Init(SHA256_CTX *c); 134int SHA224_Init(SHA256_CTX *c);
149int SHA224_Update(SHA256_CTX *c, const void *data, size_t len); 135int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
150int SHA224_Final(unsigned char *md, SHA256_CTX *c); 136int SHA224_Final(unsigned char *md, SHA256_CTX *c);
@@ -192,10 +178,6 @@ typedef struct SHA512state_st
192#endif 178#endif
193 179
194#ifndef OPENSSL_NO_SHA512 180#ifndef OPENSSL_NO_SHA512
195#ifdef OPENSSL_FIPS
196int private_SHA384_Init(SHA512_CTX *c);
197int private_SHA512_Init(SHA512_CTX *c);
198#endif
199int SHA384_Init(SHA512_CTX *c); 181int SHA384_Init(SHA512_CTX *c);
200int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); 182int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
201int SHA384_Final(unsigned char *md, SHA512_CTX *c); 183int SHA384_Final(unsigned char *md, SHA512_CTX *c);
diff --git a/src/lib/libssl/src/crypto/whrlpool/whrlpool.h b/src/lib/libssl/src/crypto/whrlpool/whrlpool.h
index 9e01f5b076..03c91da115 100644
--- a/src/lib/libssl/src/crypto/whrlpool/whrlpool.h
+++ b/src/lib/libssl/src/crypto/whrlpool/whrlpool.h
@@ -24,9 +24,6 @@ typedef struct {
24 } WHIRLPOOL_CTX; 24 } WHIRLPOOL_CTX;
25 25
26#ifndef OPENSSL_NO_WHIRLPOOL 26#ifndef OPENSSL_NO_WHIRLPOOL
27#ifdef OPENSSL_FIPS
28int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c);
29#endif
30int WHIRLPOOL_Init (WHIRLPOOL_CTX *c); 27int WHIRLPOOL_Init (WHIRLPOOL_CTX *c);
31int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes); 28int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes);
32void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits); 29void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 22:28:12 +0000