From ad76fc8ee191ac27c7614f9a37b6a8c1cc615aca Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 11 Jun 2014 15:44:10 +0000
Subject: Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored
 since OpenSSL 1.0.0.

ok miod@ (a little while back)
---
 src/lib/libcrypto/x509/x509_cmp.c         | 1 -
 src/lib/libssl/s3_clnt.c                  | 2 --
 src/lib/libssl/s3_srvr.c                  | 2 --
 src/lib/libssl/src/crypto/x509/x509_cmp.c | 1 -
 src/lib/libssl/src/ssl/s3_clnt.c          | 2 --
 src/lib/libssl/src/ssl/s3_enc.c           | 3 ---
 src/lib/libssl/src/ssl/s3_srvr.c          | 2 --
 src/lib/libssl/src/ssl/t1_enc.c           | 2 --
 src/lib/libssl/t1_enc.c                   | 2 --
 9 files changed, 17 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index b6b3423e3f..8877c6e284 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -258,7 +258,6 @@ X509_NAME_hash_old(X509_NAME *x)
 	/* Make sure X509_NAME structure contains valid cached encoding */
 	i2d_X509_NAME(x, NULL);
 	EVP_MD_CTX_init(&md_ctx);
-	EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 	if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) &&
 	    EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) &&
 	    EVP_DigestFinal_ex(&md_ctx, md, NULL))
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 45dfb64f92..e86d58c671 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1603,8 +1603,6 @@ ssl3_get_key_exchange(SSL *s)
 			j = 0;
 			q = md_buf;
 			for (num = 2; num > 0; num--) {
-				EVP_MD_CTX_set_flags(&md_ctx,
-				EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 				EVP_DigestInit_ex(&md_ctx,
 				    (num == 2) ?  s->ctx->md5 : s->ctx->sha1,
 				    NULL);
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 9dc944706f..6bf4def27d 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1793,8 +1793,6 @@ ssl3_send_server_key_exchange(SSL *s)
 				q = md_buf;
 				j = 0;
 				for (num = 2; num > 0; num--) {
-					EVP_MD_CTX_set_flags(&md_ctx,
-					    EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 					EVP_DigestInit_ex(&md_ctx,
 					    (num == 2) ? s->ctx->md5 :
 					    s->ctx->sha1, NULL);
diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c
index b6b3423e3f..8877c6e284 100644
--- a/src/lib/libssl/src/crypto/x509/x509_cmp.c
+++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c
@@ -258,7 +258,6 @@ X509_NAME_hash_old(X509_NAME *x)
 	/* Make sure X509_NAME structure contains valid cached encoding */
 	i2d_X509_NAME(x, NULL);
 	EVP_MD_CTX_init(&md_ctx);
-	EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 	if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) &&
 	    EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) &&
 	    EVP_DigestFinal_ex(&md_ctx, md, NULL))
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 45dfb64f92..e86d58c671 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1603,8 +1603,6 @@ ssl3_get_key_exchange(SSL *s)
 			j = 0;
 			q = md_buf;
 			for (num = 2; num > 0; num--) {
-				EVP_MD_CTX_set_flags(&md_ctx,
-				EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 				EVP_DigestInit_ex(&md_ctx,
 				    (num == 2) ?  s->ctx->md5 : s->ctx->sha1,
 				    NULL);
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 71a3155c60..1f7c592a64 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -172,7 +172,6 @@ ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
 	k = 0;
 	EVP_MD_CTX_init(&m5);
-	EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 	EVP_MD_CTX_init(&s1);
 	for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
 		k++;
@@ -667,8 +666,6 @@ ssl3_handshake_mac(SSL *s, int md_nid, const char *sender, int len,
 		return 0;
 	}
 	EVP_MD_CTX_init(&ctx);
-	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-
 	if (!EVP_MD_CTX_copy_ex(&ctx, d))
 		return 0;
 	n = EVP_MD_CTX_size(&ctx);
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 9dc944706f..6bf4def27d 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1793,8 +1793,6 @@ ssl3_send_server_key_exchange(SSL *s)
 				q = md_buf;
 				j = 0;
 				for (num = 2; num > 0; num--) {
-					EVP_MD_CTX_set_flags(&md_ctx,
-					    EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 					EVP_DigestInit_ex(&md_ctx,
 					    (num == 2) ? s->ctx->md5 :
 					    s->ctx->sha1, NULL);
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 922d44ad4e..eaf53b48cc 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -165,8 +165,6 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len,
 
 	EVP_MD_CTX_init(&ctx);
 	EVP_MD_CTX_init(&ctx_tmp);
-	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-	EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
 	if (!mac_key)
 		goto err;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 922d44ad4e..eaf53b48cc 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -165,8 +165,6 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len,
 
 	EVP_MD_CTX_init(&ctx);
 	EVP_MD_CTX_init(&ctx_tmp);
-	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-	EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
 	if (!mac_key)
 		goto err;
-- 
cgit v1.2.3-55-g6feb