From 3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Tue, 15 Apr 2014 20:06:10 +0000
Subject: remove FIPS mode support. people who require FIPS can buy something
 that meets their needs, but dumping it in here only penalizes the rest of us.
 ok beck deraadt

---
 src/lib/libcrypto/dh/dh_gen.c | 17 -----------------
 src/lib/libcrypto/dh/dh_key.c | 16 ----------------
 src/lib/libcrypto/dh/dh_lib.c | 11 -----------
 3 files changed, 44 deletions(-)

(limited to 'src/lib/libcrypto/dh')

diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 7b1fe9c9cb..cfd5b11868 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -66,29 +66,12 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
 
 int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
-			&& !(ret->flags & DH_FLAG_NON_FIPS_ALLOW))
-		{
-		DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
-		return 0;
-		}
-#endif
 	if(ret->meth->generate_params)
 		return ret->meth->generate_params(ret, prime_len, generator, cb);
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode())
-		return FIPS_dh_generate_parameters_ex(ret, prime_len,
-							generator, cb);
-#endif
 	return dh_builtin_genparams(ret, prime_len, generator, cb);
 	}
 
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 89a74db4e6..9596270f7d 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -73,27 +73,11 @@ static int dh_finish(DH *dh);
 
 int DH_generate_key(DH *dh)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
-			&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
-		{
-		DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
-		return 0;
-		}
-#endif
 	return dh->meth->generate_key(dh);
 	}
 
 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
-			&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
-		{
-		DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
-		return 0;
-		}
-#endif
 	return dh->meth->compute_key(key, pub_key, dh);
 	}
 
diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c
index 00218f2b92..a40caaf75b 100644
--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -64,10 +64,6 @@
 #include <openssl/engine.h>
 #endif
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
 static const DH_METHOD *default_DH_method = NULL;
@@ -81,14 +77,7 @@ const DH_METHOD *DH_get_default_method(void)
 	{
 	if(!default_DH_method)
 		{
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			return FIPS_dh_openssl();
-		else
-			return DH_OpenSSL();
-#else
 		default_DH_method = DH_OpenSSL();
-#endif
 		}
 	return default_DH_method;
 	}
-- 
cgit v1.2.3-55-g6feb