From 3c7d2178681a2741a8cc8a042cb2ea6ee28528b8 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Tue, 15 Apr 2014 20:06:10 +0000
Subject: remove FIPS mode support. people who require FIPS can buy something
 that meets their needs, but dumping it in here only penalizes the rest of us.
 ok beck deraadt

---
 src/lib/libcrypto/dsa/dsa_gen.c  | 20 --------------------
 src/lib/libcrypto/dsa/dsa_key.c  | 16 ----------------
 src/lib/libcrypto/dsa/dsa_lib.c  | 11 -----------
 src/lib/libcrypto/dsa/dsa_sign.c | 16 ----------------
 src/lib/libcrypto/dsa/dsa_vrf.c  |  8 --------
 5 files changed, 71 deletions(-)

(limited to 'src/lib/libcrypto/dsa')

diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index c398761d0d..e6a5452016 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -81,33 +81,13 @@
 #include <openssl/sha.h>
 #include "dsa_locl.h"
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 int DSA_generate_parameters_ex(DSA *ret, int bits,
 		const unsigned char *seed_in, int seed_len,
 		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
-			&& !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
-		{
-		DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
-		return 0;
-		}
-#endif
 	if(ret->meth->dsa_paramgen)
 		return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
 				counter_ret, h_ret, cb);
-#ifdef OPENSSL_FIPS
-	else if (FIPS_mode())
-		{
-		return FIPS_dsa_generate_parameters_ex(ret, bits, 
-							seed_in, seed_len,
-							counter_ret, h_ret, cb);
-		}
-#endif
 	else
 		{
 		const EVP_MD *evpmd;
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 9cf669b921..c4aa86bc6d 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,28 +64,12 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 static int dsa_builtin_keygen(DSA *dsa);
 
 int DSA_generate_key(DSA *dsa)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-			&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-		{
-		DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
-		return 0;
-		}
-#endif
 	if(dsa->meth->dsa_keygen)
 		return dsa->meth->dsa_keygen(dsa);
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode())
-		return FIPS_dsa_generate_key(dsa);
-#endif
 	return dsa_builtin_keygen(dsa);
 	}
 
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index 96d8d0c4b4..897c085968 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -70,10 +70,6 @@
 #include <openssl/dh.h>
 #endif
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
 
 static const DSA_METHOD *default_DSA_method = NULL;
@@ -87,14 +83,7 @@ const DSA_METHOD *DSA_get_default_method(void)
 	{
 	if(!default_DSA_method)
 		{
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			return FIPS_dsa_openssl();
-		else
-			return DSA_OpenSSL();
-#else
 		default_DSA_method = DSA_OpenSSL();
-#endif
 		}
 	return default_DSA_method;
 	}
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index c3cc3642ce..e02365a8b1 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -65,27 +65,11 @@
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-			&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-		{
-		DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
-		return NULL;
-		}
-#endif
 	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
 	}
 
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-			&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-		{
-		DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
-		return 0;
-		}
-#endif
 	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
 	}
 
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 674cb5fa5f..286ed28cfa 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,13 +64,5 @@
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-			&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-		{
-		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
-		return -1;
-		}
-#endif
 	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
 	}
-- 
cgit v1.2.3-55-g6feb