From f88d9acb16e601adf96b4de4b1041d52d0d846da Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Tue, 15 Apr 2014 20:06:10 +0000
Subject: remove FIPS mode support. people who require FIPS can buy something
 that meets their needs, but dumping it in here only penalizes the rest of us.
 ok beck deraadt

---
 src/lib/libcrypto/rsa/rsa_pmeth.c | 76 ---------------------------------------
 1 file changed, 76 deletions(-)

(limited to 'src/lib/libcrypto/rsa/rsa_pmeth.c')

diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 157aa5c41d..d706d35ff6 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -66,9 +66,6 @@
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
 #endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 #include "evp_locl.h"
 #include "rsa_locl.h"
 
@@ -156,32 +153,6 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 		OPENSSL_free(rctx);
 		}
 	}
-#ifdef OPENSSL_FIPS
-/* FIP checker. Return value indicates status of context parameters:
- * 1  : redirect to FIPS.
- * 0  : don't redirect to FIPS.
- * -1 : illegal operation in FIPS mode.
- */
-
-static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
-	{
-	RSA_PKEY_CTX *rctx = ctx->data;
-	RSA *rsa = ctx->pkey->pkey.rsa;
-	int rv = -1;
-	if (!FIPS_mode())
-		return 0;
-	if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-		rv = 0;
-	if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
-		return -1;
-	if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
-		return rv;
-	if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
-		return rv;
-	return 1;
-	}
-#endif
-
 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 					const unsigned char *tbs, size_t tbslen)
 	{
@@ -189,15 +160,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 	RSA_PKEY_CTX *rctx = ctx->data;
 	RSA *rsa = ctx->pkey->pkey.rsa;
 
-#ifdef OPENSSL_FIPS
-	ret = pkey_fips_check_ctx(ctx);
-	if (ret < 0)
-		{
-		RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-		return -1;
-		}
-#endif
-
 	if (rctx->md)
 		{
 		if (tbslen != (size_t)EVP_MD_size(rctx->md))
@@ -206,22 +168,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 					RSA_R_INVALID_DIGEST_LENGTH);
 			return -1;
 			}
-#ifdef OPENSSL_FIPS
-		if (ret > 0)
-			{
-			unsigned int slen;
-			ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
-							rctx->pad_mode,
-							rctx->saltlen,
-							rctx->mgf1md,
-							sig, &slen);
-			if (ret > 0)
-				*siglen = slen;
-			else
-				*siglen = 0;
-			return ret;
-			}
-#endif
 
 		if (EVP_MD_type(rctx->md) == NID_mdc2)
 			{
@@ -343,30 +289,8 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
 	RSA_PKEY_CTX *rctx = ctx->data;
 	RSA *rsa = ctx->pkey->pkey.rsa;
 	size_t rslen;
-#ifdef OPENSSL_FIPS
-	int rv;
-	rv = pkey_fips_check_ctx(ctx);
-	if (rv < 0)
-		{
-		RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-		return -1;
-		}
-#endif
 	if (rctx->md)
 		{
-#ifdef OPENSSL_FIPS
-		if (rv > 0)
-			{
-			return FIPS_rsa_verify_digest(rsa,
-							tbs, tbslen,
-							rctx->md,
-							rctx->pad_mode,
-							rctx->saltlen,
-							rctx->mgf1md,
-							sig, siglen);
-							
-			}
-#endif
 		if (rctx->pad_mode == RSA_PKCS1_PADDING)
 			return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
 					sig, siglen, rsa);
-- 
cgit v1.2.3-55-g6feb