From: Dr. Stephen Henson Date: Sat, 18 Oct 2014 19:14:36 +0000 (+0100) Subject: Remove some unnecessary OPENSSL_FIPS references X-Git-Tag: master-pre-reformat~164 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=00b4ee7664051a0dc589b1d81ba56582576a6ca4;p=openssl Remove some unnecessary OPENSSL_FIPS references FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS capable. Reviewed-by: Tim Hudson --- diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 37b3e23784..80dd2cab7d 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -356,14 +356,12 @@ static int ssl23_client_hello(SSL *s) version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; } -#ifdef OPENSSL_FIPS else if(FIPS_mode()) { SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); return -1; } -#endif else if (version == SSL3_VERSION) { version_major = SSL3_VERSION_MAJOR; @@ -519,14 +517,12 @@ static int ssl23_get_server_hello(SSL *s) if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { -#ifdef OPENSSL_FIPS if(FIPS_mode()) { SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); goto err; } -#endif s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index cc91cc2ef4..08aa5b6cf0 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -115,9 +115,6 @@ #include #include #include -#ifdef OPENSSL_FIPS -#include -#endif static const SSL_METHOD *ssl23_get_server_method(int ver); int ssl23_get_client_hello(SSL *s); @@ -419,14 +416,12 @@ int ssl23_get_client_hello(SSL *s) goto err; } -#ifdef OPENSSL_FIPS if (FIPS_mode() && (s->version < TLS1_VERSION)) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); goto err; } -#endif if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 27f309e72d..6087ee3553 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -353,10 +353,8 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) * which ssl3_cbc_digest_record supports. */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { -#ifdef OPENSSL_FIPS if (FIPS_mode()) return 0; -#endif switch (EVP_MD_CTX_type(ctx)) { case NID_md5: @@ -705,8 +703,6 @@ void ssl3_cbc_digest_record( EVP_MD_CTX_cleanup(&md_ctx); } -#ifdef OPENSSL_FIPS - /* Due to the need to use EVP in FIPS mode we can't reimplement digests but * we can ensure the number of blocks processed is equal for all cases * by digesting additional data. @@ -750,4 +746,3 @@ void tls_fips_digest_extra( EVP_DigestSignUpdate(mac_ctx, data, (blocks_orig - blocks_data + 1) * block_size); } -#endif diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index ee0493f576..c5f6ceb5c0 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -156,9 +156,6 @@ #include #include #include -#ifdef OPENSSL_FIPS -#include -#endif #ifndef OPENSSL_NO_DH #include #endif diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 7765de176f..f7de30ba4d 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -630,13 +630,11 @@ int ssl3_digest_cached_records(SSL *s) if ((mask & ssl_get_algorithm2(s)) && md) { s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); -#ifdef OPENSSL_FIPS if (EVP_MD_nid(md) == NID_md5) { EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); } -#endif EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index a846c75eba..1599d7971c 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -643,10 +643,8 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, s->ssl_version < TLS1_VERSION) return 1; -#ifdef OPENSSL_FIPS if (FIPS_mode()) return 1; -#endif if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && @@ -826,9 +824,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, c = ssl_method->get_cipher(i); /* drop those that use any of that is not available */ if ((c != NULL) && c->valid && -#ifdef OPENSSL_FIPS (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && -#endif !(c->algorithm_mkey & disabled_mkey) && !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -1615,11 +1611,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ for (curr = head; curr != NULL; curr = curr->next) { -#ifdef OPENSSL_FIPS if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) -#else - if (curr->active) -#endif { if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5543defa47..743204cd15 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1889,13 +1889,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) return(NULL); } -#ifdef OPENSSL_FIPS if (FIPS_mode() && (meth->version < TLS1_VERSION)) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); return NULL; } -#endif if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 1358bfbd44..59b3fdb6da 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1054,13 +1054,11 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); t=EVP_DigestSignFinal(mac_ctx,md,&md_size); OPENSSL_assert(t > 0); -#ifdef OPENSSL_FIPS if (!send && !SSL_USE_ETM(ssl) && FIPS_mode()) tls_fips_digest_extra( ssl->enc_read_ctx, mac_ctx, rec->input, rec->length, rec->orig_len); -#endif } if (!stream_mac) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 86c06e2ba8..891cd1fddd 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3599,10 +3599,8 @@ static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg) const EVP_MD *tls12_get_hash(unsigned char hash_alg) { const tls12_hash_info *inf; -#ifndef OPENSSL_FIPS if (hash_alg == TLSEXT_hash_md5 && FIPS_mode()) return NULL; -#endif inf = tls12_get_hash_info(hash_alg); if (!inf || !inf->mfunc) return NULL;