From b53338cbf8822dd774f9e4057307f347d2b63ff0 Mon Sep 17 00:00:00 2001
From: Emilia Kasper <emilia@openssl.org>
Date: Tue, 28 Feb 2017 12:30:28 +0100
Subject: [PATCH] Clean up references to FIPS

This removes the fips configure option. This option is broken as the
required FIPS code is not available.

FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.

Reviewed-by: Stephen Henson <steve@openssl.org>
---
 Configure                     | 37 +++------------------------
 apps/openssl.c                | 10 --------
 crypto/aes/asm/aes-mips.pl    |  4 ---
 crypto/bn/asm/sparcv8plus.S   |  4 ---
 crypto/des/asm/des_enc.m4     |  4 ---
 crypto/err/err_all.c          |  9 -------
 crypto/evp/evp_cnf.c          |  8 ------
 crypto/o_fips.c               | 12 +--------
 crypto/o_init.c               | 19 +++-----------
 crypto/rand/md_rand.c         |  4 ---
 crypto/rand/rand_lib.c        |  5 ----
 crypto/sha/asm/sha1-mips.pl   |  4 ---
 crypto/sha/asm/sha512-mips.pl |  4 ---
 crypto/sparccpuid.S           |  4 ---
 doc/man5/config.pod           | 13 ++--------
 include/openssl/opensslv.h    |  6 +----
 ssl/record/ssl3_record.c      |  7 -----
 ssl/s3_cbc.c                  | 48 -----------------------------------
 ssl/ssl_ciph.c                |  8 +-----
 ssl/ssl_lib.c                 |  5 ----
 ssl/ssl_locl.h                |  4 ---
 ssl/statem/statem_lib.c       |  4 +--
 test/ssltest_old.c            | 19 --------------
 23 files changed, 12 insertions(+), 230 deletions(-)

diff --git a/Configure b/Configure
index 4404963aa7..f6d5a7cfd3 100755
--- a/Configure
+++ b/Configure
@@ -302,12 +302,9 @@ $config{openssldir}="";
 $config{processor}="";
 $config{libdir}="";
 $config{cross_compile_prefix}="";
-$config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
-my $nofipscanistercheck=0;
 $config{baseaddr}="0xFB00000";
 my $auto_threads=1;    # enable threads automatically? true by default
 my $default_ranlib;
-$config{fips}=0;
 
 # Top level directories to build
 $config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
@@ -685,7 +682,7 @@ while (@argvcopy)
 		{ $config{processor}=386; }
 	elsif (/^fips$/)
 		{
-		$config{fips}=1;
+		die "FIPS mode not supported\n";
 		}
 	elsif (/^rsaref$/)
 		{
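Review bot: The new `die "FIPS mode not supported\n";` in the `fips` branch does not say which argument triggered it, and the identical line is repeated in the `nofipscanistercheck` branch of the next hunk. The trailing newline suppresses Perl's file/line suffix, so someone running a long scripted Configure command sees only the bare message. The branch matches against `$_`, so the option can be named, e.g. `die "FIPS mode not supported: option '$_' is no longer available\n";`. The two branches could also be folded into one `elsif (/^(?:fips|nofipscanistercheck)$/)`. The enclosing `while (@argvcopy)` loop starts and ends outside this hunk.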
@@ -695,8 +692,7 @@ while (@argvcopy)
 		}
 	elsif (/^nofipscanistercheck$/)
 		{
-		$config{fips} = 1;
-		$nofipscanistercheck = 1;
+		die "FIPS mode not supported\n";
 		}
 	elsif (/^[-+]/)
 		{
@@ -734,10 +730,6 @@ while (@argvcopy)
 			{
 			$withargs{fuzzer_include}=$1;
 			}
-		elsif (/^--with-fipslibdir=(.*)$/)
-			{
-			$config{fipslibdir}="$1/";
-			}
 		elsif (/^--with-baseaddr=(.*)$/)
 			{
 			$config{baseaddr}="$1";
@@ -821,15 +813,6 @@ if ($libs =~ /(^|\s)-Wl,-rpath,/
 	"***** any of asan, msan or ubsan\n";
 }
 
-if ($config{fips})
-	{
-	delete $disabled{"shared"} if ($disabled{"shared"} =~ /^default/);
-	}
-else
-	{
-	@{$config{dirs}} = grep !/^fips$/, @{$config{dirs}};
-	}
-
 my @tocheckfor = (keys %disabled);
 while (@tocheckfor) {
     my %new_tocheckfor = ();
@@ -1058,15 +1041,6 @@ if (!$disabled{dso} && $target{dso_scheme} ne "")
 
 $config{ex_libs}="$libs$config{ex_libs}" if ($libs ne "");
 
-if ($disabled{asm})
-	{
-	if ($config{fips})
-		{
-		@{$config{defines}} = grep !/^[BL]_ENDIAN$/, @{$config{defines}};
-		@{$target{defines}} = grep !/^[BL]_ENDIAN$/, @{$target{defines}};
-		}
-	}
-
 # If threads aren't disabled, check how possible they are
 unless ($disabled{threads}) {
     if ($auto_threads) {
@@ -1107,8 +1081,7 @@ if (defined($disabled{"deprecated"})) {
 if ($target{shared_target} eq "")
 	{
 	$no_shared_warn = 1
-	    if ((!$disabled{shared} || !$disabled{"dynamic-engine"})
-		&& !$config{fips});
+	    if (!$disabled{shared} || !$disabled{"dynamic-engine"});
 	$disabled{shared} = "no-shared-target";
 	$disabled{pic} = $disabled{shared} = $disabled{"dynamic-engine"} =
 	    "no-shared-target";
@@ -1172,10 +1145,6 @@ unless ($disabled{asm}) {
     push @{$config{defines}}, "OPENSSL_BN_ASM_MONT5" if ($target{bn_asm_src} =~ /-mont5/);
     push @{$config{defines}}, "OPENSSL_BN_ASM_GF2m" if ($target{bn_asm_src} =~ /-gf2m/);
 
-    if ($config{fips}) {
-	push @{$config{openssl_other_defines}}, "OPENSSL_FIPS";
-    }
-
     if ($target{sha1_asm_src}) {
 	push @{$config{defines}}, "SHA1_ASM"   if ($target{sha1_asm_src} =~ /sx86/ || $target{sha1_asm_src} =~ /sha1/);
 	push @{$config{defines}}, "SHA256_ASM" if ($target{sha1_asm_src} =~ /sha256/);
diff --git a/apps/openssl.c b/apps/openssl.c
index bb776eb310..e42ee1e6e9 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -21,9 +21,6 @@
 # include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
 #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
 #include "s_apps.h"
 /* Needed to get the other O_xxx flags. */
@@ -143,15 +140,8 @@ int main(int argc, char *argv[])
     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
     if (getenv("OPENSSL_FIPS")) {
-#ifdef OPENSSL_FIPS
-        if (!FIPS_mode_set(1)) {
-            ERR_print_errors(bio_err);
-            return 1;
-        }
-#else
         BIO_printf(bio_err, "FIPS mode not supported.\n");
         return 1;
-#endif
     }
 
     if (!apps_startup())
diff --git a/crypto/aes/asm/aes-mips.pl b/crypto/aes/asm/aes-mips.pl
index 0eb1474a3a..ba3e4545df 100644
--- a/crypto/aes/asm/aes-mips.pl
+++ b/crypto/aes/asm/aes-mips.pl
@@ -105,10 +105,6 @@ $code.=<<___;
 #include "mips_arch.h"
 
 .text
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
 #if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__))
 .option	pic2
 #endif
diff --git a/crypto/bn/asm/sparcv8plus.S b/crypto/bn/asm/sparcv8plus.S
index 714a136675..f3c611ae31 100644
--- a/crypto/bn/asm/sparcv8plus.S
+++ b/crypto/bn/asm/sparcv8plus.S
@@ -144,10 +144,6 @@
  *	    }
  */
 
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
 #if defined(__SUNPRO_C) && defined(__sparcv9)
   /* They've said -xarch=v9 at command line */
   .register	%g2,#scratch
diff --git a/crypto/des/asm/des_enc.m4 b/crypto/des/asm/des_enc.m4
index 2d794d3374..c1f6391f53 100644
--- a/crypto/des/asm/des_enc.m4
+++ b/crypto/des/asm/des_enc.m4
@@ -31,10 +31,6 @@
 
 #include <openssl/opensslconf.h>
 
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
 #if defined(__SUNPRO_C) && defined(__sparcv9)
 # define ABI64  /* They've said -xarch=v9 at command line */
 #elif defined(__GNUC__) && defined(__arch64__)
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index 3b1304f8e0..6cc8c8f20b 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -31,9 +31,6 @@
 #include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
 #include <openssl/ts.h>
 #include <openssl/cms.h>
 #include <openssl/ct.h>
@@ -43,9 +40,6 @@
 int err_load_crypto_strings_int(void)
 {
     if (
-#ifdef OPENSSL_FIPS
-        FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 ||
-#endif
 #ifndef OPENSSL_NO_ERR
         ERR_load_ERR_strings() == 0 ||    /* include error strings for SYSerr */
         ERR_load_BN_strings() == 0 ||
@@ -91,9 +85,6 @@ int err_load_crypto_strings_int(void)
 #ifndef OPENSSL_NO_UI
         ERR_load_UI_strings() == 0 ||
 #endif
-# ifdef OPENSSL_FIPS
-        ERR_load_FIPS_strings() == 0 ||
-# endif
 # ifndef OPENSSL_NO_CMS
         ERR_load_CMS_strings() == 0 ||
 # endif
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 71d13b8df0..d0d61b28be 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -38,16 +38,8 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
                 return 0;
             }
             if (m > 0) {
-#ifdef OPENSSL_FIPS
-                if (!FIPS_mode() && !FIPS_mode_set(1)) {
-                    EVPerr(EVP_F_ALG_MODULE_INIT,
-                           EVP_R_ERROR_SETTING_FIPS_MODE);
-                    return 0;
-                }
-#else
                 EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED);
                 return 0;
-#endif
             }
         } else {
             EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION);
diff --git a/crypto/o_fips.c b/crypto/o_fips.c
index bf6db65fed..050ea9c216 100644
--- a/crypto/o_fips.c
+++ b/crypto/o_fips.c
@@ -8,27 +8,17 @@
  */
 
 #include "internal/cryptlib.h"
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
 
 int FIPS_mode(void)
 {
-#ifdef OPENSSL_FIPS
-    return FIPS_module_mode();
-#else
+    /* This version of the library does not support FIPS mode. */
     return 0;
-#endif
 }
 
 int FIPS_mode_set(int r)
 {
-#ifdef OPENSSL_FIPS
-    return FIPS_module_mode_set(r);
-#else
     if (r == 0)
         return 1;
     CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
     return 0;
-#endif
 }
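Review bot: `FIPS_mode_set()` is left undocumented while only `FIPS_mode()` gets the new "does not support FIPS mode" comment, yet the setter is the one whose contract matters to callers. After this change every non-zero `r` fails and raises `CRYPTO_R_FIPS_MODE_NOT_SUPPORTED`, so an application that ignores the return value carries on without FIPS mode and without noticing. I would add above `if (r == 0)`: `/* FIPS mode cannot be enabled in this version; only r == 0 succeeds. Callers must check the return value. */`.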
diff --git a/crypto/o_init.c b/crypto/o_init.c
index 2e0c126095..5eb7654d32 100644
--- a/crypto/o_init.c
+++ b/crypto/o_init.c
@@ -9,26 +9,13 @@
 
 #include <e_os.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-# include <openssl/rand.h>
-#endif
 
 /*
- * Perform any essential OpenSSL initialization operations. Currently only
- * sets FIPS callbacks
+ * Perform any essential OpenSSL initialization operations. Currently does
+ * nothing.
  */
 
 void OPENSSL_init(void)
 {
-    static int done = 0;
-    if (done)
-        return;
-    done = 1;
-#ifdef OPENSSL_FIPS
-    FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
-    FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
-    FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
-    RAND_init_fips();
-#endif
+    return;
 }
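Review bot: The `return;` added as the only statement of `OPENSSL_init()` is redundant in a `void` function, and the header comment "Currently does nothing" does not say why the function is kept at all. An empty body carrying the reason reads better, e.g. `/* Nothing to initialise; kept so existing callers still link. */`. That rationale is inferred from the commit message's compatibility remark about `FIPS_mode()`, so confirm it applies to this symbol before wording the comment that way.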
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 78da14a8e6..8cbfae170f 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -29,10 +29,6 @@
 
 #include <internal/thread_once.h>
 
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
-
 #if defined(BN_DEBUG) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
 # define PREDICT
 #endif
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 238712671b..fc47dc97a2 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -15,11 +15,6 @@
 
 #include <openssl/engine.h>
 
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-# include <openssl/fips_rand.h>
-#endif
-
 #ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
 static ENGINE *funct_ref = NULL;
diff --git a/crypto/sha/asm/sha1-mips.pl b/crypto/sha/asm/sha1-mips.pl
index d9911c8503..ab2924070a 100644
--- a/crypto/sha/asm/sha1-mips.pl
+++ b/crypto/sha/asm/sha1-mips.pl
@@ -342,10 +342,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000";
 $code=<<___;
 #include "mips_arch.h"
 
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
 .text
 
 .set	noat
diff --git a/crypto/sha/asm/sha512-mips.pl b/crypto/sha/asm/sha512-mips.pl
index 5464543db8..e6fd2687f8 100644
--- a/crypto/sha/asm/sha512-mips.pl
+++ b/crypto/sha/asm/sha512-mips.pl
@@ -304,10 +304,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000";
 $code.=<<___;
 #include "mips_arch.h"
 
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
 .text
 .set	noat
 #if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__))
diff --git a/crypto/sparccpuid.S b/crypto/sparccpuid.S
index c6ca224738..95acd2f9d4 100644
--- a/crypto/sparccpuid.S
+++ b/crypto/sparccpuid.S
@@ -5,10 +5,6 @@
 ! in the file LICENSE in the source distribution or at
 ! https://www.openssl.org/source/license.html
 
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
 #if defined(__SUNPRO_C) && defined(__sparcv9)
 # define ABI64  /* They've said -xarch=v9 at command line */
 #elif defined(__GNUC__) && defined(__arch64__)
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 9df0ecb1e4..24ebafb533 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -193,17 +193,8 @@ This modules has the name B<alg_section> which points to a section containing
 algorithm commands.
 
 Currently the only algorithm command supported is B<fips_mode> whose
-value should be a boolean string such as B<on> or B<off>. If the value is
-B<on> this attempt to enter FIPS mode. If the call fails or the library is
-not FIPS capable then an error occurs.
-
-For example:
-
- alg_section = evp_settings
-
- [evp_settings]
-
- fips_mode = on
+value can only be the boolean string B<off>. If B<fips_mode> is set to B<on>,
+an error occurs as this library version is not FIPS capable.
 
 =head2 SSL Configuration Module
 
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index df6e04523c..c6e15a5aa3 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -40,11 +40,7 @@ extern "C" {
  *  major minor fix final patch/beta)
  */
 # define OPENSSL_VERSION_NUMBER  0x10101000L
-# ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1-fips-dev  xx XXX xxxx"
-# else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1-dev  xx XXX xxxx"
-# endif
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1-dev  xx XXX xxxx"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index df7d012049..84f54cbabd 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1119,13 +1119,6 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
             EVP_MD_CTX_free(hmac);
             return 0;
         }
-        if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
-            if (!tls_fips_digest_extra(ssl->enc_read_ctx,
-                                       mac_ctx, rec->input,
-                                       rec->length, rec->orig_len)) {
-                EVP_MD_CTX_free(hmac);
-                return 0;
-            }
     }
 
     EVP_MD_CTX_free(hmac);
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 3a757455b0..186ab174ba 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -89,8 +89,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
  */
 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 {
-    if (FIPS_mode())
-        return 0;
     switch (EVP_MD_CTX_type(ctx)) {
     case NID_md5:
     case NID_sha1:
@@ -483,49 +481,3 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
     EVP_MD_CTX_free(md_ctx);
     return 0;
 }
-
-/*
- * Due to the need to use EVP in FIPS mode we can't reimplement digests but
- * we can ensure the number of blocks processed is equal for all cases by
- * digesting additional data.
- */
-
-int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
-                          EVP_MD_CTX *mac_ctx, const unsigned char *data,
-                          size_t data_len, size_t orig_len)
-{
-    size_t block_size, digest_pad, blocks_data, blocks_orig;
-    if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
-        return 1;
-    block_size = EVP_MD_CTX_block_size(mac_ctx);
-    /*-
-     * We are in FIPS mode if we get this far so we know we have only SHA*
-     * digests and TLS to deal with.
-     * Minimum digest padding length is 17 for SHA384/SHA512 and 9
-     * otherwise.
-     * Additional header is 13 bytes. To get the number of digest blocks
-     * processed round up the amount of data plus padding to the nearest
-     * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
-     * So we have:
-     * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
-     * equivalently:
-     * blocks = (payload_len + digest_pad + 12)/block_size + 1
-     * HMAC adds a constant overhead.
-     * We're ultimately only interested in differences so this becomes
-     * blocks = (payload_len + 29)/128
-     * for SHA384/SHA512 and
-     * blocks = (payload_len + 21)/64
-     * otherwise.
-     */
-    digest_pad = block_size == 64 ? 21 : 29;
-    blocks_orig = (orig_len + digest_pad) / block_size;
-    blocks_data = (data_len + digest_pad) / block_size;
-    /*
-     * MAC enough blocks to make up the difference between the original and
-     * actual lengths plus one extra block to ensure this is never a no op.
-     * The "data" pointer should always have enough space to perform this
-     * operation as it is large enough for a maximum length TLS buffer.
-     */
-    return EVP_DigestSignUpdate(mac_ctx, data,
-                                (blocks_orig - blocks_data + 1) * block_size);
-}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index e64e3da32e..0b60debdd9 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -577,9 +577,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
             s->ssl_version < TLS1_VERSION)
             return 1;
 
-        if (FIPS_mode())
-            return 1;
-
         if (c->algorithm_enc == SSL_RC4 &&
             c->algorithm_mac == SSL_MD5 &&
             (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
@@ -687,8 +684,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
         /* drop those that use any of that is not available */
         if (c == NULL || !c->valid)
             continue;
-        if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
-            continue;
         if ((c->algorithm_mkey & disabled_mkey) ||
             (c->algorithm_auth & disabled_auth) ||
             (c->algorithm_enc & disabled_enc) ||
@@ -1495,8 +1490,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
      * to the resulting precedence to the STACK_OF(SSL_CIPHER).
      */
     for (curr = head; curr != NULL; curr = curr->next) {
-        if (curr->active
-            && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+        if (curr->active) {
             if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
                 OPENSSL_free(co_list);
                 sk_SSL_CIPHER_free(cipherstack);
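Review bot: Once the condition is reduced to `if (curr->active) {`, none of the code visible in this patch still reads `SSL_FIPS` from `algo_strength`, and the last visible test of `SSL_METHOD_NO_FIPS` is removed in `ssl/statem/statem_lib.c`. The diffstat shows `ssl/ssl_locl.h` losing only the `tls_fips_digest_extra` prototype, so if those flags are defined there they remain, and a reader may assume they still filter ciphers or methods. Either remove them in a follow-up or mark the definitions, e.g. `/* no longer consulted: FIPS mode is not supported in this version */`. `ssl_create_cipher_list` starts and ends outside this hunk.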
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9382c2ed1d..39254f16f9 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2504,11 +2504,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
         return NULL;
 
-    if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
-        return NULL;
-    }
-
     if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
         goto err;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ac8c826a0a..565fa36f9b 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2358,10 +2358,6 @@ __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
                                   const unsigned char *mac_secret,
                                   size_t mac_secret_length, char is_sslv3);
 
-__owur int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
-                                 EVP_MD_CTX *mac_ctx, const unsigned char *data,
-                                 size_t data_len, size_t orig_len);
-
 __owur int srp_generate_server_master_secret(SSL *s);
 __owur int srp_generate_client_master_secret(SSL *s);
 __owur int srp_verify_server_param(SSL *s, int *al);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c871c00c0c..ed1ecce160 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1321,8 +1321,6 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
         return SSL_R_UNSUPPORTED_PROTOCOL;
     if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
         return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
-    else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode())
-        return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE;
 
     return 0;
 }
@@ -1680,7 +1678,7 @@ int ssl_choose_client_version(SSL *s, int version)
  * Work out what version we should be using for the initial ClientHello if the
  * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
  * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
- * or FIPS_mode() constraints and any floor imposed by the security level here,
+ * constraints and any floor imposed by the security level here,
  * so we don't advertise the wrong protocol version to only reject the outcome later.
  *
  * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 1bfa983122..649215d9b7 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -699,9 +699,6 @@ static void sv_usage(void)
 {
     fprintf(stderr, "usage: ssltest [args ...]\n");
     fprintf(stderr, "\n");
-#ifdef OPENSSL_FIPS
-    fprintf(stderr, "-F             - run test in FIPS mode\n");
-#endif
     fprintf(stderr, " -server_auth  - check server certificate\n");
     fprintf(stderr, " -client_auth  - do client authentication\n");
     fprintf(stderr, " -v            - more output\n");
@@ -988,9 +985,6 @@ int main(int argc, char *argv[])
     int n, comp = 0;
     COMP_METHOD *cm = NULL;
     STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
-#endif
-#ifdef OPENSSL_FIPS
-    int fips_mode = 0;
 #endif
     int no_protocol;
     int min_version = 0, max_version = 0;
@@ -1060,13 +1054,9 @@ int main(int argc, char *argv[])
 
     while (argc >= 1) {
         if (strcmp(*argv, "-F") == 0) {
-#ifdef OPENSSL_FIPS
-            fips_mode = 1;
-#else
             fprintf(stderr,
                     "not compiled with FIPS support, so exiting without running.\n");
             EXIT(0);
-#endif
         } else if (strcmp(*argv, "-server_auth") == 0)
             server_auth = 1;
         else if (strcmp(*argv, "-client_auth") == 0)
@@ -1383,15 +1373,6 @@ int main(int argc, char *argv[])
                 "to avoid protocol mismatch.\n");
         EXIT(1);
     }
-#ifdef OPENSSL_FIPS
-    if (fips_mode) {
-        if (!FIPS_mode_set(1)) {
-            ERR_print_errors(bio_err);
-            EXIT(1);
-        } else
-            fprintf(stderr, "*** IN FIPS MODE ***\n");
-    }
-#endif
 
     if (print_time) {
         if (bio_type != BIO_PAIR) {
-- 
2.40.0