From dbfbe10a1ffe6bf0ce53caf9814f624d1dd36276 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sun, 19 Oct 2014 01:11:59 +0100
Subject: [PATCH] remove FIPS module code from crypto/ecdsa

Reviewed-by: Tim Hudson <tjh@openssl.org>
---
 crypto/ec/ec_key.c      | 87 -----------------------------------------
 crypto/ecdsa/ecdsa.h    | 16 --------
 crypto/ecdsa/ecs_ossl.c | 26 ------------
 3 files changed, 129 deletions(-)

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index b88094c19d..b276f9d23b 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -233,71 +233,6 @@ int EC_KEY_up_ref(EC_KEY *r)
 	return ((i > 1) ? 1 : 0);
 	}
 
-#ifdef OPENSSL_FIPS
-
-#include <openssl/evp.h>
-#include <openssl/fips.h>
-#include <openssl/fips_rand.h>
-
-static int fips_check_ec(EC_KEY *key)
-	{
-	EVP_PKEY pk;
-	unsigned char tbs[] = "ECDSA Pairwise Check Data";
-    	pk.type = EVP_PKEY_EC;
-    	pk.pkey.ec = key;
-
-	if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE,
-					&pk, tbs, 0, NULL, 0, NULL, 0, NULL))
-		{
-		FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED);
-		fips_set_selftest_fail();
-		return 0;
-		}
-	return 1;
-	}
-
-int fips_check_ec_prng(EC_KEY *ec)
-	{
-	int bits, strength;
-	if (!FIPS_module_mode())
-		return 1;
-
-	if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED))
-		return 1;
-
-	if (!ec->group)
-		return 1;
-
-	bits = BN_num_bits(&ec->group->order);
-
-	if (bits < 160)
-		{
-	    	FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_KEY_TOO_SHORT);
-		return 0;
-		}
-	/* Comparable algorithm strengths: from SP800-57 table 2 */
-	if (bits >= 512)
-		strength = 256;
-	else if (bits >= 384)
-		strength = 192;
-	else if (bits >= 256)
-		strength = 128;
-	else if (bits >= 224)
-		strength = 112;
-	else
-		strength = 80;
-
-
-	if (FIPS_rand_strength() >= strength)
-		return 1;
-
-	FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_PRNG_STRENGTH_TOO_LOW);
-	return 0;
-
-	}
-
-#endif
-
 int EC_KEY_generate_key(EC_KEY *eckey)
 	{	
 	int	ok = 0;
@@ -305,14 +240,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	BIGNUM	*priv_key = NULL, *order = NULL;
 	EC_POINT *pub_key = NULL;
 
-#ifdef OPENSSL_FIPS
-	if(FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
-		return 0;
-		}
-#endif
-
 	if (!eckey || !eckey->group)
 		{
 		ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
@@ -334,11 +261,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	if (!EC_GROUP_get_order(eckey->group, order, ctx))
 		goto err;
 
-#ifdef OPENSSL_FIPS
-	if (!fips_check_ec_prng(eckey))
-		goto err;
-#endif
-
 	do
 		if (!BN_rand_range(priv_key, order))
 			goto err;
@@ -359,15 +281,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	eckey->priv_key = priv_key;
 	eckey->pub_key  = pub_key;
 
-#ifdef OPENSSL_FIPS
-	if(!fips_check_ec(eckey))
-		{
-		eckey->priv_key = NULL;
-		eckey->pub_key  = NULL;
-	    	goto err;
-		}
-#endif
-
 	ok=1;
 
 err:	
diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
index 4f8197c334..28a4d1c847 100644
--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -228,22 +228,6 @@ int 	  ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new
 int 	  ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
 void 	  *ECDSA_get_ex_data(EC_KEY *d, int idx);
 
-#ifdef OPENSSL_FIPS
-/* Standalone FIPS signature operations */
-ECDSA_SIG * FIPS_ecdsa_sign_digest(EC_KEY *key,
-					const unsigned char *dig, int dlen);
-ECDSA_SIG * FIPS_ecdsa_sign_ctx(EC_KEY *key, EVP_MD_CTX *ctx);
-int FIPS_ecdsa_verify_digest(EC_KEY *key,
-			const unsigned char *dig, int dlen, ECDSA_SIG *s);
-int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s);
-int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen,
-			const EVP_MD *mhash, ECDSA_SIG *s);
-ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
-			const unsigned char *msg, size_t msglen,
-			const EVP_MD *mhash);
-#endif
-
-
 /** Allocates and initialize a ECDSA_METHOD structure
  *  \param ecdsa_method pointer to ECDSA_METHOD to copy.  (May be NULL)
  *  \return pointer to a ECDSA_METHOD structure or NULL if an error occurred
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index ec8e252342..af5d4c2468 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -144,11 +144,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 		goto err;
 	}
 
-#ifdef OPENSSL_FIPS
-	if (!fips_check_ec_prng(eckey))
-		goto err;
-#endif
-	
 	do
 	{
 		/* get random k */	
@@ -289,14 +284,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 	ECDSA_DATA *ecdsa;
 	const BIGNUM *priv_key;
 
-#ifdef OPENSSL_FIPS
-	if(FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-		return NULL;
-		}
-#endif
-
 	ecdsa    = ecdsa_check(eckey);
 	group    = EC_KEY_get0_group(eckey);
 	priv_key = EC_KEY_get0_private_key(eckey);
@@ -307,11 +294,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 		return NULL;
 	}
 
-#ifdef OPENSSL_FIPS
-	if (!fips_check_ec_prng(eckey))
-		return NULL;
-#endif
-
 	ret = ECDSA_SIG_new();
 	if (!ret)
 	{
@@ -432,14 +414,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
 	const EC_GROUP *group;
 	const EC_POINT *pub_key;
 
-#ifdef OPENSSL_FIPS
-	if(FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-		return -1;
-		}
-#endif
-
 	/* check input values */
 	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
 	    (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
-- 
2.40.0