Remove OPENSSL_FIPS blocks.

Done with unifdef with some manual edits to remove empty lines. Change-Id: I40d163539cab8ef0e01e45b7dc6a1a0a37733c3e Reviewed-on: https://boringssl-review.googlesource.com/1097 Reviewed-by: Adam Langley <agl@google.com>
author: David Benjamin <davidben@chromium.org> 2014-07-04 00:07:28 +0400
committer: Adam Langley <agl@google.com> 2014-07-08 00:31:50 +0400
commit: 64f4c91b8954b1f13c2cf20faba15382dbc0462d (patch)
tree: 359943dbbe45243def0f534e4fffe485dfcfa7c1
parent: 6dbd73db5d58ec44304266012d23ff8d297eca55 (diff)
7 files changed, 0 insertions, 104 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 3336d770..2047a219 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -377,13 +377,6 @@ static int ssl23_client_hello(SSL *s)
 			version_major = TLS1_VERSION_MAJOR;
 			version_minor = TLS1_VERSION_MINOR;
 			}
-#ifdef OPENSSL_FIPS
-		else if(FIPS_mode())
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-			return -1;
-			}
-#endif
 		else if (version == SSL3_VERSION)
 			{
 			version_major = SSL3_VERSION_MAJOR;
@@ -610,13 +603,6 @@ static int ssl23_get_server_hello(SSL *s)
 		if ((p[2] == SSL3_VERSION_MINOR) &&
 			!(s->options & SSL_OP_NO_SSLv3))
 			{
-#ifdef OPENSSL_FIPS
-			if(FIPS_mode())
-				{
-				OPENSSL_PUT_ERROR(SSL, ssl23_get_server_hello, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-				goto err;
-				}
-#endif
 			s->version=SSL3_VERSION;
 			s->method=SSLv3_client_method();
 			}
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 55e503cf..3a40819e 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -423,14 +423,6 @@ int ssl23_get_client_hello(SSL *s)
 		goto err;
 		}
 
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && (s->version < TLS1_VERSION))
-		{
-		OPENSSL_PUT_ERROR(SSL, ssl23_get_client_hello, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-		goto err;
-		}
-#endif
-
 	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
 		{
 		/* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index e37c4e76..e39d488e 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -388,10 +388,6 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
  * which ssl3_cbc_digest_record supports. */
 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 	{
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode())
-		return 0;
-#endif
 	switch (EVP_MD_CTX_type(ctx))
 		{
 		case NID_md5:
@@ -737,50 +733,3 @@ void ssl3_cbc_digest_record(
 		*md_out_size = md_out_size_u;
 	EVP_MD_CTX_cleanup(&md_ctx);
 	}
-
-#ifdef OPENSSL_FIPS
-
-/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
- * we can ensure the number of blocks processed is equal for all cases
- * by digesting additional data.
- */
-
-void tls_fips_digest_extra(
-	const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
-	const unsigned char *data, size_t data_len, size_t orig_len)
-	{
-	size_t block_size, digest_pad, blocks_data, blocks_orig;
-	if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
-		return;
-	block_size = EVP_MD_CTX_block_size(mac_ctx);
-	/* We are in FIPS mode if we get this far so we know we have only SHA*
-	 * digests and TLS to deal with.
-	 * Minimum digest padding length is 17 for SHA384/SHA512 and 9
-	 * otherwise.
-	 * Additional header is 13 bytes. To get the number of digest blocks
-	 * processed round up the amount of data plus padding to the nearest
-	 * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
-	 * So we have:
-	 * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
-	 * equivalently:
-	 * blocks = (payload_len + digest_pad + 12)/block_size + 1
-	 * HMAC adds a constant overhead.
-	 * We're ultimately only interested in differences so this becomes
-	 * blocks = (payload_len + 29)/128
-	 * for SHA384/SHA512 and
-	 * blocks = (payload_len + 21)/64
-	 * otherwise.
-	 */
-	digest_pad = block_size == 64 ? 21 : 29;
-	blocks_orig = (orig_len + digest_pad)/block_size;
-	blocks_data = (data_len + digest_pad)/block_size;
-	/* MAC enough blocks to make up the difference between the original
-	 * and actual lengths plus one extra block to ensure this is never a
-	 * no op. The "data" pointer should always have enough space to
-	 * perform this operation as it is large enough for a maximum
-	 * length TLS buffer. 
-	 */
-	EVP_DigestSignUpdate(mac_ctx, data,
-				(blocks_orig - blocks_data + 1) * block_size);
-	}
-#endif
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 0becd826..766cc851 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -473,11 +473,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		    s->ssl_version < TLS1_VERSION)
 			return 1;
 
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			return 1;
-#endif
-
 		/* TODO(fork): enable the stitched cipher modes. */
 #if 0
 		if	(c->algorithm_enc == SSL_RC4 &&
@@ -677,9 +672,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 		c = ssl_method->get_cipher(i);
 		/* drop those that use any of that is not available */
 		if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
-		    (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
 		    !(c->algorithm_mkey & disabled_mkey) &&
 		    !(c->algorithm_auth & disabled_auth) &&
 		    !(c->algorithm_enc & disabled_enc) &&
@@ -1504,11 +1496,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 */
 	for (curr = head; curr != NULL; curr = curr->next)
 		{
-#ifdef OPENSSL_FIPS
-		if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
 		if (curr->active)
-#endif
 			{
 			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 			in_group_flags[num_in_group_flags++] = curr->in_group;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f0f81006..1e512cac 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1951,14 +1951,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 		return(NULL);
 		}
 
-#ifdef OPENSSL_FIPS
-	if (FIPS_mode() && (meth->version < TLS1_VERSION))	
-		{
-		OPENSSL_PUT_ERROR(SSL, SSL_CTX_new, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-		return NULL;
-		}
-#endif
-
 	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
 		{
 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_new, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index a995a490..dac71b4d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1255,13 +1255,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 		EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
 		t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
 		assert(t > 0);
-#ifdef OPENSSL_FIPS
-		if (!send && FIPS_mode())
-			tls_fips_digest_extra(
-	    				ssl->enc_read_ctx,
-					mac_ctx, rec->input,
-					rec->length, orig_len);
-#endif
 		}
 		
 	if (!stream_mac)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 0f37072b..b1f56a0f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3169,10 +3169,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
 		{
 #ifndef OPENSSL_NO_MD5
 		case TLSEXT_hash_md5:
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			return NULL;
-#endif
 		return EVP_md5();
 #endif
 #ifndef OPENSSL_NO_SHA
author	David Benjamin <davidben@chromium.org>	2014-07-04 00:07:28 +0400
committer	Adam Langley <agl@google.com>	2014-07-08 00:31:50 +0400
commit	64f4c91b8954b1f13c2cf20faba15382dbc0462d (patch)
tree	359943dbbe45243def0f534e4fffe485dfcfa7c1
parent	6dbd73db5d58ec44304266012d23ff8d297eca55 (diff)