remove FIPS module code from crypto/dsa

[openssl.git] / crypto / dsa / dsa_ossl.c

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index fb82c16d010ea1c3be8bd2e7ebeb43044003f9a6..bec13541b91f34c5aa18c2e829d7a5ec374493ea 100644 (file)
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -67,13 +67,10 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
-static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
+static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
                                      BIGNUM **kinvp, BIGNUM **rp,
                                      const unsigned char *dgst, int dlen);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -84,7 +81,7 @@ static int dsa_finish(DSA *dsa);
 static DSA_METHOD openssl_dsa_meth = {
 "OpenSSL DSA method",
 dsa_do_sign,
-dsa_sign_setup,
+dsa_sign_setup_no_digest,
 dsa_do_verify,
 NULL, /* dsa_mod_exp, */
 NULL, /* dsa_bn_mod_exp, */
@@ -146,23 +143,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        DSA_SIG *ret=NULL;
        int noredo = 0;
 
-#ifdef OPENSSL_FIPS
-       if(FIPS_selftest_failed())
-           {
-           FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-           return NULL;
-           }
-
-       if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
-               && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-               {
-               DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
-               return NULL;
-               }
-       if (!fips_check_dsa_prng(dsa, 0, 0))
-               goto err;
-#endif
-
        BN_init(&m);
        BN_init(&xr);
 
@@ -179,7 +159,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 redo:
        if ((dsa->kinv == NULL) || (dsa->r == NULL))
                {
-               if (!dsa_sign_setup_with_digest(dsa,ctx,&kinv,&r,dgst,dlen))
+               if (!dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen))
                        goto err;
                }
        else
@@ -239,12 +219,12 @@ err:
        return(ret);
        }
 
-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in,
                          BIGNUM **kinvp, BIGNUM **rp) {
-       return dsa_sign_setup_with_digest(dsa, ctx_in, kinvp, rp, NULL, 0);
+       return dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
 }
 
-static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
                                      BIGNUM **kinvp, BIGNUM **rp,
                                      const unsigned char *dgst, int dlen)
        {
@@ -372,21 +352,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                return -1;
                }
 
-#ifdef OPENSSL_FIPS
-       if(FIPS_selftest_failed())
-           {
-           FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-           return -1;
-           }
-
-       if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
-               && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-               {
-               DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
-               return -1;
-               }
-#endif
-
        if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
                {
                DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
@@ -449,9 +414,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
        ret=(BN_ucmp(&u1, sig->r) == 0);
 
        err:
-       /* XXX: surely this is wrong - if ret is 0, it just didn't verify;
-          there is no error in BN. Test should be ret == -1 (Ben) */
-       if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
+       if (ret < 0) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
        if (ctx != NULL) BN_CTX_free(ctx);
        BN_free(&u1);
        BN_free(&u2);