Remove some unnecessary OPENSSL_FIPS references
authorDr. Stephen Henson <steve@openssl.org>
Sat, 18 Oct 2014 19:14:36 +0000 (20:14 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 8 Dec 2014 13:18:43 +0000 (13:18 +0000)
FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS
capable.
Reviewed-by: Tim Hudson <tjh@openssl.org>
ssl/s23_clnt.c
ssl/s23_srvr.c
ssl/s3_cbc.c
ssl/s3_clnt.c
ssl/s3_enc.c
ssl/ssl_ciph.c
ssl/ssl_lib.c
ssl/t1_enc.c
ssl/t1_lib.c

index 37b3e23..80dd2ca 100644 (file)
@@ -356,14 +356,12 @@ static int ssl23_client_hello(SSL *s)
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
                        }
-#ifdef OPENSSL_FIPS
                else if(FIPS_mode())
                        {
                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
                        return -1;
                        }
-#endif
                else if (version == SSL3_VERSION)
                        {
                        version_major = SSL3_VERSION_MAJOR;
@@ -519,14 +517,12 @@ static int ssl23_get_server_hello(SSL *s)
                if ((p[2] == SSL3_VERSION_MINOR) &&
                        !(s->options & SSL_OP_NO_SSLv3))
                        {
-#ifdef OPENSSL_FIPS
                        if(FIPS_mode())
                                {
                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
                                goto err;
                                }
-#endif
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_client_method();
                        }
index cc91cc2..08aa5b6 100644 (file)
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 
 static const SSL_METHOD *ssl23_get_server_method(int ver);
 int ssl23_get_client_hello(SSL *s);
@@ -419,14 +416,12 @@ int ssl23_get_client_hello(SSL *s)
                goto err;
                }
 
-#ifdef OPENSSL_FIPS
        if (FIPS_mode() && (s->version < TLS1_VERSION))
                {
                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
                goto err;
                }
-#endif
 
        if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
                {
index 27f309e..6087ee3 100644 (file)
@@ -353,10 +353,8 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
  * which ssl3_cbc_digest_record supports. */
 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
        {
-#ifdef OPENSSL_FIPS
        if (FIPS_mode())
                return 0;
-#endif
        switch (EVP_MD_CTX_type(ctx))
                {
                case NID_md5:
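Review bot: The `if (FIPS_mode()) return 0;` at the top of ssl3_cbc_record_digest_supported now compiles into every build but carries no comment, so a reader of a non-FIPS tree has no idea why FIPS mode opts out of the constant-time CBC MAC path. The rationale is visible elsewhere in this commit (the tls_fips_digest_extra header comment: in FIPS mode digests must go through EVP, so block counts are equalised by digesting extra data instead), and a one-liner here would tie the two together: `/* FIPS mode must use EVP digests; tls1_mac() calls tls_fips_digest_extra() to equalise the block count instead. */`. The function's switch continues past the end of the hunk.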
@@ -705,8 +703,6 @@ void ssl3_cbc_digest_record(
        EVP_MD_CTX_cleanup(&md_ctx);
        }
 
-#ifdef OPENSSL_FIPS
-
 /* Due to the need to use EVP in FIPS mode we can't reimplement digests but
  * we can ensure the number of blocks processed is equal for all cases
  * by digesting additional data.
@@ -750,4 +746,3 @@ void tls_fips_digest_extra(
        EVP_DigestSignUpdate(mac_ctx, data,
                                (blocks_orig - blocks_data + 1) * block_size);
        }
-#endif
index ee0493f..c5f6ceb 100644 (file)
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
index 7765de1..f7de30b 100644 (file)
@@ -630,13 +630,11 @@ int ssl3_digest_cached_records(SSL *s)
                if ((mask & ssl_get_algorithm2(s)) && md) 
                        {
                        s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
-#ifdef OPENSSL_FIPS
                        if (EVP_MD_nid(md) == NID_md5)
                                {
                                EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                }
-#endif
                        EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
                        EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
                        } 
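Review bot: `EVP_MD_CTX_create()` on the line before the now-unconditional `EVP_MD_CTX_set_flags()` call is not checked for NULL, so an allocation failure dereferences a null pointer in every build (previously only FIPS builds took that branch before EVP_DigestInit_ex). A guard such as `if (s->s3->handshake_dgst[i] == NULL)` that bails out with whatever failure return ssl3_digest_cached_records uses would close that; the function's start and return convention are outside the hunk. It would also help to say why MD5 is exempted from the FIPS check here — presumably because the pre-TLS1.2 handshake hash needs MD5 alongside SHA-1 — e.g. `/* MD5 is still needed for the SSLv3/TLS1.0-1.1 handshake hash (confirm) */`.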
index a846c75..1599d79 100644 (file)
@@ -643,10 +643,8 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                    s->ssl_version < TLS1_VERSION)
                        return 1;
 
-#ifdef OPENSSL_FIPS
                if (FIPS_mode())
                        return 1;
-#endif
 
                if      (c->algorithm_enc == SSL_RC4 &&
                         c->algorithm_mac == SSL_MD5 &&
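Review bot: The early `if (FIPS_mode()) return 1;` in ssl_cipher_get_evp is undocumented, and now that it is compiled into non-FIPS builds too a reader has no local hint about what it is skipping. If my reading is right that the RC4/MD5 special case that follows (and whatever comes after it outside the hunk) selects combined cipher+MAC implementations, a one-line comment would help, e.g. `/* FIPS mode: do not substitute combined cipher+MAC implementations below. */`. The function begins and ends outside the hunk.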
@@ -826,9 +824,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                c = ssl_method->get_cipher(i);
                /* drop those that use any of that is not available */
                if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
                    (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
                    !(c->algorithm_mkey & disabled_mkey) &&
                    !(c->algorithm_auth & disabled_auth) &&
                    !(c->algorithm_enc & disabled_enc) &&
@@ -1615,11 +1611,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
-#ifdef OPENSSL_FIPS
                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
-               if (curr->active)
-#endif
                        {
                        if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
                                {
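Review bot: The surviving condition `if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))` is correct under C precedence (`&` binds tighter than `||`), but it omits the parentheses that the identical test in ssl_cipher_collect_ciphers uses (`(c->algo_strength & SSL_FIPS)`), and the line is well over 80 columns. For consistency and readability I would write it as `if (curr->active && (!FIPS_mode() || (curr->cipher->algo_strength & SSL_FIPS)))`, split across two lines. The loop body continues beyond the hunk.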
index 5543def..743204c 100644 (file)
@@ -1889,13 +1889,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
                return(NULL);
                }
 
-#ifdef OPENSSL_FIPS
        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
                {
                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
                return NULL;
                }
-#endif
 
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
index 1358bfb..59b3fdb 100644 (file)
@@ -1054,13 +1054,11 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
                EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
                t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
                OPENSSL_assert(t > 0);
-#ifdef OPENSSL_FIPS
                if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
                        tls_fips_digest_extra(
                                        ssl->enc_read_ctx,
                                        mac_ctx, rec->input,
                                        rec->length, rec->orig_len);
-#endif
                }
                
        if (!stream_mac)
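Review bot: With the `#ifdef OPENSSL_FIPS` removed, `tls_fips_digest_extra()` is now referenced from tls1_mac in every build, so its declaration must be unconditional too; the definition in s3_cbc.c is made unconditional by this commit, but the prototype (presumably in ssl_locl.h) is not in this diff, and if it is still guarded by `OPENSSL_FIPS` non-FIPS builds will see an implicit declaration — worth confirming. In a non-FIPS build `FIPS_mode()` is an out-of-line call that always returns 0, so this condition is evaluated on every received CBC record but the call is never taken; a brief comment such as `/* no-op unless FIPS mode: equalises digest block count for the timing side channel */` would save the next reader the trip to s3_cbc.c. tls1_mac continues past the end of the hunk.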
index 86c06e2..891cd1f 100644 (file)
@@ -3599,10 +3599,8 @@ static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
        {
        const tls12_hash_info *inf;
-#ifndef OPENSSL_FIPS
        if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
                return NULL;
-#endif
        inf = tls12_get_hash_info(hash_alg);
        if (!inf || !inf->mfunc)
                return NULL;
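Review bot: The guard removed here was `#ifndef OPENSSL_FIPS`, not `#ifdef`, so before this commit the MD5 rejection in tls12_get_hash was compiled out of exactly the builds that can enter FIPS mode and was dead code everywhere else; making it unconditional is a behaviour change for FIPS builds (MD5 is now refused as a TLS 1.2 signature hash in FIPS mode), not merely a cleanup. The commit message describes the whole change as removing unnecessary references and does not call this out; I would mention the inverted guard there or in a comment such as `/* FIPS mode: MD5 is not an acceptable TLS 1.2 signature hash */` above the check. The function's final return lies outside the hunk.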