remove FIPS module code from crypto/ecdsa
authorDr. Stephen Henson <steve@openssl.org>
Sun, 19 Oct 2014 00:11:59 +0000 (01:11 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 8 Dec 2014 13:25:38 +0000 (13:25 +0000)
Reviewed-by: Tim Hudson <tjh@openssl.org>
crypto/ec/ec_key.c
crypto/ecdsa/ecdsa.h
crypto/ecdsa/ecs_ossl.c

index b88094c..b276f9d 100644 (file)
@@ -233,71 +233,6 @@ int EC_KEY_up_ref(EC_KEY *r)
        return ((i > 1) ? 1 : 0);
        }
 
-#ifdef OPENSSL_FIPS
-
-#include <openssl/evp.h>
-#include <openssl/fips.h>
-#include <openssl/fips_rand.h>
-
-static int fips_check_ec(EC_KEY *key)
-       {
-       EVP_PKEY pk;
-       unsigned char tbs[] = "ECDSA Pairwise Check Data";
-       pk.type = EVP_PKEY_EC;
-       pk.pkey.ec = key;
-
-       if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE,
-                                       &pk, tbs, 0, NULL, 0, NULL, 0, NULL))
-               {
-               FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED);
-               fips_set_selftest_fail();
-               return 0;
-               }
-       return 1;
-       }
-
-int fips_check_ec_prng(EC_KEY *ec)
-       {
-       int bits, strength;
-       if (!FIPS_module_mode())
-               return 1;
-
-       if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED))
-               return 1;
-
-       if (!ec->group)
-               return 1;
-
-       bits = BN_num_bits(&ec->group->order);
-
-       if (bits < 160)
-               {
-               FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_KEY_TOO_SHORT);
-               return 0;
-               }
-       /* Comparable algorithm strengths: from SP800-57 table 2 */
-       if (bits >= 512)
-               strength = 256;
-       else if (bits >= 384)
-               strength = 192;
-       else if (bits >= 256)
-               strength = 128;
-       else if (bits >= 224)
-               strength = 112;
-       else
-               strength = 80;
-
-
-       if (FIPS_rand_strength() >= strength)
-               return 1;
-
-       FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_PRNG_STRENGTH_TOO_LOW);
-       return 0;
-
-       }
-
-#endif
-
 int EC_KEY_generate_key(EC_KEY *eckey)
        {       
        int     ok = 0;
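Review bot: The deleted `fips_check_ec_prng()` had external linkage and was called from crypto/ecdsa/ecs_ossl.c, so its prototype presumably sits in a header outside the three files this commit touches and is left behind as a dangling declaration. In the lines shown, `EC_FLAG_NON_FIPS_ALLOW` and `EC_FLAG_FIPS_CHECKED` are tested only by the deleted code, so they may now be flags that nothing reads. If no other caller remains, drop the prototype in the same change, and either remove the flags or mark them with a comment such as `/* retained for source compatibility only; no longer consulted */`, so that nobody assumes setting them still gates key generation or signing. It would also help to state in the commit message that the 160-bit minimum order check and the PRNG-strength comparison are gone with no replacement, since this hunk and the ecs_ossl.c hunks remove every call to them.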
@@ -305,14 +240,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
        BIGNUM  *priv_key = NULL, *order = NULL;
        EC_POINT *pub_key = NULL;
 
-#ifdef OPENSSL_FIPS
-       if(FIPS_selftest_failed())
-               {
-               FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
-               return 0;
-               }
-#endif
-
        if (!eckey || !eckey->group)
                {
                ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
@@ -334,11 +261,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
        if (!EC_GROUP_get_order(eckey->group, order, ctx))
                goto err;
 
-#ifdef OPENSSL_FIPS
-       if (!fips_check_ec_prng(eckey))
-               goto err;
-#endif
-
        do
                if (!BN_rand_range(priv_key, order))
                        goto err;
@@ -359,15 +281,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
        eckey->priv_key = priv_key;
        eckey->pub_key  = pub_key;
 
-#ifdef OPENSSL_FIPS
-       if(!fips_check_ec(eckey))
-               {
-               eckey->priv_key = NULL;
-               eckey->pub_key  = NULL;
-               goto err;
-               }
-#endif
-
        ok=1;
 
 err:   
index 4f8197c..28a4d1c 100644 (file)
@@ -228,22 +228,6 @@ int          ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new
 int      ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
 void     *ECDSA_get_ex_data(EC_KEY *d, int idx);
 
-#ifdef OPENSSL_FIPS
-/* Standalone FIPS signature operations */
-ECDSA_SIG * FIPS_ecdsa_sign_digest(EC_KEY *key,
-                                       const unsigned char *dig, int dlen);
-ECDSA_SIG * FIPS_ecdsa_sign_ctx(EC_KEY *key, EVP_MD_CTX *ctx);
-int FIPS_ecdsa_verify_digest(EC_KEY *key,
-                       const unsigned char *dig, int dlen, ECDSA_SIG *s);
-int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s);
-int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen,
-                       const EVP_MD *mhash, ECDSA_SIG *s);
-ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
-                       const unsigned char *msg, size_t msglen,
-                       const EVP_MD *mhash);
-#endif
-
-
 /** Allocates and initialize a ECDSA_METHOD structure
  *  \param ecdsa_method pointer to ECDSA_METHOD to copy.  (May be NULL)
  *  \return pointer to a ECDSA_METHOD structure or NULL if an error occurred
index ec8e252..af5d4c2 100644 (file)
@@ -144,11 +144,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
                goto err;
        }
 
-#ifdef OPENSSL_FIPS
-       if (!fips_check_ec_prng(eckey))
-               goto err;
-#endif
-       
        do
        {
                /* get random k */      
@@ -289,14 +284,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
        ECDSA_DATA *ecdsa;
        const BIGNUM *priv_key;
 
-#ifdef OPENSSL_FIPS
-       if(FIPS_selftest_failed())
-               {
-               FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-               return NULL;
-               }
-#endif
-
        ecdsa    = ecdsa_check(eckey);
        group    = EC_KEY_get0_group(eckey);
        priv_key = EC_KEY_get0_private_key(eckey);
@@ -307,11 +294,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                return NULL;
        }
 
-#ifdef OPENSSL_FIPS
-       if (!fips_check_ec_prng(eckey))
-               return NULL;
-#endif
-
        ret = ECDSA_SIG_new();
        if (!ret)
        {
@@ -432,14 +414,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
        const EC_GROUP *group;
        const EC_POINT *pub_key;
 
-#ifdef OPENSSL_FIPS
-       if(FIPS_selftest_failed())
-               {
-               FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-               return -1;
-               }
-#endif
-
        /* check input values */
        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
            (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)