Commit 00b4ee76 authored by Dr. Stephen Henson

Remove some unnecessary OPENSSL_FIPS references



FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS
capable.
Reviewed-by: Tim Hudson <tjh@openssl.org>
parent 0c1bd7f0
+0 −4
@@ -356,14 +356,12 @@ static int ssl23_client_hello(SSL *s)
			version_major = TLS1_VERSION_MAJOR;
			version_minor = TLS1_VERSION_MINOR;
			}
#ifdef OPENSSL_FIPS
		else if(FIPS_mode())
			{
			SSLerr(SSL_F_SSL23_CLIENT_HELLO,
					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
			return -1;
			}
#endif
		else if (version == SSL3_VERSION)
			{
			version_major = SSL3_VERSION_MAJOR;
@@ -519,14 +517,12 @@ static int ssl23_get_server_hello(SSL *s)
		if ((p[2] == SSL3_VERSION_MINOR) &&
			!(s->options & SSL_OP_NO_SSLv3))
			{
#ifdef OPENSSL_FIPS
			if(FIPS_mode())
				{
				SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
				goto err;
				}
#endif
			s->version=SSL3_VERSION;
			s->method=SSLv3_client_method();
			}
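Review bot: The `else if(FIPS_mode())` branch in ssl23_client_hello rejects SSLv3 only because of where it sits in the chain, after the TLS1 branch and before `else if (version == SSL3_VERSION)`. Now that the branch is compiled into every build, that ordering dependency deserves a comment, for example `/* FIPS mode permits TLS only: keep this after every TLS branch and before the SSLv3 branch */`. Writing the condition explicitly, as ssl23_get_client_hello does with `FIPS_mode() && (s->version < TLS1_VERSION)`, would make a later reordering harmless. The start of the chain is outside the hunk, so that rewrite would need checking against the earlier branches.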
+0 −5
@@ -115,9 +115,6 @@
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif

static const SSL_METHOD *ssl23_get_server_method(int ver);
int ssl23_get_client_hello(SSL *s);
@@ -419,14 +416,12 @@ int ssl23_get_client_hello(SSL *s)
		goto err;
		}

#ifdef OPENSSL_FIPS
	if (FIPS_mode() && (s->version < TLS1_VERSION))
		{
		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		goto err;
		}
#endif

	if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
		{
+0 −5
@@ -353,10 +353,8 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
 * which ssl3_cbc_digest_record supports. */
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
	{
#ifdef OPENSSL_FIPS
	if (FIPS_mode())
		return 0;
#endif
	switch (EVP_MD_CTX_type(ctx))
		{
		case NID_md5:
@@ -705,8 +703,6 @@ void ssl3_cbc_digest_record(
	EVP_MD_CTX_cleanup(&md_ctx);
	}

#ifdef OPENSSL_FIPS

/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
 * we can ensure the number of blocks processed is equal for all cases
 * by digesting additional data.
@@ -750,4 +746,3 @@ void tls_fips_digest_extra(
	EVP_DigestSignUpdate(mac_ctx, data,
				(blocks_orig - blocks_data + 1) * block_size);
	}
#endif
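Review bot: The early `if (FIPS_mode()) return 0;` in ssl3_cbc_record_digest_supported carries no comment, and it is now present in every build, so a reader of a non-FIPS tree sees the constant-time digest path being declined with no reason given. The rationale exists only further down, in the comment above tls_fips_digest_extra, and should be repeated at the check: `/* FIPS mode must digest through EVP, so report unsupported here; block counts are equalised by tls_fips_digest_extra() instead */`. The callers are outside this section, so it is worth confirming that whoever receives 0 in FIPS mode does reach tls_fips_digest_extra. Otherwise the fallback would lose the timing equalisation that comment describes.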
+0 −3
@@ -156,9 +156,6 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+0 −2
@@ -630,13 +630,11 @@ int ssl3_digest_cached_records(SSL *s)
		if ((mask & ssl_get_algorithm2(s)) && md) 
			{
			s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
#ifdef OPENSSL_FIPS
			if (EVP_MD_nid(md) == NID_md5)
				{
				EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
						EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
				}
#endif
			EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
			EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
			} 
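Review bot: The result of `EVP_MD_CTX_create()` is stored in `s->s3->handshake_dgst[i]` and used on the next line without a NULL check. With the `#ifdef` gone, the `EVP_MD_CTX_set_flags(...)` call for MD5 is the first use of that pointer in all builds, not just FIPS-capable ones. An allocation failure would therefore hand a NULL context to it, and to `EVP_DigestInit_ex`/`EVP_DigestUpdate` after it. A guard such as `if (s->s3->handshake_dgst[i] == NULL)` that raises `ERR_R_MALLOC_FAILURE` and leaves through the function's existing failure path would close this. The return values of `EVP_DigestInit_ex` and `EVP_DigestUpdate` are also discarded here, so a digest that fails to initialise would go unnoticed in the handshake hash. ssl3_digest_cached_records begins and ends outside the hunk, so the exact error return has to be taken from the surrounding code.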