Clean up references to FIPS

This removes the fips configure option. This option is broken as the required FIPS code is not available. FIPS_mode() and FIPS_mode_set() are retained for compatibility, but FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to turn FIPS mode off. Reviewed-by: Stephen Henson <steve@openssl.org>
author: Emilia Kasper <emilia@openssl.org> 2017-02-28 12:30:28 +0100
committer: Emilia Kasper <emilia@openssl.org> 2017-02-28 15:26:25 +0100
commit: b53338cbf8822dd774f9e4057307f347d2b63ff0 (patch)
tree: 762d5194d048f5ae4d156b769115ca8f3b5b4155 /crypto
parent: 223a90cc9a94d1f6abf04ef28dc30b03c3e5e0c1 (diff)
12 files changed, 4 insertions, 77 deletions
diff --git a/crypto/aes/asm/aes-mips.pl b/crypto/aes/asm/aes-mips.pl
index 0eb1474a3a..ba3e4545df 100644
--- a/crypto/aes/asm/aes-mips.pl
+++ b/crypto/aes/asm/aes-mips.pl
@@ -105,10 +105,6 @@ $code.=<<___;
 #include "mips_arch.h"
 
 .text
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
 #if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__))
 .option	pic2
 #endif
diff --git a/crypto/bn/asm/sparcv8plus.S b/crypto/bn/asm/sparcv8plus.S
index 714a136675..f3c611ae31 100644
--- a/crypto/bn/asm/sparcv8plus.S
+++ b/crypto/bn/asm/sparcv8plus.S
@@ -144,10 +144,6 @@
  *	    }
  */
 
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
 #if defined(__SUNPRO_C) && defined(__sparcv9)
   /* They've said -xarch=v9 at command line */
   .register	%g2,#scratch
diff --git a/crypto/des/asm/des_enc.m4 b/crypto/des/asm/des_enc.m4
index 2d794d3374..c1f6391f53 100644
--- a/crypto/des/asm/des_enc.m4
+++ b/crypto/des/asm/des_enc.m4
@@ -31,10 +31,6 @@
 
 #include <openssl/opensslconf.h>
 
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
 #if defined(__SUNPRO_C) && defined(__sparcv9)
 # define ABI64  /* They've said -xarch=v9 at command line */
 #elif defined(__GNUC__) && defined(__arch64__)
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index 3b1304f8e0..6cc8c8f20b 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -31,9 +31,6 @@
 #include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
 #include <openssl/ts.h>
 #include <openssl/cms.h>
 #include <openssl/ct.h>
@@ -43,9 +40,6 @@
 int err_load_crypto_strings_int(void)
 {
     if (
-#ifdef OPENSSL_FIPS
-        FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 ||
-#endif
 #ifndef OPENSSL_NO_ERR
         ERR_load_ERR_strings() == 0 ||    /* include error strings for SYSerr */
         ERR_load_BN_strings() == 0 ||
@@ -91,9 +85,6 @@ int err_load_crypto_strings_int(void)
 #ifndef OPENSSL_NO_UI
         ERR_load_UI_strings() == 0 ||
 #endif
-# ifdef OPENSSL_FIPS
-        ERR_load_FIPS_strings() == 0 ||
-# endif
 # ifndef OPENSSL_NO_CMS
         ERR_load_CMS_strings() == 0 ||
 # endif
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 71d13b8df0..d0d61b28be 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -38,16 +38,8 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
                 return 0;
             }
             if (m > 0) {
-#ifdef OPENSSL_FIPS
-                if (!FIPS_mode() && !FIPS_mode_set(1)) {
-                    EVPerr(EVP_F_ALG_MODULE_INIT,
-                           EVP_R_ERROR_SETTING_FIPS_MODE);
-                    return 0;
-                }
-#else
                 EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED);
                 return 0;
-#endif
             }
         } else {
             EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION);
diff --git a/crypto/o_fips.c b/crypto/o_fips.c
index bf6db65fed..050ea9c216 100644
--- a/crypto/o_fips.c
+++ b/crypto/o_fips.c
@@ -8,27 +8,17 @@
  */
 
 #include "internal/cryptlib.h"
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
 
 int FIPS_mode(void)
 {
-#ifdef OPENSSL_FIPS
-    return FIPS_module_mode();
-#else
+    /* This version of the library does not support FIPS mode. */
     return 0;
-#endif
 }
 
 int FIPS_mode_set(int r)
 {
-#ifdef OPENSSL_FIPS
-    return FIPS_module_mode_set(r);
-#else
     if (r == 0)
         return 1;
     CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
     return 0;
-#endif
 }
diff --git a/crypto/o_init.c b/crypto/o_init.c
index 2e0c126095..5eb7654d32 100644
--- a/crypto/o_init.c
+++ b/crypto/o_init.c
@@ -9,26 +9,13 @@
 
 #include <e_os.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-# include <openssl/rand.h>
-#endif
 
 /*
- * Perform any essential OpenSSL initialization operations. Currently only
- * sets FIPS callbacks
+ * Perform any essential OpenSSL initialization operations. Currently does
+ * nothing.
  */
 
 void OPENSSL_init(void)
 {
-    static int done = 0;
-    if (done)
-        return;
-    done = 1;
-#ifdef OPENSSL_FIPS
-    FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
-    FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
-    FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
-    RAND_init_fips();
-#endif
+    return;
 }
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 78da14a8e6..8cbfae170f 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -29,10 +29,6 @@
 
 #include <internal/thread_once.h>
 
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
-
 #if defined(BN_DEBUG) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
 # define PREDICT
 #endif
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 238712671b..fc47dc97a2 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -15,11 +15,6 @@
 
 #include <openssl/engine.h>
 
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-# include <openssl/fips_rand.h>
-#endif
-
 #ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
 static ENGINE *funct_ref = NULL;
diff --git a/crypto/sha/asm/sha1-mips.pl b/crypto/sha/asm/sha1-mips.pl
index d9911c8503..ab2924070a 100644
--- a/crypto/sha/asm/sha1-mips.pl
+++ b/crypto/sha/asm/sha1-mips.pl
@@ -342,10 +342,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000";
 $code=<<___;
 #include "mips_arch.h"
 
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
 .text
 
 .set	noat
diff --git a/crypto/sha/asm/sha512-mips.pl b/crypto/sha/asm/sha512-mips.pl
index 5464543db8..e6fd2687f8 100644
--- a/crypto/sha/asm/sha512-mips.pl
+++ b/crypto/sha/asm/sha512-mips.pl
@@ -304,10 +304,6 @@ $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0xc0fff008" : "0xc0ff0000";
 $code.=<<___;
 #include "mips_arch.h"
 
-#ifdef OPENSSL_FIPSCANISTER
-# include <openssl/fipssyms.h>
-#endif
-
 .text
 .set	noat
 #if !defined(__mips_eabi) && (!defined(__vxworks) || defined(__pic__))
diff --git a/crypto/sparccpuid.S b/crypto/sparccpuid.S
index c6ca224738..95acd2f9d4 100644
--- a/crypto/sparccpuid.S
+++ b/crypto/sparccpuid.S
@@ -5,10 +5,6 @@
 ! in the file LICENSE in the source distribution or at
 ! https://www.openssl.org/source/license.html
 
-#ifdef OPENSSL_FIPSCANISTER
-#include <openssl/fipssyms.h>
-#endif
-
 #if defined(__SUNPRO_C) && defined(__sparcv9)
 # define ABI64  /* They've said -xarch=v9 at command line */
 #elif defined(__GNUC__) && defined(__arch64__)
author	Emilia Kasper <emilia@openssl.org>	2017-02-28 12:30:28 +0100
committer	Emilia Kasper <emilia@openssl.org>	2017-02-28 15:26:25 +0100
commit	b53338cbf8822dd774f9e4057307f347d2b63ff0 (patch)
tree	762d5194d048f5ae4d156b769115ca8f3b5b4155 /crypto
parent	223a90cc9a94d1f6abf04ef28dc30b03c3e5e0c1 (diff)