Remove some unnecessary OPENSSL_FIPS references
FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS capable. Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
parent
0c1bd7f03f
commit
00b4ee7664
@ -356,14 +356,12 @@ static int ssl23_client_hello(SSL *s)
|
|||||||
version_major = TLS1_VERSION_MAJOR;
|
version_major = TLS1_VERSION_MAJOR;
|
||||||
version_minor = TLS1_VERSION_MINOR;
|
version_minor = TLS1_VERSION_MINOR;
|
||||||
}
|
}
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
else if(FIPS_mode())
|
else if(FIPS_mode())
|
||||||
{
|
{
|
||||||
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
|
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
|
||||||
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
else if (version == SSL3_VERSION)
|
else if (version == SSL3_VERSION)
|
||||||
{
|
{
|
||||||
version_major = SSL3_VERSION_MAJOR;
|
version_major = SSL3_VERSION_MAJOR;
|
||||||
@ -519,14 +517,12 @@ static int ssl23_get_server_hello(SSL *s)
|
|||||||
if ((p[2] == SSL3_VERSION_MINOR) &&
|
if ((p[2] == SSL3_VERSION_MINOR) &&
|
||||||
!(s->options & SSL_OP_NO_SSLv3))
|
!(s->options & SSL_OP_NO_SSLv3))
|
||||||
{
|
{
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if(FIPS_mode())
|
if(FIPS_mode())
|
||||||
{
|
{
|
||||||
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
|
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
|
||||||
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
s->version=SSL3_VERSION;
|
s->version=SSL3_VERSION;
|
||||||
s->method=SSLv3_client_method();
|
s->method=SSLv3_client_method();
|
||||||
}
|
}
|
||||||
|
@ -115,9 +115,6 @@
|
|||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
#include <openssl/objects.h>
|
#include <openssl/objects.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
#include <openssl/fips.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
static const SSL_METHOD *ssl23_get_server_method(int ver);
|
static const SSL_METHOD *ssl23_get_server_method(int ver);
|
||||||
int ssl23_get_client_hello(SSL *s);
|
int ssl23_get_client_hello(SSL *s);
|
||||||
@ -419,14 +416,12 @@ int ssl23_get_client_hello(SSL *s)
|
|||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if (FIPS_mode() && (s->version < TLS1_VERSION))
|
if (FIPS_mode() && (s->version < TLS1_VERSION))
|
||||||
{
|
{
|
||||||
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
|
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
|
||||||
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
|
if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
|
||||||
{
|
{
|
||||||
|
@ -353,10 +353,8 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
|
|||||||
* which ssl3_cbc_digest_record supports. */
|
* which ssl3_cbc_digest_record supports. */
|
||||||
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
|
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
|
||||||
{
|
{
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if (FIPS_mode())
|
if (FIPS_mode())
|
||||||
return 0;
|
return 0;
|
||||||
#endif
|
|
||||||
switch (EVP_MD_CTX_type(ctx))
|
switch (EVP_MD_CTX_type(ctx))
|
||||||
{
|
{
|
||||||
case NID_md5:
|
case NID_md5:
|
||||||
@ -705,8 +703,6 @@ void ssl3_cbc_digest_record(
|
|||||||
EVP_MD_CTX_cleanup(&md_ctx);
|
EVP_MD_CTX_cleanup(&md_ctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
|
|
||||||
/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
|
/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
|
||||||
* we can ensure the number of blocks processed is equal for all cases
|
* we can ensure the number of blocks processed is equal for all cases
|
||||||
* by digesting additional data.
|
* by digesting additional data.
|
||||||
@ -750,4 +746,3 @@ void tls_fips_digest_extra(
|
|||||||
EVP_DigestSignUpdate(mac_ctx, data,
|
EVP_DigestSignUpdate(mac_ctx, data,
|
||||||
(blocks_orig - blocks_data + 1) * block_size);
|
(blocks_orig - blocks_data + 1) * block_size);
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
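Review bot: With the `#ifdef OPENSSL_FIPS` removed in the previous hunk and this `#endif` removed here, tls_fips_digest_extra() is now compiled into every build rather than only FIPS-capable ones. Its prototype lives in a header that is not part of this diff; if that declaration is still wrapped in the same guard, a non-FIPS build will hit an implicit declaration at the call in tls1_mac(), so it is worth confirming the header was updated in step. Only the tail of the function is visible in this hunk; its body begins outside it.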
@ -156,9 +156,6 @@
|
|||||||
#include <openssl/objects.h>
|
#include <openssl/objects.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/md5.h>
|
#include <openssl/md5.h>
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
#include <openssl/fips.h>
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
#endif
|
#endif
|
||||||
|
@ -630,13 +630,11 @@ int ssl3_digest_cached_records(SSL *s)
|
|||||||
if ((mask & ssl_get_algorithm2(s)) && md)
|
if ((mask & ssl_get_algorithm2(s)) && md)
|
||||||
{
|
{
|
||||||
s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
|
s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if (EVP_MD_nid(md) == NID_md5)
|
if (EVP_MD_nid(md) == NID_md5)
|
||||||
{
|
{
|
||||||
EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
|
EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
|
||||||
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
|
EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
|
||||||
EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
|
EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
|
||||||
}
|
}
|
||||||
|
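Review bot: `EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)` for the MD5 digest now runs in every build, and nothing in the hunk says why MD5 has to be explicitly permitted at this point. A one-line comment above the `if (EVP_MD_nid(md) == NID_md5)` test, e.g. `/* MD5 is presumably needed for the pre-TLS1.2 handshake hash, so allow it even when FIPS mode would otherwise reject it */`, would keep a later cleanup from dropping the flag. The rest of ssl3_digest_cached_records lies outside the hunk.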
@ -643,10 +643,8 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
|
|||||||
s->ssl_version < TLS1_VERSION)
|
s->ssl_version < TLS1_VERSION)
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if (FIPS_mode())
|
if (FIPS_mode())
|
||||||
return 1;
|
return 1;
|
||||||
#endif
|
|
||||||
|
|
||||||
if (c->algorithm_enc == SSL_RC4 &&
|
if (c->algorithm_enc == SSL_RC4 &&
|
||||||
c->algorithm_mac == SSL_MD5 &&
|
c->algorithm_mac == SSL_MD5 &&
|
||||||
@ -826,9 +824,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
|
|||||||
c = ssl_method->get_cipher(i);
|
c = ssl_method->get_cipher(i);
|
||||||
/* drop those that use any of that is not available */
|
/* drop those that use any of that is not available */
|
||||||
if ((c != NULL) && c->valid &&
|
if ((c != NULL) && c->valid &&
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
|
(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
|
||||||
#endif
|
|
||||||
!(c->algorithm_mkey & disabled_mkey) &&
|
!(c->algorithm_mkey & disabled_mkey) &&
|
||||||
!(c->algorithm_auth & disabled_auth) &&
|
!(c->algorithm_auth & disabled_auth) &&
|
||||||
!(c->algorithm_enc & disabled_enc) &&
|
!(c->algorithm_enc & disabled_enc) &&
|
||||||
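Review bot: The FIPS cipher filter `(!FIPS_mode() || (c->algo_strength & SSL_FIPS))` is now written out in plain code twice: here in ssl_cipher_collect_ciphers and again in ssl_create_cipher_list in the hunk below, as `if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))`. With the preprocessor guards gone the two could share one file-scope helper, `static int ssl_cipher_fips_ok(const SSL_CIPHER *c) { return !FIPS_mode() || (c->algo_strength & SSL_FIPS); }`, so they cannot drift apart. The second copy also mixes `&&`, `||` and `&` without inner parentheses; `(curr->cipher->algo_strength & SSL_FIPS)` would match the first. Both enclosing functions extend beyond their hunks.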
@ -1615,11 +1611,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
|||||||
*/
|
*/
|
||||||
for (curr = head; curr != NULL; curr = curr->next)
|
for (curr = head; curr != NULL; curr = curr->next)
|
||||||
{
|
{
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
|
if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
|
||||||
#else
|
|
||||||
if (curr->active)
|
|
||||||
#endif
|
|
||||||
{
|
{
|
||||||
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
|
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
|
||||||
{
|
{
|
||||||
|
@ -1889,13 +1889,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
|||||||
return(NULL);
|
return(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if (FIPS_mode() && (meth->version < TLS1_VERSION))
|
if (FIPS_mode() && (meth->version < TLS1_VERSION))
|
||||||
{
|
{
|
||||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
|
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
|
||||||
{
|
{
|
||||||
|
@ -1054,13 +1054,11 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
|
|||||||
EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
|
EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
|
||||||
t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
|
t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
|
||||||
OPENSSL_assert(t > 0);
|
OPENSSL_assert(t > 0);
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
|
if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
|
||||||
tls_fips_digest_extra(
|
tls_fips_digest_extra(
|
||||||
ssl->enc_read_ctx,
|
ssl->enc_read_ctx,
|
||||||
mac_ctx, rec->input,
|
mac_ctx, rec->input,
|
||||||
rec->length, rec->orig_len);
|
rec->length, rec->orig_len);
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!stream_mac)
|
if (!stream_mac)
|
||||||
|
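Review bot: The body of `if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())` is a five-line call with no braces, and now that the surrounding `#ifdef` is gone nothing visually separates it from the `}` that follows. Bracing it and adding a why-comment would help, e.g. `/* Receive side without EtM: digest extra data so the number of blocks processed is the same in all cases (see tls_fips_digest_extra) */`, which is the rationale given at the function's definition. The rest of tls1_mac lies outside the hunk.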
@ -3599,10 +3599,8 @@ static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
|
|||||||
const EVP_MD *tls12_get_hash(unsigned char hash_alg)
|
const EVP_MD *tls12_get_hash(unsigned char hash_alg)
|
||||||
{
|
{
|
||||||
const tls12_hash_info *inf;
|
const tls12_hash_info *inf;
|
||||||
#ifndef OPENSSL_FIPS
|
|
||||||
if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
|
if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
|
||||||
return NULL;
|
return NULL;
|
||||||
#endif
|
|
||||||
inf = tls12_get_hash_info(hash_alg);
|
inf = tls12_get_hash_info(hash_alg);
|
||||||
if (!inf || !inf->mfunc)
|
if (!inf || !inf->mfunc)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
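Review bot: The guard dropped in this hunk was `#ifndef OPENSSL_FIPS`, not `#ifdef`, so the old check `if (hash_alg == TLSEXT_hash_md5 && FIPS_mode()) return NULL;` was compiled only into builds in which FIPS_mode() can never return non-zero and was dead there; removing the guard makes it active in FIPS-capable builds for the first time. That is a behavioural change rather than the pure cleanup the commit message describes, and deserves a sentence there plus a comment on the kept line such as `/* MD5 is not acceptable as a signature hash when FIPS mode is on */`. The remainder of tls12_get_hash is outside the hunk.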