Nuke OPENSSL_FIPS - having #ifdefs inside a #ifndef for the same thing

is amusing.

ok deraadt@

diff --git a/lib/libcrypto/evp/e_aes.c b/lib/libcrypto/evp/e_aes.c
index db0fdf8..fd1c345 100644 (file)
--- a/lib/libcrypto/evp/e_aes.c
+++ b/lib/libcrypto/evp/e_aes.c
@@ -56,7 +56,6 @@
 #include <assert.h>
 #include <openssl/aes.h>
 #include "evp_locl.h"
-#ifndef OPENSSL_FIPS
 #include "modes_lcl.h"
 #include <openssl/rand.h>
 
@@ -692,11 +691,6 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
        case EVP_CTRL_GCM_SET_IVLEN:
                if (arg <= 0)
                        return 0;
-#ifdef OPENSSL_FIPS
-               if (FIPS_module_mode() &&
-                   !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && arg < 12)
-                       return 0;
-#endif
                /* Allocate memory for IV if needed */
                if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
                        if (gctx->iv != c->iv)
@@ -1098,15 +1092,6 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        if (!out || !in || len < AES_BLOCK_SIZE)
                return 0;
 
-#ifdef OPENSSL_FIPS
-       /* Requirement of SP800-38E */
-       if (FIPS_module_mode() &&
-           !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
-           (len > (1UL << 20) * 16)) {
-               EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
-               return 0;
-       }
-#endif
        if (xctx->stream)
                (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
                    ctx->iv);
@@ -1279,4 +1264,3 @@ BLOCK_CIPHER_custom(NID_aes, 256, 1,12, ccm, CCM,
     EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
 
 #endif
-#endif

diff --git a/lib/libcrypto/evp/e_des3.c b/lib/libcrypto/evp/e_des3.c
index ddb069d..6463326 100644 (file)
--- a/lib/libcrypto/evp/e_des3.c
+++ b/lib/libcrypto/evp/e_des3.c
@@ -65,7 +65,6 @@
 #include <openssl/des.h>
 #include <openssl/rand.h>
 
-#ifndef OPENSSL_FIPS
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     const unsigned char *iv, int enc);
@@ -315,4 +314,3 @@ EVP_des_ede3(void)
        return &des_ede3_ecb;
 }
 #endif
-#endif

diff --git a/lib/libssl/src/crypto/evp/e_aes.c b/lib/libssl/src/crypto/evp/e_aes.c
index db0fdf8..fd1c345 100644 (file)
--- a/lib/libssl/src/crypto/evp/e_aes.c
+++ b/lib/libssl/src/crypto/evp/e_aes.c
@@ -56,7 +56,6 @@
 #include <assert.h>
 #include <openssl/aes.h>
 #include "evp_locl.h"
-#ifndef OPENSSL_FIPS
 #include "modes_lcl.h"
 #include <openssl/rand.h>
 
@@ -692,11 +691,6 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
        case EVP_CTRL_GCM_SET_IVLEN:
                if (arg <= 0)
                        return 0;
-#ifdef OPENSSL_FIPS
-               if (FIPS_module_mode() &&
-                   !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && arg < 12)
-                       return 0;
-#endif
                /* Allocate memory for IV if needed */
                if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
                        if (gctx->iv != c->iv)
@@ -1098,15 +1092,6 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        if (!out || !in || len < AES_BLOCK_SIZE)
                return 0;
 
-#ifdef OPENSSL_FIPS
-       /* Requirement of SP800-38E */
-       if (FIPS_module_mode() &&
-           !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
-           (len > (1UL << 20) * 16)) {
-               EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
-               return 0;
-       }
-#endif
        if (xctx->stream)
                (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
                    ctx->iv);
@@ -1279,4 +1264,3 @@ BLOCK_CIPHER_custom(NID_aes, 256, 1,12, ccm, CCM,
     EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
 
 #endif
-#endif

diff --git a/lib/libssl/src/crypto/evp/e_des3.c b/lib/libssl/src/crypto/evp/e_des3.c
index ddb069d..6463326 100644 (file)
--- a/lib/libssl/src/crypto/evp/e_des3.c
+++ b/lib/libssl/src/crypto/evp/e_des3.c
@@ -65,7 +65,6 @@
 #include <openssl/des.h>
 #include <openssl/rand.h>
 
-#ifndef OPENSSL_FIPS
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     const unsigned char *iv, int enc);
@@ -315,4 +314,3 @@ EVP_des_ede3(void)
        return &des_ede3_ecb;
 }
 #endif
-#endif