remove FIPS module code from crypto/ecdsa

Reviewed-by: N Tim Hudson <tjh@openssl.org>

remove FIPS module code from crypto/ecdsa
Reviewed-by: N Tim Hudson <tjh@openssl.org>
dbfbe10a · Dr. Stephen Henson · 1bfffe9b · dbfbe10a · dbfbe10a · dbfbe10a
隐藏空白更改
内联并排

Showing with 0 addition and 129 deletion

crypto/ec/ec_key.c crypto/ec/ec_key.c +0 -87

crypto/ecdsa/ecdsa.h crypto/ecdsa/ecdsa.h +0 -16

crypto/ecdsa/ecs_ossl.c crypto/ecdsa/ecs_ossl.c +0 -26

未找到文件。
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -233,71 +233,6 @@ int EC_KEY_up_ref(EC_KEY *r)
 	return ((i > 1) ? 1 : 0);
 	}

-#ifdef OPENSSL_FIPS
-
-#include <openssl/evp.h>
-#include <openssl/fips.h>
-#include <openssl/fips_rand.h>
-
-static int fips_check_ec(EC_KEY *key)
-	{
-	EVP_PKEY pk;
-	unsigned char tbs[] = "ECDSA Pairwise Check Data";
-    	pk.type = EVP_PKEY_EC;
-    	pk.pkey.ec = key;
-
-	if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE,
-					&pk, tbs, 0, NULL, 0, NULL, 0, NULL))
-		{
-		FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED);
-		fips_set_selftest_fail();
-		return 0;
-		}
-	return 1;
-	}
-
-int fips_check_ec_prng(EC_KEY *ec)
-	{
-	int bits, strength;
-	if (!FIPS_module_mode())
-		return 1;
-
-	if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED))
-		return 1;
-
-	if (!ec->group)
-		return 1;
-
-	bits = BN_num_bits(&ec->group->order);
-
-	if (bits < 160)
-		{
-	    	FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_KEY_TOO_SHORT);
-		return 0;
-		}
-	/* Comparable algorithm strengths: from SP800-57 table 2 */
-	if (bits >= 512)
-		strength = 256;
-	else if (bits >= 384)
-		strength = 192;
-	else if (bits >= 256)
-		strength = 128;
-	else if (bits >= 224)
-		strength = 112;
-	else
-		strength = 80;
-
-
-	if (FIPS_rand_strength() >= strength)
-		return 1;
-
-	FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_PRNG_STRENGTH_TOO_LOW);
-	return 0;
-
-	}
-
-#endif
-
 int EC_KEY_generate_key(EC_KEY *eckey)
 	{	
 	int	ok = 0;
@@ -305,14 +240,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	BIGNUM	*priv_key = NULL, *order = NULL;
 	EC_POINT *pub_key = NULL;

-#ifdef OPENSSL_FIPS
-	if(FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
-		return 0;
-		}
-#endif
-
 	if (!eckey || !eckey->group)
 		{
 		ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
@@ -334,11 +261,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	if (!EC_GROUP_get_order(eckey->group, order, ctx))
 		goto err;

-#ifdef OPENSSL_FIPS
-	if (!fips_check_ec_prng(eckey))
-		goto err;
-#endif
-
 	do
 		if (!BN_rand_range(priv_key, order))
 			goto err;
@@ -359,15 +281,6 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	eckey->priv_key = priv_key;
 	eckey->pub_key  = pub_key;

-#ifdef OPENSSL_FIPS
-	if(!fips_check_ec(eckey))
-		{
-		eckey->priv_key = NULL;
-		eckey->pub_key  = NULL;
-	    	goto err;
-		}
-#endif
-
 	ok=1;

 err:	

--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -228,22 +228,6 @@ int 	  ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new
 int 	  ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
 void 	  *ECDSA_get_ex_data(EC_KEY *d, int idx);

-#ifdef OPENSSL_FIPS
-/* Standalone FIPS signature operations */
-ECDSA_SIG * FIPS_ecdsa_sign_digest(EC_KEY *key,
-					const unsigned char *dig, int dlen);
-ECDSA_SIG * FIPS_ecdsa_sign_ctx(EC_KEY *key, EVP_MD_CTX *ctx);
-int FIPS_ecdsa_verify_digest(EC_KEY *key,
-			const unsigned char *dig, int dlen, ECDSA_SIG *s);
-int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s);
-int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen,
-			const EVP_MD *mhash, ECDSA_SIG *s);
-ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
-			const unsigned char *msg, size_t msglen,
-			const EVP_MD *mhash);
-#endif
-
-
 /** Allocates and initialize a ECDSA_METHOD structure
 *  \param ecdsa_method pointer to ECDSA_METHOD to copy.  (May be NULL)
 *  \return pointer to a ECDSA_METHOD structure or NULL if an error occurred

--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -144,11 +144,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 		goto err;
 	}

-#ifdef OPENSSL_FIPS
-	if (!fips_check_ec_prng(eckey))
-		goto err;
-#endif
-	
 	do
 	{
 		/* get random k */	
@@ -289,14 +284,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 	ECDSA_DATA *ecdsa;
 	const BIGNUM *priv_key;

-#ifdef OPENSSL_FIPS
-	if(FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-		return NULL;
-		}
-#endif
-
 	ecdsa    = ecdsa_check(eckey);
 	group    = EC_KEY_get0_group(eckey);
 	priv_key = EC_KEY_get0_private_key(eckey);
@@ -307,11 +294,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 		return NULL;
 	}

-#ifdef OPENSSL_FIPS
-	if (!fips_check_ec_prng(eckey))
-		return NULL;
-#endif
-
 	ret = ECDSA_SIG_new();
 	if (!ret)
 	{
@@ -432,14 +414,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
 	const EC_GROUP *group;
 	const EC_POINT *pub_key;

-#ifdef OPENSSL_FIPS
-	if(FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-		return -1;
-		}
-#endif
-
 	/* check input values */
 	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
 	    (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)