Clean up references to FIPS

This removes the fips configure option. This option is broken as the
required FIPS code is not available.

FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.

Reviewed-by: Stephen Henson <steve@openssl.org>

6 files changed, 2 insertions, 74 deletions

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index df7d012049..84f54cbabd 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1119,13 +1119,6 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
             EVP_MD_CTX_free(hmac);
             return 0;
         }
-        if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
-            if (!tls_fips_digest_extra(ssl->enc_read_ctx,
-                                       mac_ctx, rec->input,
-                                       rec->length, rec->orig_len)) {
-                EVP_MD_CTX_free(hmac);
-                return 0;
-            }
     }
 
     EVP_MD_CTX_free(hmac);
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 3a757455b0..186ab174ba 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -89,8 +89,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
  */
 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 {
-    if (FIPS_mode())
-        return 0;
     switch (EVP_MD_CTX_type(ctx)) {
     case NID_md5:
     case NID_sha1:
@@ -483,49 +481,3 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
     EVP_MD_CTX_free(md_ctx);
     return 0;
 }
-
-/*
- * Due to the need to use EVP in FIPS mode we can't reimplement digests but
- * we can ensure the number of blocks processed is equal for all cases by
- * digesting additional data.
- */
-
-int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
-                          EVP_MD_CTX *mac_ctx, const unsigned char *data,
-                          size_t data_len, size_t orig_len)
-{
-    size_t block_size, digest_pad, blocks_data, blocks_orig;
-    if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
-        return 1;
-    block_size = EVP_MD_CTX_block_size(mac_ctx);
-    /*-
-     * We are in FIPS mode if we get this far so we know we have only SHA*
-     * digests and TLS to deal with.
-     * Minimum digest padding length is 17 for SHA384/SHA512 and 9
-     * otherwise.
-     * Additional header is 13 bytes. To get the number of digest blocks
-     * processed round up the amount of data plus padding to the nearest
-     * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
-     * So we have:
-     * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
-     * equivalently:
-     * blocks = (payload_len + digest_pad + 12)/block_size + 1
-     * HMAC adds a constant overhead.
-     * We're ultimately only interested in differences so this becomes
-     * blocks = (payload_len + 29)/128
-     * for SHA384/SHA512 and
-     * blocks = (payload_len + 21)/64
-     * otherwise.
-     */
-    digest_pad = block_size == 64 ? 21 : 29;
-    blocks_orig = (orig_len + digest_pad) / block_size;
-    blocks_data = (data_len + digest_pad) / block_size;
-    /*
-     * MAC enough blocks to make up the difference between the original and
-     * actual lengths plus one extra block to ensure this is never a no op.
-     * The "data" pointer should always have enough space to perform this
-     * operation as it is large enough for a maximum length TLS buffer.
-     */
-    return EVP_DigestSignUpdate(mac_ctx, data,
-                                (blocks_orig - blocks_data + 1) * block_size);
-}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index e64e3da32e..0b60debdd9 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -577,9 +577,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
             s->ssl_version < TLS1_VERSION)
             return 1;
 
-        if (FIPS_mode())
-            return 1;
-
         if (c->algorithm_enc == SSL_RC4 &&
             c->algorithm_mac == SSL_MD5 &&
             (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
@@ -687,8 +684,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
         /* drop those that use any of that is not available */
         if (c == NULL || !c->valid)
             continue;
-        if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
-            continue;
         if ((c->algorithm_mkey & disabled_mkey) ||
             (c->algorithm_auth & disabled_auth) ||
             (c->algorithm_enc & disabled_enc) ||
@@ -1495,8 +1490,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
      * to the resulting precedence to the STACK_OF(SSL_CIPHER).
      */
     for (curr = head; curr != NULL; curr = curr->next) {
-        if (curr->active
-            && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+        if (curr->active) {
             if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
                 OPENSSL_free(co_list);
                 sk_SSL_CIPHER_free(cipherstack);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9382c2ed1d..39254f16f9 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2504,11 +2504,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
         return NULL;
 
-    if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
-        return NULL;
-    }
-
     if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
         goto err;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ac8c826a0a..565fa36f9b 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2358,10 +2358,6 @@ __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
                                   const unsigned char *mac_secret,
                                   size_t mac_secret_length, char is_sslv3);
 
-__owur int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
-                                 EVP_MD_CTX *mac_ctx, const unsigned char *data,
-                                 size_t data_len, size_t orig_len);
-
 __owur int srp_generate_server_master_secret(SSL *s);
 __owur int srp_generate_client_master_secret(SSL *s);
 __owur int srp_verify_server_param(SSL *s, int *al);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c871c00c0c..ed1ecce160 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1321,8 +1321,6 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
         return SSL_R_UNSUPPORTED_PROTOCOL;
     if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
         return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
-    else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode())
-        return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE;
 
     return 0;
 }
@@ -1680,7 +1678,7 @@ int ssl_choose_client_version(SSL *s, int version)
  * Work out what version we should be using for the initial ClientHello if the
  * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
  * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
- * or FIPS_mode() constraints and any floor imposed by the security level here,
+ * constraints and any floor imposed by the security level here,
  * so we don't advertise the wrong protocol version to only reject the outcome later.
  *
  * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,