#14465: Update openssl to tag android-4.0.4_r2.1
diff --git a/jni/openssl/crypto/dsa/dsa.h b/jni/openssl/crypto/dsa/dsa.h
index a6f6d0b..ac50a5c 100644
--- a/jni/openssl/crypto/dsa/dsa.h
+++ b/jni/openssl/crypto/dsa/dsa.h
@@ -97,21 +97,6 @@
* be used for all exponents.
*/
-/* If this flag is set the DSA method is FIPS compliant and can be used
- * in FIPS mode. This is set in the validated module method. If an
- * application sets this flag in its own methods it is its reposibility
- * to ensure the result is compliant.
- */
-
-#define DSA_FLAG_FIPS_METHOD 0x0400
-
-/* If this flag is set the operations normally disabled in FIPS mode are
- * permitted it is then the applications responsibility to ensure that the
- * usage is compliant.
- */
-
-#define DSA_FLAG_NON_FIPS_ALLOW 0x0400
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -287,8 +272,6 @@
#define DSA_F_DSAPARAMS_PRINT_FP 101
#define DSA_F_DSA_DO_SIGN 112
#define DSA_F_DSA_DO_VERIFY 113
-#define DSA_F_DSA_GENERATE_KEY 124
-#define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
#define DSA_F_DSA_NEW_METHOD 103
#define DSA_F_DSA_PARAM_DECODE 119
#define DSA_F_DSA_PRINT_FP 105
@@ -299,7 +282,6 @@
#define DSA_F_DSA_SIGN 106
#define DSA_F_DSA_SIGN_SETUP 107
#define DSA_F_DSA_SIG_NEW 109
-#define DSA_F_DSA_SIG_PRINT 125
#define DSA_F_DSA_VERIFY 108
#define DSA_F_I2D_DSA_SIG 111
#define DSA_F_OLD_DSA_PRIV_DECODE 122
@@ -316,8 +298,6 @@
#define DSA_R_INVALID_DIGEST_TYPE 106
#define DSA_R_MISSING_PARAMETERS 101
#define DSA_R_MODULUS_TOO_LARGE 103
-#define DSA_R_NEED_NEW_SETUP_VALUES 110
-#define DSA_R_NON_FIPS_DSA_METHOD 111
#define DSA_R_NO_PARAMETERS_SET 107
#define DSA_R_PARAMETER_ENCODING_ERROR 105
diff --git a/jni/openssl/crypto/dsa/dsa_ameth.c b/jni/openssl/crypto/dsa/dsa_ameth.c
index 376156e..6413aae 100644
--- a/jni/openssl/crypto/dsa/dsa_ameth.c
+++ b/jni/openssl/crypto/dsa/dsa_ameth.c
@@ -542,52 +542,6 @@
return i2d_DSAPrivateKey(pkey->pkey.dsa, pder);
}
-static int dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
- const ASN1_STRING *sig,
- int indent, ASN1_PCTX *pctx)
- {
- DSA_SIG *dsa_sig;
- const unsigned char *p;
- if (!sig)
- {
- if (BIO_puts(bp, "\n") <= 0)
- return 0;
- else
- return 1;
- }
- p = sig->data;
- dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length);
- if (dsa_sig)
- {
- int rv = 0;
- size_t buf_len = 0;
- unsigned char *m=NULL;
- update_buflen(dsa_sig->r, &buf_len);
- update_buflen(dsa_sig->s, &buf_len);
- m = OPENSSL_malloc(buf_len+10);
- if (m == NULL)
- {
- DSAerr(DSA_F_DSA_SIG_PRINT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if (BIO_write(bp, "\n", 1) != 1)
- goto err;
-
- if (!ASN1_bn_print(bp,"r: ",dsa_sig->r,m,indent))
- goto err;
- if (!ASN1_bn_print(bp,"s: ",dsa_sig->s,m,indent))
- goto err;
- rv = 1;
- err:
- if (m)
- OPENSSL_free(m);
- DSA_SIG_free(dsa_sig);
- return rv;
- }
- return X509_signature_dump(bp, sig, indent);
- }
-
static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
{
switch (op)
@@ -693,7 +647,6 @@
dsa_copy_parameters,
dsa_cmp_parameters,
dsa_param_print,
- dsa_sig_print,
int_dsa_free,
dsa_pkey_ctrl,
diff --git a/jni/openssl/crypto/dsa/dsa_asn1.c b/jni/openssl/crypto/dsa/dsa_asn1.c
index 6058534..c37460b 100644
--- a/jni/openssl/crypto/dsa/dsa_asn1.c
+++ b/jni/openssl/crypto/dsa/dsa_asn1.c
@@ -61,7 +61,6 @@
#include <openssl/dsa.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
-#include <openssl/rand.h>
/* Override the default new methods */
static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -88,7 +87,7 @@
ASN1_SIMPLE(DSA_SIG, s, CBIGNUM)
} ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG)
-IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA_SIG, DSA_SIG, DSA_SIG)
+IMPLEMENT_ASN1_FUNCTIONS_const(DSA_SIG)
/* Override the default free and new methods */
static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -149,40 +148,3 @@
{
return ASN1_item_dup(ASN1_ITEM_rptr(DSAparams), dsa);
}
-
-int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
- unsigned int *siglen, DSA *dsa)
- {
- DSA_SIG *s;
- RAND_seed(dgst, dlen);
- s=DSA_do_sign(dgst,dlen,dsa);
- if (s == NULL)
- {
- *siglen=0;
- return(0);
- }
- *siglen=i2d_DSA_SIG(s,&sig);
- DSA_SIG_free(s);
- return(1);
- }
-
-/* data has already been hashed (probably with SHA or SHA-1). */
-/* returns
- * 1: correct signature
- * 0: incorrect signature
- * -1: error
- */
-int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
- const unsigned char *sigbuf, int siglen, DSA *dsa)
- {
- DSA_SIG *s;
- int ret=-1;
-
- s = DSA_SIG_new();
- if (s == NULL) return(ret);
- if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
- ret=DSA_do_verify(dgst,dgst_len,s,dsa);
-err:
- DSA_SIG_free(s);
- return(ret);
- }
diff --git a/jni/openssl/crypto/dsa/dsa_err.c b/jni/openssl/crypto/dsa/dsa_err.c
index 00545b7..bba984e 100644
--- a/jni/openssl/crypto/dsa/dsa_err.c
+++ b/jni/openssl/crypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
/* crypto/dsa/dsa_err.c */
/* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -76,8 +76,6 @@
{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
{ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
-{ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
-{ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX), "DSA_generate_parameters_ex"},
{ERR_FUNC(DSA_F_DSA_NEW_METHOD), "DSA_new_method"},
{ERR_FUNC(DSA_F_DSA_PARAM_DECODE), "DSA_PARAM_DECODE"},
{ERR_FUNC(DSA_F_DSA_PRINT_FP), "DSA_print_fp"},
@@ -88,7 +86,6 @@
{ERR_FUNC(DSA_F_DSA_SIGN), "DSA_sign"},
{ERR_FUNC(DSA_F_DSA_SIGN_SETUP), "DSA_sign_setup"},
{ERR_FUNC(DSA_F_DSA_SIG_NEW), "DSA_SIG_new"},
-{ERR_FUNC(DSA_F_DSA_SIG_PRINT), "DSA_SIG_PRINT"},
{ERR_FUNC(DSA_F_DSA_VERIFY), "DSA_verify"},
{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"},
{ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"},
@@ -108,8 +105,6 @@
{ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
-{ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
-{ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD) ,"non fips dsa method"},
{ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"},
{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
{0,NULL}
diff --git a/jni/openssl/crypto/dsa/dsa_gen.c b/jni/openssl/crypto/dsa/dsa_gen.c
index c398761..cb0b453 100644
--- a/jni/openssl/crypto/dsa/dsa_gen.c
+++ b/jni/openssl/crypto/dsa/dsa_gen.c
@@ -81,33 +81,13 @@
#include <openssl/sha.h>
#include "dsa_locl.h"
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
int DSA_generate_parameters_ex(DSA *ret, int bits,
const unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
- && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
- {
- DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
- return 0;
- }
-#endif
if(ret->meth->dsa_paramgen)
return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
counter_ret, h_ret, cb);
-#ifdef OPENSSL_FIPS
- else if (FIPS_mode())
- {
- return FIPS_dsa_generate_parameters_ex(ret, bits,
- seed_in, seed_len,
- counter_ret, h_ret, cb);
- }
-#endif
else
{
const EVP_MD *evpmd;
@@ -125,13 +105,12 @@
}
return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
- seed_in, seed_len, NULL, counter_ret, h_ret, cb);
+ seed_in, seed_len, counter_ret, h_ret, cb);
}
}
int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
- unsigned char *seed_out,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
int ok=0;
@@ -222,10 +201,8 @@
}
/* step 2 */
- if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
- goto err;
- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
- goto err;
+ EVP_Digest(seed, qsize, md, NULL, evpmd, NULL);
+ EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL);
for (i = 0; i < qsize; i++)
md[i]^=buf2[i];
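Review bot: The two `EVP_Digest` calls under `/* step 2 */` now discard their return value, so if the digest fails, `md` and `buf2` keep whatever they held before and the XOR loop right after consumes them. The next hunk has the same problem in its `EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);` call ahead of step 8. Keeping the checked form on all three calls, e.g. `if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) goto err;`, stops parameter generation from continuing on unset buffers. The body of dsa_builtin_paramgen extends beyond both hunks, so the `err` label is not visible here.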
@@ -274,9 +251,7 @@
break;
}
- if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
- NULL))
- goto err;
+ EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
/* step 8 */
if (!BN_bin2bn(md, qsize, r0))
@@ -357,8 +332,6 @@
}
if (counter_ret != NULL) *counter_ret=counter;
if (h_ret != NULL) *h_ret=h;
- if (seed_out)
- memcpy(seed_out, seed, qsize);
}
if(ctx)
{
diff --git a/jni/openssl/crypto/dsa/dsa_key.c b/jni/openssl/crypto/dsa/dsa_key.c
index 9cf669b..c4aa86b 100644
--- a/jni/openssl/crypto/dsa/dsa_key.c
+++ b/jni/openssl/crypto/dsa/dsa_key.c
@@ -64,28 +64,12 @@
#include <openssl/dsa.h>
#include <openssl/rand.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
static int dsa_builtin_keygen(DSA *dsa);
int DSA_generate_key(DSA *dsa)
{
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
- && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
- {
- DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
- return 0;
- }
-#endif
if(dsa->meth->dsa_keygen)
return dsa->meth->dsa_keygen(dsa);
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return FIPS_dsa_generate_key(dsa);
-#endif
return dsa_builtin_keygen(dsa);
}
diff --git a/jni/openssl/crypto/dsa/dsa_lib.c b/jni/openssl/crypto/dsa/dsa_lib.c
index 96d8d0c..e9b7590 100644
--- a/jni/openssl/crypto/dsa/dsa_lib.c
+++ b/jni/openssl/crypto/dsa/dsa_lib.c
@@ -70,10 +70,6 @@
#include <openssl/dh.h>
#endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
static const DSA_METHOD *default_DSA_method = NULL;
@@ -86,16 +82,7 @@
const DSA_METHOD *DSA_get_default_method(void)
{
if(!default_DSA_method)
- {
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return FIPS_dsa_openssl();
- else
- return DSA_OpenSSL();
-#else
default_DSA_method = DSA_OpenSSL();
-#endif
- }
return default_DSA_method;
}
@@ -176,7 +163,7 @@
ret->method_mont_p=NULL;
ret->references=1;
- ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
+ ret->flags=ret->meth->flags;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
if ((ret->meth->init != NULL) && !ret->meth->init(ret))
{
@@ -289,8 +276,7 @@
DH *DSA_dup_DH(const DSA *r)
{
/* DSA has p, q, g, optional pub_key, optional priv_key.
- * DH has p, optional length, g, optional pub_key, optional priv_key,
- * optional q.
+ * DH has p, optional length, g, optional pub_key, optional priv_key.
*/
DH *ret = NULL;
@@ -304,11 +290,7 @@
if ((ret->p = BN_dup(r->p)) == NULL)
goto err;
if (r->q != NULL)
- {
ret->length = BN_num_bits(r->q);
- if ((ret->q = BN_dup(r->q)) == NULL)
- goto err;
- }
if (r->g != NULL)
if ((ret->g = BN_dup(r->g)) == NULL)
goto err;
diff --git a/jni/openssl/crypto/dsa/dsa_locl.h b/jni/openssl/crypto/dsa/dsa_locl.h
index 21e2e45..2b8cfee 100644
--- a/jni/openssl/crypto/dsa/dsa_locl.h
+++ b/jni/openssl/crypto/dsa/dsa_locl.h
@@ -56,5 +56,4 @@
int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
- unsigned char *seed_out,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
diff --git a/jni/openssl/crypto/dsa/dsa_ossl.c b/jni/openssl/crypto/dsa/dsa_ossl.c
index b3d78e5..a3ddd7d 100644
--- a/jni/openssl/crypto/dsa/dsa_ossl.c
+++ b/jni/openssl/crypto/dsa/dsa_ossl.c
@@ -136,7 +136,6 @@
BN_CTX *ctx=NULL;
int reason=ERR_R_BN_LIB;
DSA_SIG *ret=NULL;
- int noredo = 0;
BN_init(&m);
BN_init(&xr);
@@ -151,7 +150,7 @@
if (s == NULL) goto err;
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
-redo:
+
if ((dsa->kinv == NULL) || (dsa->r == NULL))
{
if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
@@ -162,7 +161,6 @@
dsa->kinv=NULL;
r=dsa->r;
dsa->r=NULL;
- noredo = 1;
}
@@ -183,18 +181,6 @@
ret=DSA_SIG_new();
if (ret == NULL) goto err;
- /* Redo if r or s is zero as required by FIPS 186-3: this is
- * very unlikely.
- */
- if (BN_is_zero(r) || BN_is_zero(s))
- {
- if (noredo)
- {
- reason = DSA_R_NEED_NEW_SETUP_VALUES;
- goto err;
- }
- goto redo;
- }
ret->r = r;
ret->s = s;
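Review bot: With the zero test removed, `ret->r = r; ret->s = s;` returns a signature even when r or s is zero, which the deleted comment says FIPS 186-3 requires to be redone and which a conforming verifier rejects. The earlier hunks in this file that drop `noredo` and the `redo:` label are part of the same change. If the retry loop is not wanted, at least fail closed with `if (BN_is_zero(r) || BN_is_zero(s)) goto err;`, placed ahead of `ret=DSA_SIG_new();` so the error path still sees `ret == NULL`. The `err` cleanup is outside the hunk, so confirm that it frees r and s on that path.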
diff --git a/jni/openssl/crypto/dsa/dsa_pmeth.c b/jni/openssl/crypto/dsa/dsa_pmeth.c
index 715d8d6..e2df54f 100644
--- a/jni/openssl/crypto/dsa/dsa_pmeth.c
+++ b/jni/openssl/crypto/dsa/dsa_pmeth.c
@@ -189,9 +189,7 @@
EVP_MD_type((const EVP_MD *)p2) != NID_dsa &&
EVP_MD_type((const EVP_MD *)p2) != NID_dsaWithSHA &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha512)
+ EVP_MD_type((const EVP_MD *)p2) != NID_sha256)
{
DSAerr(DSA_F_PKEY_DSA_CTRL, DSA_R_INVALID_DIGEST_TYPE);
return 0;
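Review bot: The digest allow-list in this condition now ends at `NID_sha256`, so a caller that selects SHA-384 or SHA-512 for a DSA key gets `DSA_R_INVALID_DIGEST_TYPE` from this ctrl. Callers that moved to those digests for stronger DSA parameters would presumably either fail or fall back to a shorter hash, so it is worth checking the users of this tree before merging. If the restriction is intended, say so above the condition, e.g. `/* SHA-384 and SHA-512 are not accepted for DSA in this version */`. The condition begins before the hunk, so the full list of accepted digests is not visible here.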
@@ -255,7 +253,7 @@
if (!dsa)
return 0;
ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
- NULL, 0, NULL, NULL, NULL, pcb);
+ NULL, 0, NULL, NULL, pcb);
if (ret)
EVP_PKEY_assign_DSA(pkey, dsa);
else
diff --git a/jni/openssl/crypto/dsa/dsa_sign.c b/jni/openssl/crypto/dsa/dsa_sign.c
index c3cc364..17555e5 100644
--- a/jni/openssl/crypto/dsa/dsa_sign.c
+++ b/jni/openssl/crypto/dsa/dsa_sign.c
@@ -61,54 +61,30 @@
#include "cryptlib.h"
#include <openssl/dsa.h>
#include <openssl/rand.h>
-#include <openssl/bn.h>
DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
- && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
- {
- DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
- return NULL;
- }
-#endif
return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
}
+int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
+ unsigned int *siglen, DSA *dsa)
+ {
+ DSA_SIG *s;
+ RAND_seed(dgst, dlen);
+ s=DSA_do_sign(dgst,dlen,dsa);
+ if (s == NULL)
+ {
+ *siglen=0;
+ return(0);
+ }
+ *siglen=i2d_DSA_SIG(s,&sig);
+ DSA_SIG_free(s);
+ return(1);
+ }
+
int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
- && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
- {
- DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
- return 0;
- }
-#endif
return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
}
-DSA_SIG *DSA_SIG_new(void)
- {
- DSA_SIG *sig;
- sig = OPENSSL_malloc(sizeof(DSA_SIG));
- if (!sig)
- return NULL;
- sig->r = NULL;
- sig->s = NULL;
- return sig;
- }
-
-void DSA_SIG_free(DSA_SIG *sig)
- {
- if (sig)
- {
- if (sig->r)
- BN_free(sig->r);
- if (sig->s)
- BN_free(sig->s);
- OPENSSL_free(sig);
- }
- }
-
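Review bot: In the added `DSA_sign`, `*siglen=i2d_DSA_SIG(s,&sig);` stores the encoder's int result directly into an unsigned int and then returns 1, so a negative (failure) return would be reported as success with a very large length. Capture the result first, `int len=i2d_DSA_SIG(s,&sig);`, and on `len < 0` set `*siglen=0`, free `s` and return 0. The function also writes into `sig` without taking a buffer length, so a short comment stating that callers must supply at least `DSA_size(dsa)` bytes, and that `type` is ignored, would document the contract.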
diff --git a/jni/openssl/crypto/dsa/dsa_vrf.c b/jni/openssl/crypto/dsa/dsa_vrf.c
index 674cb5f..226a75f 100644
--- a/jni/openssl/crypto/dsa/dsa_vrf.c
+++ b/jni/openssl/crypto/dsa/dsa_vrf.c
@@ -64,13 +64,26 @@
int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
DSA *dsa)
{
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
- && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
- {
- DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
- return -1;
- }
-#endif
return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
}
+
+/* data has already been hashed (probably with SHA or SHA-1). */
+/* returns
+ * 1: correct signature
+ * 0: incorrect signature
+ * -1: error
+ */
+int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
+ const unsigned char *sigbuf, int siglen, DSA *dsa)
+ {
+ DSA_SIG *s;
+ int ret=-1;
+
+ s = DSA_SIG_new();
+ if (s == NULL) return(ret);
+ if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
+ ret=DSA_do_verify(dgst,dgst_len,s,dsa);
+err:
+ DSA_SIG_free(s);
+ return(ret);
+ }
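Review bot: `DSA_verify` as added here accepts any `sigbuf` whose leading bytes parse as a DSA_SIG, because nothing checks that `d2i_DSA_SIG` consumed all `siglen` bytes or that the encoding is canonical DER. One valid signature therefore has many accepted byte representations. That matters wherever the signature bytes themselves are hashed or compared, such as certificate fingerprints, deny-lists and deduplication. Re-encoding the parsed value and comparing it with the input closes the gap, and the excerpt below shows only the changed lines. `memcmp` needs `<string.h>`, which this hunk does not show being included.

```c
	DSA_SIG *s;
	const unsigned char *p = sigbuf;
	unsigned char *der = NULL;
	int derlen = -1;
	int ret=-1;

	/* ... unchanged: DSA_SIG_new() and its NULL check ... */
	if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err;
	/* Reject trailing bytes and non-canonical encodings. */
	derlen = i2d_DSA_SIG(s,&der);
	if (derlen != siglen || memcmp(sigbuf,der,derlen) != 0) goto err;
	ret=DSA_do_verify(dgst,dgst_len,s,dsa);
err:
	if (derlen > 0) OPENSSL_free(der);
	/* ... unchanged: DSA_SIG_free(s) and return ... */
```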