Remove more (rest?) of FIPS build stuff.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-14 15:24:27 -05:00 · 2015-12-14 15:24:27 -05:00 · 700b4a4ae7
commit 700b4a4ae7
parent 0b0443af64
12 changed files with 13 additions and 402 deletions
--- a/README.FIPS
+++ b/README.FIPS
@ -1,130 +1 @@
-Preliminary status and build information for FIPS module v2.0
+This release does not support a FIPS 140-2 validated module.
 NB: if you are cross compiling you now need to use the latest "incore" script
 this can be found at util/incore in the tarballs.
 If you have any object files from a previous build do:
 make clean
 To build the module do:
 ./config fipscanisteronly
 make
 Build should complete without errors.
 Build test utilities:
 make build_tests
 Run test suite:
 test/fips_test_suite
 again should complete without errors.
 Run test vectors: 
 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
   only the fips-2.0 testvector files are usable for complete tests.
 2. Extract the files to a suitable directory.
 3. Run the test vector perl script, for example:
   cd fips
   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
 4. It should say "passed all tests" at the end. Report full details of any
   failures.
 If you wish to use the older 1.2.x testvectors (for example those from 2007)
 you need the command line switch --disable-v2 to fipsalgtest.pl
 Examine the external symbols in fips/fipscanister.o they should all begin
 with FIPS or fips. One way to check with GNU nm is:
 	nm -g --defined-only fips/fipscanister.o | grep -v -i fips
 If you get *any* output at all from this test (i.e. symbols not starting with
 fips or FIPS) please report it.
 Restricted tarball tests.
 The validated module will have its own tarball containing sufficient code to
 build fipscanister.o and the associated algorithm tests. You can create a
 similar tarball yourself for testing purposes using the commands below.
 Standard restricted tarball:
 make -f Makefile.fips dist
 Prime field field only ECC tarball:
 make NOEC2M=1 -f Makefile.fips dist
 Once you've created the tarball extract into a fresh directory and do:
 ./config
 make
 You can then run the algorithm tests as above. This build automatically uses
 fipscanisterbuild and no-ec2m as appropriate.
 FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
 At least initially the test module and FIPS capable OpenSSL may change and
 by out of sync. You are advised to check for any changes and pull the latest
 source from CVS if you have problems. See anon CVS and rsync instructions at:
 http://www.openssl.org/source/repos.html
 Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
 If required set the environment variable FIPSDIR to an appropriate location
 to install the test module. If cross compiling set other environment
 variables too.
 In this restricted tarball on a Linux or U*ix like system run:
 ./config
 make
 make install
 On Windows from a VC++ environment do:
 ms\do_fips
 This will build and install the test module and some associated files.
 Now download the latest version of the OpenSSL 1.0.1 branch from either a
 snapshot or preferably CVS. For Linux do:
 ./config fips [other args]
 make
 For Windows:
 perl Configure VC-WIN32 fips [other args]
 ms\do_nasm
 nmake -f ms\ntdll.mak
 (or ms\nt.mak for a static build).
 Where [other args] can be any other arguments you use for an OpenSSL build
 such as "shared" or "zlib".
 This will build the fips capable OpenSSL and link it to the test module. You
 can now try linking and testing applications against the FIPS capable OpenSSL.
 Please report any problems to either the openssl-dev mailing list or directly
 to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
 reports.
 Known issues:
 Code needs extensively reviewing to ensure it builds correctly on 
 supported platforms and is compliant with FIPS 140-2.
 The "FIPS capable OpenSSL" is still largely untested, it builds and runs
 some simple tests OK on some systems but needs far more "real world" testing.
--- a/apps/dgst.c
+++ b/apps/dgst.c
@ -80,7 +80,7 @@ typedef enum OPTION_choice {
    OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
    OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
    OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
-    OPT_NON_FIPS_ALLOW, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
+    OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
    OPT_DIGEST
 } OPTION_CHOICE;
@ -106,7 +106,6 @@ OPTIONS dgst_options[] = {
    {"d", OPT_DEBUG, '-', "Print debug info"},
    {"debug", OPT_DEBUG, '-'},
    {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
    {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"},
    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
@ -133,8 +132,7 @@ int dgst_main(int argc, char **argv)
    const char *sigfile = NULL, *randfile = NULL;
    OPTION_CHOICE o;
    int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
-    int i, ret = 1, out_bin = -1, want_pub = 0, do_verify =
+    int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
        0, non_fips_allow = 0;
    unsigned char *buf = NULL, *sigbuf = NULL;
    int engine_impl = 0;
@ -205,9 +203,6 @@ int dgst_main(int argc, char **argv)
        case OPT_FIPS_FINGERPRINT:
            hmac_key = "etaonrishdlcupfm";
            break;
        case OPT_NON_FIPS_ALLOW:
            non_fips_allow = 1;
            break;
        case OPT_HMAC:
            hmac_key = opt_arg();
            break;
@ -323,12 +318,6 @@ int dgst_main(int argc, char **argv)
            goto end;
    }
    if (non_fips_allow) {
        EVP_MD_CTX *md_ctx;
        BIO_get_md_ctx(bmd, &md_ctx);
        EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
    }
    if (hmac_key) {
        sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
                                      (unsigned char *)hmac_key, -1);
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@ -86,7 +86,7 @@ static int dsa_cb(int p, int n, BN_GENCB *cb);
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
-    OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_NON_FIPS_ALLOW, OPT_ENGINE,
+    OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_ENGINE,
    OPT_TIMEBOMB
 } OPTION_CHOICE;
@ -101,7 +101,6 @@ OPTIONS dsaparam_options[] = {
    {"noout", OPT_NOOUT, '-', "No output"},
    {"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
    {"rand", OPT_RAND, 's', "Files to use for random number input"},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
 # ifdef GENCB_TEST
    {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"},
 # endif
@ -116,7 +115,7 @@ int dsaparam_main(int argc, char **argv)
    DSA *dsa = NULL;
    BIO *in = NULL, *out = NULL;
    BN_GENCB *cb = NULL;
-    int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0;
+    int numbits = -1, num = 0, genkey = 0, need_rand = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
    int ret = 1, i, text = 0, private = 0;
 # ifdef GENCB_TEST
@ -175,9 +174,6 @@ int dsaparam_main(int argc, char **argv)
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_NON_FIPS_ALLOW:
            non_fips_allow = 1;
            break;
        }
    }
    argc = opt_num_rest();
@ -219,8 +215,6 @@ int dsaparam_main(int argc, char **argv)
            BIO_printf(bio_err, "Error allocating DSA object\n");
            goto end;
        }
        if (non_fips_allow)
            dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
        BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
                   num);
        BIO_printf(bio_err, "This could take some time\n");
@ -309,8 +303,6 @@ int dsaparam_main(int argc, char **argv)
        assert(need_rand);
        if ((dsakey = DSAparams_dup(dsa)) == NULL)
            goto end;
        if (non_fips_allow)
            dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
        if (!DSA_generate_key(dsakey)) {
            ERR_print_errors(bio_err);
            DSA_free(dsakey);
--- a/apps/enc.c
+++ b/apps/enc.c
@ -84,7 +84,7 @@ typedef enum OPTION_choice {
    OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
    OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
    OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
-    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_NON_FIPS_ALLOW, OPT_CIPHER
+    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_CIPHER
 } OPTION_CHOICE;
 OPTIONS enc_options[] = {
@ -111,7 +111,6 @@ OPTIONS enc_options[] = {
    {"S", OPT_UPPER_S, 's', "Salt, in hex"},
    {"iv", OPT_IV, 's', "IV in hex"},
    {"md", OPT_MD, 's', "Use specified digest to create key from passphrase"},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"none", OPT_NONE, '-', "Don't encrypt"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 #ifdef ZLIB
@ -140,7 +139,7 @@ int enc_main(int argc, char **argv)
    int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
    int enc = 1, printkey = 0, i, k;
    int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY;
-    int ret = 1, inl, nopad = 0, non_fips_allow = 0;
+    int ret = 1, inl, nopad = 0;
    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
    unsigned char *buff = NULL, salt[PKCS5_SALT_LEN];
    unsigned long n;
@ -279,9 +278,6 @@ int enc_main(int argc, char **argv)
            if (!opt_md(opt_arg(), &dgst))
                goto opthelp;
            break;
        case OPT_NON_FIPS_ALLOW:
            non_fips_allow = 1;
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &c))
                goto opthelp;
@ -501,9 +497,6 @@ int enc_main(int argc, char **argv)
        BIO_get_cipher_ctx(benc, &ctx);
        if (non_fips_allow)
            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
        if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
            BIO_printf(bio_err, "Error setting cipher %s\n",
                       EVP_CIPHER_name(cipher));
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@ -78,7 +78,7 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb);
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_3, OPT_F4, OPT_NON_FIPS_ALLOW, OPT_ENGINE,
+    OPT_3, OPT_F4, OPT_ENGINE,
    OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER
 } OPTION_CHOICE;
@ -87,7 +87,6 @@ OPTIONS genrsa_options[] = {
    {"3", OPT_3, '-', "Use 3 for the E value"},
    {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
    {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"out", OPT_OUT, 's', "Output the key to specified file"},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
@ -108,7 +107,7 @@ int genrsa_main(int argc, char **argv)
    BIO *out = NULL;
    RSA *rsa = NULL;
    const EVP_CIPHER *enc = NULL;
-    int ret = 1, non_fips_allow = 0, num = DEFBITS, private = 0;
+    int ret = 1, num = DEFBITS, private = 0;
    unsigned long f4 = RSA_F4;
    char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
    char *inrand = NULL, *prog, *hexe, *dece;
@ -136,9 +135,6 @@ int genrsa_main(int argc, char **argv)
        case OPT_F4:
            f4 = RSA_F4;
            break;
        case OPT_NON_FIPS_ALLOW:
            non_fips_allow = 1;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
@ -188,9 +184,6 @@ int genrsa_main(int argc, char **argv)
    if (rsa == NULL)
        goto end;
    if (non_fips_allow)
        rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
    if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb))
        goto end;
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@ -176,92 +176,3 @@ int RAND_status(void)
        return meth->status();
    return 0;
 }
 #ifdef OPENSSL_FIPS
 /*
 * FIPS DRBG initialisation code. This sets up the DRBG for use by the rest
 * of OpenSSL.
 */
 /*
 * Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather
 * entropy internally through RAND_poll().
 */
 static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
                               int entropy, size_t min_len, size_t max_len)
 {
    /* Round up request to multiple of block size */
    min_len = ((min_len + 19) / 20) * 20;
    *pout = OPENSSL_malloc(min_len);
    if (*pout == NULL)
        return 0;
    if (RAND_OpenSSL()->bytes(*pout, min_len) <= 0) {
        OPENSSL_free(*pout);
        *pout = NULL;
        return 0;
    }
    return min_len;
 }
 static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
 {
    OPENSSL_clear_free(out, olen);
 }
 /*
 * Set "additional input" when generating random data. This uses the current
 * PID, a time value and a counter.
 */
 static size_t drbg_get_adin(DRBG_CTX *ctx, unsigned char **pout)
 {
    /* Use of static variables is OK as this happens under a lock */
    static unsigned char buf[16];
    static unsigned long counter;
    FIPS_get_timevec(buf, &counter);
    rand_hw_xor(buf, sizeof(buf));
    *pout = buf;
    return sizeof(buf);
 }
 /*
 * RAND_add() and RAND_seed() pass through to OpenSSL PRNG so it is
 * correctly seeded by RAND_poll().
 */
 static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen,
                         double entropy)
 {
    return RAND_OpenSSL()->add(in, inlen, entropy);
 }
 static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
 {
    return RAND_OpenSSL()->seed(in, inlen);
 }
 int RAND_init_fips(void)
 {
    DRBG_CTX *dctx;
    size_t plen;
    unsigned char pers[32], *p;
    dctx = FIPS_get_default_drbg();
    FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
    FIPS_drbg_set_callbacks(dctx,
                            drbg_get_entropy, drbg_free_entropy, 20,
                            drbg_get_entropy, drbg_free_entropy);
    FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0,
                                 drbg_rand_seed, drbg_rand_add);
    /* Personalisation string: a string followed by date time vector */
    strcpy((char *)pers, "OpenSSL DRBG2.0");
    plen = drbg_get_adin(dctx, &p);
    memcpy(pers + 16, p, plen);
    FIPS_drbg_instantiate(dctx, pers, sizeof(pers));
    FIPS_rand_set_method(FIPS_drbg_method());
    return 1;
 }
 #endif
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@ -13,7 +13,6 @@ B<openssl> B<dgst>
 [B<-hex>]
 [B<-binary>]
 [B<-r>]
 [B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
 [B<-keyform arg>]
@ -22,7 +21,6 @@ B<openssl> B<dgst>
 [B<-prverify filename>]
 [B<-signature filename>]
 [B<-hmac key>]
 [B<-non-fips-allow>]
 [B<-fips-fingerprint>]
 [B<file...>]
@ -70,11 +68,6 @@ output the digest or signature in binary form.
 output the digest in the "coreutils" format used by programs like B<sha1sum>.
 =item B<-non-fips-allow>
 Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in
 FIPS mode.
 =item B<-out filename>
 filename to output to, or standard output by default.
@ -159,10 +152,6 @@ Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others. 
 =item B<-non-fips-allow>
 enable use of non-FIPS algorithms such as MD5 even in FIPS mode.
 =item B<-fips-fingerprint>
 compute HMAC using a specific key
@ -219,5 +208,6 @@ prior to verification.
 =head1 HISTORY
 The default digest was changed from MD5 to SHA256 in Openssl 1.1.
 The FIPS-related options were removed in OpenSSL 1.1
 =cut
--- a/include/openssl/rand.h
+++ b/include/openssl/rand.h
@ -119,10 +119,6 @@ int RAND_event(UINT, WPARAM, LPARAM);
 # endif
 # ifdef OPENSSL_FIPS
 int RAND_init_fips(void);
 # endif
 /* BEGIN ERROR CODES */
 /*
 * The following lines are auto generated by the script mkerr.pl. Any changes
--- a/util/fipsdist.pl
+++ b/util/fipsdist.pl
@ -1,83 +0,0 @@
 # FIPS distribution filter. 
 # Takes tarball listing and removes unnecessary files and directories.
 #
 my $objs = "";
 foreach (split / /, "FIPS_EX_OBJ AES_ENC BN_ASM DES_ENC SHA1_ASM_OBJ MODES_ASM_OBJ")
 	{
 	$objs .= " $ENV{$_}";
 	}
 my $noec2m = 0;
 my @objlist = split / /, $objs;
 foreach (@objlist) { $tarobjs{"$1.c"} = 1 if /([^\/]+).o$/};
 $tarobjs{"ncbc_enc.c"} = 1;
 $tarobjs{"mem_clr.c"} = 1;
 $tarobjs{"ppccap.c"} = 1;
 $tarobjs{"sparcv9cap.c"} = 1;
 $tarobjs{"armcap.c"} = 1;
 foreach (split / /, $ENV{LINKDIRS} ) { $cdirs{$_} = 1 };
 $cdirs{perlasm} = 1;
 $noec2m = 1 if (exists $ENV{NOEC2M});
 if ($noec2m)
 	{
 	delete $tarobjs{"bn_gf2m.c"};
 	delete $tarobjs{"ec2_mult.c"};
 	delete $tarobjs{"ec2_smpl.c"};
 	}
 my %keep = 
 	(
 	"Makefile.fips" => 1,
 	"Makefile.shared" => 1,
 	"README.FIPS" => 1,
 	"README.ECC" => 1,
 	"e_os.h" => 1,
 	"e_os2.h" => 1,
 	"Configure" => 1,
 	"config" => 1,
 	);
 while (<STDIN>)
 	{
 	chomp;
 	# Keep top level files in list
 	if (!/\// && -f $_)
 		{
 		next unless exists $keep{$_};
 		}
 	else
 		{
 		next unless (/^(fips\/|crypto|util|test|include|ms)/);
 		}
 	if (/^crypto\/([^\/]+)/)
 		{
 		# Skip unused directories under crypto/
 		next if -d "crypto/$1" && !exists $cdirs{$1};
 		# Skip GF2m assembly language perl scripts
 		next if $noec2m && /gf2m\.pl/;
 		next if /vpaes-\w*\.pl/;
 		# Keep assembly language dir, Makefile or certain extensions
 		if (!/\/asm\// && !/\/Makefile$/ && !/\.(in|pl|h|S)$/)
 			{
 			# If C source file must be on list.
 			next if !/(\w+\.c)$/ || !exists $tarobjs{$1};
 			}
 		}
 	if (/^test\//)
 		{
 		next unless /Makefile/ || /dummytest.c/;
 		}
 	print "$_\n";
 	}
 exit 1;
--- a/util/fipsobj.pl
+++ b/util/fipsobj.pl
@ -1,31 +0,0 @@
 # Filter script. Take all FIPS object files from the environment
 # and print out only those in the given directory.
 my $dir = $ARGV[0];
 my $asmobjs = "";
 # Add any needed assembly language files.
 $asmobjs = $ENV{AES_ENC} if $dir eq "aes";
 $asmobjs = $ENV{BN_ASM} if $dir eq "bn";
 $asmobjs = $ENV{DES_ENC} if $dir eq "des";
 $asmobjs = $ENV{SHA1_ASM_OBJ} if $dir eq "sha";
 $asmobjs = $ENV{MODES_ASM_OBJ} if $dir eq "modes";
 # Get all other FIPS object files, filtered by directory.
 my @objlist = grep {/crypto\/$dir\//} split / /, $ENV{FIPS_EX_OBJ};
 push @objlist, split / /, $asmobjs;
 # Fatal error if no matches
 die "No objects in $dir!" if (scalar @objlist == 0);
 # Output all matches removing pathname.
 foreach (@objlist)
 	{
 	s|../crypto/$dir/||;
 	print "$_\n";
 	}
--- a/util/libeay.num
+++ b/util/libeay.num
@ -4231,7 +4231,7 @@ private_SEED_set_key                    4610	1_1_0	NOEXIST::FUNCTION:
 EVP_aes_192_gcm                         4611	1_1_0	EXIST::FUNCTION:AES
 X509_ALGOR_set_md                       4612	1_1_0	EXIST::FUNCTION:
 private_SHA256_Init                     4613	1_1_0	NOEXIST::FUNCTION:
-RAND_init_fips                          4614	1_1_0	EXIST:OPENSSL_FIPS:FUNCTION:
+RAND_init_fips                          4614	1_1_0	NOEXIST::FUNCTION:
 EVP_aes_256_gcm                         4615	1_1_0	EXIST::FUNCTION:AES
 private_SHA384_Init                     4616	1_1_0	NOEXIST::FUNCTION:
 EVP_aes_192_ccm                         4617	1_1_0	EXIST::FUNCTION:AES
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@ -63,8 +63,8 @@ my $linux=0;
 my $safe_stack_def = 0;
 my @known_platforms = ( "__FreeBSD__", "PERL5",
-			"EXPORT_VAR_AS_FUNCTION", "ZLIB",
+			"EXPORT_VAR_AS_FUNCTION", "ZLIB"
-			"OPENSSL_FIPS", "OPENSSL_FIPSCAPABLE" );
+			);
 my @known_ossl_platforms = ( "VMS", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
@ -137,8 +137,6 @@ my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc;
 my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
 my $no_unit_test; my $no_ssl3_method; my $no_ocb;
 my $fips;
 my $zlib;
@ -164,7 +162,6 @@ foreach (@ARGV, split(/ /, $options))
 	}
 	$VMS=1 if $_ eq "VMS";
 	$OS2=1 if $_ eq "OS2";
 	$fips=1 if /^fips/;
 	if ($_ eq "zlib" || $_ eq "enable-zlib" || $_ eq "zlib-dynamic"
 			 || $_ eq "enable-zlib-dynamic") {
 		$zlib = 1;
@ -1165,12 +1162,6 @@ sub is_valid
 			if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32)) {
 				return 1;
 			}
 			if ($keyword eq "OPENSSL_FIPSCAPABLE") {
 				return 0;
 			}
 			if ($keyword eq "OPENSSL_FIPS" && $fips) {
 				return 1;
 			}
 			if ($keyword eq "ZLIB" && $zlib) { return 1; }
 			return 0;
 		} else {
@ -1555,7 +1546,6 @@ sub update_numbers
 		next if defined($rsyms{$sym});
 		die "ERROR: Symbol $sym had no info attached to it."
 		    if $i eq "";
 		next if $i =~ /OPENSSL_FIPSCAPABLE/;
 		if (!exists $nums{$s}) {
 			$new_syms++;
 			my $s2 = $s;