From: Pauli <ppzgs1@gmail.com>
Date: Thu, 17 Jul 2025 03:24:21 +0000 (+1000)
Subject: pbkdf2: remove second compiled file
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c07da07ebb59deacc3ebb7a8b01c27723c97c204;p=thirdparty%2Fopenssl.git

pbkdf2: remove second compiled file

The main source file now depends on FIPS_MODULE so there is no need to have
a second file with a fips flag defined.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27923)
---

diff --git a/providers/implementations/kdfs/build.info b/providers/implementations/kdfs/build.info
index 3b7687b8f3a..debfad12da1 100644
--- a/providers/implementations/kdfs/build.info
+++ b/providers/implementations/kdfs/build.info
@@ -27,9 +27,6 @@ SOURCE[$KRB5KDF_GOAL]=krb5kdf.c
 SOURCE[$PBKDF1_GOAL]=pbkdf1.c
 
 SOURCE[$PBKDF2_GOAL]=pbkdf2.c
-# Extra code to satisfy the FIPS and non-FIPS separation.
-# When the PBKDF2 moves to legacy, this can be removed.
-SOURCE[$PBKDF2_GOAL]=pbkdf2_fips.c
 
 SOURCE[$PBKDF1_GOAL]=pvkkdf.c
 
diff --git a/providers/implementations/kdfs/pbkdf2.c.in b/providers/implementations/kdfs/pbkdf2.c.in
index c40879041fd..e7c5fdc0b53 100644
--- a/providers/implementations/kdfs/pbkdf2.c.in
+++ b/providers/implementations/kdfs/pbkdf2.c.in
@@ -153,7 +153,6 @@ static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx)
 {
     OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
     OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
-    extern const int ossl_kdf_pbkdf2_default_checks;
 
     params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                                  SN_sha1, 0);
@@ -161,7 +160,11 @@ static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx)
         /* This is an error, but there is no way to indicate such directly */
         ossl_prov_digest_reset(&ctx->digest);
     ctx->iter = PKCS5_DEFAULT_ITER;
-    ctx->lower_bound_checks = ossl_kdf_pbkdf2_default_checks;
+#ifdef FIPS_MODULE
+    ctx->lower_bound_checks = 1;
+#else
+    ctx->lower_bound_checks = 0;
+#endif
 }
 
 static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
diff --git a/providers/implementations/kdfs/pbkdf2_fips.c b/providers/implementations/kdfs/pbkdf2_fips.c
deleted file mode 100644
index fb25f18e2a3..00000000000
--- a/providers/implementations/kdfs/pbkdf2_fips.c
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * For backwards compatibility reasons,
- * Extra checks are done by default in fips mode only.
- */
-extern const int ossl_kdf_pbkdf2_default_checks;
-#ifdef FIPS_MODULE
-const int ossl_kdf_pbkdf2_default_checks = 1;
-#else
-const int ossl_kdf_pbkdf2_default_checks = 0;
-#endif /* FIPS_MODULE */