removed obsolete INTEGRITY_TEST and fips signer code

--enable-integrity-test now conditionally builds libchecksum

16 files changed, 7 insertions, 657 deletions

diff --git a/LICENSE b/LICENSE
index ce8c4ae30..abbefa545 100644
--- a/LICENSE
+++ b/LICENSE
@@ -22,10 +22,5 @@ so they must include the following phrase: "RSA Security Inc. PKCS#11
 Cryptographic Token Interface (Cryptoki)". The headers are not under the GPL;
 see details in src/pluto/rsaref/pkcs11.h.
 
-The FIPS_canister code in src/libstrongswan/fips that is used to determine
-the start (fips_canister_start.c) and end (fips_canister_end.c) of the
-libstrongswan TEXT and RODATA segments is under the OpenSSL licence. It is
-not under the GPL; see www.openssl.org. 
-
 In addition to the terms set out under the GPL, permission is granted to
 link the software against the libdes, MD2, and MD5 libraries just mentioned.  
diff --git a/configure.in b/configure.in
index 858914c14..433f736b7 100644
--- a/configure.in
+++ b/configure.in
@@ -588,7 +588,7 @@ AC_ARG_ENABLE(
 
 AC_ARG_ENABLE(
 	[integrity-test],
-	AS_HELP_STRING([--enable-integrity-test],[enable the integrity test of the crypto library (default is NO).]),
+	AS_HELP_STRING([--enable-integrity-test],[enable integrity testing of libstrongswan and plugins (default is NO).]),
 	[if test x$enableval = xyes; then
 		integrity_test=true 
 	fi]
@@ -1258,7 +1258,6 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
-	src/libstrongswan/fips/Makefile
 	src/libfreeswan/Makefile
 	src/pluto/Makefile
 	src/whack/Makefile
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 3b5b9c068..356e0742f 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -128,10 +128,6 @@ if USE_ME
     sa/tasks/ike_me.c sa/tasks/ike_me.h
 endif
 
-if USE_INTEGRITY_TEST
-  AM_CFLAGS += -DINTEGRITY_TEST
-endif
-
 if USE_CAPABILITIES
   charon_LDADD += -lcap
 endif
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index f6f3ac17c..c672515a7 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -42,11 +42,6 @@
 #include <config/traffic_selector.h>
 #include <config/proposal.h>
 
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips/fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
 typedef struct private_daemon_t private_daemon_t;
 
 /**
@@ -487,19 +482,6 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 		lib->settings->get_str(lib->settings, "charon.load", PLUGINS));
 	
 	print_plugins();
-	
-#ifdef INTEGRITY_TEST
-	DBG1(DBG_DMN, "integrity test of libstrongswan code");
-	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
-	{
-		DBG1(DBG_DMN, "  integrity test passed");
-	}
-	else
-	{
-		DBG1(DBG_DMN, "  integrity test failed");
-		return FALSE;
-	}
-#endif /* INTEGRITY_TEST */
 
 	this->public.ike_sa_manager = ike_sa_manager_create();
 	if (this->public.ike_sa_manager == NULL)
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 4de511e80..d190f351d 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,14 +1,6 @@
 lib_LTLIBRARIES = libstrongswan.la
 
-if USE_INTEGRITY_TEST
-  libstrongswan_la_SOURCES = \
-  fips/fips_canister_start.c \
-  fips/fips.c fips/fips.h
-else
-  libstrongswan_la_SOURCES =
-endif
-
-libstrongswan_la_SOURCES += \
+libstrongswan_la_SOURCES = \
 library.c library.h \
 chunk.c chunk.h \
 debug.c debug.h \
@@ -76,11 +68,6 @@ if USE_LOCK_PROFILER
   AM_CFLAGS += -DLOCK_PROFILER
 endif
 
-if USE_INTEGRITY_TEST
-  libstrongswan_la_SOURCES += \
-  fips/fips_canister_end.c
-endif
-
 if USE_VSTR
   libstrongswan_la_LIBADD += -lvstr
 endif
@@ -207,7 +194,5 @@ if USE_TEST_VECTORS
 endif
 
 if USE_INTEGRITY_TEST
-  SUBDIRS += fips
+  SUBDIRS += checksum
 endif
-
-SUBDIRS += checksum
diff --git a/src/libstrongswan/fips/.gitignore b/src/libstrongswan/fips/.gitignore
deleted file mode 100644
index ebb05cff9..000000000
--- a/src/libstrongswan/fips/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-fips_signature.h
-fips_signer
diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am
deleted file mode 100644
index 22a35701b..000000000
--- a/src/libstrongswan/fips/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-noinst_PROGRAMS = fips_signer
-fips_signer_SOURCES = fips_signer.c
-fips_signer_LDADD = ../libstrongswan.la
-
-BUILT_SOURCES = fips_signature.h
-CLEANFILES = fips_signature.h fips_signer
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-            -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\"
-if USE_SHA1
-  AM_CFLAGS += -DUSE_SHA1
-endif
-
-if USE_OPENSSL
-  AM_CFLAGS += -DUSE_OPENSSL
-endif
-
-fips_signature.h : fips_signer
-		   ./fips_signer
diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c
deleted file mode 100644
index d2296e5e9..000000000
--- a/src/libstrongswan/fips/fips.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <debug.h>
-#include <crypto/signers/signer.h>
-#include "fips.h"
-
-extern const u_char FIPS_rodata_start[];
-extern const u_char FIPS_rodata_end[];
-extern const void *FIPS_text_start();
-extern const void *FIPS_text_end();
-
-/**
- * Described in header
- */
-bool fips_compute_hmac_signature(const char *key, char *signature)
-{
-	u_char *text_start = (u_char *)FIPS_text_start();
-	u_char *text_end   = (u_char *)FIPS_text_end();
-	size_t text_len, rodata_len;
-	signer_t *signer;
-
-	if (text_start > text_end)
-	{
-		DBG1("  TEXT start (%p) > TEXT end (%p",
-				text_start, text_end);
-		return FALSE;
-	}
-	text_len = text_end - text_start;
-    DBG1("  TEXT:   %p + %6d = %p",
-			text_start, (int)text_len, text_end);
-
-	if (FIPS_rodata_start > FIPS_rodata_end)
-	{
-		DBG1("  RODATA start (%p) > RODATA end (%p",
-				FIPS_rodata_start, FIPS_rodata_end);
-		return FALSE;
-	}
-	rodata_len = FIPS_rodata_end - FIPS_rodata_start;
-    DBG1("  RODATA: %p + %6d = %p",
-			FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end);
-
-    signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
-	if (signer == NULL)
-	{
-	    DBG1("  SHA-1 HMAC signer could not be created");
-		return FALSE;
-	}
-	else
-	{
-		chunk_t hmac_key = { (u_char *)key, strlen(key) };
-		chunk_t text_chunk = { text_start, text_len };
-		chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len };
-		chunk_t signature_chunk = chunk_empty;
-
-		signer->set_key(signer, hmac_key);
-		signer->allocate_signature(signer, text_chunk, NULL);
-		signer->allocate_signature(signer, rodata_chunk, &signature_chunk);
-		signer->destroy(signer);
-
-		sprintf(signature, "%#B", &signature_chunk);
-		DBG1("  SHA-1 HMAC key: %s", key);
-		DBG1("  SHA-1 HMAC sig: %s", signature);
-		free(signature_chunk.ptr);
-		return TRUE;
-	}
-}
-
-/**
- * Described in header
- */
-bool fips_verify_hmac_signature(const char *key,
-								const char *signature)
-{
-	char current_signature[BUF_LEN];
-
-	if (!fips_compute_hmac_signature(key, current_signature))
-	{
-		return FALSE;
-	}
-	return streq(signature, current_signature);
-}
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
deleted file mode 100644
index aae18e3b2..000000000
--- a/src/libstrongswan/fips/fips.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
- 
-/**
- * @defgroup fips1 fips
- * @{ @ingroup fips
- */
-
-#ifndef FIPS_H_
-#define FIPS_H_
-
-#include <library.h>
-
-/**
- * compute HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key		key used for HMAC signature in ASCII string format
- * @param signature	HMAC signature in HEX string format
- * @return 			TRUE if HMAC signature computation was successful
- */
-bool fips_compute_hmac_signature(const char *key, char *signature);
-
-/**
- * verify HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key		key used for HMAC signature in ASCII string format
- * @param signature	signature value from fips_signature.h in HEX string format
- * @return			TRUE if signatures agree
- */
-bool fips_verify_hmac_signature(const char *key, const char *signature);
-
-#endif /** FIPS_H_ @}*/
diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c
deleted file mode 100644
index 247d48927..000000000
--- a/src/libstrongswan/fips/fips_canister_end.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if	(defined(__sun) && (defined(__sparc) || defined(__sparcv9)))	|| \
-	(defined(__sgi) && (defined(__mips) || defined(mips)))		|| \
-	(defined(__osf__) && defined(__alpha))				|| \
-	(defined(__linux) && (defined(__arm) || defined(__arm__)))	|| \
-	(defined(__i386) || defined(__i386__))				|| \
-	(defined(__x86_64) || defined(__x86_64__))			|| \
-	(defined(vax) || defined(__vax__))
-#  define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-#define FIPS_ref_point FIPS_text_end
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_end[]=
-	{ 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
-  void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif	defined(__GNUC__) && __GNUC__>=2
-# if	defined(__alpha) || defined(__alpha__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"br	%0,1f\n1:" : "=r"(ret) );
-# elif	defined(__i386) || defined(__i386__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"call 1f\n1:	popl %0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif	defined(__ia64) || defined(__ia64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"mov	%0=ip" : "=r"(ret) );
-# elif	defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"blr	%%r0,%0\n\tnop" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif	defined(__mips) || defined(__mips__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"move	%1,$31\n\t"	/* save ra */
-			"bal	.+8; nop\n\t"
-			"move	%0,$31\n\t"
-			"move	$31,%1"		/* restore ra */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
-	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
-	defined(__PPC64__) || defined(__powerpc64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
-			"bl	.+4\n\t"
-			"mfspr	%0,8\n\t"	/* mflr ret */
-			"mtspr	8,%1"		/* restore lr */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mov	%%o7,%1\n\t"
-			"call	.+8; nop\n\t"
-		  	"mov	%%o7,%0\n\t"
-			"mov	%1,%%o7"
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__x86_64) || defined(__x86_64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"leaq	0(%%rip),%0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif	defined(__DECC) && defined(__alpha)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif   defined(_MSC_VER) && defined(_M_IX86)
-#   undef INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    _asm {
-            call    self
-    self:   pop     eax
-            mov     scratch,eax
-         }
-    ret = (void *)((size_t)scratch&~3UL);
-#endif
-  return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif	defined(_AIX)
-    struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_HPUX_SOURCE)
-# if	defined(__hppa) || defined(__hppa__)
-    struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
-    if (sizeof(p) == 8)	/* 64-bit */
-	return p->i[2];
-    else if ((size_t)p & 2)
-    {	p = (void *)((size_t)p&~3UL);
-	return p->i[0];
-    }
-    else
-	return (void *)p;
-# elif	defined(__ia64) || defined(__ia64__)
-    struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-# endif
-#elif	(defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
-    /* applies to both alpha and ia64 */
-    struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-#elif	defined(__VOS__)
-    /* applies to both pa-risc and ia32 */
-    struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_WIN32)
-# if	defined(_WIN64) && defined(_M_IA64)
-    struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
-    return p->ip;
-# else
-    return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */ 
-#elif	defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-    return (void *)instruction_pointer;
-#else
-    return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c
deleted file mode 100644
index 4a5528a94..000000000
--- a/src/libstrongswan/fips/fips_canister_start.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if	(defined(__sun) && (defined(__sparc) || defined(__sparcv9)))	|| \
-	(defined(__sgi) && (defined(__mips) || defined(mips)))		|| \
-	(defined(__osf__) && defined(__alpha))				|| \
-	(defined(__linux) && (defined(__arm) || defined(__arm__)))	|| \
-	(defined(__i386) || defined(__i386__))				|| \
-	(defined(__x86_64) || defined(__x86_64__))			|| \
-	(defined(vax) || defined(__vax__))
-#  define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-
-#define FIPS_ref_point FIPS_text_start
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_start[]=
-	{ 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
-  void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif	defined(__GNUC__) && __GNUC__>=2
-# if	defined(__alpha) || defined(__alpha__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"br	%0,1f\n1:" : "=r"(ret) );
-# elif	defined(__i386) || defined(__i386__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"call 1f\n1:	popl %0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif	defined(__ia64) || defined(__ia64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"mov	%0=ip" : "=r"(ret) );
-# elif	defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"blr	%%r0,%0\n\tnop" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif	defined(__mips) || defined(__mips__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"move	%1,$31\n\t"	/* save ra */
-			"bal	.+8; nop\n\t"
-			"move	%0,$31\n\t"
-			"move	$31,%1"		/* restore ra */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
-	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
-	defined(__PPC64__) || defined(__powerpc64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
-			"bl	.+4\n\t"
-			"mfspr	%0,8\n\t"	/* mflr ret */
-			"mtspr	8,%1"		/* restore lr */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mov	%%o7,%1\n\t"
-			"call	.+8; nop\n\t"
-		  	"mov	%%o7,%0\n\t"
-			"mov	%1,%%o7"
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__x86_64) || defined(__x86_64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"leaq	0(%%rip),%0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif	defined(__DECC) && defined(__alpha)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif   defined(_MSC_VER) && defined(_M_IX86)
-#   undef INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    _asm {
-            call    self
-    self:   pop     eax
-            mov     scratch,eax
-         }
-    ret = (void *)((size_t)scratch&~3UL);
-#endif
-  return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif	defined(_AIX)
-    struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_HPUX_SOURCE)
-# if	defined(__hppa) || defined(__hppa__)
-    struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
-    if (sizeof(p) == 8)	/* 64-bit */
-	return p->i[2];
-    else if ((size_t)p & 2)
-    {	p = (void *)((size_t)p&~3UL);
-	return p->i[0];
-    }
-    else
-	return (void *)p;
-# elif	defined(__ia64) || defined(__ia64__)
-    struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-# endif
-#elif	(defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
-    /* applies to both alpha and ia64 */
-    struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-#elif	defined(__VOS__)
-    /* applies to both pa-risc and ia32 */
-    struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_WIN32)
-# if	defined(_WIN64) && defined(_M_IA64)
-    struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
-    return p->ip;
-# else
-    return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */ 
-#elif	defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-    return (void *)instruction_pointer;
-#else
-    return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
deleted file mode 100644
index 6f5fdcecf..000000000
--- a/src/libstrongswan/fips/fips_signer.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <crypto/hashers/hasher.h>
-#include "fips.h"
-
-int main(int argc, char* argv[])
-{
-	FILE *f;
-	char *hmac_key = "strongSwan Version " VERSION;
-	char  hmac_signature[BUF_LEN];
-
-	/* initialize library */
-	library_init(STRONGSWAN_CONF);
-#ifdef USE_SHA1
-	lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1");
-#endif
-#ifdef USE_OPENSSL
-	lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl");
-#endif
-	lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac");
-
-	if (!fips_compute_hmac_signature(hmac_key, hmac_signature))
-	{
-		exit(1);
-	}
-	
-	/**
-     * write computed HMAC signature to fips_signature.h
-	 */
-	f = fopen("fips_signature.h", "wt");
-
-	if (f == NULL)
-	{
-		exit(1);
-	}
-	fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n");
-	fprintf(f, " *\n");
-	fprintf(f, " * This file has been automatically generated by fips_signer\n");
-	fprintf(f, " * Do not edit manually!\n");
-	fprintf(f, " */\n");
-	fprintf(f, "\n");
-	fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n");
-	fprintf(f, "#define FIPS_SIGNATURE_H_\n");
-	fprintf(f, "\n");
-	fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key);
-	fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature);
-	fprintf(f, "\n");
-	fprintf(f, "#endif /* FIPS_SIGNATURE_H_ @} */\n");
-	fclose(f);
-
-	library_deinit();
-	exit(0);
-}
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 3f62b24d5..eab56c42d 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -30,19 +30,16 @@
  *
  * @defgroup crypto crypto
  * @ingroup libstrongswan
- 
+ *
  * @defgroup database database
  * @ingroup libstrongswan
- 
+ *
  * @defgroup fetcher fetcher
  * @ingroup libstrongswan
- 
- * @defgroup fips fips
- * @ingroup libstrongswan
- 
+ *
  * @defgroup plugins plugins
  * @ingroup libstrongswan
- 
+ *
  * @defgroup utils utils
  * @ingroup libstrongswan
  */
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 3686c07ac..b7d303d12 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -40,11 +40,6 @@
 #include <credentials/keys/private_key.h>
 #include <utils/optionsfrom.h>
 
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
 #define OPENAC_PATH   		IPSEC_CONFDIR "/openac"
 #define OPENAC_SERIAL 		IPSEC_CONFDIR "/openac/serial"
 
@@ -482,20 +477,6 @@ int main(int argc, char **argv)
 
 	DBG1("starting openac (strongSwan Version %s)", VERSION);
 
-#ifdef INTEGRITY_TEST
-	DBG1("integrity test of libstrongswan code");
-	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
-	{
-		DBG1("  integrity test passed");
-	}
-	else
-	{
-		DBG1("  integrity test failed");
-		status = 3;
-		goto end;
-	}
-#endif /* INTEGRITY_TEST */
-
 	/* load the signer's RSA private key */
 	if (keyfile != NULL)
 	{
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 01237305b..c9cb6651f 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -110,11 +110,6 @@ if USE_SMARTCARD
   AM_CFLAGS += -DSMARTCARD
 endif
 
-# This compile option activates the integrity test of libstrongswan
-if USE_INTEGRITY_TEST
-  AM_CFLAGS += -DINTEGRITY_TEST
-endif
-
 if USE_CAPABILITIES
   pluto_LDADD += -lcap
 endif
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index a9377cba7..0ff9bfc0d 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -43,11 +43,6 @@
 #include <utils/enumerator.h>
 #include <utils/optionsfrom.h>
 
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips/fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
@@ -645,19 +640,6 @@ int main(int argc, char **argv)
 		lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
 	print_plugins();
 
-#ifdef INTEGRITY_TEST
-	DBG1("integrity test of libstrongswan code");
-	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
-	{
-		DBG1("  integrity test passed");
-	}
-	else
-	{
-		DBG1("  integrity test failed");
-		abort();
-	}
-#endif /* INTEGRITY_TEST */
-
 	init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
 	init_virtual_ip(virtual_private);
 	scx_init(pkcs11_module_path, pkcs11_init_args);