diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-04-26 18:49:45 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-04-26 18:49:45 +0000 |
commit | c76b7a1a82ba2cc04d3415804c20ccbb931598f0 (patch) | |
tree | b470daaaeecad2473e48a3101fb8163004fe3670 | |
parent | c940e07014fc135c95e0e81a126a0ece9adf45c5 (diff) | |
download | openssl-new-c76b7a1a82ba2cc04d3415804c20ccbb931598f0.tar.gz |
Don't try to use unvalidated composite ciphers in FIPS mode
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 5 |
2 files changed, 8 insertions, 1 deletions
@@ -4,7 +4,9 @@ Changes between 1.0.1b and 1.0.1c [xx XXX xxxx] - *) + *) In FIPS mode don't try to use composite ciphers as they are not + approved. + [Steve Henson] Changes between 1.0.1a and 1.0.1b [26 Apr 2012] diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index b96d26faba..92d1e94d6a 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -620,6 +620,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, s->ssl_version < TLS1_VERSION) return 1; +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return 1; +#endif + if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && (evp=EVP_get_cipherbyname("RC4-HMAC-MD5"))) |