authorDr. Stephen Henson <steve@openssl.org>2012-04-26 18:49:45 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-04-26 18:49:45 +0000
commitc76b7a1a82ba2cc04d3415804c20ccbb931598f0 (patch)
treeb470daaaeecad2473e48a3101fb8163004fe3670
parentc940e07014fc135c95e0e81a126a0ece9adf45c5 (diff)
downloadopenssl-new-c76b7a1a82ba2cc04d3415804c20ccbb931598f0.tar.gz
Don't try to use unvalidated composite ciphers in FIPS mode
-rw-r--r--CHANGES4
-rw-r--r--ssl/ssl_ciph.c5
2 files changed, 8 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index d8c701c6fb..943502ec0b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,9 @@
Changes between 1.0.1b and 1.0.1c [xx XXX xxxx]
- *)
+ *) In FIPS mode don't try to use composite ciphers as they are not
+ approved.
+ [Steve Henson]
Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b96d26faba..92d1e94d6a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -620,6 +620,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
s->ssl_version < TLS1_VERSION)
return 1;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ return 1;
+#endif
+
if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
(evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
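Review bot: The new `FIPS_mode()` guard in ssl_cipher_get_evp has no comment explaining why it returns before the composite-cipher lookups, so a later reader cannot tell that the early `return 1` is a compliance boundary rather than a shortcut. I would add `/* Composite (stitched cipher+MAC) EVP implementations are not FIPS validated: keep the separate enc/md pair in FIPS mode */` directly above `if (FIPS_mode())`. The guard covers only this lookup path; whether the composite EVP ciphers are also refused when requested by name elsewhere is not visible here and is worth confirming. The function body starts before and continues past this hunk.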