update ordinals

[oweals/openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1c3e9454d6b938a12b9fc7eeff9f02dbb7759e60..2cd78c13ccef9524410c3a49abd53ca9e9ecd3a9 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1532,6 +1532,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
                return(NULL);
                }
 
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+               return NULL;
+               }
+#endif
+
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -2086,7 +2094,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
                        return 0;
                        }
-               if ((alg_k & SSL_kECDHe) && s->version < TLS1_2_VERSION)
+               if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        /* signature alg must be ECDSA */
                        if (signature_nid != NID_ecdsa_with_SHA1)
@@ -2095,7 +2103,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
                                return 0;
                                }
                        }
-               if ((alg_k & SSL_kECDHr) && s->version < TLS1_2_VERSION)
+               if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        /* signature alg must be RSA */