From c76b7a1a82ba2cc04d3415804c20ccbb931598f0 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 26 Apr 2012 18:49:45 +0000 Subject: [PATCH] Don't try to use unvalidated composite ciphers in FIPS mode --- CHANGES | 4 +++- ssl/ssl_ciph.c | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index d8c701c6fb..943502ec0b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,9 @@ Changes between 1.0.1b and 1.0.1c [xx XXX xxxx] - *) + *) In FIPS mode don't try to use composite ciphers as they are not + approved. + [Steve Henson] Changes between 1.0.1a and 1.0.1b [26 Apr 2012] diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index b96d26faba..92d1e94d6a 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -620,6 +620,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, s->ssl_version < TLS1_VERSION) return 1; +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return 1; +#endif + if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && (evp=EVP_get_cipherbyname("RC4-HMAC-MD5"))) -- 2.25.1