Make ssl code consistent with FIPS branch. The new code has no effect

at present because it asserts either noop flags or is inside OPENSSL_FIPS #ifdef's.
author: Dr. Stephen Henson <steve@openssl.org> 2008-06-16 16:56:43 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2008-06-16 16:56:43 +0000
commit: 14748adb096f124d4101578afed8d26da4f15f53 (patch)
tree: d03ebb869552073f10d40b14910c9ab0b6a93af6 /ssl/s23_clnt.c
parent: ff2ab9e6bbca8d9eed37dda647e8a37254ef2107 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index c45a8e0a04..bc918170e1 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s)
 			version_major = TLS1_VERSION_MAJOR;
 			version_minor = TLS1_VERSION_MINOR;
 			}
+#ifdef OPENSSL_FIPS
+		else if(FIPS_mode())
+			{
+			SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+			return -1;
+			}
+#endif
 		else if (version == SSL3_VERSION)
 			{
 			version_major = SSL3_VERSION_MAJOR;
@@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s)
 		if ((p[2] == SSL3_VERSION_MINOR) &&
 			!(s->options & SSL_OP_NO_SSLv3))
 			{
+#ifdef OPENSSL_FIPS
+			if(FIPS_mode())
+				{
+				SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+				goto err;
+				}
+#endif
 			s->version=SSL3_VERSION;
 			s->method=SSLv3_client_method();
 			}
author	Dr. Stephen Henson <steve@openssl.org>	2008-06-16 16:56:43 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2008-06-16 16:56:43 +0000
commit	14748adb096f124d4101578afed8d26da4f15f53 (patch)
tree	d03ebb869552073f10d40b14910c9ab0b6a93af6 /ssl/s23_clnt.c
parent	ff2ab9e6bbca8d9eed37dda647e8a37254ef2107 (diff)