Make ssl code consistent with FIPS branch. The new code has no effect

at present because it asserts either noop flags or is inside OPENSSL_FIPS #ifdef's.
author: Dr. Stephen Henson <steve@openssl.org> 2008-06-16 16:56:43 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2008-06-16 16:56:43 +0000
commit: 14748adb096f124d4101578afed8d26da4f15f53 (patch)
tree: d03ebb869552073f10d40b14910c9ab0b6a93af6 /ssl/s23_srvr.c
parent: ff2ab9e6bbca8d9eed37dda647e8a37254ef2107 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 6637bb9549..ba06e7ae2e 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s)
 			}
 		}
 
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && (s->version < TLS1_VERSION))
+		{
+		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+		goto err;
+		}
+#endif
+
 	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
 		{
 		/* we have SSLv3/TLSv1 in an SSLv2 header
author	Dr. Stephen Henson <steve@openssl.org>	2008-06-16 16:56:43 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2008-06-16 16:56:43 +0000
commit	14748adb096f124d4101578afed8d26da4f15f53 (patch)
tree	d03ebb869552073f10d40b14910c9ab0b6a93af6 /ssl/s23_srvr.c
parent	ff2ab9e6bbca8d9eed37dda647e8a37254ef2107 (diff)