author | Dr. Stephen Henson <steve@openssl.org> | 2011-05-25 15:31:32 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2011-05-25 15:31:32 +0000 |
commit | ebc5e72fe55e4d39bad6a336603afe1501a54684 (patch) | |
tree | e97d8ac1810db5fa3232732303fdf423cb757f5e /ssl/t1_lib.c | |
parent | 3d52f1d52b813652c845887d17c69699a92086d7 (diff) |
Don't advertise or use MD5 for TLS v1.2 in FIPS mode
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e673ec007c..43ca29adcd 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -317,9 +317,15 @@ static unsigned char tls12_sigalgs[] = {
 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
 {
+ size_t slen = sizeof(tls12_sigalgs);
+#ifdef OPENSSL_FIPS
+ /* If FIPS mode don't include MD5 which is last */
+ if (FIPS_mode())
+ slen -= 2;
+#endif
 if (p)
- memcpy(p, tls12_sigalgs, sizeof(tls12_sigalgs));
- return (int)sizeof(tls12_sigalgs);
+ memcpy(p, tls12_sigalgs, slen);
+ return (int)slen;
 }
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
@@ -2066,6 +2072,10 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
 {
 #ifndef OPENSSL_NO_MD5
 case TLSEXT_hash_md5:
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ return NULL;
+#endif
 return EVP_md5();
 #endif
 #ifndef OPENSSL_NO_SHA |
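Review bot: The `slen -= 2` in tls12_get_req_sig_algs assumes that the last two bytes of tls12_sigalgs are always the MD5 entry, and nothing in this hunk enforces that. The array initialiser is outside the hunk, but if its MD5 entry is compiled out under OPENSSL_NO_MD5 (the guard that wraps the MD5 case in tls12_get_hash), a FIPS build without MD5 would instead trim the last remaining, approved algorithm from the advertised list. Guarding the trim with `#if defined(OPENSSL_FIPS) && !defined(OPENSSL_NO_MD5)` would close that gap. A comment at the array such as `/* MD5 must stay last: tls12_get_req_sig_algs() trims it in FIPS mode */` would keep a later reordering from silently re-advertising MD5.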
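Review bot: The new FIPS branch in the `TLSEXT_hash_md5` case makes tls12_get_hash return NULL for a digest the build otherwise supports, and the hunk does not say why or what callers should do with that result. The callers are outside the hunk, so it is worth confirming that each one treats NULL as "do not use this algorithm" rather than dereferencing it or falling back to a default digest; this is presumably the path taken when a peer offers MD5 even though it was not advertised. A comment on the branch such as `/* MD5 is not permitted in FIPS mode: report it as unsupported */` would record the intent. The function body starts and ends outside the hunk.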