Make ssl code consistent with FIPS branch. The new code has no effect

at present because it asserts either noop flags or is inside OPENSSL_FIPS #ifdef's.
2008-06-16 16:56:43 +00:00
parent ff2ab9e6bb
commit 14748adb09
17 changed files with 122 additions and 32 deletions
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1396,6 +1396,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 		return(NULL);
 		}

+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && (meth->version < TLS1_VERSION))	
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+		return NULL;
+		}
+#endif
+
 	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
 		{
 		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);