aboutsummaryrefslogtreecommitdiff
path: root/openssl/ssl/ssl_ciph.c
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/ssl/ssl_ciph.c')
-rw-r--r--openssl/ssl/ssl_ciph.c18
1 files changed, 12 insertions, 6 deletions
diff --git a/openssl/ssl/ssl_ciph.c b/openssl/ssl/ssl_ciph.c
index ac643c928..92d1e94d6 100644
--- a/openssl/ssl/ssl_ciph.c
+++ b/openssl/ssl/ssl_ciph.c
@@ -616,18 +616,24 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
{
const EVP_CIPHER *evp;
- if (s->ssl_version >= TLS1_VERSION &&
- c->algorithm_enc == SSL_RC4 &&
+ if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
+ s->ssl_version < TLS1_VERSION)
+ return 1;
+
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ return 1;
+#endif
+
+ if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
(evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
*enc = evp, *md = NULL;
- else if (s->ssl_version >= TLS1_VERSION &&
- c->algorithm_enc == SSL_AES128 &&
+ else if (c->algorithm_enc == SSL_AES128 &&
c->algorithm_mac == SSL_SHA1 &&
(evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
*enc = evp, *md = NULL;
- else if (s->ssl_version >= TLS1_VERSION &&
- c->algorithm_enc == SSL_AES256 &&
+ else if (c->algorithm_enc == SSL_AES256 &&
c->algorithm_mac == SSL_SHA1 &&
(evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
*enc = evp, *md = NULL;