remove FIPS mode support. people who require FIPS can buy something that

meets their needs, but dumping it in here only penalizes the rest of us.
ok miod

1 files changed, 1 insertions, 14 deletions

diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index ed2e78bdcc..ed5ac725a2 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -617,11 +617,6 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                         s->ssl_version < TLS1_VERSION)
                 return 1;
 
-#ifdef OPENSSL_FIPS
-                if (FIPS_mode())
-                        return 1;
-#endif
-
                 if (c->algorithm_enc == SSL_RC4 &&
                         c->algorithm_mac == SSL_MD5 &&
                 (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
@@ -798,9 +793,6 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
                 c = ssl_method->get_cipher(i);
                 /* drop those that use any of that is not available */
                 if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
-                (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
                 !(c->algorithm_mkey & disabled_mkey) &&
                 !(c->algorithm_auth & disabled_auth) &&
                 !(c->algorithm_enc & disabled_enc) &&
@@ -1461,12 +1453,7 @@ const char *rule_str)
          * to the resulting precedence to the STACK_OF(SSL_CIPHER).
          */
         for (curr = head; curr != NULL; curr = curr->next) {
-#ifdef OPENSSL_FIPS
-                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
-                if (curr->active)
-#endif
-                {
+                if (curr->active) {
                         sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
                         printf("<%s>\n", curr->cipher->name);