remove FIPS mode support. people who require FIPS can buy something that

meets their needs, but dumping it in here only penalizes the rest of us.
ok miod

1 files changed, 1 insertions, 14 deletions

diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index ed2e78bdcc9..ed5ac725a23 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -617,11 +617,6 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 			s->ssl_version < TLS1_VERSION)
 		return 1;
 
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			return 1;
-#endif
-
 		if (c->algorithm_enc == SSL_RC4 &&
 			c->algorithm_mac == SSL_MD5 &&
 		(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
@@ -798,9 +793,6 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 		c = ssl_method->get_cipher(i);
 		/* drop those that use any of that is not available */
 		if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
-		(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
 		!(c->algorithm_mkey & disabled_mkey) &&
 		!(c->algorithm_auth & disabled_auth) &&
 		!(c->algorithm_enc & disabled_enc) &&
@@ -1461,12 +1453,7 @@ const char *rule_str)
 	 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
 	 */
 	for (curr = head; curr != NULL; curr = curr->next) {
-#ifdef OPENSSL_FIPS
-		if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
-		if (curr->active)
-#endif
-		{
+		if (curr->active) {
 			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
 			printf("<%s>\n", curr->cipher->name);