From d0eb8a0b4edebadbbe5e5235611d6a7b32ea15a9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 1 Aug 2015 18:09:41 +0300
Subject: [PATCH] OpenSSL: Allow server/client random to be fetched in FIPS mode

tls_connection_get_keys() used to return TLS master secret, but that part was removed in commit 94f1fe6f6384a2ef379ef5b8cdc32a2fa01f8d13 ('Remove master key extraction from tls_connection_get_keys()'). Since then, there is no real need for preventing this function from being used in FIPS mode.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1dce157d0..7dc41a532 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2642,11 +2642,6 @@ static int tls_global_dh(SSL_CTX *ssl_ctx, const char *dh_file)
 int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
 struct tls_keys *keys)
 {
-#ifdef CONFIG_FIPS
- wpa_printf(MSG_ERROR, "OpenSSL: TLS keys cannot be exported in FIPS "
- "mode");
- return -1;
-#else /* CONFIG_FIPS */
 SSL *ssl;
 if (conn == NULL || keys == NULL)
@@ -2675,7 +2670,6 @@ int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
 #endif
 return 0;
-#endif /* CONFIG_FIPS */
 }