You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@trafficserver.apache.org by bc...@apache.org on 2015/05/01 03:45:09 UTC

[2/2] trafficserver git commit: TS-3576: Remove the need for FIPS locking for OpenSSL

TS-3576: Remove the need for FIPS locking for OpenSSL


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d41e96fa
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d41e96fa
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d41e96fa

Branch: refs/heads/master
Commit: d41e96fafb097c0918c7c57728adf1afd08f3e91
Parents: ba1d6f7
Author: Bryan Call <bc...@apache.org>
Authored: Thu Apr 30 18:42:30 2015 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Thu Apr 30 18:44:45 2015 -0700

----------------------------------------------------------------------
 iocore/net/SSLUtils.cc | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d41e96fa/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2fae482..0b73244 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -137,10 +137,17 @@ SSL_pthreads_thread_id()
 }
 
 static void
-SSL_locking_callback(int mode, int type, const char * /* file ATS_UNUSED */, int /* line ATS_UNUSED */)
+SSL_locking_callback(int mode, int type, const char *file, int line)
 {
+  Debug("ssl_lock", "file: %s line: %d type: %d", file, line, type);
   ink_assert(type < CRYPTO_num_locks());
 
+#ifdef OPENSSL_FIPS
+  if (type == CRYPTO_LOCK_FIPS || type == CRYPTO_LOCK_FIPS2) {
+    return;
+  }
+#endif
+
   if (mode & CRYPTO_LOCK) {
     pthread_mutex_lock(&mutex_buf[type]);
   } else if (mode & CRYPTO_UNLOCK) {
@@ -151,6 +158,7 @@ SSL_locking_callback(int mode, int type, const char * /* file ATS_UNUSED */, int
   }
 }
 
+
 static bool
 SSL_CTX_add_extra_chain_cert_file(SSL_CTX *ctx, const char *chainfile)
 {
@@ -757,6 +765,12 @@ SSLInitializeLibrary()
     SSL_load_error_strings();
     SSL_library_init();
 
+#ifdef OPENSSL_FIPS
+    int mode = FIPS_mode();
+    FIPS_mode_set(mode);
+    Debug("ssl", "FIPS_mode: %d", mode);
+#endif
+
     mutex_buf = (pthread_mutex_t *)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
 
     for (int i = 0; i < CRYPTO_num_locks(); i++) {