Posted to commits@trafficserver.apache.org by bc...@apache.org on 2015/05/01 03:45:09 UTC
[2/2] trafficserver git commit: TS-3576: Remove the need for FIPS
locking for OpenSSL
TS-3576: Remove the need for FIPS locking for OpenSSL
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d41e96fa
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d41e96fa
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d41e96fa
Branch: refs/heads/master
Commit: d41e96fafb097c0918c7c57728adf1afd08f3e91
Parents: ba1d6f7
Author: Bryan Call <bc...@apache.org>
Authored: Thu Apr 30 18:42:30 2015 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Thu Apr 30 18:44:45 2015 -0700
----------------------------------------------------------------------
iocore/net/SSLUtils.cc | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d41e96fa/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2fae482..0b73244 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -137,10 +137,17 @@ SSL_pthreads_thread_id()
}
static void
-SSL_locking_callback(int mode, int type, const char * /* file ATS_UNUSED */, int /* line ATS_UNUSED */)
+SSL_locking_callback(int mode, int type, const char *file, int line)
{
+ Debug("ssl_lock", "file: %s line: %d type: %d", file, line, type);
ink_assert(type < CRYPTO_num_locks());
+#ifdef OPENSSL_FIPS
+ if (type == CRYPTO_LOCK_FIPS || type == CRYPTO_LOCK_FIPS2) {
+ return;
+ }
+#endif
+
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&mutex_buf[type]);
} else if (mode & CRYPTO_UNLOCK) {
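Review bot: The early return for `CRYPTO_LOCK_FIPS` and `CRYPTO_LOCK_FIPS2` in SSL_locking_callback carries no comment explaining why skipping these two locks is safe. In FIPS builds, whatever OpenSSL state they guard is no longer serialized by this callback. I would add a comment above the `#ifdef OPENSSL_FIPS` block, for example `// FIPS lock types are deliberately not taken: <reason, and the OpenSSL FIPS module versions this was verified against>`, so the assumption can be re-checked when the FIPS module changes. The new `Debug("ssl_lock", ...)` call also sits on every lock and unlock operation, so it is worth confirming that it costs next to nothing when the tag is disabled. The function body continues past the end of this hunk.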
@@ -151,6 +158,7 @@ SSL_locking_callback(int mode, int type, const char * /* file ATS_UNUSED */, int
}
}
+
static bool
SSL_CTX_add_extra_chain_cert_file(SSL_CTX *ctx, const char *chainfile)
{
@@ -757,6 +765,12 @@ SSLInitializeLibrary()
SSL_load_error_strings();
SSL_library_init();
+#ifdef OPENSSL_FIPS
+ int mode = FIPS_mode();
+ FIPS_mode_set(mode);
+ Debug("ssl", "FIPS_mode: %d", mode);
+#endif
+
mutex_buf = (pthread_mutex_t *)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
for (int i = 0; i < CRYPTO_num_locks(); i++) {
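Review bot: The return value of `FIPS_mode_set(mode)` is discarded in the new `#ifdef OPENSSL_FIPS` block of SSLInitializeLibrary. If FIPS mode was requested and the call fails (it returns 0 on failure, for example when the module self-test does not pass), startup continues without FIPS mode in effect and nothing is reported. The `Debug("ssl", ...)` line also prints the value read before the call rather than the mode in effect afterwards. I would check the result and log the effective mode, e.g. `if (mode && !FIPS_mode_set(mode)) { Error("FIPS_mode_set(%d) failed", mode); }` followed by `Debug("ssl", "FIPS_mode: %d", FIPS_mode());`. Whether a failure should stop startup is a policy decision for the project; the function begins and continues outside this hunk.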