Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/06/01 14:57:30 UTC
[tomcat-native] branch 1.2.x updated: Map the OpenSSL 3.x FIPS behaviour to the 1.x API
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 1.2.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.2.x by this push:
new 375eb456f Map the OpenSSL 3.x FIPS behaviour to the 1.x API
375eb456f is described below
commit 375eb456fff6bd9fe9b08feac450e6a430ee3abd
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 1 15:57:25 2022 +0100
Map the OpenSSL 3.x FIPS behaviour to the 1.x API
---
native/include/ssl_private.h | 3 +++
native/src/ssl.c | 22 ++++++++++++++++++++++
xdocs/miscellaneous/changelog.xml | 5 +++++
3 files changed, 30 insertions(+)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index f6b2840a8..f01fc2190 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -46,6 +46,9 @@
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
+#if (OPENSSL_VERSION_NUMBER > 0x2FFFFFFFL)
+#include <openssl/provider.h>
+#endif
/* Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
*/
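Review bot: the guard `#if (OPENSSL_VERSION_NUMBER > 0x2FFFFFFFL)` expresses "3.0.0 and later" as a strict comparison against an odd-looking boundary; `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` states the intent directly and matches the 3.x version-number layout. The same expression is repeated twice more in ssl.c in this commit, so defining it once in this header as a named macro would keep the three checks from drifting apart.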
diff --git a/native/src/ssl.c b/native/src/ssl.c
index 6d248550f..c44ef0f79 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -929,6 +929,25 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeGet)(TCN_STDARGS)
UNREFERENCED(o);
#ifdef OPENSSL_FIPS
return FIPS_mode();
+#elif (OPENSSL_VERSION_NUMBER > 0x2FFFFFFFL)
+ EVP_MD *md;
+ const OSSL_PROVIDER *provider;
+ const char *name;
+
+ // Maps the OpenSSL 3. x onwards behaviour to theOpenSSL 1.x API
+
+ // Checks that FIPS is the default provider
+ md = EVP_MD_fetch(NULL, "SHA-512", NULL);
+ provider = EVP_MD_get0_provider(md);
+ name = OSSL_PROVIDER_get0_name(provider);
+ // Clean up
+ EVP_MD_free(md);
+
+ if (strcmp("fips", name)) {
+ return 0;
+ } else {
+ return 1;
+ }
#else
/* FIPS is unavailable */
tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
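Review bot: `md` and `name` are used without a NULL check in the new `#elif` branch. `EVP_MD_fetch(NULL, "SHA-512", NULL)` returns NULL when no loaded provider can supply SHA-512 under the current default properties (for example a FIPS-only configuration whose module failed to load), and `EVP_MD_get0_provider(md)` then dereferences NULL instead of reporting a clean error; `OSSL_PROVIDER_get0_name` feeding a NULL into `strcmp` has the same problem. Suggest guarding before the provider lookup, e.g.
    if (md == NULL) {
        tcn_ThrowException(e, "Unable to fetch SHA-512 to determine the active provider");
        return 0;
    }
and checking `name` the same way. Two smaller points: fetching one digest under the default property query only shows which provider won the selection for SHA-512, not that the FIPS provider is the only one loaded, so the comment `// Checks that FIPS is the default provider` should say so (OpenSSL 3.0 also offers `EVP_default_properties_is_fips_enabled(NULL)` for the case where "fips=yes" has been set as the default property, which may be the cheaper test); and the surrounding code uses `/* */` comments, so the `//` lines, including the `3. x` and `theOpenSSL` typos, should be tidied to match.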
@@ -954,6 +973,9 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS, jint mode)
tcn_ThrowException(e, msg);
}
+#elif (OPENSSL_VERSION_NUMBER > 0x2FFFFFFFL)
+ /* This method should never be called when using OpenSSL 3.x onwards */
+ tcn_ThrowException(e, "fipsModeSet is not supported in OpenSSL 3.x onwards.");
#else
/* FIPS is unavailable */
tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
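Review bot: the new `#elif` branch rejects every `fipsModeSet` call under OpenSSL 3.x, but the message does not tell the caller what to do instead. Since the 3.x FIPS provider is selected through OpenSSL's own configuration rather than a runtime toggle, the exception text should point there, e.g. "fipsModeSet is not supported in OpenSSL 3.x onwards; select the FIPS provider via the OpenSSL configuration.", so a Tomcat user hitting this at startup can act on it without reading the native source.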
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 59ab613bc..4ad8aa595 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -40,6 +40,11 @@
Refactor library initialization so it is compatible with Tomcat 10.1.x
onwards where a number of Java classes have been removed. (markt)
</scode>
+ <add>
+ Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to allow clients
+ to determine if the FIPS provider is being used when Tomcat Native is
+ compiled against OpenSSL 3.x. (markt)
+ </add>
</changelog>
</section>
<section name="Changes in 1.2.33">
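Review bot: the changelog entry only covers the `fipsModeGet` mapping. The same commit makes `fipsModeSet` throw whenever Tomcat Native is built against OpenSSL 3.x, which is a visible behaviour change for anyone who previously enabled FIPS through that call, so the entry should also state that FIPS must now be selected through OpenSSL's configuration and that `fipsModeSet` is no longer supported on 3.x.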
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org