Posted to cvs@httpd.apache.org by yl...@apache.org on 2022/05/31 23:01:24 UTC
svn commit: r1901470 - in /httpd/httpd/trunk: changes-entries/ssl_fips_30.txt modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h
Author: ylavic
Date: Tue May 31 23:01:24 2022
New Revision: 1901470
URL: http://svn.apache.org/viewvc?rev=1901470&view=rev
Log:
mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
* modules/ssl/ssl_private.h():
#define modssl_fips_is_enabled() and modssl_fips_enable() to wrap the
native OpenSSL FIPS functions available for the OPENSSL_VERSION_NUMBER in use.
* modules/ssl/ssl_engine_init.c(ssl_init_Module, modssl_fips_cleanup):
Use the new wrappers instead of the OPENSSL_VERSION_NUMBER < 3.0 functions.
Submitted by: Petr Sumbera <petr.sumbera oracle.com>, ylavic
Added:
httpd/httpd/trunk/changes-entries/ssl_fips_30.txt
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Added: httpd/httpd/trunk/changes-entries/ssl_fips_30.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/ssl_fips_30.txt?rev=1901470&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/ssl_fips_30.txt (added)
+++ httpd/httpd/trunk/changes-entries/ssl_fips_30.txt Tue May 31 23:01:24 2022
@@ -0,0 +1,2 @@
+ *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
+ [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
\ No newline at end of file
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1901470&r1=1901469&r2=1901470&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Tue May 31 23:01:24 2022
@@ -216,7 +216,7 @@ int ssl_is_challenge(conn_rec *c, const
#ifdef HAVE_FIPS
static apr_status_t modssl_fips_cleanup(void *data)
{
- FIPS_mode_set(0);
+ modssl_fips_enable(0);
return APR_SUCCESS;
}
#endif
@@ -348,8 +348,8 @@ apr_status_t ssl_init_Module(apr_pool_t
}
#ifdef HAVE_FIPS
- if (!FIPS_mode() && mc->fips == TRUE) {
- if (!FIPS_mode_set(1)) {
+ if (!modssl_fips_is_enabled() && mc->fips == TRUE) {
+ if (!modssl_fips_enable(1)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
"Could not enable FIPS mode");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
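Review bot: On the OpenSSL 3.0 branch the `!modssl_fips_enable(1)` check no longer proves that a FIPS module is in use. `EVP_default_properties_enable_fips(NULL, 1)` only adds `fips=yes` to the default property query of the default library context; it does not load or verify the fips provider. With SSLFIPS on and no fips provider configured, the call can still succeed, so the failure would presumably surface later as algorithm fetch errors rather than as this EMERG at startup, and the NOTICE guarded by `modssl_fips_is_enabled()` in the next hunk would still report FIPS mode enabled. Consider having the 3.0 wrapper also require the provider, e.g. `(EVP_default_properties_enable_fips(NULL, (to)) && (!(to) || OSSL_PROVIDER_available(NULL, "fips")))`. ssl_init_Module starts and ends outside this hunk.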
@@ -363,7 +363,7 @@ apr_status_t ssl_init_Module(apr_pool_t
/* Log actual FIPS mode which the SSL library is operating under,
* which may have been set outside of the mod_ssl
* configuration. */
- if (FIPS_mode()) {
+ if (modssl_fips_is_enabled()) {
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
MODSSL_LIBRARY_NAME " has FIPS mode enabled");
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1901470&r1=1901469&r2=1901470&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Tue May 31 23:01:24 2022
@@ -266,6 +266,16 @@ void free_bio_methods(void);
#define HAVE_OPENSSL_KEYLOG
#endif
+#ifdef HAVE_FIPS
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define modssl_fips_is_enabled() EVP_default_properties_is_fips_enabled(NULL)
+#define modssl_fips_enable(to) EVP_default_properties_enable_fips(NULL, (to))
+#else
+#define modssl_fips_is_enabled() FIPS_mode()
+#define modssl_fips_enable(to) FIPS_mode_set((to))
+#endif
+#endif /* HAVE_FIPS */
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
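Review bot: The new `modssl_fips_is_enabled()` / `modssl_fips_enable()` macros have no comment, and their two branches are not equivalent. The pre-3.0 branch toggles the library's global FIPS mode, while the 3.0 branch reads and sets the `fips` default property on the default library context (the `NULL` argument). A comment above `#ifdef HAVE_FIPS` would make this visible to callers, for example `/* OpenSSL >= 3.0: acts on the default property query of the default libctx only; the fips provider must be loaded separately (e.g. via openssl.cnf). */`. As a style point, the doubled parentheses in `FIPS_mode_set((to))` can be written `FIPS_mode_set(to)`.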