#ifdef HAVE_OPENSSL_KEYLOG
mc->keylog_file = NULL;
#endif
+#ifdef HAVE_FIPS
+ mc->fips = UNSET;
+#endif
apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
apr_pool_cleanup_null,
#ifdef HAVE_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif
-#ifdef HAVE_FIPS
- sc->fips = UNSET;
-#endif
#ifndef OPENSSL_NO_COMP
sc->compression = UNSET;
#endif
#ifdef HAVE_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif
-#ifdef HAVE_FIPS
- cfgMergeBool(fips);
-#endif
#ifndef OPENSSL_NO_COMP
cfgMergeBool(compression);
#endif
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef HAVE_FIPS
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLModConfigRec *mc = myModConfig(cmd->server);
#endif
const char *err;
}
#ifdef HAVE_FIPS
- if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
+ if ((mc->fips != UNSET) && (mc->fips != (BOOL)(flag ? TRUE : FALSE)))
return "Conflicting SSLFIPS options, cannot be both On and Off";
- sc->fips = flag ? TRUE : FALSE;
+ mc->fips = flag ? TRUE : FALSE;
#else
if (flag)
return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
#ifdef HAVE_FIPS
static apr_status_t modssl_fips_cleanup(void *data)
{
- FIPS_mode_set(0);
+ modssl_fips_enable(0);
return APR_SUCCESS;
}
#endif
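Review bot: `modssl_fips_cleanup` drops the return value of `modssl_fips_enable(0)`, so a failure to leave FIPS mode at pool teardown is never reported; there is nothing to log through here since `data` is NULL, but the best-effort intent should be stated rather than implied, e.g. `(void)modssl_fips_enable(0); /* best effort: no server_rec available to log a failure */`. Worth a second comment line that on OpenSSL 3 this only clears the `fips` entry from the default property query of the default libctx, which is a different thing from the process-wide switch the pre-3.0 `FIPS_mode_set(0)` performed.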
if (sc->server && sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
-
-#ifdef HAVE_FIPS
- if (sc->fips == UNSET) {
- sc->fips = FALSE;
- }
-#endif
}
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
#ifdef HAVE_FIPS
- if (sc->fips) {
- if (!FIPS_mode()) {
- if (FIPS_mode_set(1)) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
- "Operating in SSL FIPS mode");
- apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
- apr_pool_cleanup_null);
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- return ssl_die(s);
- }
+ if (!modssl_fips_is_enabled() && mc->fips == TRUE) {
+ if (!modssl_fips_enable(1)) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
+ "Could not enable FIPS mode");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
+ return ssl_die(base_server);
}
+
+ apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ /* Log actual FIPS mode which the SSL library is operating under,
+ * which may have been set outside of the mod_ssl
+ * configuration. */
+ if (modssl_fips_is_enabled()) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
+ MODSSL_LIBRARY_NAME " has FIPS mode enabled");
}
else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
- "SSL FIPS mode disabled");
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(01886)
+ MODSSL_LIBRARY_NAME " has FIPS mode disabled");
}
#endif
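Review bot: On OpenSSL 3 the `if (!modssl_fips_enable(1))` check at the top of this hunk no longer establishes that a FIPS module is in use: `EVP_default_properties_enable_fips(NULL, 1)` only writes `fips=yes` into the default property query and returns success whether or not the FIPS provider is loaded, after which `EVP_default_properties_is_fips_enabled(NULL)` reports true, so the APLOGNO(01884) NOTICE would announce FIPS mode on a server with no FIPS provider, which then fails at the first algorithm fetch instead of at startup. Extend the failure condition under the 3.0 guard with `|| !OSSL_PROVIDER_available(NULL, "fips")` (needs `<openssl/provider.h>`) so the existing APLOGNO(01885) path catches the misconfiguration at startup. Separately, when `mc->fips == FALSE` but the library is already in FIPS mode, the `SSLFIPS off` directive is silently not honoured; a WARNING in that branch would tell operators their directive had no effect. The enclosing init function starts before this hunk, so `mc` being in scope here is assumed from the context lines.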
#define HAVE_OPENSSL_KEYLOG
#endif
+#ifdef HAVE_FIPS
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define modssl_fips_is_enabled() EVP_default_properties_is_fips_enabled(NULL)
+#define modssl_fips_enable(to) EVP_default_properties_enable_fips(NULL, (to))
+#else
+#define modssl_fips_is_enabled() FIPS_mode()
+#define modssl_fips_enable(to) FIPS_mode_set((to))
+#endif
+#endif /* HAVE_FIPS */
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
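Review bot: The new `modssl_fips_*` macros need a comment stating what each branch actually touches, since the two halves are not equivalent operations: the pre-3.0 branch wraps `FIPS_mode()`/`FIPS_mode_set()`, which OpenSSL 3 deprecates, while the 3.x branch acts on the default library context (the NULL libctx argument) by toggling the `fips` property in its default algorithm-fetch query and does not load or verify the FIPS provider. Suggest above the `#ifdef HAVE_FIPS`: `/* FIPS-mode query/toggle for the default libctx. Pre-3.0: the deprecated FIPS_mode* API. 3.x: sets/clears 'fips=yes' in the default property query only; the FIPS provider must be loaded separately (openssl.cnf). */`.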
/* Used for logging if SSLKEYLOGFILE is set at startup. */
apr_file_t *keylog_file;
#endif
+
+#ifdef HAVE_FIPS
+ BOOL fips;
+#endif
} SSLModConfigRec;
/** Structure representing configured filenames for certs and keys for
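Review bot: The new `fips` member of SSLModConfigRec is tri-state, not boolean: it is initialised to UNSET when the module config is created, only becomes TRUE or FALSE once an `SSLFIPS` directive is parsed, and the init code compares it against TRUE explicitly. Document that on the field so it is not read as a plain flag, e.g. `BOOL fips; /* SSLFIPS: UNSET until the directive is seen, then TRUE/FALSE; global, not per-vhost */`.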
#ifdef HAVE_TLSEXT
ssl_enabled_t strict_sni_vhost_check;
#endif
-#ifdef HAVE_FIPS
- BOOL fips;
-#endif
#ifndef OPENSSL_NO_COMP
BOOL compression;
#endif