mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.

author Yann Ylavic <ylavic@apache.org>

Tue, 31 May 2022 23:01:24 +0000 (23:01 +0000)

committer Yann Ylavic <ylavic@apache.org>

Tue, 31 May 2022 23:01:24 +0000 (23:01 +0000)
author Yann Ylavic <ylavic@apache.org>
Tue, 31 May 2022 23:01:24 +0000 (23:01 +0000)
committer Yann Ylavic <ylavic@apache.org>
Tue, 31 May 2022 23:01:24 +0000 (23:01 +0000)
diff --git a/changes-entries/ssl_fips_30.txt b/changes-entries/ssl_fips_30.txt

new file mode 100644 (file)

index 0000000..b5f35ec
--- /dev/null
+++ b/changes-entries/ssl_fips_30.txt
@@ -0,0 +1,2 @@
+  *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.  PR 66063.
+     [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
+\ No newline at end of file
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 11099e7fbce60dc47b4556cfab9b70e13b9a8d24..5e8ee6abcb49181ccda53f6b9159436991100a37 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -216,7 +216,7 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
  #ifdef HAVE_FIPS
  static apr_status_t modssl_fips_cleanup(void *data)
  {
-    FIPS_mode_set(0);
+    modssl_fips_enable(0);
      return APR_SUCCESS;
  }
  #endif
@@ -348,8 +348,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
      }
  
  #ifdef HAVE_FIPS
-    if (!FIPS_mode() && mc->fips == TRUE) {
-        if (!FIPS_mode_set(1)) {
+    if (!modssl_fips_is_enabled() && mc->fips == TRUE) {
+        if (!modssl_fips_enable(1)) {
              ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
                           "Could not enable FIPS mode");
              ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
@@ -363,7 +363,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
      /* Log actual FIPS mode which the SSL library is operating under,
       * which may have been set outside of the mod_ssl
       * configuration. */
-    if (FIPS_mode()) {
+    if (modssl_fips_is_enabled()) {
          ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
                       MODSSL_LIBRARY_NAME " has FIPS mode enabled");
      }
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h

index d48f3027f1ce9048ca4e98001437df39b44ef734..2bebde1981f728217f83607524b4babae6092fd5 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -266,6 +266,16 @@ void free_bio_methods(void);
  #define HAVE_OPENSSL_KEYLOG
  #endif
  
+#ifdef HAVE_FIPS
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define modssl_fips_is_enabled() EVP_default_properties_is_fips_enabled(NULL)
+#define modssl_fips_enable(to)   EVP_default_properties_enable_fips(NULL, (to))
+#else
+#define modssl_fips_is_enabled() FIPS_mode()
+#define modssl_fips_enable(to)   FIPS_mode_set((to))
+#endif
+#endif /* HAVE_FIPS */
+
  /* mod_ssl headers */
  #include "ssl_util_ssl.h"
author	Yann Ylavic <ylavic@apache.org>
	Tue, 31 May 2022 23:01:24 +0000 (23:01 +0000)
committer	Yann Ylavic <ylavic@apache.org>
	Tue, 31 May 2022 23:01:24 +0000 (23:01 +0000)
changes-entries/ssl_fips_30.txt	[new file with mode: 0644]	patch \| blob
modules/ssl/ssl_engine_init.c		patch \| blob \| blame \| history
modules/ssl/ssl_private.h		patch \| blob \| blame \| history