FIPS_mode() has been removed in OpenSSL 3.0
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 1 Oct 2021 17:18:30 +0000 (12:18 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Sat, 2 Oct 2021 01:02:54 +0000 (20:02 -0500)
 Load "legacy" provider for MD4

src/bin/radiusd.c
src/bin/unit_test_attribute.c
src/lib/tls/base.h
src/lib/tls/base.c
src/lib/tls/ctx.c
src/lib/util/md4.c
src/lib/util/md5.c
src/lib/util/md5.h
src/lib/util/sha1.h

index e5603e07d2c3e25b7f94ace8be26f6a163986295..6b3f1a869d5bc06e32734b137086bcf34f16e6d3 100644 (file)
@@ -457,7 +457,6 @@ int main(int argc, char *argv[])
 
        if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) EXIT_WITH_FAILURE;
 
-
 #ifdef HAVE_OPENSSL_CRYPTO_H
        /*
         *  Mismatch between build time OpenSSL and linked SSL, better to die
@@ -607,15 +606,10 @@ int main(int argc, char *argv[])
 
 #ifdef HAVE_OPENSSL_CRYPTO_H
        /*
-        *  Toggle OpenSSL FIPS mode
+        *  Toggle FIPS mode
         */
-       if (config->openssl_fips_mode_is_set) {
-               if (FIPS_mode_set(config->openssl_fips_mode ? 1 : 0) == 0) {
-                       fr_tls_log_error(NULL, "Failed %s OpenSSL FIPS mode",
-                                     config->openssl_fips_mode ? "enabling" : "disabling");
-                       EXIT_WITH_FAILURE;
-               }
-       }
+       if (config->openssl_fips_mode_is_set &&
+           (fr_openssl_fips_mode(config->openssl_fips_mode) < 0)) EXIT_WITH_FAILURE;
 #endif
 
        /*
index b7d3ab448b558937abed0b3961fe328214dc114f..eb473df39f5cf6532b657bc62d6c3ce7bdaac0df 100644 (file)
@@ -3181,7 +3181,7 @@ int main(int argc, char *argv[])
                fr_perror("unit_test_attribute");
                EXIT_WITH_FAILURE;
        }
-       
+
        unlang_thread_instantiate(autofree);
 
        if (!xlat_register(NULL, "test", xlat_test, false)) {
index e14053ad39483458cb7ad43fc7ad718932522a47..41394fc68b23efce16f98d294d9fe1a390c89e61 100644 (file)
@@ -178,6 +178,8 @@ int         fr_openssl_thread_init(size_t async_pool_size_init, size_t async_pool_size_
 
 int            fr_openssl_init(void);
 
+int            fr_openssl_fips_mode(bool enabled);
+
 void           fr_openssl_free(void);
 
 int            fr_tls_dict_init(void);
index 94c01dd241904f9e83cfdeecd4533bd2411fabec..0d8d7b1ec78c18f7691c213c32cbb60a741a23bb 100644 (file)
@@ -31,6 +31,9 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #define LOG_PREFIX "tls - "
 
 #include <openssl/conf.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#  include <openssl/provider.h>
+#endif
 
 #include <freeradius-devel/server/base.h>
 #include <freeradius-devel/tls/attrs.h>
@@ -422,6 +425,28 @@ int fr_openssl_init(void)
                return -1;
        }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+       /*
+        *      Load the default provider for most algorithms
+        */
+       if (!OSSL_PROVIDER_load(NULL, "default")) {
+               fr_tls_log_error(NULL, "Failed loading default provider");
+               return -1;
+       }
+
+       /*
+        *      Needed for MD4
+        *
+        *      https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
+        */
+       if (!OSSL_PROVIDER_load(NULL, "legacy")) {
+               fr_tls_log_error(NULL, "Failed loading legacy provider");
+               return -1;
+       }
+#endif
+
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
        /*
         *      SHA256 is in all versions of OpenSSL, but isn't
         *      initialized by default.  It's needed for WiMAX
@@ -429,8 +454,6 @@ int fr_openssl_init(void)
         */
        EVP_add_digest(EVP_sha256());
 
-       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-
        /*
         *      FIXME - This should be done _after_
         *      running any engine controls.
@@ -446,6 +469,30 @@ int fr_openssl_init(void)
        return 0;
 }
 
+/** Enable or disable fips mode
+ *
+ * @param[in] enabled          If true enable fips mode if false disable fips mode.
+ * @return
+ *     - 0 on success.
+ *      - -1 on failure
+ */
+int fr_openssl_fips_mode(bool enabled)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+       if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
+               fr_tls_log_error(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+               return -1;
+       }
+#else
+       if (!FIPS_mode_set(enabled ? 1 : 0)) {
+               fr_tls_log_error(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+               return -1;
+       }
+#endif
+
+       return 0;
+}
+
 /** Load dictionary attributes
  *
  * This is a separate function because of ordering issues.
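Review bot: In the OpenSSL 3 branch of fr_openssl_fips_mode, `EVP_set_default_properties(NULL, "fips=no")` pins a hard `fips=no` requirement on every algorithm fetch, which may exclude implementations that define no fips property at all, and `"fips=yes"` returns success even though fr_openssl_init only loads the `default` and `legacy` providers, so the absence of FIPS implementations would surface only when a later fetch fails. The API intended for this toggle is `EVP_default_properties_enable_fips(NULL, enabled ? 1 : 0)`, which adds `fips=yes` or clears the clause instead of requiring `fips=no`. When enabling, a check such as `if (enabled && !OSSL_PROVIDER_available(NULL, "fips")) { fr_tls_log_error(NULL, "FIPS provider not available"); return -1; }` makes the misconfiguration visible at startup rather than at the first digest. The doc comment's `@return` list would also benefit from naming that the error is logged via fr_tls_log_error() rather than fr_strerror().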
index 92a922e3b3ca27bd4dedb961f98ff871062d9b57..dd70219b1268b04aa56afff4faf5e88150c90349 100644 (file)
@@ -38,6 +38,9 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 
 #include <openssl/rand.h>
 #include <openssl/dh.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#  include <openssl/provider.h>
+#endif
 
 #include "base.h"
 #include "utils.h"
@@ -89,7 +92,11 @@ static int ctx_dh_params_load(SSL_CTX *ctx, char *file)
         * Change suggested by @t8m
         */
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#  if OPENSSL_VERSION_NUMBER >= 0x30000000L
+       if (EVP_default_properties_is_fips_enabled(NULL)) {
+#  else
        if (FIPS_mode() > 0) {
+#endif
                WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
                return 0;
        }
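Review bot: The closing `#endif` of the nested OpenSSL 3 conditional is written at column 0 while its matching `#  if` and `#  else` use the two-space nested style, so the `{` opened inside the conditional reads as if it closed the outer `#if OPENSSL_VERSION_NUMBER >= 0x10101000L`; write it as `#  endif` to match. ctx_dh_params_load continues outside the hunk.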
index 7ae2c81f8d8aa3dc65be4188350efefedc684bc0..5589504d3ade42a07b43acc6f5cfecb0e070da06 100644 (file)
@@ -26,8 +26,14 @@ static _Thread_local fr_md4_ctx_t *md4_ctx;
  *     be operating in FIPS mode where MD4 digest functions are unavailable.
  */
 #ifdef HAVE_OPENSSL_EVP_H
+
 #  include <openssl/evp.h>
 #  include <openssl/crypto.h>
+#  include <openssl/err.h>
+
+#  if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#    include <openssl/provider.h>
+#  endif
 
 static int have_openssl_md4 = -1;
 
@@ -74,7 +80,18 @@ static fr_md4_ctx_t *fr_md4_openssl_ctx_alloc(bool thread_local)
                                return NULL;
                        }
                        fr_atexit_thread_local(md4_ctx, _md4_ctx_openssl_free_on_exit, md_ctx);
-                       EVP_DigestInit_ex(md_ctx, EVP_md4(), NULL);
+                       if (unlikely(EVP_DigestInit_ex(md_ctx, EVP_md4(), NULL) != 1)) {
+                               char buffer[256];
+                       error:
+
+                               ERR_error_string_n(ERR_get_error(), buffer, sizeof(buffer));
+
+                               fr_strerror_printf("Failed initialising MD4 ctx: %s", buffer);
+                               EVP_MD_CTX_free(md_ctx);
+                               md_ctx = NULL;
+
+                               return NULL;
+                       }
                } else {
                        md_ctx = md4_ctx;
                }
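Review bot: In fr_md4_openssl_ctx_alloc, `fr_atexit_thread_local(md4_ctx, _md4_ctx_openssl_free_on_exit, md_ctx)` is still invoked before `EVP_DigestInit_ex()`, so when the new error path frees `md_ctx` the registered thread-exit destructor (and, if that macro also assigns the thread-local as its name suggests, `md4_ctx` itself) still refers to the freed context; a later call on the same thread would take the `md_ctx = md4_ctx` branch on a dangling pointer and the destructor would free it a second time. Registering only after a successful init avoids this: move the `fr_atexit_thread_local(...)` line below the new `if` block. The `error:` label placed after `char buffer[256];` is also the target of `goto error` from the non-thread-local branch in the next hunk, which is legal for a fixed-size array but easy to misread; a comment such as `/* buffer is written by ERR_error_string_n() before it is read */` at the label would help. fr_md4_openssl_ctx_alloc starts outside this hunk.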
@@ -86,7 +103,7 @@ static fr_md4_ctx_t *fr_md4_openssl_ctx_alloc(bool thread_local)
        } else {
                md_ctx = EVP_MD_CTX_new();
                if (unlikely(!md_ctx)) goto oom;
-               EVP_DigestInit_ex(md_ctx, EVP_md4(), NULL);
+               if (EVP_DigestInit_ex(md_ctx, EVP_md4(), NULL) != 1) goto error;
        }
 
        return md_ctx;
@@ -339,7 +356,11 @@ static fr_md4_ctx_t *fr_md4_local_ctx_alloc(bool thread_local)
                 *      md4 functions, and call the OpenSSL init
                 *      function.
                 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               if (!EVP_default_properties_is_fips_enabled(NULL)) {
+#else
                if (FIPS_mode() == 0) {
+#endif
                        have_openssl_md4 = 1;
 
                        /*
index e73ea84b60261abec2a5c7bfcde9374d5ebe03d7..ac9f4b6f97afaee66066686c5bb830a58ba0e5be 100644 (file)
@@ -35,10 +35,15 @@ typedef struct {
        bool            used;
        fr_md5_ctx_t    *md_ctx;
 } fr_md5_free_list_t;
-static _Thread_local fr_md5_free_list_t * md5_array;
+static _Thread_local fr_md5_free_list_t *md5_array;
 
 #  include <openssl/evp.h>
 #  include <openssl/crypto.h>
+#  include <openssl/err.h>
+
+#  if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#    include <openssl/provider.h>
+#  endif
 
 static int have_openssl_md5 = -1;
 
@@ -96,7 +101,18 @@ static fr_md5_ctx_t *fr_md5_openssl_ctx_alloc(bool thread_local)
                        fr_strerror_const("Out of memory");
                        return NULL;
                }
-               EVP_DigestInit_ex(md_ctx, EVP_md5(), NULL);
+               if (unlikely(EVP_DigestInit_ex(md_ctx, EVP_md5(), NULL) != 1)) {
+                       char buffer[256];
+               error:
+
+                       ERR_error_string_n(ERR_get_error(), buffer, sizeof(buffer));
+
+                       fr_strerror_printf("Failed initialising MD5 ctx: %s", buffer);
+                       EVP_MD_CTX_free(md_ctx);
+                       md_ctx = NULL;
+
+                       return NULL;
+               }
                return md_ctx;
        }
 
@@ -110,9 +126,11 @@ static fr_md5_ctx_t *fr_md5_openssl_ctx_alloc(bool thread_local)
                 *      Initialize all MD5 contexts
                 */
                for (i = 0; i < ARRAY_SIZE; i++) {
-                       free_list[i].md_ctx = EVP_MD_CTX_new();
-                       if (!free_list[i].md_ctx ) goto oom;
-                       EVP_DigestInit_ex(free_list[i].md_ctx, EVP_md5(), NULL);
+                       md_ctx = EVP_MD_CTX_new();
+                       if (unlikely(md_ctx == NULL)) goto oom;
+
+                       if (unlikely(EVP_DigestInit_ex(md_ctx, EVP_md5(), NULL) != 1)) goto error;
+                       free_list[i].md_ctx = md_ctx;
                }
        } else {
                free_list = md5_array;
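Review bot: When `EVP_DigestInit_ex()` fails part-way through the `for (i = 0; i < ARRAY_SIZE; i++)` loop, `goto error` frees only the context just created and returns NULL, leaving `free_list[0..i-1].md_ctx` initialised but unreachable, and `free_list` itself (allocated outside this hunk) appears to leak unless its allocator ties it to a parent. Unwinding before the jump keeps the failure path clean: `while (i > 0) EVP_MD_CTX_free(free_list[--i].md_ctx);`, then release `free_list` with the call matching its allocation, then `goto error`. The `error:` label lives in the earlier `if` block of this function, so the jump enters that block's scope; that is valid for the fixed-size `buffer` but worth a one-line comment at the label. fr_md5_openssl_ctx_alloc starts outside this hunk.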
@@ -378,7 +396,11 @@ static fr_md5_ctx_t *fr_md5_local_ctx_alloc(bool thread_local)
                 *      md5 functions, and call the OpenSSL init
                 *      function.
                 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               if (!EVP_default_properties_is_fips_enabled(NULL)) {
+#else
                if (FIPS_mode() == 0) {
+#endif
                        have_openssl_md5 = 1;
 
                        /*
index 46bdfeee8565bbdeb2f6f85671c9c97cc00248bc..6da77ec54683623c6da17bd77f6ba8e7b775f1f7 100644 (file)
@@ -85,7 +85,7 @@ extern                fr_md5_final_t          fr_md5_final;
 void           fr_md5_calc(uint8_t out[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen);
 
 /* hmac.c */
-void           fr_hmac_md5(uint8_t digest[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen,
+int            fr_hmac_md5(uint8_t digest[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen,
                            uint8_t const *key, size_t key_len);
 #ifdef __cplusplus
 }
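Review bot: The prototype of fr_hmac_md5 now returns `int` but the header gives no contract for the value, and hmac.c is not in this commit's file list, so a reader cannot tell whether the definition already matches or what callers should check; the same applies to fr_hmac_sha1 in sha1.h. Document it next to the declaration, e.g. `/** @return 0 on success, -1 on failure (error available via fr_strerror()) */` if that is the convention the implementation follows. Callers should then be audited to check the result, since a failed HMAC in FIPS mode may leave `digest` unwritten.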
index a58879b3cbb6ea75ef8b4b387990d46c59aa89e9..8906e1f68bdca20b85b7aa97a1026dbc75a2cb93 100644 (file)
@@ -57,8 +57,8 @@ USES_APPLE_DEPRECATED_API
 
 /* hmacsha1.c */
 
-void fr_hmac_sha1(uint8_t digest[static SHA1_DIGEST_LENGTH], uint8_t const *in, size_t inlen,
-                 uint8_t const *key, size_t key_len);
+int fr_hmac_sha1(uint8_t digest[static SHA1_DIGEST_LENGTH], uint8_t const *in, size_t inlen,
+                uint8_t const *key, size_t key_len);
 
 #ifdef __cplusplus
 }