From: Stefan Eissing
Date: Fri, 3 Jun 2022 08:27:07 +0000 (+0000)
Subject: Merge Pull 321 (trunk: r1874005, r1877261, r1901470):
X-Git-Tag: 2.4.54-rc1-candidate~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5129665ae9271a6e1bef17019f0bb826d3be2590;p=thirdparty%2Fapache%2Fhttpd.git

Merge Pull 321 (trunk: r1874005, r1877261, r1901470):
*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
[Petr Sumbera , Yann Ylavic]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901586 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/ssl_fips_30.txt b/changes-entries/ssl_fips_30.txt
new file mode 100644
index 00000000000..b5f35ec0d2d
--- /dev/null
+++ b/changes-entries/ssl_fips_30.txt
@@ -0,0 +1,2 @@
+ *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
+ [Petr Sumbera , Yann Ylavic]
\ No newline at end of file
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 0a59afd9446..7e950259eaa 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -78,6 +78,9 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 #ifdef HAVE_OPENSSL_KEYLOG
 mc->keylog_file = NULL;
 #endif
+#ifdef HAVE_FIPS
+ mc->fips = UNSET;
+#endif
 apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY, apr_pool_cleanup_null,
@@ -224,9 +227,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
 #ifdef HAVE_TLSEXT
 sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
 #endif
-#ifdef HAVE_FIPS
- sc->fips = UNSET;
-#endif
 #ifndef OPENSSL_NO_COMP
 sc->compression = UNSET;
 #endif
@@ -399,9 +399,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
 #ifdef HAVE_TLSEXT
 cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
 #endif
-#ifdef HAVE_FIPS
- cfgMergeBool(fips);
-#endif
 #ifndef OPENSSL_NO_COMP
 cfgMergeBool(compression);
 #endif
@@ -749,7 +746,7 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef HAVE_FIPS
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLModConfigRec *mc = myModConfig(cmd->server);
 #endif
 const char *err;
@@ -758,9 +755,9 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
 }
 #ifdef HAVE_FIPS
- if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
+ if ((mc->fips != UNSET) && (mc->fips != (BOOL)(flag ? TRUE : FALSE)))
 return "Conflicting SSLFIPS options, cannot be both On and Off";
- sc->fips = flag ? TRUE : FALSE;
+ mc->fips = flag ? TRUE : FALSE;
 #else
 if (flag)
 return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 43119046a94..35c34d35cf3 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -213,7 +213,7 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
 #ifdef HAVE_FIPS
 static apr_status_t modssl_fips_cleanup(void *data)
 {
- FIPS_mode_set(0);
+ modssl_fips_enable(0);
 return APR_SUCCESS;
 }
 #endif
@@ -304,12 +304,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 if (sc->server && sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
 sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
 }
-
-#ifdef HAVE_FIPS
- if (sc->fips == UNSET) {
- sc->fips = FALSE;
- }
-#endif
 }
 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
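Review bot: In the second hunk of ssl_cmd_SSLFIPS the expression `flag ? TRUE : FALSE` is spelled out twice, once cast to BOOL inside the conflict check and once in the assignment three lines below; computing it once reads better now that the value lands in the process-wide module config: `BOOL want = flag ? TRUE : FALSE;`, `if (mc->fips != UNSET && mc->fips != want)` and then `mc->fips = want;`. Because `mc` comes from `myModConfig(cmd->server)` and is shared by every server_rec, the "Conflicting SSLFIPS options" error now fires for an opposite-valued SSLFIPS anywhere in the configuration, which the old per-server `sc->fips` check did not; a comment such as `/* mc is shared by all servers: any earlier SSLFIPS with the opposite value conflicts */` would record why the check no longer goes through SSLSrvConfigRec. Whether a vhost can reach this code at all is decided by the context check between the two hunks, which is outside them, as is the rest of the function body.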
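Review bot: The result of `modssl_fips_enable(0)` on the `+` line of modssl_fips_cleanup is dropped; both expansions of that macro in ssl_private.h (FIPS_mode_set and EVP_default_properties_enable_fips) report failure as 0, so the intent should be explicit, e.g. `(void)modssl_fips_enable(0); /* best effort: nothing to recover at pool teardown */`, or a debug-level log when it fails. The surrounding function is fully inside the hunk.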
@@ -336,24 +330,28 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
 #ifdef HAVE_FIPS
- if (sc->fips) {
- if (!FIPS_mode()) {
- if (FIPS_mode_set(1)) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
- "Operating in SSL FIPS mode");
- apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
- apr_pool_cleanup_null);
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- return ssl_die(s);
- }
+ if (!modssl_fips_is_enabled() && mc->fips == TRUE) {
+ if (!modssl_fips_enable(1)) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
+ "Could not enable FIPS mode");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
+ return ssl_die(base_server);
 }
+
+ apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ /* Log actual FIPS mode which the SSL library is operating under,
+ * which may have been set outside of the mod_ssl
+ * configuration. */
+ if (modssl_fips_is_enabled()) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
+ MODSSL_LIBRARY_NAME " has FIPS mode enabled");
 }
 else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
- "SSL FIPS mode disabled");
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(01886)
+ MODSSL_LIBRARY_NAME " has FIPS mode disabled");
 }
 #endif
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index a329d99a031..5d238b79644 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
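Review bot: On OpenSSL 3.0 the success test `if (!modssl_fips_enable(1))` on the second `+` line is weaker than the `FIPS_mode_set(1)` check it replaces: the 3.0 expansion `EVP_default_properties_enable_fips(NULL, 1)` from the ssl_private.h hunk of this commit sets the default property query to require FIPS algorithms and, as far as I can tell, does not verify that a FIPS provider is actually loaded, so a build whose fips provider is missing or misconfigured passes this check, logs APLOGNO(01884) as "enabled", and only fails later when algorithms are fetched. Verifying provider availability before reporting success, for example with `OSSL_PROVIDER_available(NULL, "fips")` under the 3.0 branch and failing with APLOGNO(01885) when it returns 0, would keep the fail-closed behaviour the EMERG path intends. Separately, only `mc->fips == TRUE` is ever tested here: when the library already runs in FIPS mode (set outside mod_ssl, as the new comment notes) an explicit `SSLFIPS off` is silently outranked and the NOTICE on the `modssl_fips_is_enabled()` branch is the only trace of it; logging at WARNING level in that combination, or a sentence in the SSLFIPS documentation stating the precedence, would make this explicit. ssl_init_Module starts and ends outside this hunk.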
@@ -258,6 +258,16 @@ void free_bio_methods(void);
 #define HAVE_OPENSSL_KEYLOG
 #endif
+#ifdef HAVE_FIPS
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define modssl_fips_is_enabled() EVP_default_properties_is_fips_enabled(NULL)
+#define modssl_fips_enable(to) EVP_default_properties_enable_fips(NULL, (to))
+#else
+#define modssl_fips_is_enabled() FIPS_mode()
+#define modssl_fips_enable(to) FIPS_mode_set((to))
+#endif
+#endif /* HAVE_FIPS */
+
 /* mod_ssl headers */
 #include "ssl_util_ssl.h"
@@ -629,6 +639,10 @@ typedef struct {
 /* Used for logging if SSLKEYLOGFILE is set at startup. */
 apr_file_t *keylog_file;
 #endif
+
+#ifdef HAVE_FIPS
+ BOOL fips;
+#endif
 } SSLModConfigRec;
 /** Structure representing configured filenames for certs and keys for
@@ -784,9 +798,6 @@ struct SSLSrvConfigRec {
 #ifdef HAVE_TLSEXT
 ssl_enabled_t strict_sni_vhost_check;
 #endif
-#ifdef HAVE_FIPS
- BOOL fips;
-#endif
 #ifndef OPENSSL_NO_COMP
 BOOL compression;
 #endif
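Review bot: The new macro block in the first hunk documents neither the return convention nor the semantic gap between its two branches, although the caller in ssl_engine_init.c relies on `modssl_fips_enable()` returning 0 on failure, and on 3.0 `modssl_fips_is_enabled()` reports whether the default property query asks for FIPS algorithms rather than whether a FIPS provider is loaded. A comment above the `#if OPENSSL_VERSION_NUMBER` line would save the next reader a trip to the OpenSSL manual, e.g. `/* Both variants return non-zero on success. On 3.0 "enabled" means the default property query requires FIPS algorithms; it does not by itself prove a FIPS provider is loaded. */`. The `(to)` parenthesisation is fine and the argument is evaluated once in both branches.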
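Review bot: `BOOL fips;` in the second hunk joins SSLModConfigRec without a comment, while the neighbouring `keylog_file` field explains its purpose; the field carries the tri-state `UNSET`/`TRUE`/`FALSE` written by ssl_cmd_SSLFIPS and, by moving here from SSLSrvConfigRec (third hunk), it now has one value for the whole module rather than one per server_rec. A one-liner such as `/* SSLFIPS: UNSET, TRUE or FALSE; kept here rather than per-server because FIPS mode is library-wide state */` records both facts next to the declaration. The enclosing typedef starts outside the hunk.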