From: Yann Ylavic Date: Tue, 31 May 2022 23:01:24 +0000 (+0000) Subject: mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063. X-Git-Tag: 2.5.0-alpha2-ci-test-only~323 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5af4eef2fd20507611db42121b5a4e22bdf97528;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063. * modules/ssl/ssl_private.h(): #define modssl_fips_is_enabled() and modssl_fips_enable() to wrap the native OpenSSL FIPS functions available on OPENSSL_VERSION_NUMBER. * modules/ssl/ssl_engine_init.c(ssl_init_Module, modssl_fips_cleanup): Use the new wrappers instead of the OPENSSL_VERSION_NUMBER < 3.0 functions. Submitted by: Petr Sumbera , ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1901470 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/ssl_fips_30.txt b/changes-entries/ssl_fips_30.txt
new file mode 100644
index 00000000000..b5f35ec0d2d
--- /dev/null
+++ b/changes-entries/ssl_fips_30.txt
@@ -0,0 +1,2 @@
+ *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
+ [Petr Sumbera , Yann Ylavic]
\ No newline at end of file
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 11099e7fbce..5e8ee6abcb4 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -216,7 +216,7 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
 #ifdef HAVE_FIPS
 static apr_status_t modssl_fips_cleanup(void *data)
 {
- FIPS_mode_set(0);
+ modssl_fips_enable(0);
 return APR_SUCCESS;
 }
 #endif
@@ -348,8 +348,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 }
 #ifdef HAVE_FIPS
- if (!FIPS_mode() && mc->fips == TRUE) {
- if (!FIPS_mode_set(1)) {
+ if (!modssl_fips_is_enabled() && mc->fips == TRUE) {
+ if (!modssl_fips_enable(1)) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
 "Could not enable FIPS mode");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
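Review bot: On OpenSSL 3.0 the `if (!modssl_fips_enable(1))` check added in the @@ -348 hunk cannot catch the most likely FIPS failure, because the 3.0 expansion `EVP_default_properties_enable_fips(NULL, 1)` only installs a `fips=yes` default property query and, as far as I can tell from the 3.0 API, reports success whether or not a FIPS provider has been loaded; with no provider the failure surfaces later as algorithm-fetch errors at key loading or handshake time instead of the APLOGNO(01885) EMERG here. The same holds for the `modssl_fips_is_enabled()` NOTICE in the @@ -363 hunk, which will then log "has FIPS mode enabled" on the strength of the property query alone. A cheap guard is to require the provider before flipping the property, e.g. `if (!OSSL_PROVIDER_available(NULL, "fips") || !modssl_fips_enable(1)) {` under the `>= 0x30000000L` condition (needs `<openssl/provider.h>`), or to fold that availability test into the 3.0 definition of `modssl_fips_enable` in ssl_private.h so this call site stays version-agnostic. ssl_init_Module starts and ends outside the hunk.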
@@ -363,7 +363,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 /* Log actual FIPS mode which the SSL library is operating under,
 * which may have been set outside of the mod_ssl
 * configuration. */
- if (FIPS_mode()) {
+ if (modssl_fips_is_enabled()) {
 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
 MODSSL_LIBRARY_NAME " has FIPS mode enabled");
 }
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index d48f3027f1c..2bebde1981f 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -266,6 +266,16 @@ void free_bio_methods(void);
 #define HAVE_OPENSSL_KEYLOG
 #endif
+#ifdef HAVE_FIPS
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define modssl_fips_is_enabled() EVP_default_properties_is_fips_enabled(NULL)
+#define modssl_fips_enable(to) EVP_default_properties_enable_fips(NULL, (to))
+#else
+#define modssl_fips_is_enabled() FIPS_mode()
+#define modssl_fips_enable(to) FIPS_mode_set((to))
+#endif
+#endif /* HAVE_FIPS */
+
 /* mod_ssl headers */
 #include "ssl_util_ssl.h"
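Review bot: The new wrapper block in ssl_private.h carries no comment on what the two expansions guarantee, and they differ in scope: `FIPS_mode_set()` switches the whole library, whereas `EVP_default_properties_enable_fips(NULL, (to))` only edits the default property query of the default library context (the `NULL` argument), so algorithm fetches that use their own OSSL_LIB_CTX or pass an explicit property string are not covered by it. I would add a short comment above `#ifdef HAVE_FIPS` stating that both wrappers follow the `FIPS_mode_set()` convention (non-zero on success), that on 3.0+ they act on the default library context only, and that loading the FIPS provider (openssl.cnf or OSSL_PROVIDER_load) is a separate step the wrappers do not perform. A one-line pointer from `modssl_fips_is_enabled()` to the NOTICE it feeds in ssl_engine_init.c would also help the next reader understand that the log line reflects the property query, not provider state.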