From: Yann Ylavic Date: Thu, 7 Feb 2019 13:38:12 +0000 (+0000) Subject: mod_ssl: unset FIPS mode only if we set it. X-Git-Tag: 2.5.0-alpha2-ci-test-only~2173 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96b6041d70493676524769485d749f54fa93ea42;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: unset FIPS mode only if we set it. If FIPS mode is set by default per openssl lib/module, we should not unset it on restart or it might never be set again. PR 63136 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1853133 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 605d987c3df..d804db09d69 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -348,9 +348,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
     /*
      * Try to kill the internals of the SSL library.
      */
-#ifdef HAVE_FIPS
-    FIPS_mode_set(0);
-#endif
     /* Corresponds to OBJ_create()s */
     OBJ_cleanup();
     /* Corresponds to OPENSSL_load_builtin_modules() */
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 972ce1adc48..a5a3d41c5fa 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -190,6 +190,14 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
     return 0;
 }
 
+#ifdef HAVE_FIPS
+static apr_status_t modssl_fips_cleanup(void *data)
+{
+    FIPS_mode_set(0);
+    return APR_SUCCESS;
+}
+#endif
+
 /*
  * Per-module initialization
  */
@@ -314,11 +322,13 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
     ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
 #ifdef HAVE_FIPS
-    if(sc->fips) {
+    if (sc->fips) {
         if (!FIPS_mode()) {
             if (FIPS_mode_set(1)) {
                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
                              "Operating in SSL FIPS mode");
+                apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+                                          apr_pool_cleanup_null);
             }
             else {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885)
                              "FIPS mode failed");
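Review bot: modssl_fips_cleanup in the ssl_engine_init.c hunk discards the return value of FIPS_mode_set(0) and carries no comment tying it to the FIPS_mode_set(1) call it undoes, so a later reader cannot tell that the cleanup is deliberately registered only when mod_ssl switched FIPS on itself. A header comment such as `/* Pool cleanup paired with the FIPS_mode_set(1) in ssl_init_Module: registered only when mod_ssl enabled FIPS itself, so a library-default FIPS setting is left alone across restarts (PR 63136). */` would record that contract. The register call in the ssl_init_Module hunk passes NULL as data, so the cleanup has no server_rec to log against when FIPS_mode_set(0) fails; passing `s` instead (`apr_pool_cleanup_register(p, s, modssl_fips_cleanup, apr_pool_cleanup_null);`, assuming `s` lives at least as long as `p`) and logging a failed reset in the cleanup would make an unexpected FIPS-state transition visible to an operator reviewing the error log. If the build enables -Wunused-parameter, the otherwise unused `data` parameter wants a `(void)data;`. ssl_init_Module continues outside the hunk.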