This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push: new 101eda32b Map the OpenSSL 3.x FIPS behaviour to the 1.x API 101eda32b is described below commit 101eda32be49559cc75622cb15fbfd128e02572a Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Jun 1 12:36:18 2022 +0100 Map the OpenSSL 3.x FIPS behaviour to the 1.x API
---
native/BUILDING | 49 +++++----------------------------------
native/include/ssl_private.h | 1 +
native/src/ssl.c | 44 ++++++++++++++++++-----------------
xdocs/miscellaneous/changelog.xml | 4 ++++
4 files changed, 34 insertions(+), 64 deletions(-)
diff --git a/native/BUILDING b/native/BUILDING
index 7059e8de7..9bf7cc6e9 100644
--- a/native/BUILDING
+++ b/native/BUILDING
@@ -148,48 +148,11 @@ Windows Note: Use ENABLE_OCSP=1 to create OCSP enabled builds -Windows with FIPS -================= +FIPS +==== -The steps are broadly the same as the non-FIPS build with the following additions and changes. +No additional build steps are required. Configure OpenSSL to use the FIPS +certified provider as the default provider as described in the OpenSSL +documentation: -Note: The build process has only been verified with 64-bit Windows. The process - for 32-bit Windows should be very similar. - -1. Build the FIPS object module - - This step should be completed immediately before building OpenSSL. - - Unpack the openssl-fips-2.0.x.tar.gz distribution into native\srclib\openssl-fips - The tar.gz contains symbolic links. Ensure you unpack the archive with a tool - that replaces these with the linked file or manually replace the symbolic - links with associated the linked file before continuing. - - > c:\cmsc\setenv.bat /x64 - > set FIPSDIR=%cd%\lib-x64 - > ms\do_fips - -2. Modify the OpenSSL build configuration - - Add 'fips' to the OpenSSL build configuration - - > perl Configure VC-WIN64A fips - -3. Test the OpenSSL build - - This step should be completed immediately after building OpenSSL. - - > SET OPENSSL_FIPS=1 - > openssl md5 openssl.exe - - This should fail since MD5 is disabled in FIPS mode. - - > SET OPENSSL_FIPS= - > openssl md5 openssl.exe - - This should work. - -4. Modify the tc-native build configuration - - > c:\cmsc\setenv.bat /x64 - > nmake -f NMAKEMakefile WITH_APR=srclib\apr\WINXP_X64_LIB_RELEASE WITH_OPENSSL=srclib\openssl\release-x64 WITH_FIPS=srclib\openssl-fips\lib-x64 APR_DECLARE_STATIC=1 + https://www.openssl.org/docs/man3.0/man7/fips_module.html diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h index be0c7d563..3a14ce01f 100644 --- a/native/include/ssl_private.h +++ b/native/include/ssl_private.h 
@@ -46,6 +46,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/dh.h>
 #include <openssl/bn.h>
+#include <openssl/provider.h>
 /* Avoid tripping over an engine build installed globally and detected
 * when the user points at an explicit non-engine flavor of OpenSSL */
diff --git a/native/src/ssl.c b/native/src/ssl.c
index d6f19ef44..9fe4d9980 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -913,13 +913,29 @@ TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, jstring file)
 TCN_IMPLEMENT_CALL(jint, SSL, fipsModeGet)(TCN_STDARGS)
 {
 UNREFERENCED(o);
-#ifdef OPENSSL_FIPS
- return FIPS_mode();
-#else
- /* FIPS is unavailable */
- tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
+#if defined(LIBRESSL_VERSION_NUMBER)
+ /* LibreSSL doesn't support FIPS */
 return 0;
+#else
+ EVP_MD *md;
+ const OSSL_PROVIDER *provider;
+ const char *name;
+
+ // Maps the OpenSSL 3. x onwards behaviour to theOpenSSL 1.x API
+
+ // Checks that FIPS is the default provider
+ md = EVP_MD_fetch(NULL, "SHA-512", NULL);
+ provider = EVP_MD_get0_provider(md);
+ name = OSSL_PROVIDER_get0_name(provider);
+ // Clean up
+ EVP_MD_free(md);
+
+ if (strcmp("fips", name)) {
+ return 0;
+ } else {
+ return 1;
+ }
 #endif
 }
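Review bot: The new `#include <openssl/provider.h>` is unconditional, while fipsModeGet in ssl.c keeps a `#if defined(LIBRESSL_VERSION_NUMBER)` branch; as far as I know LibreSSL does not ship a provider.h, so if LibreSSL is still a build target this include should be guarded the same way, `#if !defined(LIBRESSL_VERSION_NUMBER)` / `#include <openssl/provider.h>` / `#endif`. If LibreSSL builds are no longer expected after this change, the branch in fipsModeGet is dead and could be dropped instead, so the two files agree on what is supported.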
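Review bot: `md = EVP_MD_fetch(NULL, "SHA-512", NULL);` can return NULL (no loaded provider offers SHA-512, or the fetch fails), and the new code feeds the result straight into EVP_MD_get0_provider, OSSL_PROVIDER_get0_name and strcmp without a check, so a misconfigured provider setup turns a status query into a crash instead of a "not FIPS" answer. Computing the result before EVP_MD_free also avoids reading `name` after the object it was obtained through has been released. A short comment should state that this reports only that the default fetch for one digest resolved to the provider named "fips", not that every algorithm is restricted to it, since callers used to the 1.x FIPS_mode() semantics may assume more. The header comment has two typos (`3. x`, `theOpenSSL`). The whole of fipsModeGet lies within the hunk.
```c
    int r = 0;
    /* … unchanged: LibreSSL branch and the md/provider/name declarations … */
    md = EVP_MD_fetch(NULL, "SHA-512", NULL);
    if (md == NULL) {
        /* Nothing provides SHA-512, so the FIPS provider cannot be the default */
        return 0;
    }
    provider = EVP_MD_get0_provider(md);
    name = (provider != NULL) ? OSSL_PROVIDER_get0_name(provider) : NULL;
    /* Reports only that the default fetch of this digest resolved to the "fips" provider */
    r = (name != NULL && strcmp("fips", name) == 0) ? 1 : 0;
    EVP_MD_free(md);
    return r;
```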
@@ -928,22 +944,8 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS, jint mode)
 int r = 0;
 UNREFERENCED(o);
-#ifdef OPENSSL_FIPS
- if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
- /* arrange to get a human-readable error message */
- unsigned long err = SSL_ERR_get();
- char msg[256];
-
- /* ERR_load_crypto_strings() already called in initialize() */
-
- ERR_error_string_n(err, msg, 256);
-
- tcn_ThrowException(e, msg);
- }
-#else
- /* FIPS is unavailable */
- tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
-#endif
+ /* This method should never be called when using Tomcat Native 2.x onwards */
+ tcn_ThrowException(e, "fipsModeSet is not supported in Tomcat Native 2.x onwards.");
 return r;
 }
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index c1d0fcc65..ce0b03557 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -48,6 +48,10 @@ Remove NPN support as NPN was never standardised and browser support was removed in 2019. (markt)
 </design>
+ <add>
+ Add support for using OpenSSL when the FIPS provider is configured as the
+ default provider. (markt)
+ </add>
 </changelog>
 </section>
 <section name="Changes in 1.2.x">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
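Review bot: With the FIPS_mode_set call removed, `int r = 0;` is never assigned and `mode` is no longer read, so the function keeps a dead local and an unused parameter that -Wunused-parameter will flag; `UNREFERENCED(mode);` beside `UNREFERENCED(o);` and a plain `return 0;` would follow the file's existing pattern. The comment would also help a future reader more if it said why run-time enabling is unsupported here — the BUILDING change says FIPS is now selected by configuring the FIPS provider as the default, e.g. `/* FIPS is selected by OpenSSL provider configuration, not at run time */` — so nobody tries to restore the 1.x call. The function's signature sits in the hunk header, so fipsModeSet starts just outside the hunk.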