--- src/ssl.c.orig	2024-02-04 19:32:52 UTC
+++ src/ssl.c
@@ -395,30 +395,14 @@ TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, js
 
 TCN_IMPLEMENT_CALL(jint, SSL, fipsModeGet)(TCN_STDARGS)
 {
-#if defined(LIBRESSL_VERSION_NUMBER)
     UNREFERENCED(o);
-    /* LibreSSL doesn't support FIPS */
-    return 0;
+#ifdef OPENSSL_FIPS
+    return FIPS_mode();
 #else
-    EVP_MD              *md;
-    const OSSL_PROVIDER *provider;
-    const char          *name;
-    UNREFERENCED(o);
+    /* FIPS is unavailable */
+    tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
 
-    // Maps the OpenSSL 3. x onwards behaviour to theOpenSSL 1.x API
-
-    // Checks that FIPS is the default provider
-    md = EVP_MD_fetch(NULL, "SHA-512", NULL);
-    provider = EVP_MD_get0_provider(md);
-    name = OSSL_PROVIDER_get0_name(provider);
-    // Clean up
-    EVP_MD_free(md);
-
-    if (strcmp("fips", name)) {
-        return 0;
-    } else {
-        return 1;
-    }
+    return 0;
 #endif
 }
 
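Review bot: The `#else` branch of fipsModeGet now throws from what is a status query, so on any build where `OPENSSL_FIPS` is undefined a caller asking whether FIPS is active gets an exception rather than the 0 that the final `return 0;` suggests was intended. `OPENSSL_FIPS` is the macro set by FIPS-capable OpenSSL 1.x builds and, as far as I can tell, is not defined by OpenSSL 3.x headers or by LibreSSL, so the provider-name check this hunk removes was the only path that could report 1 on OpenSSL 3 with the FIPS provider loaded. If restricting the module to FIPS-capable 1.x builds is the intent, state it at the conditional: `/* OPENSSL_FIPS is set only by FIPS-capable OpenSSL 1.x; the OpenSSL 3.x FIPS provider is not detected here */`. Otherwise consider leaving the getter silent (return 0) and keeping the exception in fipsModeSet, which already throws for the same case in the next hunk.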
@@ -427,8 +411,22 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS
     int r = 0;
     UNREFERENCED(o);
 
-    /* This method should never be called when using Tomcat Native 2.x onwards */
-    tcn_ThrowException(e, "fipsModeSet is not supported in Tomcat Native 2.x onwards.");
+#ifdef OPENSSL_FIPS
+    if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
+      /* arrange to get a human-readable error message */
+      unsigned long err = SSL_ERR_get();
+      char msg[256];
+
+      /* ERR_load_crypto_strings() already called in initialize() */
+
+      ERR_error_string_n(err, msg, 256);
+
+      tcn_ThrowException(e, msg);
+    }
+#else
+    /* FIPS is unavailable */
+    tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
+#endif
 
     return r;
 }
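Review bot: `ERR_error_string_n(err, msg, 256)` repeats the buffer size as a literal that has to be kept in step with `char msg[256]`; write `ERR_error_string_n(err, msg, sizeof msg);` so the bound follows the declaration. The message is only informative when an error was actually queued: `SSL_ERR_get()` (presumably the project's wrapper around `ERR_get_error()`) yields 0 on an empty queue and the thrown text is then a generic all-zero error string, so a short fallback such as `if (err == 0) { tcn_ThrowException(e, "FIPS_mode_set failed"); return r; }` before the formatting would make the Java-side failure readable. The `1 != (r = ...)` form hides the assignment in a Yoda comparison; a separate `r = (jint)FIPS_mode_set((int)mode);` followed by `if (r != 1)` reads more plainly. fipsModeSet's signature and its `mode` parameter are above the hunk.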