File 5999427a728f5f87ccd3e7957a1e347a1ac6ace3.patch of Package libest
From 5999427a728f5f87ccd3e7957a1e347a1ac6ace3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Sch=C3=A4rtl?= <andreas.schaertl@unicon.com>
Date: Mon, 29 Jan 2024 11:34:34 +0100
Subject: [PATCH] Use new OpenSSL FIPS API
---
example/client-brski/estclient-brski.c | 3 ++-
example/client/estclient.c | 3 ++-
example/proxy/estproxy.c | 3 ++-
example/server/estserver.c | 3 ++-
java/jni/client.c | 3 ++-
src/est/est_client.c | 13 +++++++------
src/est/est_server.c | 3 ++-
test/UT/US1864/us1864.c | 5 +++--
8 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/example/client-brski/estclient-brski.c b/example/client-brski/estclient-brski.c
index 9e63af5..b7bb606 100644
--- a/example/client-brski/estclient-brski.c
+++ b/example/client-brski/estclient-brski.c
@@ -17,6 +17,7 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/crypto.h>
+#include <openssl/evp.h>
#ifndef WIN32
#include <strings.h>
#endif
@@ -388,7 +389,7 @@ int main (int argc, char **argv)
break;
case 'f':
/* Turn FIPS on if requested and exit if failure */
- set_fips_return = FIPS_mode_set(1);
+ set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
if (!set_fips_return) {
printf("\nERROR setting FIPS MODE ON ...\n");
ERR_load_crypto_strings();
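Review bot: The `!set_fips_return` check on the new `EVP_default_properties_enable_fips(NULL, 1)` call does not establish that FIPS is actually in force: in OpenSSL 3 that call only sets the `fips=yes` default property query and returns 1 whether or not a FIPS provider is loaded, unlike the old `FIPS_mode_set(1)`, which failed when the module was absent. With `fips=yes` set and no FIPS provider available, later algorithm fetches fail, so `-f` would be reported as succeeding and the client would then fail much later with an opaque unsupported-algorithm error. Guard it, e.g. `if (!OSSL_PROVIDER_available(NULL, "fips") || !EVP_default_properties_enable_fips(NULL, 1)) {` (adding `#include <openssl/provider.h>`), or load the provider explicitly with `OSSL_PROVIDER_load(NULL, "fips")` first. `main` continues outside the hunk.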
diff --git a/example/client/estclient.c b/example/client/estclient.c
index a8a2d6f..44d5082 100644
--- a/example/client/estclient.c
+++ b/example/client/estclient.c
@@ -24,6 +24,7 @@
#include <sys/stat.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
#include <openssl/pem.h>
#ifndef WIN32
@@ -1280,7 +1281,7 @@ int main (int argc, char **argv)
break;
case 'f':
/* Turn FIPS on if requested and exit if failure */
- set_fips_return = FIPS_mode_set(1);
+ set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
if (!set_fips_return) {
printf("\nERROR setting FIPS MODE ON ...\n");
ERR_load_crypto_strings();
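Review bot: Replacing `FIPS_mode_set(1)` with `EVP_default_properties_enable_fips(NULL, 1)` silently weakens the `-f` option: the new call only records `fips=yes` as the default property query and succeeds even when no FIPS provider is loaded, so the error branch here is effectively never taken on a non-FIPS build. The practical effect is that the program continues, claims FIPS mode, and then fails at the first algorithm fetch instead of at option parsing. Add a provider check before trusting the result, e.g. `if (!OSSL_PROVIDER_available(NULL, "fips")) { printf("\nERROR FIPS provider not available ...\n"); exit(1); }` with `#include <openssl/provider.h>`. `main` continues outside the hunk.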
diff --git a/example/proxy/estproxy.c b/example/proxy/estproxy.c
index 114bd65..03015e5 100644
--- a/example/proxy/estproxy.c
+++ b/example/proxy/estproxy.c
@@ -27,6 +27,7 @@
#include <getopt.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
+#include <openssl/evp.h>
#include <est.h>
#include <sys/types.h>
#ifndef WIN32
@@ -593,7 +594,7 @@ int main (int argc, char **argv)
/*
* Turn FIPS on if user requested it and exit if failure
*/
- set_fips_return = FIPS_mode_set(1);
+ set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
if (set_fips_return != 1) {
set_fips_error = ERR_get_error();
printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n");
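Review bot: The `set_fips_return != 1` test after `EVP_default_properties_enable_fips(NULL, 1)` no longer means "FIPS is available"; on OpenSSL 3 the call only sets the `fips=yes` property string on the default library context and returns 1 regardless of whether a FIPS provider has been loaded, so the `ERR_get_error()` path below is unlikely to fire on a misconfigured host. The proxy would then report FIPS mode on and fail later when TLS cannot fetch any algorithm. Confirm the provider first, e.g. `if (!OSSL_PROVIDER_available(NULL, "fips") || EVP_default_properties_enable_fips(NULL, 1) != 1) {`, which requires `#include <openssl/provider.h>`. `main` continues outside the hunk.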
diff --git a/example/server/estserver.c b/example/server/estserver.c
index 3539dc4..635f420 100644
--- a/example/server/estserver.c
+++ b/example/server/estserver.c
@@ -31,6 +31,7 @@
#include <openssl/conf.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
#include <openssl/pem.h>
#include <openssl/md5.h>
@@ -2285,7 +2286,7 @@ int main (int argc, char **argv)
/* turn FIPS on if user requested it
* and exit if failure.
*/
- set_fips_return = FIPS_mode_set(1);
+ set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
if (set_fips_return != 1) {
set_fips_error = ERR_get_error();
printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n");
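Review bot: `EVP_default_properties_enable_fips(NULL, 1)` returning 1 does not prove a FIPS provider is present, so the `set_fips_return != 1` check here keeps the old error message but loses the old guarantee that `FIPS_mode_set(1)` gave when the FIPS module was missing. For a server this matters more than for the examples: an operator requesting FIPS would see the startup succeed and only hit failures once clients connect and algorithm fetches return NULL. Check availability explicitly, e.g. `if (!OSSL_PROVIDER_available(NULL, "fips")) { printf("\nERROR FIPS provider not loaded exiting ....\n"); exit(1); }` before the enable call, with `#include <openssl/provider.h>`. `main` continues outside the hunk.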
diff --git a/java/jni/client.c b/java/jni/client.c
index c5bc28e..d213776 100644
--- a/java/jni/client.c
+++ b/java/jni/client.c
@@ -14,6 +14,7 @@
#include <est/est.h>
#include <openssl/x509v3.h>
#include <openssl/bio.h>
+#include <openssl/evp.h>
#include "safe_mem_lib.h"
#define EST_CLASS_ENROLL_EXCEPTION "com/cisco/c3m/est/EnrollException"
@@ -179,7 +180,7 @@ static int jni_est_client_X509_REQ_sign (X509_REQ *x, EVP_PKEY *pkey, const EVP_
*/
JNIEXPORT jint JNICALL Java_com_cisco_c3m_est_ESTClient_enable_1fips(
JNIEnv *env, jclass obj) {
- if (!FIPS_mode() && !FIPS_mode_set(1)) {
+ if (!EVP_default_properties_is_fips_enabled(NULL) && !EVP_default_properties_enable_fips(NULL, 1)) {
ERR_print_errors_fp(stderr);
return -1;
} else {
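Review bot: The new condition `!EVP_default_properties_is_fips_enabled(NULL) && !EVP_default_properties_enable_fips(NULL, 1)` returns success to Java as soon as the `fips=yes` property is set, but on OpenSSL 3 that property can be set without any FIPS provider being loaded, so `enable_1fips` can report 0 on a build where every subsequent fetch will fail. Since this is the only FIPS entry point exposed to the Java layer, it should verify the provider as well, e.g. `if (!OSSL_PROVIDER_available(NULL, "fips") || (!EVP_default_properties_is_fips_enabled(NULL) && !EVP_default_properties_enable_fips(NULL, 1))) {`, adding `#include <openssl/provider.h>` next to the new evp include. The `else` branch of this function continues outside the hunk.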
diff --git a/src/est/est_client.c b/src/est/est_client.c
index 8dff9d9..282eab8 100644
--- a/src/est/est_client.c
+++ b/src/est/est_client.c
@@ -40,6 +40,7 @@
#include <openssl/ssl.h>
#include <openssl/cms.h>
#include <openssl/rand.h>
+#include <openssl/evp.h>
#include "est.h"
#include "est_locl.h"
#include "est_ossl_util.h"
@@ -3182,7 +3183,7 @@ EST_ERROR est_client_enroll_internal (EST_CTX *ctx, char *cn, int *pkcs7_len, in
* HTTPS digest mode requires the use of MD5. Make sure we're not
* in FIPS mode and can use MD5
*/
- if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+ if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
rv = EST_ERR_BAD_MODE;
goto err;
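Review bot: The new `EVP_default_properties_is_fips_enabled(NULL)` test only inspects the default library context's property string, which is an indirect proxy for what the comment above actually requires, namely that MD5 is usable for HTTP digest. If the FIPS provider is the only provider activated (for example via `openssl.cnf`) without `fips=yes` being set, this check passes and digest auth then fails later with a less informative error; conversely a non-default `OSSL_LIB_CTX` is not consulted at all. A direct check is more robust: `EVP_MD *md5 = EVP_MD_fetch(NULL, "MD5", NULL); if (ctx->auth_mode == AUTH_DIGEST && md5 == NULL) { ... } EVP_MD_free(md5);`. `est_client_enroll_internal` starts and ends outside the hunk.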
@@ -3593,7 +3594,7 @@ EST_ERROR est_client_reenroll (EST_CTX *ctx, X509 *cert, int *pkcs7_len, EVP_PKE
* HTTPS digest mode requires the use of MD5. Make sure we're not
* in FIPS mode and can use MD5
*/
- if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+ if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
rv = EST_ERR_BAD_MODE;
goto err;
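Review bot: The same four-line FIPS/digest guard is now repeated verbatim at six sites in this file and once more in `est_server_set_auth_mode`, each spelling out `EVP_default_properties_is_fips_enabled(NULL)` inline. Since the OpenSSL API used here has just changed once and may change again (the 1.0.2 to 3.0 migration this commit performs), it would be better to hide it behind one helper such as `static int est_fips_blocks_digest_auth(void)` in `est_ossl_util.c`, so the call sites read `if (ctx->auth_mode == AUTH_DIGEST && est_fips_blocks_digest_auth()) {` and a future fix to the check is made in one place. `est_client_reenroll` starts and ends outside the hunk.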
@@ -3679,7 +3680,7 @@ static EST_ERROR est_client_enroll_csr_internal (EST_CTX *ctx, X509_REQ *csr, in
* HTTPS digest mode requires the use of MD5. Make sure we're not
* in FIPS mode and can use MD5
*/
- if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+ if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
rv = EST_ERR_BAD_MODE;
goto err;
@@ -5871,7 +5872,7 @@ static EST_ERROR est_client_brski_send_get_voucher (EST_CTX *ctx, int *cacert_le
* HTTPS digest mode requires the use of MD5. Make sure we're not
* in FIPS mode and can use MD5
*/
- if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+ if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
rv = EST_ERR_BAD_MODE;
goto err;
@@ -6365,7 +6366,7 @@ EST_ERROR est_client_brski_send_voucher_status (EST_CTX *ctx, EST_BRSKI_STATUS_V
* HTTPS digest mode requires the use of MD5. Make sure we're not
* in FIPS mode and can use MD5
*/
- if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+ if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
rv = EST_ERR_BAD_MODE;
goto err;
@@ -6534,7 +6535,7 @@ EST_ERROR est_client_brski_send_enroll_status (EST_CTX *ctx, EST_BRSKI_STATUS_VA
* HTTPS digest mode requires the use of MD5. Make sure we're not
* in FIPS mode and can use MD5
*/
- if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+ if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
rv = EST_ERR_BAD_MODE;
goto err;
diff --git a/src/est/est_server.c b/src/est/est_server.c
index d047b48..751a0f1 100644
--- a/src/est/est_server.c
+++ b/src/est/est_server.c
@@ -30,6 +30,7 @@
#include <openssl/x509v3.h>
#include <openssl/cms.h>
#include <openssl/bio.h>
+#include <openssl/evp.h>
static ASN1_OBJECT *o_cmcRA = NULL;
@@ -3355,7 +3356,7 @@ EST_ERROR est_server_set_auth_mode (EST_CTX *ctx, EST_HTTP_AUTH_MODE amode)
/*
* Since HTTP digest auth uses MD5, make sure we're not in FIPS mode.
*/
- if (FIPS_mode()) {
+ if (EVP_default_properties_is_fips_enabled(NULL)) {
EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
return (EST_ERR_BAD_MODE);
}
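Review bot: The `EVP_default_properties_is_fips_enabled(NULL)` check rejects digest auth only when the `fips=yes` default property is set, but the comment's actual concern is MD5 availability, and on OpenSSL 3 those are not the same thing: a process that loaded only the FIPS provider without setting the property passes this check and then fails at runtime when the digest is fetched. Fetching the digest directly answers the real question, e.g. `EVP_MD *md5 = EVP_MD_fetch(NULL, "MD5", NULL); if (md5 == NULL) { EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode"); return (EST_ERR_BAD_MODE); } EVP_MD_free(md5);`. `est_server_set_auth_mode` starts outside the hunk.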
diff --git a/test/UT/US1864/us1864.c b/test/UT/US1864/us1864.c
index 3e41cd7..8d89ab2 100644
--- a/test/UT/US1864/us1864.c
+++ b/test/UT/US1864/us1864.c
@@ -17,6 +17,7 @@
#include "test_utils.h"
#include "st_server.h"
#include <openssl/ssl.h>
+#include <openssl/evp.h>
#ifdef HAVE_CUNIT
#include "CUnit/Basic.h"
@@ -218,12 +219,12 @@ static void us1864_test1 (void)
/*
* Make sure we don't allow DIGEST mode when in FIPS mode
*/
- if (!FIPS_mode_set(1)) {
+ if (!EVP_default_properties_enable_fips(NULL, 1)) {
printf("FIPS mode not supported, skipping test to prevent digest auth when in FIPS mode");
} else {
est_rv = est_server_set_auth_mode(ctx, AUTH_DIGEST);
CU_ASSERT(est_rv == EST_ERR_BAD_MODE);
- FIPS_mode_set(0);
+ EVP_default_properties_enable_fips(NULL, 0)
}
X509_free(x);
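Review bot: The new `EVP_default_properties_enable_fips(NULL, 0)` line is missing its terminating semicolon, so this test file no longer compiles; it should read `EVP_default_properties_enable_fips(NULL, 0);`. Separately, the "FIPS mode not supported, skipping" branch is unlikely to be reachable any more, because on OpenSSL 3 the enable call sets the `fips=yes` property and returns 1 even with no FIPS provider loaded; the test therefore exercises the library's property check rather than a real FIPS build, which is worth stating in the comment above the `if`. The return value of the disable call should also be checked so that a failure to clear `fips=yes` does not leak into later tests in the suite. `us1864_test1` continues outside the hunk.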