File fips_not_available.patch of Package libest
diff -Naur a/example/client/estclient.c b/example/client/estclient.c
--- a/example/client/estclient.c 2024-09-19 16:04:24.682309317 -0300
+++ b/example/client/estclient.c 2024-09-19 16:05:58.169867676 -0300
@@ -1105,7 +1105,6 @@
#else
THREAD_CTX *tctx;
#endif
- int set_fips_return = 0;
char file_name[MAX_FILENAME_LEN];
BIO *certin;
static struct option long_options[] = {
@@ -1280,17 +1279,11 @@
est_port = atoi(optarg);
break;
case 'f':
- /* Turn FIPS on if requested and exit if failure */
- set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
- if (!set_fips_return) {
- printf("\nERROR setting FIPS MODE ON ...\n");
- ERR_load_crypto_strings();
- ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
- exit(1);
- } else {
- printf("\nRunning EST Sample Client with FIPS MODE = ON\n");
- };
- break;
+ /* FIPS is not available, exit with failure */
+ printf("\nERROR setting FIPS MODE ON: FIPS is not available ...\n");
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ exit(1);
case 't':
num_threads = atoi(optarg);
if (num_threads > MAX_THREADS) {
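Review bot: The `ERR_load_crypto_strings()` and `ERR_print_errors(...)` calls kept in the new `case 'f':` body no longer have anything to report: no OpenSSL call precedes them, so the error queue is empty and they only add a deprecated-API dependency (`ERR_load_crypto_strings` is deprecated since OpenSSL 1.1.0) and an unreleased `BIO` on the way to `exit(1)`. Since the intent is simply to refuse the flag, the branch can be reduced to `fprintf(stderr, "ERROR: FIPS mode requested but not available in this build\n"); exit(1);` so the message also lands on stderr instead of stdout. Dropping `break` is safe only because `exit()` never returns; a one-line `/* exit() does not return */` comment would make that explicit to the next reader. Note also that with the library-side `EVP_default_properties_is_fips_enabled` guard removed elsewhere in this patch, this flag handler appears to be the only place that still reacts to a FIPS request, so a FIPS mode enabled through OpenSSL configuration rather than `-f` would presumably go undetected — confirm whether that is acceptable. The enclosing option-parsing function starts and ends outside this hunk.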
diff -Naur a/example/proxy/estproxy.c b/example/proxy/estproxy.c
--- a/example/proxy/estproxy.c 2024-09-19 16:04:24.682309317 -0300
+++ b/example/proxy/estproxy.c 2024-09-19 16:20:56.737416880 -0300
@@ -87,8 +87,6 @@
static int set_enhcd_cert_truststore = 0;
static int set_cert_auth_mfg_nid = 0;
static int set_path_seg = 0;
-static int set_fips_return = 0;
-static unsigned long set_fips_error = 0;
static int server_set = 0;
static int read_timeout = EST_SSL_READ_TIMEOUT_DEF;
static int perf_timers_on = 0;
@@ -591,18 +589,8 @@
listen_port = atoi(optarg);
break;
case 'f':
- /*
- * Turn FIPS on if user requested it and exit if failure
- */
- set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
- if (set_fips_return != 1) {
- set_fips_error = ERR_get_error();
- printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n");
- exit(1);
- } else {
- printf("\nRunning EST Sample Proxy with FIPS MODE = ON !\n");
- }
- break;
+ printf("\nERROR WHILE SETTING UNAVAILABLE FIPS MODE ON exiting ....\n");
+ exit(1);
default:
show_usage_and_exit();
break;
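Review bot: The new failure message on the `case 'f':` path goes to stdout via `printf`, so a caller that captures stdout separately from stderr will see the diagnostic mixed into normal output; `fprintf(stderr, "ERROR: FIPS mode was requested (-f) but is not available in this build\n");` keeps it on the error stream and reads more clearly than "SETTING UNAVAILABLE FIPS MODE ON". Because the option letter is still accepted by the parser, the usage text and getopt string (outside this hunk) presumably still advertise `-f`; if so, consider removing it there too so the option is rejected as unknown rather than documented as supported. Relying on `exit(1)` in place of `break` is fine but deserves a `/* exit() does not return */` comment. The enclosing function continues outside the hunk.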
diff -Naur a/example/server/estserver.c b/example/server/estserver.c
--- a/example/server/estserver.c 2024-09-19 16:04:24.682309317 -0300
+++ b/example/server/estserver.c 2024-09-19 16:19:07.483141432 -0300
@@ -102,8 +102,6 @@
static int set_cert_auth_mfg_name = 0;
static int set_enhcd_cert_truststore = 0;
static int set_cert_auth_mfg_nid = 0;
-static int set_fips_return = 0;
-static unsigned long set_fips_error = 0;
static int test_app_data = 0xDEADBEEF;
static char priv_key_pwd[MAX_PWD_LEN];
#if ENABLE_BRSKI
@@ -2283,19 +2281,8 @@
strncpy(realm, optarg, MAX_REALM_LEN);
break;
case 'f':
- /* turn FIPS on if user requested it
- * and exit if failure.
- */
- set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
- if (set_fips_return != 1) {
- set_fips_error = ERR_get_error();
- printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n");
- exit(1);
- } else {
- printf("\nRunning EST Sample Server with FIPS MODE = ON !\n");
- }
- ;
- break;
+ printf("\nERROR WHILE SETTING UNAVAILABLE FIPS MODE ON exiting ....\n");
+ exit(1);
default:
show_usage_and_exit();
break;
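Review bot: Failing on `-f` with a message on stdout is the right behaviour for a build without FIPS, but the diagnostic belongs on stderr: `fprintf(stderr, "ERROR: FIPS mode was requested (-f) but is not available in this build\n"); exit(1);`. A caveat worth recording in a comment here: the server library's own check that refused HTTP digest auth under FIPS (`est_server.c`, removed elsewhere in this patch) is gone, so this flag handler is now the only FIPS-related control left, and a FIPS-restricted OpenSSL configured outside the `-f` flag would presumably surface only as a later MD5 fetch failure rather than a clear refusal — confirm that is the intended trade-off. The option-parsing function this hunk belongs to starts and ends outside the hunk.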
diff -Naur a/src/est/est_client.c b/src/est/est_client.c
--- a/src/est/est_client.c 2024-09-19 16:04:24.668975856 -0300
+++ b/src/est/est_client.c 2024-09-19 16:15:43.978053246 -0300
@@ -3179,16 +3179,6 @@
ctx->auth_mode == AUTH_BASIC ||
ctx->auth_mode == AUTH_TOKEN)) {
- /*
- * HTTPS digest mode requires the use of MD5. Make sure we're not
- * in FIPS mode and can use MD5
- */
- if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
- EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
- rv = EST_ERR_BAD_MODE;
- goto err;
- }
-
/* Try one more time if we're doing HTTP auth */
EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials");
rv = est_client_connect(ctx, &ssl);
@@ -3590,16 +3580,6 @@
ctx->auth_mode == AUTH_BASIC ||
ctx->auth_mode == AUTH_TOKEN)) {
- /*
- * HTTPS digest mode requires the use of MD5. Make sure we're not
- * in FIPS mode and can use MD5
- */
- if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
- EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
- rv = EST_ERR_BAD_MODE;
- goto err;
- }
-
/* Try one more time if we're doing Digest auth */
EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials");
rv = est_client_connect(ctx, &ssl);
@@ -3676,16 +3656,6 @@
ctx->auth_mode == AUTH_BASIC ||
ctx->auth_mode == AUTH_TOKEN)) {
- /*
- * HTTPS digest mode requires the use of MD5. Make sure we're not
- * in FIPS mode and can use MD5
- */
- if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
- EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
- rv = EST_ERR_BAD_MODE;
- goto err;
- }
-
/* Try one more time if we're doing Digest auth */
EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials");
rv = est_client_connect(ctx, &ssl);
@@ -5868,16 +5838,6 @@
ctx->auth_mode == AUTH_BASIC ||
ctx->auth_mode == AUTH_TOKEN)) {
- /*
- * HTTPS digest mode requires the use of MD5. Make sure we're not
- * in FIPS mode and can use MD5
- */
- if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
- EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
- rv = EST_ERR_BAD_MODE;
- goto err;
- }
-
/* Try one more time if we're doing Digest auth */
EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials");
rv = est_client_connect(ctx, &ssl);
@@ -6362,16 +6322,6 @@
ctx->auth_mode == AUTH_BASIC ||
ctx->auth_mode == AUTH_TOKEN)) {
- /*
- * HTTPS digest mode requires the use of MD5. Make sure we're not
- * in FIPS mode and can use MD5
- */
- if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
- EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
- rv = EST_ERR_BAD_MODE;
- goto err;
- }
-
/* Try one more time if we're doing Digest auth */
EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials");
rv = est_client_connect(ctx, &ssl);
@@ -6531,16 +6481,6 @@
ctx->auth_mode == AUTH_BASIC ||
ctx->auth_mode == AUTH_TOKEN)) {
- /*
- * HTTPS digest mode requires the use of MD5. Make sure we're not
- * in FIPS mode and can use MD5
- */
- if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
- EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
- rv = EST_ERR_BAD_MODE;
- goto err;
- }
-
/* Try one more time if we're doing Digest auth */
EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials");
rv = est_client_connect(ctx, &ssl);
diff -Naur a/src/est/est_server.c b/src/est/est_server.c
--- a/src/est/est_server.c 2024-09-19 16:04:24.668975856 -0300
+++ b/src/est/est_server.c 2024-09-19 16:16:25.315076368 -0300
@@ -3353,14 +3353,6 @@
switch (amode) {
case AUTH_DIGEST:
- /*
- * Since HTTP digest auth uses MD5, make sure we're not in FIPS mode.
- */
- if (EVP_default_properties_is_fips_enabled(NULL)) {
- EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
- return (EST_ERR_BAD_MODE);
- }
- /* fallthrough */
case AUTH_BASIC:
case AUTH_TOKEN:
ctx->auth_mode = amode;