This is an automated email from the ASF dual-hosted git repository. alexey pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kudu.git
commit c24629083e520614af50d0c4242e3d30f55689b6 Author: Ádám Bakai <[email protected]> AuthorDate: Fri Nov 11 11:15:29 2022 +0100 Follow-up on OpenSSL 3 FIPS_mode removal According to OpenSSL documentation[1], FIPS is now part of OpenSSL and checking should be done with EVP_default_properties_is_fips_enabled(3)[2], but it's not a trivial change. [1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module [2] https://www.openssl.org/docs/man3.0/man7/migration_guide.html Change-Id: Ib67d6e6c28085ca61456c26a759c89ecdffb0b4a Reviewed-on: http://gerrit.cloudera.org:8080/19232 Tested-by: Kudu Jenkins Reviewed-by: Zoltan Chovan <[email protected]> Reviewed-by: Alexey Serbin <[email protected]>
---
 src/kudu/server/webserver-test.cc | 6 ++++++ src/kudu/server/webserver.cc | 6 +++++- src/kudu/util/openssl_util.cc | 5 ++++- 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/kudu/server/webserver-test.cc b/src/kudu/server/webserver-test.cc
index e765ee8ed..5f42677e0 100644
--- a/src/kudu/server/webserver-test.cc
+++ b/src/kudu/server/webserver-test.cc
@@ -66,6 +66,12 @@ TAG_FLAG(test_sensitive_flag, sensitive);
 DECLARE_bool(webserver_enable_csp);
+// FIPS_mode is removed from OpenSSL3 for test purposes, a fake one is created and
+// set to disabled.
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+int FIPS_mode() { return 0; }
+#endif
+
 namespace kudu {
 namespace {
diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc
index 79732357f..2eb3e91c8 100644
--- a/src/kudu/server/webserver.cc
+++ b/src/kudu/server/webserver.cc
@@ -291,7 +291,11 @@ Status Webserver::Start() {
 }
 if (!opts_.password_file.empty()) {
- if (FIPS_mode()) {
+ int fips_mode = 0;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ fips_mode = FIPS_mode();
+#endif
+ if (fips_mode) {
 return Status::IllegalState(
 "Webserver cannot be started with Digest authentication in FIPS approved mode");
 }
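Review bot: The `FIPS_mode()` stub added to webserver-test.cc is defined at global scope with external linkage, so it could clash at build or link time if a vendor-patched OpenSSL 3 still supplies a `FIPS_mode` symbol or macro (not visible from this hunk, so treat it as a possible risk rather than a known one). Declaring it `static int FIPS_mode() { return 0; }` keeps the stub local to the test translation unit. The comment above it would read more clearly as `// FIPS_mode() was removed in OpenSSL 3; for the tests, define a stub that always reports FIPS as disabled.`, which also makes it explicit that FIPS-specific test paths are never exercised on OpenSSL 3.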
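Review bot: On OpenSSL 3 builds `fips_mode` stays 0 in `Webserver::Start()`, so the guard that rejects Digest authentication in FIPS approved mode can never fire and the check fails open on exactly the hosts where it matters. The commit message already names the replacement API; adding `#else` followed by `fips_mode = EVP_default_properties_is_fips_enabled(nullptr);` before the `#endif` would keep the guard effective, assuming `<openssl/evp.h>` is included (not visible here). If that is deferred, a comment such as `// TODO: FIPS state is not detected when built against OpenSSL 3` and a startup warning would at least make the gap visible to operators. The same hard-coded 0 appears in `CheckFIPSMode()` in openssl_util.cc, where, judging by the comment that follows it, KUDU_REQUIRE_FIPS_MODE=1 would then abort the process even on a FIPS-enabled host. The body of `Webserver::Start()` begins and ends outside this hunk.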
diff --git a/src/kudu/util/openssl_util.cc b/src/kudu/util/openssl_util.cc
index b210f3d66..7073c8ebe 100644
--- a/src/kudu/util/openssl_util.cc
+++ b/src/kudu/util/openssl_util.cc
@@ -95,7 +95,10 @@ void ThreadIdCB(CRYPTO_THREADID* tid) {
 #endif
 void CheckFIPSMode() {
- auto fips_mode = FIPS_mode();
+ int fips_mode = 0;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ fips_mode = FIPS_mode();
+#endif
 // If the environment variable KUDU_REQUIRE_FIPS_MODE is set to "1", we
 // check if FIPS approved mode is enabled. If not, we crash the process.
 // As this is used in clients as well, we can't use gflags to set this.
