Diffstat (limited to 'www/tomcat-native2/files/patch-src_ssl.c')
-rw-r--r--www/tomcat-native2/files/patch-src_ssl.c63
1 files changed, 63 insertions, 0 deletions
diff --git a/www/tomcat-native2/files/patch-src_ssl.c b/www/tomcat-native2/files/patch-src_ssl.c
new file mode 100644
index 000000000000..b3b37819b955
--- /dev/null
+++ b/www/tomcat-native2/files/patch-src_ssl.c
@@ -0,0 +1,63 @@
+--- src/ssl.c.orig 2024-02-04 19:32:52 UTC
++++ src/ssl.c
+@@ -395,30 +395,14 @@ TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, js
+
+ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeGet)(TCN_STDARGS)
+ {
+-#if defined(LIBRESSL_VERSION_NUMBER)
+ UNREFERENCED(o);
+- /* LibreSSL doesn't support FIPS */
+- return 0;
++#ifdef OPENSSL_FIPS
++ return FIPS_mode();
+ #else
+- EVP_MD *md;
+- const OSSL_PROVIDER *provider;
+- const char *name;
+- UNREFERENCED(o);
++ /* FIPS is unavailable */
++ tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
+
+- // Maps the OpenSSL 3. x onwards behaviour to theOpenSSL 1.x API
+-
+- // Checks that FIPS is the default provider
+- md = EVP_MD_fetch(NULL, "SHA-512", NULL);
+- provider = EVP_MD_get0_provider(md);
+- name = OSSL_PROVIDER_get0_name(provider);
+- // Clean up
+- EVP_MD_free(md);
+-
+- if (strcmp("fips", name)) {
+- return 0;
+- } else {
+- return 1;
+- }
++ return 0;
+ #endif
+ }
+
+@@ -427,8 +411,22 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS
+ int r = 0;
+ UNREFERENCED(o);
+
+- /* This method should never be called when using Tomcat Native 2.x onwards */
+- tcn_ThrowException(e, "fipsModeSet is not supported in Tomcat Native 2.x onwards.");
++#ifdef OPENSSL_FIPS
++ if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
++ /* arrange to get a human-readable error message */
++ unsigned long err = SSL_ERR_get();
++ char msg[256];
++
++ /* ERR_load_crypto_strings() already called in initialize() */
++
++ ERR_error_string_n(err, msg, 256);
++
++ tcn_ThrowException(e, msg);
++ }
++#else
++ /* FIPS is unavailable */
++ tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
++#endif
+
+ return r;
+ }
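Review bot: `ERR_error_string_n(err, msg, 256)` in the fipsModeSet hunk repeats the buffer size as a literal; use `ERR_error_string_n(err, msg, sizeof msg);` so the bound follows `char msg[256]` if it is ever resized. That error branch also depends on `SSL_ERR_get()`, a tcnative-internal helper, and on the comment that `ERR_load_crypto_strings()` is already called in initialize(); both should be confirmed to still exist in the 2.x source this patch targets, otherwise the `OPENSSL_FIPS` build either fails to compile or reports a bare numeric error code. The restored `OPENSSL_FIPS`/`FIPS_mode()` path is, as far as I know, the OpenSSL 1.x FIPS-module API, so on an OpenSSL 3 build (where the removed EVP_MD_fetch/OSSL_PROVIDER check detected the fips provider) fipsModeGet will now throw instead of reporting provider state — a comment at the `#ifdef OPENSSL_FIPS` line naming which OpenSSL builds the branch is meant for would make that trade-off explicit. The bodies of both functions begin before the hunks' first context lines (the fipsModeSet signature and its `mode` parameter are visible only in the hunk header).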