Diffstat (limited to 'www/tomcat-native2/files')
-rw-r--r--www/tomcat-native2/files/patch-include_ssl__private.h12
-rw-r--r--www/tomcat-native2/files/patch-src_ssl.c63
-rw-r--r--www/tomcat-native2/files/patch-src_sslutils.c14
3 files changed, 89 insertions, 0 deletions
diff --git a/www/tomcat-native2/files/patch-include_ssl__private.h b/www/tomcat-native2/files/patch-include_ssl__private.h
new file mode 100644
index 000000000000..80ff3e5c8cd9
--- /dev/null
+++ b/www/tomcat-native2/files/patch-include_ssl__private.h
@@ -0,0 +1,12 @@
+--- include/ssl_private.h.orig 2024-02-04 19:32:52 UTC
++++ include/ssl_private.h
+@@ -46,9 +46,6 @@
+ #include <openssl/x509v3.h>
+ #include <openssl/dh.h>
+ #include <openssl/bn.h>
+-#ifndef LIBRESSL_VERSION_NUMBER
+-#include <openssl/provider.h>
+-#endif
+ /* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
+ */
diff --git a/www/tomcat-native2/files/patch-src_ssl.c b/www/tomcat-native2/files/patch-src_ssl.c
new file mode 100644
index 000000000000..b3b37819b955
--- /dev/null
+++ b/www/tomcat-native2/files/patch-src_ssl.c
@@ -0,0 +1,63 @@
+--- src/ssl.c.orig 2024-02-04 19:32:52 UTC
++++ src/ssl.c
+@@ -395,30 +395,14 @@ TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, js
+
+ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeGet)(TCN_STDARGS)
+ {
+-#if defined(LIBRESSL_VERSION_NUMBER)
+ UNREFERENCED(o);
+- /* LibreSSL doesn't support FIPS */
+- return 0;
++#ifdef OPENSSL_FIPS
++ return FIPS_mode();
+ #else
+- EVP_MD *md;
+- const OSSL_PROVIDER *provider;
+- const char *name;
+- UNREFERENCED(o);
++ /* FIPS is unavailable */
++ tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
+
+- // Maps the OpenSSL 3. x onwards behaviour to theOpenSSL 1.x API
+-
+- // Checks that FIPS is the default provider
+- md = EVP_MD_fetch(NULL, "SHA-512", NULL);
+- provider = EVP_MD_get0_provider(md);
+- name = OSSL_PROVIDER_get0_name(provider);
+- // Clean up
+- EVP_MD_free(md);
+-
+- if (strcmp("fips", name)) {
+- return 0;
+- } else {
+- return 1;
+- }
++ return 0;
+ #endif
+ }
+
+@@ -427,8 +411,22 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS
+ int r = 0;
+ UNREFERENCED(o);
+
+- /* This method should never be called when using Tomcat Native 2.x onwards */
+- tcn_ThrowException(e, "fipsModeSet is not supported in Tomcat Native 2.x onwards.");
++#ifdef OPENSSL_FIPS
++ if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
++ /* arrange to get a human-readable error message */
++ unsigned long err = SSL_ERR_get();
++ char msg[256];
++
++ /* ERR_load_crypto_strings() already called in initialize() */
++
++ ERR_error_string_n(err, msg, 256);
++
++ tcn_ThrowException(e, msg);
++ }
++#else
++ /* FIPS is unavailable */
++ tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
++#endif
+
+ return r;
+ }
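Review bot: The `#ifdef OPENSSL_FIPS` gate added to both fipsModeGet and fipsModeSet is, to my knowledge, only defined by OpenSSL 1.x builds carrying the legacy FIPS module, and `FIPS_mode()`/`FIPS_mode_set()` were removed in OpenSSL 3.0, so against OpenSSL 3 or LibreSSL only the `#else` branches compile and the provider-based detection this hunk deletes (the `EVP_MD_fetch`/`OSSL_PROVIDER_get0_name` lines) was the one path able to report a loaded FIPS provider. A caller that merely queries fipsModeGet now receives a thrown exception where the removed code returned 0 or 1; if that is intended, a comment such as `/* Port reverts to the 1.x FIPS_mode API; OpenSSL 3 FIPS providers are reported as unavailable */` above the gate would spare the next maintainer the surprise. In fipsModeSet, `ERR_error_string_n(err, msg, 256)` repeats the buffer size as a literal; `ERR_error_string_n(err, msg, sizeof msg);` keeps it tied to the `char msg[256]` declaration. The two identical exception strings could also share a single `static const char` message so they cannot drift apart.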
diff --git a/www/tomcat-native2/files/patch-src_sslutils.c b/www/tomcat-native2/files/patch-src_sslutils.c
new file mode 100644
index 000000000000..39d22ddc7850
--- /dev/null
+++ b/www/tomcat-native2/files/patch-src_sslutils.c
@@ -0,0 +1,14 @@
+--- src/sslutils.c.orig 2024-02-04 19:32:52 UTC
++++ src/sslutils.c
+@@ -946,11 +946,7 @@ static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p,
+ int ok = 0;
+ apr_socket_t *apr_sock = NULL;
+ apr_pool_t *mp;
+-#ifdef LIBRESSL_VERSION_NUMBER
+ if (OCSP_parse_url(url, &hostname, &c_port, &path, &use_ssl) == 0)
+-#else
+- if (OSSL_HTTP_parse_url(url, &use_ssl, NULL, &hostname, &c_port, NULL, &path, NULL, NULL) == 0)
+-#endif
+ goto end;
+
+ if (sscanf(c_port, "%d", &port) != 1)
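Review bot: `OCSP_parse_url()` becomes the only URL parser in get_ocsp_response, and on OpenSSL 3 that function is deprecated in favour of the `OSSL_HTTP_parse_url()` call this hunk removes, so builds that promote deprecation warnings to errors or define `OPENSSL_NO_DEPRECATED` may fail; if the port intends to target only the OpenSSL 1.1/LibreSSL API surface, a one-line comment saying so at the call site would make that explicit. Both parsers return heap-allocated `hostname`, `c_port` and `path` that the caller must release; that cleanup is presumably at the `end:` label, which lies outside this hunk along with the rest of the function body, so the ownership contract looks unchanged but I could not confirm it from here.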