commit 9636575: [Minor] Add explicit checks for FIPS mode presence

Vsevolod Stakhov vsevolod at highsecure.ru
Fri Feb 7 13:21:06 UTC 2020


Author: Vsevolod Stakhov
Date: 2020-02-07 13:18:32 +0000
URL: https://github.com/rspamd/rspamd/commit/963657514d24c29604e0b873c17dcee0d3efd345 (HEAD -> master)

[Minor] Add explicit checks for FIPS mode presence

---
 CMakeLists.txt     | 11 +++++++++++
 config.h.in        |  1 +
 src/libutil/util.c |  4 ++++
 3 files changed, 16 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 29986a740..a41dd8abb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -331,8 +331,19 @@ CHECK_SYMBOL_EXISTS(I_SETSIG "sys/types.h;sys/ioctl.h" HAVE_SETSIG)
 CHECK_SYMBOL_EXISTS(O_ASYNC "sys/types.h;sys/fcntl.h" HAVE_OASYNC)
 CHECK_SYMBOL_EXISTS(O_NOFOLLOW "sys/types.h;sys/fcntl.h" HAVE_ONOFOLLOW)
 CHECK_SYMBOL_EXISTS(O_CLOEXEC "sys/types.h;sys/fcntl.h" HAVE_OCLOEXEC)
+
+# OpenSSL specific stuff
 LIST(APPEND CMAKE_REQUIRED_INCLUDES "${LIBSSL_INCLUDE}")
+IF(LIBCRYPT_LIBRARY_PATH)
+	SET(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES};-L${LIBCRYPT_LIBRARY_PATH};${LIBCRYPT_LIBRARY}")
+	SET(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES};-L${LIBSSL_LIBRARY_PATH};${LIBSSL_LIBRARY}")
+ELSE()
+	SET(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES};-lcrypt;-lssl")
+ENDIF()
+
 CHECK_SYMBOL_EXISTS(SSL_set_tlsext_host_name "openssl/ssl.h" HAVE_SSL_TLSEXT_HOSTNAME)
+CHECK_SYMBOL_EXISTS(FIPS_mode "openssl/crypto.h" HAVE_FIPS_MODE)
+
 CHECK_SYMBOL_EXISTS(dirfd "sys/types.h;unistd.h;dirent.h" HAVE_DIRFD)
 CHECK_SYMBOL_EXISTS(fpathconf "sys/types.h;unistd.h" HAVE_FPATHCONF)
 CHECK_SYMBOL_EXISTS(sigaltstack "signal.h" HAVE_SIGALTSTACK)
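Review bot: The fallback branch `SET(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES};-lcrypt;-lssl")` names libcrypt (crypt(3)) rather than OpenSSL's libcrypto, assuming LIBCRYPT here means libcrypto as the "OpenSSL specific stuff" comment suggests. Where FIPS_mode is an exported function, the CHECK_SYMBOL_EXISTS link test would then fail and HAVE_FIPS_MODE would stay undefined, so a build against a FIPS-capable OpenSSL silently loses its FIPS check; `-lssl;-lcrypto` would probe the right library. The first branch tests only LIBCRYPT_LIBRARY_PATH yet expands `-L${LIBSSL_LIBRARY_PATH}`, which becomes a bare `-L` if that variable is empty. CMAKE_REQUIRED_LIBRARIES also stays modified for the dirfd, fpathconf and sigaltstack checks that follow, so either add a comment saying this is intended or save and restore it around the two OpenSSL checks.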
diff --git a/config.h.in b/config.h.in
index c2d73a0a9..b3aefd980 100644
--- a/config.h.in
+++ b/config.h.in
@@ -32,6 +32,7 @@
 #cmakedefine HAVE_FCNTL_H        1
 #cmakedefine HAVE_FDATASYNC      1
 #cmakedefine HAVE_FETCH_H        1
+#cmakedefine HAVE_FIPS_MODE      1
 #cmakedefine HAVE_FLOCK          1
 #cmakedefine HAVE_FPATHCONF      1
 #cmakedefine HAVE_GETPAGESIZE    1
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 3256becb9..119082964 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -2484,6 +2484,7 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 		}
 
 		if (cfg->fips_mode) {
+#ifdef HAVE_FIPS_MODE
 			int mode = FIPS_mode ();
 			unsigned long err = (unsigned long)-1;
 
@@ -2505,6 +2506,9 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 			else {
 				msg_info_config ("OpenSSL FIPS mode is enabled");
 			}
+#else
+			msg_warn_config ("SSL FIPS mode is enabled but not supported by OpenSSL library!");
+#endif
 		}
 
 		if (cfg->ssl_ca_path) {
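Review bot: The `#else` branch lets startup continue with only `msg_warn_config` when `cfg->fips_mode` is set but the build has no FIPS_mode(), so an operator who asked for FIPS gets a non-FIPS process unless they read the log. For a compliance setting this path should fail closed, consistent with however the supported branch handles a failure to enable FIPS (that code lies between the two hunks and is not visible here), or at least log at error level. The message also says "is enabled" where it means "is requested in the configuration"; something like `msg_err_config ("FIPS mode is requested but this OpenSSL build does not provide FIPS_mode(); FIPS is NOT active");` states the actual condition. rspamd_config_libs begins and ends outside these hunks, so the appropriate return path has to be confirmed there.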

