From 922a0fa495cbb6f6f9a04ea494fa7676bd4e9684 Mon Sep 17 00:00:00 2001
From: Brent Collins
Date: Tue, 11 Apr 2017 12:02:17 -0500
Subject: [PATCH] Fix checks for openssl version numbers around fips changes, they were using an incorrect version matching 1.1.0 and not 1.0.1

Simplify the logic to enable openssl fips mode

---
 winpr/libwinpr/crypto/cipher.c | 4 ++--
 winpr/libwinpr/utils/ssl.c | 14 ++++++--------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
index 841c68c21..78a65019c 100644
--- a/winpr/libwinpr/crypto/cipher.c
+++ b/winpr/libwinpr/crypto/cipher.c
@@ -65,8 +65,8 @@ WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOOL overr
 EVP_CIPHER_CTX_init((EVP_CIPHER_CTX *) ctx);
 EVP_EncryptInit_ex((EVP_CIPHER_CTX *) ctx, evp, NULL, NULL, NULL);
- /* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist in openssl 1.0.0 */
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ /* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
+#if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
 if (override_fips == TRUE)
 EVP_CIPHER_CTX_set_flags((EVP_CIPHER_CTX *) ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
 #endif
diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
index 1d9a6da58..c9890fe07 100644
--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
@@ -239,7 +239,6 @@ static BOOL _winpr_openssl_cleanup_locking(void)
 static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVOID* context)
 {
 DWORD flags = param ? *(PDWORD)param : WINPR_SSL_INIT_DEFAULT;
- int ret = 0;
 if (flags & WINPR_SSL_INIT_ALREADY_INITIALIZED)
 {
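Review bot: The corrected `#if` still only sets `EVP_CIPH_FLAG_NON_FIPS_ALLOW` after `EVP_EncryptInit_ex` two lines earlier has already bound the cipher, and that call's return value is discarded; on a FIPS-enforcing OpenSSL build the first init may already have been rejected for a non-approved cipher before the override flag is applied, so `override_fips` would have no effect. Consider moving the `override_fips` block above the init and checking the result, e.g. `if (EVP_EncryptInit_ex((EVP_CIPHER_CTX *) ctx, evp, NULL, NULL, NULL) != 1)` followed by releasing `ctx` and returning the function's failure value (presumably NULL; the rest of winpr_RC4_New_Internal lies outside the hunk). As a point of style, `#if (OPENSSL_VERSION_NUMBER >= 0x10001000L)` states the same condition as `!(... < ...)` and reads more directly.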
@@ -274,18 +273,17 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
 if (flags & WINPR_SSL_INIT_ENABLE_FIPS)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#if (OPENSSL_VERSION_NUMBER < 0x10001000L)
+ WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!");
+#else
 WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
 if (FIPS_mode() != 1)
 {
- ret = FIPS_mode_set(1);
- if (ret != 1)
- WLog_ERR(TAG, "Openssl fips mode ENable failed!");
+ if (FIPS_mode_set(1))
+ WLog_INFO(TAG, "Openssl fips mode ENabled!");
 else
- WLog_INFO(TAG, "Openssl fips mode ENabled!");
+ WLog_ERR(TAG, "Openssl fips mode ENable failed!");
 }
-#else
- WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!");
 #endif
 }
 return TRUE;
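Review bot: Both failure branches still fall through to the `return TRUE;` at the end of the hunk — the `< 1.0.1` branch that logs FIPS mode as unavailable, and the `else` branch after `FIPS_mode_set(1)` fails — so a caller that passed `WINPR_SSL_INIT_ENABLE_FIPS` is told initialization succeeded while OpenSSL keeps running in non-FIPS mode. For a deployment where FIPS is a hard requirement that is a silent downgrade; each of those two branches should be followed by `return FALSE;` so the init-once callback reports the failure. `FIPS_mode_set` leaves its reason on the OpenSSL error queue, so logging `ERR_error_string(ERR_get_error(), NULL)` next to "ENable failed!" would make a failed enable diagnosable (assuming `<openssl/err.h>` is included in this file). Whether a FALSE return here is propagated to the public initializer depends on code outside the hunk.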