Fix checks for openssl version numbers around fips changes, they were using an incorrect version matching 1.1.0 and not 1.0.1

Simplify the logic to enable openssl fips mode
Brent Collins 2017-04-11 12:02:17 -05:00 committed by Armin Novak
parent e47123f05a
commit 922a0fa495
2 changed files with 8 additions and 10 deletions


@ -65,8 +65,8 @@ WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOOL overr
EVP_CIPHER_CTX_init((EVP_CIPHER_CTX *) ctx);
EVP_EncryptInit_ex((EVP_CIPHER_CTX *) ctx, evp, NULL, NULL, NULL);
/* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist in openssl 1.0.0 */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
/* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
#if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
if (override_fips == TRUE)
EVP_CIPHER_CTX_set_flags((EVP_CIPHER_CTX *) ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
#endif
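Review bot: The guard around `EVP_CIPH_FLAG_NON_FIPS_ALLOW` is still a version-number guess, which is the kind of check this commit had to correct. Since the flag is a preprocessor macro in the OpenSSL headers, `#ifdef EVP_CIPH_FLAG_NON_FIPS_ALLOW` would test the capability directly and reads more plainly than `#if !(OPENSSL_VERSION_NUMBER < 0x10001000L)`. The block would also benefit from a comment such as `/* override_fips permits RC4, a non-approved cipher, while FIPS mode is on; only pass TRUE where the protocol requires it */`, because this is the one place where FIPS enforcement is deliberately bypassed. The result of the `EVP_EncryptInit_ex` call just above the guard is not checked in the visible lines, so a rejected cipher would go unnoticed here. winpr_RC4_New_Internal starts and ends outside the hunk.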


@ -239,7 +239,6 @@ static BOOL _winpr_openssl_cleanup_locking(void)
static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVOID* context)
{
DWORD flags = param ? *(PDWORD)param : WINPR_SSL_INIT_DEFAULT;
int ret = 0;
if (flags & WINPR_SSL_INIT_ALREADY_INITIALIZED)
{
@ -274,18 +273,17 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
if (flags & WINPR_SSL_INIT_ENABLE_FIPS)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
#if (OPENSSL_VERSION_NUMBER < 0x10001000L)
WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!");
#else
WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
if (FIPS_mode() != 1)
{
ret = FIPS_mode_set(1);
if (ret != 1)
WLog_ERR(TAG, "Openssl fips mode ENable failed!");
else
if (FIPS_mode_set(1))
WLog_INFO(TAG, "Openssl fips mode ENabled!");
else
WLog_ERR(TAG, "Openssl fips mode ENable failed!");
}
#else
WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!");
#endif
}
return TRUE;
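Review bot: When `WINPR_SSL_INIT_ENABLE_FIPS` is requested and `FIPS_mode_set(1)` fails, or the build targets OpenSSL older than 1.0.1, the second hunk only logs an error and execution still reaches `return TRUE;`. A caller that asked for FIPS mode therefore continues with non-FIPS crypto and has no way to tell. Consider failing closed by adding `return FALSE;` after each of the two `WLog_ERR` calls, bracing the `else` branch; callers would need to check the initialization result, and that is not visible here. The function body ends outside the hunk.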