This is an automated email from the ASF dual-hosted git repository.

laiyingchun pushed a commit to branch branch-1.17.x
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit 837a0857deb8b43070466a139b08abc02fba8a8f
Author: Marton Greber <greber...@gmail.com>
AuthorDate: Wed May 24 19:18:26 2023 +0000

    Fix OpenSSL3 FIPS_mode() issue on RHEL9.1
    
    The function FIPS_mode() has been removed in OpenSSL3. Commit
    c24629083e520614af50d0c4242e3d30f55689b6 addressed this issue, however a
    build failure came up on RHEL9.1. webserver-test.cc fails to build on
    RHEL9.1, with OpenSSL version 3.0.1. According to the OpenSSL
    repository, FIPS_mode() has been removed with version 3.0.0 [1]. However
    on RHEL9.1 OpenSSL contains a fips.h compatibility header, which maps
    the new function to the old FIPS_mode function:
     #define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL).
    This means that the workaround in webserver-test.cc won't work as
    FIPS_mode() is already defined in the compatibility header. This patch
    refactors occurrences of FIPS_mode() to
    EVP_default_properties_is_fips_enabled(NULL) where OpenSSL version is
    greater or equal to 3.
    
    [1] https://github.com/openssl/openssl/\
    commit/31b069ecea2c567de22b3874c8e71cc37c921ec9
    
    Change-Id: Ib0728846afb07ee937fbe7d99f0057bd8197dd9a
    Reviewed-on: http://gerrit.cloudera.org:8080/19951
    Tested-by: Kudu Jenkins
    Reviewed-by: Ashwani Raina <ara...@cloudera.com>
    Reviewed-by: Attila Bukor <abu...@apache.org>
    (cherry picked from commit acac73ecda83ec2390b5990cc132ca6968bfefdf)
    Reviewed-on: http://gerrit.cloudera.org:8080/20059
    Reviewed-by: Yingchun Lai <laiyingc...@apache.org>
---
 src/kudu/server/webserver-test.cc | 19 +++++++++++--------
 src/kudu/server/webserver.cc      |  8 ++++++--
 src/kudu/util/openssl_util.cc     |  5 +++--
 src/kudu/util/openssl_util.h      |  4 ++++
 4 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/src/kudu/server/webserver-test.cc 
b/src/kudu/server/webserver-test.cc
index 5f42677e0..a86016258 100644
--- a/src/kudu/server/webserver-test.cc
+++ b/src/kudu/server/webserver-test.cc
@@ -18,6 +18,9 @@
 #include "kudu/server/webserver.h"
 
 #include <openssl/crypto.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/ssl.h>
+#endif
 
 #include <cstdlib>
 #include <functional>
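Review bot: The added `#include <openssl/ssl.h>` only provides `EVP_default_properties_is_fips_enabled()` transitively, since that function is declared in `<openssl/evp.h>`. Including the declaring header directly, `#include <openssl/evp.h>`, keeps the file building if the include chain inside ssl.h changes. The same applies to the include hunk at the top of webserver.cc.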
@@ -66,10 +69,10 @@ TAG_FLAG(test_sensitive_flag, sensitive);
 
 DECLARE_bool(webserver_enable_csp);
 
-// FIPS_mode is removed from OpenSSL3 for test purposes, a fake one is created 
and
-// set to disabled.
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-int FIPS_mode() { return 0; }
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+int fips_mode = FIPS_mode();
+#else
+int fips_mode = EVP_default_properties_is_fips_enabled(NULL);
 #endif
 
 namespace kudu {
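Review bot: `fips_mode` is a mutable global with external linkage in the global namespace, and its initializer calls into OpenSSL during static initialization, before `main` and presumably before any explicit OpenSSL setup the test harness performs. The value is also a one-time snapshot, so the tests cannot observe the FIPS state as it is when they actually run. A file-local function evaluated at each call site avoids both problems. The four `fips_mode` uses further down in this file would then become calls to it.

```cpp
namespace {
// Evaluated at call time rather than during static initialization.
bool IsFIPSModeEnabled() {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
  return FIPS_mode() != 0;
#else
  return EVP_default_properties_is_fips_enabled(nullptr) != 0;
#endif
}
}  // namespace
```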
@@ -115,7 +118,7 @@ class WebserverTest : public KuduTest {
 
     AddPreInitializedDefaultPathHandlers(server_.get());
     AddPostInitializedDefaultPathHandlers(server_.get());
-    if (!use_htpasswd() || !FIPS_mode()) {
+    if (!use_htpasswd() || !fips_mode) {
       ASSERT_OK(server_->Start());
 
       vector<Sockaddr> addrs;
@@ -168,7 +171,7 @@ class PasswdWebserverTest : public WebserverTest {
 // Send a HTTP request with no username and password. It should reject
 // the request as the .htpasswd is presented to webserver.
 TEST_F(PasswdWebserverTest, TestPasswdMissing) {
-  if (FIPS_mode()) {
+  if (fips_mode) {
     return;
   }
   Status status = curl_.FetchURL(url_, &buf_);
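Review bot: The bare `return` under `if (fips_mode)` makes TestPasswdMissing report as passed when nothing was verified, so a run on a FIPS host shows green for authentication tests that never executed. The same pattern is in the TestPasswdPresent hunk and, with the condition inverted, in the TestCrashInFIPSMode hunk, where the FIPS refusal path goes unverified on every non-FIPS builder. If the gtest version in the tree supports it, `GTEST_SKIP() << "not applicable in FIPS mode";` would record these as skipped rather than passed. The test bodies continue outside the hunks.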
@@ -176,7 +179,7 @@ TEST_F(PasswdWebserverTest, TestPasswdMissing) {
 }
 
 TEST_F(PasswdWebserverTest, TestPasswdPresent) {
-  if (FIPS_mode()) {
+  if (fips_mode) {
     return;
   }
   ASSERT_OK(curl_.set_auth(CurlAuthType::DIGEST, security::kTestAuthUsername,
@@ -185,7 +188,7 @@ TEST_F(PasswdWebserverTest, TestPasswdPresent) {
 }
 
 TEST_F(PasswdWebserverTest, TestCrashInFIPSMode) {
-  if (!FIPS_mode()) {
+  if (!fips_mode) {
     return;
   }
 
diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc
index d94b1db1d..3ee571dd6 100644
--- a/src/kudu/server/webserver.cc
+++ b/src/kudu/server/webserver.cc
@@ -19,6 +19,9 @@
 
 #include <netinet/in.h>
 #include <openssl/crypto.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/ssl.h>
+#endif
 #include <sys/socket.h>
 
 #include <algorithm>
@@ -291,9 +294,10 @@ Status Webserver::Start() {
   }
 
   if (!opts_.password_file.empty()) {
-    int fips_mode = 0;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-    fips_mode = FIPS_mode();
+  int fips_mode = FIPS_mode();
+#else
+  int fips_mode = EVP_default_properties_is_fips_enabled(NULL);
 #endif
     if (fips_mode) {
       return Status::IllegalState(
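Review bot: The two added `int fips_mode = ...` declarations sit at two-space indent inside the `if (!opts_.password_file.empty())` block, whose other statements are at four spaces, so the variable reads as if it were declared at function scope. The same `#if`/`#else` pair is now repeated in webserver-test.cc and in CheckFIPSMode() in openssl_util.cc; a single helper declared in openssl_util.h would keep the three copies from drifting apart. `NULL` could also be `nullptr` here, as in `int fips_mode = EVP_default_properties_is_fips_enabled(nullptr);`. Start() begins and ends outside the hunk.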
diff --git a/src/kudu/util/openssl_util.cc b/src/kudu/util/openssl_util.cc
index 7073c8ebe..33e985b62 100644
--- a/src/kudu/util/openssl_util.cc
+++ b/src/kudu/util/openssl_util.cc
@@ -95,9 +95,10 @@ void ThreadIdCB(CRYPTO_THREADID* tid) {
 #endif
 
 void CheckFIPSMode() {
-  int fips_mode = 0;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-  fips_mode = FIPS_mode();
+  int fips_mode = FIPS_mode();
+#else
+  int fips_mode = EVP_default_properties_is_fips_enabled(NULL);
 #endif
   // If the environment variable KUDU_REQUIRE_FIPS_MODE is set to "1", we
   // check if FIPS approved mode is enabled. If not, we crash the process.
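Review bot: The OpenSSL 3 branch in CheckFIPSMode() needs a comment stating what the new call actually tests, because it is not the same thing as the old `FIPS_mode()`. `EVP_default_properties_is_fips_enabled(NULL)` reports whether `fips=yes` is a default fetch property of the default library context; on its own it does not confirm that the FIPS provider is loaded. I would add above the `#else` branch: `// OpenSSL 3: true when "fips=yes" is a default property of the default libctx; this does not verify that the FIPS provider itself is loaded.` If KUDU_REQUIRE_FIPS_MODE is meant as a hard guarantee, a complementary `OSSL_PROVIDER_available(nullptr, "fips")` check may be worth considering. CheckFIPSMode() continues outside the hunk.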
diff --git a/src/kudu/util/openssl_util.h b/src/kudu/util/openssl_util.h
index 2a077933b..643e54562 100644
--- a/src/kudu/util/openssl_util.h
+++ b/src/kudu/util/openssl_util.h
@@ -17,9 +17,13 @@
 
 #pragma once
 
+#include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/types.h>
+#endif
 #include <openssl/x509.h>
 
 #include <functional>
