This is an automated email from the ASF dual-hosted git repository. laiyingchun pushed a commit to branch branch-1.17.x in repository https://gitbox.apache.org/repos/asf/kudu.git
commit 837a0857deb8b43070466a139b08abc02fba8a8f Author: Marton Greber <greber...@gmail.com> AuthorDate: Wed May 24 19:18:26 2023 +0000 Fix OpenSSL3 FIPS_mode() issue on RHEL9.1 The function FIPS_mode() has been removed in OpenSSL3. Commit c24629083e520614af50d0c4242e3d30f55689b6 addressed this issue, however a build failure came up on RHEL9.1. webserver-test.cc fails to build on RHEL9.1, with OpenSSL version 3.0.1. According to the OpenSSL repository, FIPS_mode() has been removed with version 3.0.0 [1]. However on RHEL9.1 OpenSSL contains a fips.h compatibility header, which maps the new function to the old FIPS_mode function: #define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL). This means that the workaround in webserver-test.cc won't work as FIPS_mode() is already defined in the compatibility header. This patch refactors occurences of FIPS_mode() to EVP_default_properties_is_fips_enabled(NULL) where OpenSSL version is greater or equal to 3. [1] https://github.com/openssl/openssl/\ commit/31b069ecea2c567de22b3874c8e71cc37c921ec9 Change-Id: Ib0728846afb07ee937fbe7d99f0057bd8197dd9a Reviewed-on: http://gerrit.cloudera.org:8080/19951 Tested-by: Kudu Jenkins Reviewed-by: Ashwani Raina <ara...@cloudera.com> Reviewed-by: Attila Bukor <abu...@apache.org> (cherry picked from commit acac73ecda83ec2390b5990cc132ca6968bfefdf) Reviewed-on: http://gerrit.cloudera.org:8080/20059 Reviewed-by: Yingchun Lai <laiyingc...@apache.org> --- src/kudu/server/webserver-test.cc | 19 +++++++++++-------- src/kudu/server/webserver.cc | 8 ++++++-- src/kudu/util/openssl_util.cc | 5 +++-- src/kudu/util/openssl_util.h | 4 ++++ 4 files changed, 24 insertions(+), 12 deletions(-) diff --git a/src/kudu/server/webserver-test.cc b/src/kudu/server/webserver-test.cc index 5f42677e0..a86016258 100644 --- a/src/kudu/server/webserver-test.cc +++ b/src/kudu/server/webserver-test.cc 
@@ -18,6 +18,9 @@ #include "kudu/server/webserver.h" #include <openssl/crypto.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include <openssl/ssl.h> +#endif #include <cstdlib> #include <functional> @@ -66,10 +69,10 @@ TAG_FLAG(test_sensitive_flag, sensitive); DECLARE_bool(webserver_enable_csp); -// FIPS_mode is removed from OpenSSL3 for test purposes, a fake one is created and -// set to disabled. -#if OPENSSL_VERSION_NUMBER >= 0x30000000L -int FIPS_mode() { return 0; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L +int fips_mode = FIPS_mode(); +#else +int fips_mode = EVP_default_properties_is_fips_enabled(NULL); #endif namespace kudu { @@ -115,7 +118,7 @@ class WebserverTest : public KuduTest { AddPreInitializedDefaultPathHandlers(server_.get()); AddPostInitializedDefaultPathHandlers(server_.get()); - if (!use_htpasswd() || !FIPS_mode()) { + if (!use_htpasswd() || !fips_mode) { ASSERT_OK(server_->Start()); vector<Sockaddr> addrs; @@ -168,7 +171,7 @@ class PasswdWebserverTest : public WebserverTest { // Send a HTTP request with no username and password. It should reject // the request as the .htpasswd is presented to webserver. TEST_F(PasswdWebserverTest, TestPasswdMissing) { - if (FIPS_mode()) { + if (fips_mode) { return; } Status status = curl_.FetchURL(url_, &buf_); @@ -176,7 +179,7 @@ TEST_F(PasswdWebserverTest, TestPasswdMissing) { } TEST_F(PasswdWebserverTest, TestPasswdPresent) { - if (FIPS_mode()) { + if (fips_mode) { return; } ASSERT_OK(curl_.set_auth(CurlAuthType::DIGEST, security::kTestAuthUsername, @@ -185,7 +188,7 @@ TEST_F(PasswdWebserverTest, TestPasswdPresent) { } TEST_F(PasswdWebserverTest, TestCrashInFIPSMode) { - if (!FIPS_mode()) { + if (!fips_mode) { return; } diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc index d94b1db1d..3ee571dd6 100644 --- a/src/kudu/server/webserver.cc +++ b/src/kudu/server/webserver.cc 
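Review bot: The `fips_mode` variable added in the `@@ -66,10 +69,10 @@` hunk of webserver-test.cc is a mutable global with external linkage, defined outside `namespace kudu` and initialized by a call into OpenSSL during static initialization, before `main()` runs. The value is frozen at load time, and the call presumably triggers OpenSSL's implicit initialization before any setup the test harness does itself. I would keep it file-local and query it on demand, for example a `static bool FipsModeEnabled()` whose OpenSSL 3 branch is `return EVP_default_properties_is_fips_enabled(nullptr) != 0;`. The fixture and the three `PasswdWebserverTest` cases in the later hunks would then call that instead of reading the global.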
@@ -19,6 +19,9 @@ #include <netinet/in.h> #include <openssl/crypto.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include <openssl/ssl.h> +#endif #include <sys/socket.h> #include <algorithm> @@ -291,9 +294,10 @@ Status Webserver::Start() { } if (!opts_.password_file.empty()) { - int fips_mode = 0; #if OPENSSL_VERSION_NUMBER < 0x30000000L - fips_mode = FIPS_mode(); + int fips_mode = FIPS_mode(); +#else + int fips_mode = EVP_default_properties_is_fips_enabled(NULL); #endif if (fips_mode) { return Status::IllegalState( diff --git a/src/kudu/util/openssl_util.cc b/src/kudu/util/openssl_util.cc index 7073c8ebe..33e985b62 100644 --- a/src/kudu/util/openssl_util.cc +++ b/src/kudu/util/openssl_util.cc @@ -95,9 +95,10 @@ void ThreadIdCB(CRYPTO_THREADID* tid) { #endif void CheckFIPSMode() { - int fips_mode = 0; #if OPENSSL_VERSION_NUMBER < 0x30000000L - fips_mode = FIPS_mode(); + int fips_mode = FIPS_mode(); +#else + int fips_mode = EVP_default_properties_is_fips_enabled(NULL); #endif // If the environment variable KUDU_REQUIRE_FIPS_MODE is set to "1", we // check if FIPS approved mode is enabled. If not, we crash the process. diff --git a/src/kudu/util/openssl_util.h b/src/kudu/util/openssl_util.h index 2a077933b..643e54562 100644 --- a/src/kudu/util/openssl_util.h +++ b/src/kudu/util/openssl_util.h @@ -17,9 +17,13 @@ #pragma once +#include <openssl/crypto.h> #include <openssl/err.h> #include <openssl/pem.h> #include <openssl/ssl.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include <openssl/types.h> +#endif #include <openssl/x509.h> #include <functional>
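Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x30000000L` switch between `FIPS_mode()` and `EVP_default_properties_is_fips_enabled(NULL)` in the `@@ -291,9 +294,10 @@` hunk of webserver.cc is now repeated in webserver-test.cc and in `CheckFIPSMode()` in openssl_util.cc. A later change to FIPS detection must be made in three places, and a missed copy would silently weaken the password-file guard here. Since this commit already edits openssl_util.h, one helper declared there and defined beside `CheckFIPSMode()` would keep the version check in a single file. Separately, `EVP_default_properties_is_fips_enabled` is declared in `<openssl/evp.h>`, and the conditional `#include <openssl/ssl.h>` from the `@@ -19,6 +19,9 @@` hunk appears to reach it only transitively, so `#include <openssl/evp.h>` would state the dependency directly. `Webserver::Start()` begins and ends outside the hunk.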
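Review bot: In the `@@ -95,9 +98,10 @@` hunk of openssl_util.cc, `EVP_default_properties_is_fips_enabled(NULL)` reports only whether the default library context's property query requests `fips=yes`. It does not show that the FIPS provider is actually loaded. The context comment below says this value feeds the `KUDU_REQUIRE_FIPS_MODE` crash check, so the limitation should at least be documented, e.g. `// OpenSSL 3: true when the default property query has fips=yes; does not verify the provider is loaded.` Alternatively, the OpenSSL 3 branch could also require `OSSL_PROVIDER_available(NULL, "fips")` from `<openssl/provider.h>`. The rest of `CheckFIPSMode()` is outside the hunk, so how `fips_mode` is consumed is inferred from that comment.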