From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Fri, 7 Feb 2020 13:18:32 +0000 (+0000)
Subject: [Minor] Add explicit checks for FIPS mode presence
X-Git-Tag: 2.4~88
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=963657514d24c29604e0b873c17dcee0d3efd345;p=rspamd.git

[Minor] Add explicit checks for FIPS mode presence
---

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 29986a740..a41dd8abb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -331,8 +331,19 @@ CHECK_SYMBOL_EXISTS(I_SETSIG "sys/types.h;sys/ioctl.h" HAVE_SETSIG)
 CHECK_SYMBOL_EXISTS(O_ASYNC "sys/types.h;sys/fcntl.h" HAVE_OASYNC)
 CHECK_SYMBOL_EXISTS(O_NOFOLLOW "sys/types.h;sys/fcntl.h" HAVE_ONOFOLLOW)
 CHECK_SYMBOL_EXISTS(O_CLOEXEC "sys/types.h;sys/fcntl.h" HAVE_OCLOEXEC)
+
+# OpenSSL specific stuff
 LIST(APPEND CMAKE_REQUIRED_INCLUDES "${LIBSSL_INCLUDE}")
+IF(LIBCRYPT_LIBRARY_PATH)
+	SET(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES};-L${LIBCRYPT_LIBRARY_PATH};${LIBCRYPT_LIBRARY}")
+	SET(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES};-L${LIBSSL_LIBRARY_PATH};${LIBSSL_LIBRARY}")
+ELSE()
+	SET(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES};-lcrypt;-lssl")
+ENDIF()
+
 CHECK_SYMBOL_EXISTS(SSL_set_tlsext_host_name "openssl/ssl.h" HAVE_SSL_TLSEXT_HOSTNAME)
+CHECK_SYMBOL_EXISTS(FIPS_mode "openssl/crypto.h" HAVE_FIPS_MODE)
+
 CHECK_SYMBOL_EXISTS(dirfd "sys/types.h;unistd.h;dirent.h" HAVE_DIRFD)
 CHECK_SYMBOL_EXISTS(fpathconf "sys/types.h;unistd.h" HAVE_FPATHCONF)
 CHECK_SYMBOL_EXISTS(sigaltstack "signal.h" HAVE_SIGALTSTACK)
diff --git a/config.h.in b/config.h.in
index c2d73a0a9..b3aefd980 100644
--- a/config.h.in
+++ b/config.h.in
@@ -32,6 +32,7 @@
 #cmakedefine HAVE_FCNTL_H        1
 #cmakedefine HAVE_FDATASYNC      1
 #cmakedefine HAVE_FETCH_H        1
+#cmakedefine HAVE_FIPS_MODE      1
 #cmakedefine HAVE_FLOCK          1
 #cmakedefine HAVE_FPATHCONF      1
 #cmakedefine HAVE_GETPAGESIZE    1
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 3256becb9..119082964 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -2484,6 +2484,7 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 		}
 
 		if (cfg->fips_mode) {
+#ifdef HAVE_FIPS_MODE
 			int mode = FIPS_mode ();
 			unsigned long err = (unsigned long)-1;
 
@@ -2505,6 +2506,9 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 			else {
 				msg_info_config ("OpenSSL FIPS mode is enabled");
 			}
+#else
+			msg_warn_config ("SSL FIPS mode is enabled but not supported by OpenSSL library!");
+#endif
 		}
 
 		if (cfg->ssl_ca_path) {