Fix checks for openssl version numbers around fips changes, they were using an incorr...
authorBrent Collins <bcollins@forcepoint.com>
Tue, 11 Apr 2017 17:02:17 +0000 (12:02 -0500)
committerArmin Novak <armin.novak@thincast.com>
Fri, 17 Nov 2017 11:43:07 +0000 (12:43 +0100)
Simplify the logic to enable openssl fips mode

winpr/libwinpr/crypto/cipher.c
winpr/libwinpr/utils/ssl.c

index 841c68c..78a6501 100644 (file)
@@ -65,8 +65,8 @@ WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOOL overr
        EVP_CIPHER_CTX_init((EVP_CIPHER_CTX *) ctx);
        EVP_EncryptInit_ex((EVP_CIPHER_CTX *) ctx, evp, NULL, NULL, NULL);
 
-       /* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist in openssl 1.0.0 */
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       /* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
+#if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
        if (override_fips == TRUE)
                EVP_CIPHER_CTX_set_flags((EVP_CIPHER_CTX *) ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
 #endif
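Review bot: The NON_FIPS_ALLOW flag is applied after the EVP_EncryptInit_ex on the line above has already selected the cipher, and that call's return value is never checked; if the FIPS-capable init path rejects a non-FIPS cipher at init time (which, to my recollection, is where the 1.0.x FIPS builds consult EVP_CIPH_FLAG_NON_FIPS_ALLOW), setting the flag here comes too late and the failure is silent. Consider moving the `EVP_CIPHER_CTX_set_flags` call ahead of the first `EVP_EncryptInit_ex` and checking that call's result before continuing; winpr_RC4_New_Internal begins before and continues past this hunk, so the right cleanup path is not visible here. Separately, `#if !(OPENSSL_VERSION_NUMBER < 0x10001000L)` is a double negation that `#if (OPENSSL_VERSION_NUMBER >= 0x10001000L)` states directly, and on the excluded versions `override_fips` is dropped without any trace, so a `WLog_DBG` in an `#else` branch would at least make that visible.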
index 1d9a6da..c9890fe 100644 (file)
@@ -239,7 +239,6 @@ static BOOL _winpr_openssl_cleanup_locking(void)
 static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVOID* context)
 {
        DWORD flags = param ? *(PDWORD)param : WINPR_SSL_INIT_DEFAULT;
-       int ret = 0;
 
        if (flags & WINPR_SSL_INIT_ALREADY_INITIALIZED)
        {
@@ -274,18 +273,17 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
 
        if (flags & WINPR_SSL_INIT_ENABLE_FIPS)
        {
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#if (OPENSSL_VERSION_NUMBER < 0x10001000L)
+               WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!");
+#else
                WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
                if (FIPS_mode() != 1)
                {
-                       ret = FIPS_mode_set(1);
-                       if (ret != 1)
-                               WLog_ERR(TAG, "Openssl fips mode ENable failed!");
+                       if (FIPS_mode_set(1))
+                                WLog_INFO(TAG, "Openssl fips mode ENabled!");
                        else
-                               WLog_INFO(TAG, "Openssl fips mode ENabled!");
+                               WLog_ERR(TAG, "Openssl fips mode ENable failed!");
                }
-#else
-               WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!");
 #endif
        }
        return TRUE;
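Review bot: `_winpr_openssl_initialize` still returns TRUE at the end of the hunk when WINPR_SSL_INIT_ENABLE_FIPS was requested but FIPS_mode_set(1) failed or the OpenSSL version cannot enable it, so a caller that asked for FIPS enforcement gets a success result with only a log line to show otherwise. Unless FIPS here is deliberately best-effort, both error branches should fail the initialization (presumably propagating through the INIT_ONCE caller): `WLog_ERR(TAG, "Openssl fips mode ENable failed!"); return FALSE;` and likewise after the "not available" error. Also, the `WLog_INFO` line under `if (FIPS_mode_set(1))` is indented one column deeper than its `else` partner; align it with the surrounding tab indentation. The function's closing brace lies outside the hunk.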