Add missing header file in kexgexc.c and remove it from kexgex.c

Also change definition of FIPS_mode() to the one done in the OpenSSL 3.x packages of Fedora/RHEL/CentOS/... Fixes gridcf#207
fscheiner · Feb 1, 2023 · 8440ae2 · 8440ae2
1 parent 50fc40b
commit 8440ae2
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 7 deletions.
diff --git a/gsi_openssh/source/fips_mode_replacement.h b/gsi_openssh/source/fips_mode_replacement.h
@@ -14,12 +14,16 @@
  * limitations under the License.
  */
 
+#ifndef FIPS_MODE_REPLACEMENT_H
+#define FIPS_MODE_REPLACEMENT_H
+
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 /*
- * OpenSSL version 3.0 and up no longer has FIPS_mode().
- * Making a replacement function is not feasible since FIPS would need to be
- * initialized differently in any case.
- * See https://www.openssl.org/docs/manmaster/man7/fips_module.html for details
+ * OpenSSL versions 3.0 and up no longer have FIPS_mode(). To support both
+ * OpenSSL 3.x and older versions for other OSes, we use the replacement
+ * function as shipped by Fedora/RHEL/CentOS in their OpenSSL 3.x packages.
  */
-# define FIPS_mode() 0
-#endif
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+#endif
+
+#endif /* FIPS_MODE_REPLACEMENT_H */
diff --git a/gsi_openssh/source/kexgex.c b/gsi_openssh/source/kexgex.c
@@ -34,7 +34,6 @@
 #include <signal.h>
 
 #include "openbsd-compat/openssl-compat.h"
-#include "fips_mode_replacement.h"
 
 #include "sshkey.h"
 #include "cipher.h"

diff --git a/gsi_openssh/source/kexgexc.c b/gsi_openssh/source/kexgexc.c
@@ -39,6 +39,7 @@
 #include <signal.h>
 
 #include "openbsd-compat/openssl-compat.h"
+#include "fips_mode_replacement.h"
 
 #include "sshkey.h"
 #include "cipher.h"