diff --git a/mysys/my_md5.cc b/mysys/my_md5.cc index dea997b252c..81484f0652b 100644 --- a/mysys/my_md5.cc +++ b/mysys/my_md5.cc @@ -35,6 +35,10 @@ #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + static void my_md5_hash(unsigned char *digest, unsigned const char *buf, int len) { MD5_CTX ctx; @@ -56,7 +60,11 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf, int compute_md5_hash(char *digest, const char *buf, int len) { int retval = 0; int fips_mode = 0; + #if OPENSSL_VERSION_NUMBER < 0x30000000L fips_mode = FIPS_mode(); + #else + fips_mode = EVP_default_properties_is_fips_enabled(NULL); + #endif /* If fips mode is ON/STRICT restricted method calls will result into abort, * skipping call. */ if (fips_mode == 0) { diff --git a/plugin/x/client/xconnection_impl.cc b/plugin/x/client/xconnection_impl.cc index 13bc6794ea5..8752bcea9bf 100644 --- a/plugin/x/client/xconnection_impl.cc +++ b/plugin/x/client/xconnection_impl.cc @@ -51,6 +51,10 @@ #include "plugin/x/src/config/config.h" #include "sql-common/net_ns.h" +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + #ifndef WIN32 #include #include @@ -524,12 +528,20 @@ int set_fips_mode(const uint32_t fips_mode, if (fips_mode > 2) { goto EXIT; } + #if OPENSSL_VERSION_NUMBER < 0x30000000L fips_mode_old = FIPS_mode(); + #else + fips_mode_old = EVP_default_properties_is_fips_enabled(NULL); + #endif if (fips_mode_old == fips_mode) { rc = 1; goto EXIT; } + #if OPENSSL_VERSION_NUMBER < 0x30000000L if (!(rc = FIPS_mode_set(fips_mode))) { + #else + if (!(rc = EVP_default_properties_enable_fips(fips_mode))) { + #endif err_library = ERR_get_error(); ERR_error_string_n(err_library, err_string, OPENSSL_ERROR_LENGTH - 1); err_string[OPENSSL_ERROR_LENGTH - 1] = '\0'; diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc index 6c04029ccb0..164b727e3dc 100644 --- a/vio/viosslfactories.cc +++ b/vio/viosslfactories.cc 
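Review bot: On the OpenSSL 3 branch in compute_md5_hash, `EVP_default_properties_is_fips_enabled(NULL)` only reports whether `fips=yes` is a default property of the default library context, not whether a FIPS provider is actually serving algorithms. If FIPS is enforced another way (for example through provider configuration, which is not visible here), fips_mode stays 0 and the MD5 path still runs. The existing comment about restricted calls aborting may also no longer describe the 3.x behaviour. I would add a comment on the new branch such as `/* OpenSSL 3: reflects only the default-context "fips=yes" property, not provider state */`. The function body continues outside the hunk.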
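Review bot: The OpenSSL 3 branch in plugin/x/client/xconnection_impl.cc calls `EVP_default_properties_enable_fips(fips_mode)` with one argument, but the function takes a library context first, and the same change in vio/viosslfactories.cc passes `NULL`. As written this branch should fail to compile against OpenSSL 3; it should read `if (!(rc = EVP_default_properties_enable_fips(NULL, fips_mode))) {`. Separately, here and in the set_fips_mode hunk of vio/viosslfactories.cc, `EVP_default_properties_is_fips_enabled` returns only 0 or 1 while fips_mode may be 2. So `fips_mode_old == fips_mode` can never match for 2, and any non-zero value is simply treated as "enable". set_fips_mode starts and ends outside the hunk.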
@@ -40,6 +40,10 @@ #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + #if OPENSSL_VERSION_NUMBER < 0x10002000L #include #endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */ @@ -498,12 +502,20 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) { if (fips_mode > 2) { goto EXIT; } + #if OPENSSL_VERSION_NUMBER < 0x30000000L fips_mode_old = FIPS_mode(); + #else + fips_mode_old = EVP_default_properties_is_fips_enabled(NULL); + #endif if (fips_mode_old == fips_mode) { rc = 1; goto EXIT; } + #if OPENSSL_VERSION_NUMBER < 0x30000000L if (!(rc = FIPS_mode_set(fips_mode))) { + #else + if (!(rc = EVP_default_properties_enable_fips(NULL, fips_mode))) { + #endif /* If OS doesn't have FIPS enabled openssl library and user sets FIPS mode ON, It fails with proper error. But in the same time it doesn't allow to @@ -511,7 +523,11 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) { error, setting old working FIPS mode value in the OpenSSL library. It will allow successful cryptographic operation and will not abort the server. */ + #if OPENSSL_VERSION_NUMBER < 0x30000000L FIPS_mode_set(fips_mode_old); + #else + EVP_default_properties_enable_fips(NULL, fips_mode_old); + #endif err_library = ERR_get_error(); ERR_error_string_n(err_library, err_string, OPENSSL_ERROR_LENGTH - 1); err_string[OPENSSL_ERROR_LENGTH - 1] = '\0'; @@ -525,7 +541,13 @@ EXIT: @returns openssl current fips mode */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L uint get_fips_mode() { return FIPS_mode(); } +#else +uint get_fips_mode() { + return EVP_default_properties_is_fips_enabled(NULL); +} +#endif long process_tls_version(const char *tls_version) { const char *separator = ",";
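Review bot: The failure branch of set_fips_mode in vio/viosslfactories.cc is unlikely to be reached on OpenSSL 3 when FIPS is unavailable. As far as I know, `EVP_default_properties_enable_fips(NULL, fips_mode)` only sets the `fips=yes` default property and returns success even when no FIPS provider is loaded. The "fails with proper error" path described in the comment is then skipped, and later algorithm fetches fail instead. I would check provider availability before enabling, for example with `OSSL_PROVIDER_available(NULL, "fips")` (needs `<openssl/provider.h>`), and report a failure through err_string. The rollback in the following hunk, `EVP_default_properties_enable_fips(NULL, fips_mode_old);`, has the same caveat, and its return value is ignored.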
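Review bot: The doc comment `@returns openssl current fips mode` above get_fips_mode no longer matches the OpenSSL 3 build, where the function returns 0 or 1 from the default property query and never 2. I would extend it, e.g. `@returns on OpenSSL 3: 1 if "fips=yes" is a default property of the default library context, else 0`. As a style point, one definition with the `#if`/`#else` inside the body would avoid duplicating the signature under two preprocessor branches.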