From 3a03e59048d6b3e62f56baf4b4bd0cba5f26fe17 Mon Sep 17 00:00:00 2001
From: Ricky Leverence
Date: Fri, 12 Apr 2019 11:53:12 -0700
Subject: [PATCH] OpenSSL: Report -fips in version if OpenSSL is built with FIPS

Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS define. It uses this define to determine whether to publish -fips at the end of the version displayed. Applications that utilize the version reported by OpenSSL will see a mismatch if they compare it to what curl reports, as curl is not modifying the version in the same way. This change simply adds a check to see if OPENSSL_FIPS is defined, and will alter the reported version to match what OpenSSL itself provides. This only appears to be applicable in versions of OpenSSL <1.1.1

Closes #3771

--- lib/vtls/openssl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index e50f929ef..9b1b5d3be 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3826,7 +3826,11 @@ static size_t Curl_ossl_version(char *buffer, size_t size) sub[0]='\0'; } - return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s", + return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s" +#ifdef OPENSSL_FIPS + "-fips" +#endif + , OSSL_PACKAGE, (ssleay_value>>28)&0xf, (ssleay_value>>20)&0xff,
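Review bot: the `#ifdef OPENSSL_FIPS` test in the `msnprintf` call in `Curl_ossl_version` is resolved against the OpenSSL headers present when curl is compiled, so the `"-fips"` suffix records that the build saw a FIPS-capable OpenSSL and says nothing about whether FIPS mode is enabled in the running process. Anyone reading the version string for compliance purposes could take it as the latter, so a short comment above the call stating that this mirrors OpenSSL's own version suffix and is a build-time property would help, along with the commit message's note that it only applies to OpenSSL <1.1.1. On style, placing preprocessor directives inside the argument list leaves a lone `,` line that is easy to break in a later edit, and it would become undefined behaviour if `msnprintf` were ever a function-like macro. Defining a small string macro once near the top of the file (empty when `OPENSSL_FIPS` is not defined, `"-fips"` when it is) and concatenating it after `"%s/%lx.%lx.%lx%s"` would keep the call on ordinary lines with the same output.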