Blame otp-0010-Allow-openssl-3.0.0-FIPS-compilation.patch

061f38
From: Michele Baldessari <michele@acksyn.org>
061f38
Date: Tue, 28 Sep 2021 17:26:16 +0200
061f38
Subject: [PATCH] Allow openssl-3.0.0 FIPS compilation
061f38
061f38
Openssl 3.0.0 dropped support for the old way of adding fips
061f38
and in particular it dropped support for FIPS_mode() and
061f38
FIPS_mode_set().
061f38
061f38
In RHEL9, openssl-3.0.0 ships a compat macro for FIPS_mode(), so
061f38
this change focuses on replacing FIPS_mode_set()
061f38
061f38
Compiled erlang-erts-24.1-1.el9.x86_64 with this patch and then tested as follows:
061f38
A. Booted the system with fips enabled:
061f38
[root@rhel9 ~]# fips-mode-setup --check
061f38
FIPS mode is enabled.
061f38
061f38
B. Set up a fips config file:
061f38
cat > fips.config<
061f38
[{crypto, [{fips_mode, true}]}]
061f38
.
061f38
EOF
061f38
061f38
C. Ran the following:
061f38
$ erl -config fips
061f38
1> crypto:info_fips().
061f38
not_enabled
061f38
2> crypto:enable_fips_mode(true).
061f38
true
061f38
3> crypto:info_fips().
061f38
enabled
061f38
061f38
D. Verified that the ciphers when using fips are a subset of the usual
061f38
ciphers:
061f38
061f38
4> crypto:supports().
061f38
[{hashs,[sha,sha224,sha256,sha384,sha512,sha3_224,sha3_256,
061f38
         sha3_384,sha3_512,blake2b,blake2s]},
061f38
 {ciphers,[aes_cbc,aes_ccm,aes_cfb128,aes_cfb8,aes_ctr,
061f38
           aes_ecb,aes_gcm,des_ede3_cfb,aes_128_cbc,aes_192_cbc,
061f38
           aes_256_cbc,aes_128_cfb128,aes_192_cfb128,aes_256_cfb128,
061f38
           aes_128_cfb8,aes_192_cfb8,aes_256_cfb8,aes_128_ecb,
061f38
           aes_192_ecb,aes_256_ecb,aes_256_gcm,aes_256_ccm,aes_192_gcm,
061f38
           aes_192_ccm,aes_128_gcm|...]},
061f38
 {public_keys,[rsa,dss,dh,ecdsa,ecdh]},
061f38
 {macs,[cmac,hmac,poly1305]},
061f38
 {curves,[]},
061f38
 {rsa_opts,[rsa_pkcs1_pss_padding,rsa_pss_saltlen,
061f38
            rsa_mgf1_md,rsa_pkcs1_oaep_padding,rsa_oaep_label,
061f38
            rsa_oaep_md,signature_md,rsa_pkcs1_padding,rsa_x931_padding,
061f38
            rsa_no_padding]}]
061f38
061f38
Note that we could probably just have patched out the FIPS_mode_set()
061f38
calls as FIPS gets enforced on the system. The automatism is going to
061f38
come with a version of openssl that is later than > openssl-3.0.0-2.
061f38
061f38
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
061f38
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
061f38
061f38
[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
061f38
061f38
diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
061f38
index 9ef04fca3c..59f6e94b23 100644
061f38
--- a/lib/crypto/c_src/openssl_config.h
061f38
+++ b/lib/crypto/c_src/openssl_config.h
061f38
@@ -427,6 +427,10 @@ do {                                                    \
061f38
 # undef FIPS_SUPPORT
061f38
 #endif
061f38
 
061f38
+#if defined(FIPS_SUPPORT) \
061f38
+    && OPENSSL_VERSION_NUMBER  >= (PACKED_OPENSSL_VERSION_PLAIN(3,0,0) & ~0xff)
061f38
+#define FIPS_mode_set(fips_mode) EVP_default_properties_enable_fips(NULL, fips_mode)
061f38
+#endif
061f38
 
061f38
 #ifdef FIPS_SUPPORT
061f38
 /* In FIPS mode non-FIPS algorithms are disabled and return badarg. */