|
|
061f38 |
From: Michele Baldessari <michele@acksyn.org>
|
|
|
061f38 |
Date: Tue, 28 Sep 2021 17:26:16 +0200
|
|
|
061f38 |
Subject: [PATCH] Allow openssl-3.0.0 FIPS compilation
|
|
|
061f38 |
|
|
|
061f38 |
Openssl 3.0.0 dropped support for the old way of adding fips
|
|
|
061f38 |
and in particular it dropped support for FIPS_mode() and
|
|
|
061f38 |
FIPS_mode_set().
|
|
|
061f38 |
|
|
|
061f38 |
In RHEL9, openssl-3.0.0 ships a compat macro for FIPS_mode(), so
|
|
|
061f38 |
this change focuses on replacing FIPS_mode_set()
|
|
|
061f38 |
|
|
|
061f38 |
Compiled erlang-erts-24.1-1.el9.x86_64 with this patch and then tested as follows:
|
|
|
061f38 |
A. Booted the system with fips enabled:
|
|
|
061f38 |
[root@rhel9 ~]# fips-mode-setup --check
|
|
|
061f38 |
FIPS mode is enabled.
|
|
|
061f38 |
|
|
|
061f38 |
B. Set up a fips config file:
|
|
|
061f38 |
cat > fips.config<
|
|
|
061f38 |
[{crypto, [{fips_mode, true}]}]
|
|
|
061f38 |
.
|
|
|
061f38 |
EOF
|
|
|
061f38 |
|
|
|
061f38 |
C. Ran the following:
|
|
|
061f38 |
$ erl -config fips
|
|
|
061f38 |
1> crypto:info_fips().
|
|
|
061f38 |
not_enabled
|
|
|
061f38 |
2> crypto:enable_fips_mode(true).
|
|
|
061f38 |
true
|
|
|
061f38 |
3> crypto:info_fips().
|
|
|
061f38 |
enabled
|
|
|
061f38 |
|
|
|
061f38 |
D. Verified that the ciphers when using fips are a subset of the usual
|
|
|
061f38 |
ciphers:
|
|
|
061f38 |
|
|
|
061f38 |
4> crypto:supports().
|
|
|
061f38 |
[{hashs,[sha,sha224,sha256,sha384,sha512,sha3_224,sha3_256,
|
|
|
061f38 |
sha3_384,sha3_512,blake2b,blake2s]},
|
|
|
061f38 |
{ciphers,[aes_cbc,aes_ccm,aes_cfb128,aes_cfb8,aes_ctr,
|
|
|
061f38 |
aes_ecb,aes_gcm,des_ede3_cfb,aes_128_cbc,aes_192_cbc,
|
|
|
061f38 |
aes_256_cbc,aes_128_cfb128,aes_192_cfb128,aes_256_cfb128,
|
|
|
061f38 |
aes_128_cfb8,aes_192_cfb8,aes_256_cfb8,aes_128_ecb,
|
|
|
061f38 |
aes_192_ecb,aes_256_ecb,aes_256_gcm,aes_256_ccm,aes_192_gcm,
|
|
|
061f38 |
aes_192_ccm,aes_128_gcm|...]},
|
|
|
061f38 |
{public_keys,[rsa,dss,dh,ecdsa,ecdh]},
|
|
|
061f38 |
{macs,[cmac,hmac,poly1305]},
|
|
|
061f38 |
{curves,[]},
|
|
|
061f38 |
{rsa_opts,[rsa_pkcs1_pss_padding,rsa_pss_saltlen,
|
|
|
061f38 |
rsa_mgf1_md,rsa_pkcs1_oaep_padding,rsa_oaep_label,
|
|
|
061f38 |
rsa_oaep_md,signature_md,rsa_pkcs1_padding,rsa_x931_padding,
|
|
|
061f38 |
rsa_no_padding]}]
|
|
|
061f38 |
|
|
|
061f38 |
Note that we could probably just have patched out the FIPS_mode_set()
|
|
|
061f38 |
calls as FIPS gets enforced on the system. The automatism is going to
|
|
|
061f38 |
come with a version of openssl that is later than > openssl-3.0.0-2.
|
|
|
061f38 |
|
|
|
061f38 |
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
|
|
|
061f38 |
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
|
|
|
061f38 |
|
|
|
061f38 |
[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
|
|
|
061f38 |
|
|
|
061f38 |
diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
|
|
|
061f38 |
index 9ef04fca3c..59f6e94b23 100644
|
|
|
061f38 |
--- a/lib/crypto/c_src/openssl_config.h
|
|
|
061f38 |
+++ b/lib/crypto/c_src/openssl_config.h
|
|
|
061f38 |
@@ -427,6 +427,10 @@ do { \
|
|
|
061f38 |
# undef FIPS_SUPPORT
|
|
|
061f38 |
#endif
|
|
|
061f38 |
|
|
|
061f38 |
+#if defined(FIPS_SUPPORT) \
|
|
|
061f38 |
+ && OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(3,0,0) & ~0xff)
|
|
|
061f38 |
+#define FIPS_mode_set(fips_mode) EVP_default_properties_enable_fips(NULL, fips_mode)
|
|
|
061f38 |
+#endif
|
|
|
061f38 |
|
|
|
061f38 |
#ifdef FIPS_SUPPORT
|
|
|
061f38 |
/* In FIPS mode non-FIPS algorithms are disabled and return badarg. */
|