Don't try to override system FIPS mode and use openssl.FIPSCapable #1496

Merged
merged 2 commits into from
Jan 17, 2025
20 changes: 9 additions & 11 deletions patches/0003-Implement-crypto-internal-backend.patch
Expand Up @@ -26,7 +26,7 @@ Subject: [PATCH] Implement crypto/internal/backend
.../backend/fips140/nosystemcrypto.go | 11 +
.../internal/backend/fips140/openssl.go | 41 ++
src/crypto/internal/backend/nobackend.go | 240 ++++++++++++
src/crypto/internal/backend/openssl_linux.go | 362 ++++++++++++++++++
src/crypto/internal/backend/openssl_linux.go | 360 ++++++++++++++++++
src/crypto/internal/backend/stub.s | 10 +
src/go/build/deps_test.go | 7 +-
.../exp_allowcryptofallback_off.go | 9 +
Expand All @@ -45,7 +45,7 @@ Subject: [PATCH] Implement crypto/internal/backend
...ckenderr_gen_requirefips_nosystemcrypto.go | 17 +
.../backenderr_gen_systemcrypto_nobackend.go | 16 +
src/runtime/runtime_boring.go | 5 +
41 files changed, 2493 insertions(+), 1 deletion(-)
41 files changed, 2491 insertions(+), 1 deletion(-)
create mode 100644 src/crypto/internal/backend/backend_test.go
create mode 100644 src/crypto/internal/backend/backendgen.go
create mode 100644 src/crypto/internal/backend/backendgen_test.go
Expand Down Expand Up @@ -2079,10 +2079,10 @@ index 00000000000000..7c3a95c2c64a2d
+}
diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go
new file mode 100644
index 00000000000000..57293ff2128dd6
index 00000000000000..5ddcf98ea682a5
--- /dev/null
+++ b/src/crypto/internal/backend/openssl_linux.go
@@ -0,0 +1,362 @@
@@ -0,0 +1,360 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
Expand Down Expand Up @@ -2149,16 +2149,14 @@ index 00000000000000..57293ff2128dd6
+ panic("opensslcrypto: can't initialize OpenSSL " + lcrypto + ": " + err.Error())
+ }
+ if fips140.Enabled() {
+ if !openssl.FIPS() {
+ if err := openssl.SetFIPS(true); err != nil {
+ panic("opensslcrypto: can't enable FIPS mode for " + openssl.VersionText() + ": " + err.Error())
+ }
+ // Use openssl.FIPSCapable instead of openssl.FIPS because some providers, e.g. SCOSSL, are FIPS compliant
+ // even when FIPS mode is not enabled.
+ if !openssl.FIPSCapable() {
+ panic("opensslcrypto: FIPS mode requested (" + fips140.Message + ") but not available in " + openssl.VersionText())
+ }
+ } else if fips140.Disabled() {
+ if openssl.FIPS() {
+ if err := openssl.SetFIPS(false); err != nil {
+ panic("opensslcrypto: can't disable FIPS mode for " + openssl.VersionText() + ": " + err.Error())
+ }
+ panic("opensslcrypto: FIPS mode explicitly disabled (" + fips140.Message + ") but enabled in " + openssl.VersionText())
+ }
+ }
+ sig.BoringCrypto()
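Review bot: The fips140.Enabled() branch now only checks openssl.FIPSCapable() and no longer calls openssl.SetFIPS(true), so an OpenSSL build that is FIPS-capable but whose FIPS mode is not actually switched on passes the check silently; whether that is the intended contract depends on FIPSCapable's exact semantics, which the new comment only illustrates with SCOSSL and should state explicitly. I would extend the comment to something like `// FIPS mode is not forced on here: enforcement relies on the system/provider configuration, and FIPSCapable reports that the loaded provider can satisfy FIPS requests (e.g. SCOSSL), not that FIPS mode is enabled.` so a reader does not assume the process still enables FIPS itself. The panic text `FIPS mode requested (...) but not available in ...` describes a stronger condition than the check makes; `but OpenSSL is not FIPS capable` would match it. The fips140.Disabled() branch is consistent with the new policy of never toggling system FIPS mode. The enclosing function starts before and ends after this hunk.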