Always available FIPS options
This is continuation of #35019, rebased on current master. I have taken it over from @voxik.
Additional changes
fipsMode
constant was replaced by (hopefully) internal binding to FIPS_selftest()
OpenSSL function.
The binding is called testFipsCrypto()
and it simply returns 1 or 0 based on the FIPS status reported by OpenSSL.
The relevant tests were adjusted to rely on this in place of the original constant.
Open problems
There is still the issue of reporting errors in InitCryptoOnce()
:
/* Override FIPS settings in cnf file, if needed. */
unsigned long err = 0; // NOLINT(runtime/int)
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
if (0 == FIPS_mode() && !FIPS_mode_set(1)) {
err = ERR_get_error();
}
}
if (0 != err) {
fprintf(stderr,
"openssl fips failed: %s\n",
ERR_error_string(err, nullptr));
UNREACHABLE();
}
The UNREACHABLE()
section is not so unreachable anymore return ThrowCryptoError(env, err)
requires a reference to the environment, which AFAIK is not available in the InitCryptoOnce()
.
Any pointers?
Fixes #34903 (closed); obsoletes/closes #35019.