Skip to content

Always available FIPS options

Rodrigo Muino Tomonari requested to merge github/fork/khardix/always-available-fips-options into master

This is continuation of #35019, rebased on current master. I have taken it over from @voxik.

Additional changes

fipsMode constant was replaced by (hopefully) internal binding to FIPS_selftest() OpenSSL function. The binding is called testFipsCrypto() and it simply returns 1 or 0 based on the FIPS status reported by OpenSSL. The relevant tests were adjusted to rely on this in place of the original constant.

Open problems

There is still the issue of reporting errors in InitCryptoOnce():

/* Override FIPS settings in cnf file, if needed. */
unsigned long err = 0;  // NOLINT(runtime/int)
if (per_process::cli_options->enable_fips_crypto ||
    per_process::cli_options->force_fips_crypto) {
  if (0 == FIPS_mode() && !FIPS_mode_set(1)) {
    err = ERR_get_error();
  }
}
if (0 != err) {
  fprintf(stderr,
          "openssl fips failed: %s\n",
          ERR_error_string(err, nullptr));
  UNREACHABLE();
}

The UNREACHABLE() section is not so unreachable anymore 😉. Unfortunately, I was not able to figure out better way to report an error – anything similar to return ThrowCryptoError(env, err) requires a reference to the environment, which AFAIK is not available in the InitCryptoOnce().

Any pointers?

Fixes #34903 (closed); obsoletes/closes #35019.

Merge request reports