Why enabling OpenSSL FIPS ? #654

Closed
stac47 opened this issue Mar 3, 2021 · 1 comment · Fixed by #657

stac47 commented Mar 3, 2021

Hello,
I tried to build this library against OpenSSL v3. Now, FIPS-certified algorithms have been moved to a dedicated 'provider' and the function FIPS_mode_set has been removed.
The following lines in librabbitmq/amqp_openssl.c in fact do not seem good:

#ifndef LIBRESSL_VERSION_NUMBER
  FIPS_mode_set(0);
#endif

In fact, the effect of such a call has changed across OpenSSL revisions:

  • The 1.0.2 series was the only one that was FIPS-capable, but with some constraints; among them, it could not be dynamically loaded (no shared libraries are available when you build openssl with fips). See here
  • The 1.1.x series is not FIPS-capable. They kept the API, which does nothing, as you can see in openssl branch 1.1.1 (crypto/o_fips.c):
int FIPS_mode_set(int r)
{
    if (r == 0)
        return 1;
    CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
    return 0;
}
  • The 3.x series has finally removed this deprecated API.

To me, those lines should be removed, but as I have no background on this library, there is perhaps a reason why this was added. However, reading commit 6726405, it is just there to deinit openssl, and is probably useless, as FIPS mode has never been enabled.
Regards,
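
The guard quoted in the issue only excludes LibreSSL, so the removed call is still compiled against OpenSSL 3.x. As an added example (not code from rabbitmq-c or from either commenter), the line-based Python heuristic below flags FIPS_mode_set calls that no enclosing preprocessor condition ties to OPENSSL_VERSION_NUMBER. The function name, the sample source and the version-gated variant in it are constructed for illustration.

```python
import re

# API named in the issue as removed in OpenSSL 3.x.
REMOVED_CALL = re.compile(r"\b(FIPS_mode_set)\s*\(")
DIRECTIVE = re.compile(r"^\s*#\s*(if|ifdef|ifndef|elif|else|endif)\b(.*)$")


def unguarded_fips_calls(source):
    """Return (line_no, api, enclosing_conditions) for each call that no
    enclosing preprocessor condition ties to OPENSSL_VERSION_NUMBER.
    Heuristic: it does not parse C, so comments and declarations also match."""
    stack = []      # one entry per open #if block: text of its branches so far
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if m:
            kind, rest = m.group(1), m.group(2).strip()
            if kind in ("if", "ifdef", "ifndef"):
                stack.append(f"{kind} {rest}")
            elif kind in ("elif", "else") and stack:
                # Keep the opening condition: the #else of a version check
                # is still version-gated.
                stack[-1] = f"{stack[-1]} / {kind} {rest}".strip()
            elif kind == "endif" and stack:
                stack.pop()
            continue
        call = REMOVED_CALL.search(line)
        if call and not any("OPENSSL_VERSION_NUMBER" in c for c in stack):
            findings.append((line_no, call.group(1), list(stack)))
    return findings


# Constructed sample: the guard quoted in the issue (cleanup_a) next to a
# hypothetical variant gated on the OpenSSL version (cleanup_b).
SAMPLE = """\
void cleanup_a(void) {
#ifndef LIBRESSL_VERSION_NUMBER
  FIPS_mode_set(0);
#endif
}
void cleanup_b(void) {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
  FIPS_mode_set(0);
#endif
}
"""

if __name__ == "__main__":
    for line_no, api, guards in unguarded_fips_calls(SAMPLE):
        print(f"line {line_no}: {api} not version-gated (guards: {guards})")
```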

alanxz (Owner) commented Mar 5, 2021

You are correct in that FIPS mode has never been used in rabbitmq-c; this was cargo-culted from somewhere else when figuring out how to do this (I think it came from the OpenSSL wiki).

I believe this can be safely removed.

alanxz added a commit that referenced this issue Mar 5, 2021
This was cargo-culted from the OpenSSL wiki for uninitializing OpenSSL.
This API has been removed in v3.x and newer of OpenSSL, additionally
rabbitmq-c doesn't use FIPS mode, so this is likely a no-op even using
older OpenSSL.

Fixes #654
Fixes #627

Signed-off-by: GitHub <noreply@github.com>
alanxz closed this as completed in 23856b8 Mar 5, 2021
gitting-around added a commit to gitting-around/rabbitmq-c that referenced this issue May 24, 2022
reunanen pushed a commit to reunanen/rabbitmq-c that referenced this issue Nov 21, 2023
(cherry picked from commit c5622b1)