OpenSSL: Report -fips in version if OpenSSL is built with FIPS #3771

Closed. Wants to merge 3 commits.

Conversation

rickz0rz

Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS
define. It uses this define to determine whether to publish -fips at
the end of the version displayed. Applications that utilize the version
reported by OpenSSL will see a mismatch if they compare it to what curl
reports, as curl is not modifying the version in the same way. This
change simply adds a check to see if OPENSSL_FIPS is defined, and will
alter the reported version to match what OpenSSL itself provides. This
only appears to be applicable in versions of OpenSSL <1.1.1

Reported-by: Ricky Leverence Jr

@jay (Member) left a comment

> This only appears to be applicable in versions of OpenSSL <1.1.1

Ok but your changes don't make a distinction so what happens with OpenSSL 1.1.1+ does it already append -fips and then wouldn't it look like 1.1.1-fips-fips or something

@rickz0rz (Author)

> This only appears to be applicable in versions of OpenSSL <1.1.1
>
> Ok but your changes don't make a distinction so what happens with OpenSSL 1.1.1+ does it already append -fips and then wouldn't it look like 1.1.1-fips-fips or something

Doesn't appear so. 1.1.1 doesn't seem to support it at all, given this line in their 1.1.1 stable branch:
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/o_fips.c#L14
Compare that to 1.1.0 which does:
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/o_fips.c#L17

On the 1.1.0 branch, you'll see the OPENSSL_FIPS define being used to determine the FIPS support. This is what's used to programmatically change the version here:
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/include/openssl/opensslv.h#L43
(That appears to be the case in 1.1.0, 1.0.2, etc.)
...which again, on the same file in 1.1.1, doesn't have that change at all.
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/include/openssl/opensslv.h#L43

So, long answer short, it shouldn't do -fips-fips as 1.1.1 doesn't seem to support FIPS at all.
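To make the "-fips-fips" question above concrete, here is an added example in C. It is not curl's or OpenSSL's code; it builds a curl-style version text ("OpenSSL/1.0.2r") and appends "-fips" only when a FIPS flag is set and the suffix is not already present, so it stays correct even for a build whose base string was already rewritten. The names fips_version, fips_marker_agrees and FIPS_BUILD are assumptions introduced here (FIPS_BUILD stands in for the OPENSSL_FIPS define, which is only set if the compiler is invoked with -DOPENSSL_FIPS since no OpenSSL header is included), and the sample version strings are constructed, not captured from a real build.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real build flag: curl's patch keys off
 * OPENSSL_FIPS, which older OpenSSL headers define for FIPS-capable builds.
 * This file includes no OpenSSL header, so the macro is set only when the
 * compiler is run with -DOPENSSL_FIPS. */
#ifdef OPENSSL_FIPS
#  define FIPS_BUILD 1
#else
#  define FIPS_BUILD 0
#endif

#define FIPS_SUFFIX "-fips"

/* Does the text already end in "-fips"? Guards against "1.1.1-fips-fips"
 * if a base string that was already rewritten is passed in. */
static int ends_with_fips(const char *s)
{
    size_t n = strlen(s), m = strlen(FIPS_SUFFIX);
    return n >= m && strcmp(s + n - m, FIPS_SUFFIX) == 0;
}

/* Build the curl-style version text with "-fips" appended when fips_enabled
 * is set and the suffix is not already there. Returns the length written,
 * or -1 if out cannot hold the result (nothing is written in that case). */
int fips_version(const char *base, int fips_enabled, char *out, size_t outlen)
{
    size_t blen = strlen(base);
    int add = fips_enabled && !ends_with_fips(base);
    size_t need = blen + (add ? strlen(FIPS_SUFFIX) : 0);
    if (need + 1 > outlen)
        return -1;
    memcpy(out, base, blen);
    if (add)
        memcpy(out + blen, FIPS_SUFFIX, strlen(FIPS_SUFFIX));
    out[need] = '\0';
    return (int)need;
}

/* The comparison an application in the situation described above would
 * make: both texts should agree on whether they carry the FIPS marker,
 * whatever else differs in layout (OpenSSL's own text also has a date). */
int fips_marker_agrees(const char *openssl_text, const char *curl_text)
{
    int a = strstr(openssl_text, FIPS_SUFFIX) != NULL;
    int b = strstr(curl_text, FIPS_SUFFIX) != NULL;
    return a == b;
}

/* Helpers so the behaviour can be checked as return values. */
int check_fips_version(const char *base, int fips_enabled, const char *expected)
{
    char buf[64];
    return fips_version(base, fips_enabled, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}

int fips_version_rejects_small_buffer(const char *base, size_t outlen)
{
    char buf[64];
    if (outlen > sizeof buf)
        return 0;
    return fips_version(base, 1, buf, outlen) == -1;
}

int main(void)
{
    char buf[64];
    /* Constructed sample string in OpenSSL's own layout, not real output. */
    const char *openssl_text = "OpenSSL 1.0.2r-fips  26 Feb 2019";
    fips_version("OpenSSL/1.0.2r", FIPS_BUILD, buf, sizeof buf);
    printf("curl reports: %s\n", buf);
    printf("FIPS marker agrees with OpenSSL: %s\n",
           fips_marker_agrees(openssl_text, buf) ? "yes" : "no");
    return 0;
}
```

Compile once plainly and once with -DOPENSSL_FIPS to see the two outcomes; without the define the marker check reports a mismatch against the constructed FIPS-style OpenSSL text, which is the situation the pull request describes.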

@jgowdy commented Apr 29, 2019

Is this good to go? The AppVeyor failure seems like an unrelated test.

@Jan-E (Contributor) commented Apr 30, 2019

> Is this good to go? The AppVeyor failure seems like an unrelated test.

OpenSSL 1.1.0 does not have FIPS support either. See the end of https://www.openssl.org/blog/blog/2018/09/25/fips/

The upcoming OpenSSL 3.0.0 will be the first version that will have FIPS support:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/

But the patch is good to go.

@jgowdy commented May 8, 2019

@Jan-E Thanks for verifying the patch is good. Can you clarify what you mean by OpenSSL not having FIPS support presently? The effort your links are referring to seem to be the effort to build the next generation FIPS module.

Are you saying that you believe that existing builds of OpenSSL don't report -fips if it has the existing FIPS 140-2 validated cryptographic module, the OpenSSL FIPS Object Module 2.0?

There is existing FIPS support here that works with OpenSSL 1.0.1 and 1.0.2.
https://wiki.openssl.org/index.php/FIPS_module_2.0

We are running into this issue presently with a combination of open source packages, so I don't want it to seem like this patch isn't valuable until OpenSSL 3.0.

Thanks!

@Jan-E (Contributor) commented May 8, 2019

The FIPS 2.0 module is for 1.0.1 and 1.0.2, but 1.1.0 has no FIPS module. And neither has 1.1.1.

@jgowdy commented May 8, 2019

I follow you now, thanks!

@bagder (Member) commented May 8, 2019

Thanks!

@bagder bagder closed this in 3a03e59 May 8, 2019