OpenSSL: Report -fips in version if OpenSSL is built with FIPS #3771
This only appears to be applicable in versions of OpenSSL <1.1.1
Ok, but your changes don't make a distinction, so what happens with OpenSSL 1.1.1+? Does it already append -fips, and then wouldn't it look like 1.1.1-fips-fips or something?
Doesn't appear so. 1.1.1 doesn't seem to support it at all, given this line in their 1.1.1 stable branch: On the 1.1.0 branch, you'll see the So.. long answer short, it shouldn't do
Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS define. It uses this define to determine whether to publish -fips at the end of the version displayed. Applications that utilize the version reported by OpenSSL will see a mismatch if they compare it to what curl reports, as curl is not modifying the version in the same way. This change simply adds a check to see if OPENSSL_FIPS is defined, and will alter the reported version to match what OpenSSL itself provides. This only appears to be applicable in versions of OpenSSL <1.1.1
Reported-by: Ricky Leverence Jr
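The suffix logic the commit message describes, as an added illustration that is not curl's own code: it decodes a pre-3.0 OPENSSL_VERSION_NUMBER into the "1.0.2k" form curl prints and appends -fips exactly once, with an integer argument standing in for the OPENSSL_FIPS define; the sample version numbers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples in the pre-3.0 OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS:
   1.0.2k (patch 11 = 'k', status 0xf = release) and 1.1.1 (no patch letter). */
#define SAMPLE_VERNUM_102K 0x100020bfL
#define SAMPLE_VERNUM_111  0x1010100fL

/* Append "-fips" to a formatted version string, but only once, so a string
   that already carries the suffix never becomes "x-fips-fips".
   Returns 1 if the suffix was added, 0 if it was present or did not fit. */
int append_fips_suffix(char *buf, size_t buflen)
{
    const char suffix[] = "-fips";
    size_t len = strlen(buf);
    size_t slen = sizeof(suffix) - 1;

    if (len >= slen && strcmp(buf + len - slen, suffix) == 0)
        return 0;                    /* already suffixed, leave unchanged */
    if (len + slen + 1 > buflen)
        return 0;                    /* no room for suffix and terminator */
    memcpy(buf + len, suffix, slen + 1);
    return 1;
}

/* Format a pre-3.0 OPENSSL_VERSION_NUMBER as "M.N.F" plus a patch letter
   ('a' for patch 1, 'b' for 2, ...), then add "-fips" when fips_defined is
   non-zero. fips_defined stands in for the OPENSSL_FIPS preprocessor define
   (assumption: the caller passes 1 when its opensslconf.h defines it). */
const char *format_openssl_version(unsigned long vernum, int fips_defined,
                                   char *out, size_t outlen)
{
    unsigned long major = (vernum >> 28) & 0xf;
    unsigned long minor = (vernum >> 20) & 0xff;
    unsigned long fix   = (vernum >> 12) & 0xff;
    unsigned long patch = (vernum >> 4) & 0xff;
    char letter[2] = { 0, 0 };

    if (patch >= 1 && patch <= 26)
        letter[0] = (char)('a' + patch - 1);
    snprintf(out, outlen, "%lu.%lu.%lu%s", major, minor, fix, letter);
    if (fips_defined)
        append_fips_suffix(out, outlen);
    return out;
}
```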
Is this good to go? The AppVeyor failure seems like an unrelated test.
OpenSSL 1.1.0 does not have FIPS support either. See the end of https://www.openssl.org/blog/blog/2018/09/25/fips/ The upcoming OpenSSL 3.0.0 will be the first version that will have FIPS support: But the patch is good to go.
@Jan-E Thanks for verifying the patch is good. Can you clarify what you mean by OpenSSL not having FIPS support presently? The effort your links are referring to seems to be the effort to build the next generation FIPS module. Are you saying that you believe that existing builds of OpenSSL don't report -fips if it has the existing FIPS 140-2 validated cryptographic module, the OpenSSL FIPS Object Module 2.0? There is existing FIPS support here that works with OpenSSL 1.0.1 and 1.0.2. We are running into this issue presently with a combination of open source packages, so I don't want it to seem like this patch isn't valuable until OpenSSL 3.0. Thanks!
The FIPS 2.0 module is for 1.0.1 and 1.0.2, but 1.1.0 has no FIPS module. And neither has 1.1.1.
I follow you now, thanks!
Thanks!