
OpenSSL: Report -fips in version if OpenSSL is built with FIPS #3771

Closed
wants to merge 3 commits into from

Conversation

@rickz0rz commented Apr 12, 2019

Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS
define. It uses this define to determine whether to publish -fips at
the end of the version displayed. Applications that utilize the version
reported by OpenSSL will see a mismatch if they compare it to what curl
reports, as curl is not modifying the version in the same way. This
change simply adds a check to see if OPENSSL_FIPS is defined, and will
alter the reported version to match what OpenSSL itself provides. This
only appears to be applicable in versions of OpenSSL <1.1.1.

Reported-by: Ricky Leverence Jr
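The mismatch the PR describes, as an added C example that is neither curl's nor OpenSSL's code: a library-side version text built the way the pre-1.1.1 opensslv.h does it (suffix only under OPENSSL_FIPS), an application-side "OpenSSL/<version>" string that applies the same rule, and a check for whether the two agree. FIPS_SUFFIX, the SAMPLE_* values, ossl_version_token, app_version_string and versions_agree are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for the OPENSSL_FIPS define of OpenSSL <1.1.1; compile with
 * -DOPENSSL_FIPS to simulate a FIPS-capable build (constructed). */
#ifdef OPENSSL_FIPS
#define FIPS_SUFFIX "-fips"
#else
#define FIPS_SUFFIX ""
#endif

/* Constructed sample following the opensslv.h pattern of the 1.0.2/1.1.0
 * branches: "OpenSSL <version>[-fips]  <date>". */
#define SAMPLE_VERSION_NUMBER "1.1.0k"
#define SAMPLE_VERSION_TEXT "OpenSSL " SAMPLE_VERSION_NUMBER FIPS_SUFFIX "  28 May 2019"

/* Copy the version token (second space-separated word, suffix included)
 * out of an OPENSSL_VERSION_TEXT-style string. Returns 0 on success. */
int ossl_version_token(const char *text, char *out, size_t outlen)
{
  const char *p = strchr(text, ' ');
  size_t n;
  if(!p)
    return -1;
  n = strcspn(++p, " ");
  if(n == 0 || n + 1 > outlen)
    return -1;
  memcpy(out, p, n);
  out[n] = '\0';
  return 0;
}

/* Application-side "OpenSSL/<version>" string that appends "-fips" only
 * when OPENSSL_FIPS is defined, the rule the PR has curl follow. */
int app_version_string(const char *number, char *out, size_t outlen)
{
  int n = snprintf(out, outlen, "OpenSSL/%s%s", number, FIPS_SUFFIX);
  return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 when the library's own text and the application's string name the same
 * version, suffix included; 0 on the mismatch the PR describes. */
int versions_agree(const char *ossl_text, const char *app_string)
{
  char tok[64];
  if(ossl_version_token(ossl_text, tok, sizeof(tok)))
    return 0;
  return strncmp(app_string, "OpenSSL/", 8) == 0 &&
         strcmp(app_string + 8, tok) == 0;
}
```

Built without -DOPENSSL_FIPS the two strings agree on "1.1.0k"; built with it both carry "-fips", which is the consistency the PR restores for curl.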

@rickz0rz rickz0rz force-pushed the rickz0rz:showFipsInVersion branch from d24e8b5 to 2e9270b Apr 12, 2019
Member left a comment

This only appears to be applicable in versions of OpenSSL <1.1.1

Ok, but your changes don't make a distinction, so what happens with OpenSSL 1.1.1+? Does it already append -fips, and then wouldn't it look like 1.1.1-fips-fips or something?

@rickz0rz (Author) commented Apr 13, 2019

This only appears to be applicable in versions of OpenSSL <1.1.1

Ok, but your changes don't make a distinction, so what happens with OpenSSL 1.1.1+? Does it already append -fips, and then wouldn't it look like 1.1.1-fips-fips or something?

Doesn't appear so. 1.1.1 doesn't seem to support it at all, given this line in their 1.1.1 stable branch:
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/o_fips.c#L14
Compare that to 1.1.0 which does:
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/o_fips.c#L17

On the 1.1.0 branch, you'll see the OPENSSL_FIPS define being used to determine the FIPS support. This is what's used to programmatically change the version here:
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/include/openssl/opensslv.h#L43
(That appears to be the case in 1.1.0, 1.0.2, etc.)
...which again, on the same file in 1.1.1, doesn't have that change at all.
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/include/openssl/opensslv.h#L43

So, long answer short, it shouldn't do -fips-fips, as 1.1.1 doesn't seem to support FIPS at all.

Review thread on lib/vtls/openssl.c (resolved)
@rickz0rz rickz0rz force-pushed the rickz0rz:showFipsInVersion branch from 1fa210b to 1349b17 Apr 23, 2019
@jgowdy commented Apr 29, 2019

Is this good to go? The AppVeyor failure seems like an unrelated test.

@Jan-E (Contributor) commented Apr 30, 2019

Is this good to go? The AppVeyor failure seems like an unrelated test.

OpenSSL 1.1.0 does not have FIPS support either. See the end of https://www.openssl.org/blog/blog/2018/09/25/fips/

The upcoming OpenSSL 3.0.0 will be the first version that will have FIPS support:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/

But the patch is good to go.

@jgowdy commented May 8, 2019

@Jan-E Thanks for verifying the patch is good. Can you clarify what you mean by OpenSSL not having FIPS support presently? The effort your links are referring to seems to be the effort to build the next generation FIPS module.

Are you saying that you believe that existing builds of OpenSSL don't report -fips if it has the existing FIPS 140-2 validated cryptographic module, the OpenSSL FIPS Object Module 2.0?

There is existing FIPS support here that works with OpenSSL 1.0.1 and 1.0.2.
https://wiki.openssl.org/index.php/FIPS_module_2.0

We are running into this issue presently with a combination of open source packages, so I don't want it to seem like this patch isn't valuable until OpenSSL 3.0.

Thanks!

@Jan-E (Contributor) commented May 8, 2019

The FIPS 2.0 module is for 1.0.1 and 1.0.2, but 1.1.0 has no FIPS module. And neither has 1.1.1.

@jgowdy commented May 8, 2019

I follow you now, thanks!

@bagder (Member) commented May 8, 2019

Thanks!

@bagder bagder closed this in 3a03e59 May 8, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Aug 6, 2019