You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
In FIPS-enabled mode when EdDSA algorithm is available the crypto:sign() treats any algorithm as "Unsupported algorithm in FIPS mode".
To Reproduce
> ./configure --enable-fips --prefix=$(pwd)/installed
> make && make install
> ~/proj/otp-upstream $ ERL_TOP=installed installed/bin/erl
Erlang/OTP 26 [RELEASE CANDIDATE 2] [erts-13.2] [source-88439d7b75] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]
1> crypto:enable_fips_mode(true).
true
2> crypto:info_fips().
enabled
3> crypto:sign(rsa, sha, <<1,1,1>>, [65537, 1]).
** exception error: {notsup,{"pkey.c",104},"Unsupported algorithm in FIPS mode"}
in function crypto:sign/5 (crypto.erl, line 1474)
*** argument 1: Unsupported algorithm in FIPS mode
*** (Found in the internal file pkey.c at line 104)
Expected behavior
3> crypto:sign(rsa, sha, <<1,1,1>>, [65537, 1]).
** exception error: {badarg,{"pkey.c",357},"Couldn't get RSA private key"}
in function crypto:sign/5 (crypto.erl, line 1474)
*** argument 4: Couldn't get RSA private key
*** (Found in the internal file pkey.c at line 357)
Affected versions
OTP-25.3, OTP-26 RC2
Additional context
The patch that can fix the issue:
diff --git a/lib/crypto/c_src/pkey.c b/lib/crypto/c_src/pkey.c
index bfdcfe3553..0d05ffd338 100644
--- a/lib/crypto/c_src/pkey.c
+++ b/lib/crypto/c_src/pkey.c
@@ -100,8 +100,11 @@ static int check_pkey_algorithm_type(ErlNifEnv *env,
#ifdef HAVE_EDDSA
- if (FIPS_MODE())
- assign_goto(*err_return, err, EXCP_NOTSUP_N(env, alg_arg_num, "Unsupported algorithm in FIPS mode"));
+ if (algorithm == atom_eddsa)
+ {
+ if (FIPS_MODE())
+ assign_goto(*err_return, err, EXCP_NOTSUP_N(env, alg_arg_num, "Unsupported algorithm in FIPS mode"));
+ }
#endif
The text was updated successfully, but these errors were encountered:
yarisx
changed the title
FIPS mode broken when EdDSA algorithm is available (present in OpenSSL)
FIPS mode broken when EdDSA algorithm is available
Apr 3, 2023
Describe the bug
In FIPS-enabled mode when EdDSA algorithm is available the crypto:sign() treats any algorithm as "Unsupported algorithm in FIPS mode".
To Reproduce
Expected behavior
Affected versions
OTP-25.3, OTP-26 RC2
Additional context
The patch that can fix the issue:
The text was updated successfully, but these errors were encountered: