New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a comment to indicate ineffective macro #17484
Conversation
Hi @DDvO / @mattcaswell / @t8m, Is there any way I can sign the CLA online? I don't have a printer with me to scan and sign the pdf doc. Please assist. |
The FIPS provider does not have an MD5 implementation - so it is entirely correct behaviour for This does not look like a bug to me. |
Then what is the use of "-fips" or "fips=no" parameter? |
I'm a beginner with openssl code base but my question is how does md5 work when I pass the OSSL_LIB_CTX parameter? It works fine when fips is enabled. |
This modifies the default property selection string to remove any "fips=yes" requirement. Note what I said:
If the FIPS provider is the only one configured then "-fips" has no effect at all. We will still only consider algorithms from the FIPS provider and hence an attempt to fetch md5 is expected to fail. Another perfectly valid configuration is to have both the FIPS and the default providers loaded at the same time. In that case you may well want to use the "fips=yes" default property to force most fetches to only consider the FIPS provider and ignore the default provider. In that case a fetch such as this one which uses the "-fips" property will allow the fetch to consider all loaded providers (including the default provider) and hence the fetch will work. |
In this case you are using a non-default libctx so any configuration you may have applied to make the default libctx only use the fips provider is not being used. The new libctx has no providers loaded at all when the fetch function is called. If a fetch is attempted and no providers have been loaded then OpenSSL will automatically load the default provider for you. So by making the change you have, you are simply avoiding the default configuration. |
I recommend reading this man page: |
Thanks for the info and pointers. I have one more query, how to use Line 208 in a4e0118
And why is this macro still kept even though it's unused. |
That macro does nothing in 3.0 so you cannot use it. It is a carry over from 1.0.x where it used to mean something. It probably should have been removed from 3.0 but got forgotten about. |
Is it possible to achieve the same behaviour in 3.0? Is it possible? I will at least modify this PR to remove that macro :) |
OpenSSL 3.0 is much more capable in this regards than the old module. With the old module you were either in FIPS mode or you weren't. The flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW allowed you to work around the restrictions of FIPS for some situations. In 3.0 it is perfectly possible to have an application use some algorithms from the FIPS provider and other algorithms from other providers and so the flag is not really relevant. Read the section "Loading the FIPS module at the same time as other providers" in the man page link I sent you for more information on this.
Unfortunately it is too late to remove it now. We don't remove macros (even unused ones) from headers in a stable branch as a matter of policy. |
Or actually even in the master branch where master is targeting a minor release. Minor releases must maintain source and binary compatibility with the previous release. Removal of a macro is not source compatible and only suitable when we are targeting a major release next. |
Instead of removing the macro add a comment that the macro has no effect. |
Done. Can you help me to sign the CLA? or shall I mark it as trivial fix? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would be acceptable under CLA: trivial
- If you want please modify the commit to add CLA: trivial
on a separate line in the commit message.
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW macro is obsolete and unused from openssl-3.0 onwards CLA: trivial Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
Thanks @t8m |
I agree this is trivial. |
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
No idea what the bot is on about. This looks ok to me - no updates were made. |
Pushed to master and 3.0 |
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW macro is obsolete and unused from openssl-3.0 onwards CLA: trivial Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #17484)
Signed-off-by: Shreenidhi Shedi sshedi@vmware.com
Checklist