Prevent gocrypto fallback for historical algorithms in FIPS mode #1348

Draft
wants to merge 1 commit into
base: microsoft/main

Commits on Oct 2, 2024

  1. Prevent gocrypto fallback for historical algorithms in FIPS mode

    Add a new boring.FIPS() API to query if the boring backend is or is
    not in FIPS mode.
    
    Note that currently some openssl FIPS modules return true for
    SupportedHash queries, for algorithms that will be blocked at
    runtime. Other modules choose to instead report such algorithms as not
    available at all, as they have become historical.
    
    Update boring backend logic for MD5, RC4, DES, 3DES to attempt to use
    boring backend when supported; but also when boring backend is in FIPS
    mode. This way FIPS module gets to decide how it is configured, and
    whether or not it will allow the operation.
    
    This ensures that binaries that use these algorithms correctly fail
    at runtime against FIPS OpenSSL v3+ modules, like they already fail at
    runtime against FIPS OpenSSL 1.1.1 and earlier modules.
    
    No build/runtime behaviour changes for boringcrypto, nobackend,
    openssl/cng backends in non-FIPS modes.
    xnox committed Oct 2, 2024
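
The routing rule the commit message describes, as an added Go example that is not code from this pull request: the backend is tried when it reports the algorithm as supported or when it is in FIPS mode, so a FIPS module that hides MD5 still gets the call and refuses it instead of Go's own implementation answering. The `backend` type, its fields, `sumMD5` and `errBlocked` are hypothetical names; falling back in non-FIPS mode when MD5 is not offered is read from the "no behaviour changes" paragraph.

```go
package main

import (
	"crypto/md5"
	"errors"
	"fmt"
)

// backend is a hypothetical stand-in for the boring backend. Only FIPS() and
// SupportedHash are names from the commit message; the fields are assumptions.
type backend struct {
	enabled    bool // a backend (openssl/cng) is in use
	fips       bool // what boring.FIPS() would report
	reportsMD5 bool // what a SupportedHash query for MD5 would report
	permitsMD5 bool // whether the module really performs MD5 at runtime
}

var errBlocked = errors.New("backend: MD5 refused by FIPS module")

func (b backend) md5Sum(p []byte) ([16]byte, error) {
	if !b.permitsMD5 {
		return [16]byte{}, errBlocked
	}
	return md5.Sum(p), nil // stands in for the module's own MD5
}

// sumMD5 uses the backend when it reports MD5 as supported or is in FIPS
// mode, and falls back to Go's crypto/md5 only otherwise.
func sumMD5(b backend, p []byte) ([16]byte, bool, error) {
	if b.enabled && (b.reportsMD5 || b.fips) {
		d, err := b.md5Sum(p)
		return d, true, err
	}
	return md5.Sum(p), false, nil
}

func main() {
	for _, b := range []backend{
		{}, // no backend
		{enabled: true, reportsMD5: true, permitsMD5: true}, // non-FIPS, MD5 offered
		{enabled: true}, // non-FIPS, MD5 not offered
		{enabled: true, fips: true, reportsMD5: true}, // FIPS, reported but blocked
		{enabled: true, fips: true}, // FIPS, MD5 not reported
	} {
		_, used, err := sumMD5(b, []byte("constructed sample"))
		fmt.Printf("%+v -> backend=%v err=%v\n", b, used, err)
	}
}
```

The last case is the one the title refers to: with a condition of `reportsMD5` alone, that call would have been answered by Go's own MD5 even though the module is in FIPS mode.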
    0e1c92c