[Minor] Support explicit enabling of the FIPS mode in OpenSSL
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Tue, 28 Jan 2020 16:39:28 +0000 (16:39 +0000)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Tue, 28 Jan 2020 16:39:28 +0000 (16:39 +0000)
src/libserver/cfg_file.h
src/libserver/cfg_rcl.c
src/libutil/util.c
src/libutil/util.h

index a6d37de00194b199453edfb2d4e53166add4f681..07aedb6f85090abadef2cf793cdeb12f8b79352f 100644 (file)
@@ -431,6 +431,7 @@ struct rspamd_config {
 
        gdouble monitored_interval;                     /**< interval between monitored checks                                  */
        gboolean disable_monitored;                     /**< disable monitoring completely                                              */
+       gboolean fips_mode;                             /**< turn on fips mode for openssl                                              */
 
        struct rspamd_symcache *cache;                    /**< symbols cache object                                                             */
        gchar *cache_filename;                          /**< filename of cache file                                                             */
index ebca345633ca1b646266dc17fb9b5cf28e6b5216..9a88bd39cd88bbee3410f7877f42db0191523965 100644 (file)
@@ -1951,6 +1951,12 @@ rspamd_rcl_config_init (struct rspamd_config *cfg, GHashTable *skip_sections)
                                G_STRUCT_OFFSET (struct rspamd_config, disable_monitored),
                                0,
                                "Disable monitoring completely");
+               rspamd_rcl_add_default_handler (sub,
+                               "fips_mode",
+                               rspamd_rcl_parse_struct_boolean,
+                               G_STRUCT_OFFSET (struct rspamd_config, fips_mode),
+                               0,
+                               "Enable FIPS 140-2 mode in OpenSSL");
                rspamd_rcl_add_default_handler (sub,
                                "dynamic_conf",
                                rspamd_rcl_parse_struct_string,
index 9c788587a12fdb82b959267f5c89f688e28093df..3256becb95e9e12a7df3e1f21d6432e0c917d128 100644 (file)
@@ -2432,12 +2432,13 @@ RSPAMD_CONSTRUCTOR (openblas_stupidity_fix_ctor)
 }
 #endif
 
-void
+gboolean
 rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
                struct rspamd_config *cfg)
 {
        static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
        size_t r;
+       gboolean ret = TRUE;
 
        g_assert (cfg != NULL);
 
@@ -2450,30 +2451,6 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
                                        NULL);
                }
 
-               if (cfg->ssl_ca_path) {
-                       if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path,
-                                       NULL) != 1) {
-                               msg_err_config ("cannot load CA certs from %s: %s",
-                                               cfg->ssl_ca_path,
-                                               ERR_error_string (ERR_get_error (), NULL));
-                       }
-               } else {
-                       msg_debug_config ("ssl_ca_path is not set, using default CA path");
-                       SSL_CTX_set_default_verify_paths (ctx->ssl_ctx);
-               }
-
-               if (cfg->ssl_ciphers) {
-                       if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) {
-                               msg_err_config (
-                                               "cannot set ciphers set to %s: %s; fallback to %s",
-                                               cfg->ssl_ciphers,
-                                               ERR_error_string (ERR_get_error (), NULL),
-                                               secure_ciphers);
-                               /* Default settings */
-                               SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
-                       }
-               }
-
                rspamd_free_zstd_dictionary (ctx->in_dict);
                rspamd_free_zstd_dictionary (ctx->out_dict);
 
@@ -2506,6 +2483,55 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
                        }
                }
 
+               if (cfg->fips_mode) {
+                       int mode = FIPS_mode ();
+                       unsigned long err = (unsigned long)-1;
+
+                       /* Toggle FIPS mode */
+                       if (mode == 0) {
+                               if (FIPS_mode_set (1) != 1) {
+                                       err = ERR_get_error ();
+                               }
+                       }
+                       else {
+                               msg_info_config ("OpenSSL FIPS mode is already enabled");
+                       }
+
+                       if (err != (unsigned long)-1) {
+                               msg_err_config ("FIPS_mode_set failed: %s",
+                                               ERR_error_string (err, NULL));
+                               ret = FALSE;
+                       }
+                       else {
+                               msg_info_config ("OpenSSL FIPS mode is enabled");
+                       }
+               }
+
+               if (cfg->ssl_ca_path) {
+                       if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path,
+                                       NULL) != 1) {
+                               msg_err_config ("cannot load CA certs from %s: %s",
+                                               cfg->ssl_ca_path,
+                                               ERR_error_string (ERR_get_error (), NULL));
+                       }
+               }
+               else {
+                       msg_debug_config ("ssl_ca_path is not set, using default CA path");
+                       SSL_CTX_set_default_verify_paths (ctx->ssl_ctx);
+               }
+
+               if (cfg->ssl_ciphers) {
+                       if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) {
+                               msg_err_config (
+                                               "cannot set ciphers set to %s: %s; fallback to %s",
+                                               cfg->ssl_ciphers,
+                                               ERR_error_string (ERR_get_error (), NULL),
+                                               secure_ciphers);
+                               /* Default settings */
+                               SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
+                       }
+               }
+
                /* Init decompression */
                ctx->in_zstream = ZSTD_createDStream ();
                r = ZSTD_initDStream (ctx->in_zstream);
@@ -2531,6 +2557,8 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
                openblas_set_num_threads (cfg->max_blas_threads);
 #endif
        }
+
+       return ret;
 }
 
 gboolean
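Review bot: In the new fips_mode block (hunk at 2483), a failed FIPS_mode_set() only flips `ret` and the function then goes on to load the CA path, set the cipher list and create the zstd streams in non-FIPS mode, so whether the daemon refuses to run without FIPS depends entirely on the caller honouring the new return value, which is not visible in this diff. The `err = (unsigned long)-1` sentinel is also an odd way to record failure — ERR_get_error() yields 0 on an empty queue, which still counts as "failed" here but prints a meaningless error string — and a direct check reads better: `if (mode == 0 && FIPS_mode_set (1) != 1) { msg_err_config ("FIPS_mode_set failed: %s", ERR_error_string (ERR_get_error (), NULL)); ret = FALSE; }`. FIPS_mode()/FIPS_mode_set() are the legacy OpenSSL 1.x interface, so if this file is ever built against an OpenSSL that lacks them the calls need an OPENSSL_VERSION_NUMBER guard or a build-time option. ctx->ssl_ctx evidently already exists when this block runs, so only the CA/cipher configuration moved below the toggle is affected by it; a one-line comment such as `/* FIPS must be toggled before the cipher list is applied */` would record why the code was reordered. The body of rspamd_config_libs starts before the first hunk and only its closing brace is in the last one.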
index d6f0232052624378f2bdb4b692b7f5d070d8e0ba..c52f640aa607591c850461830707bd94809b2aff 100644 (file)
@@ -368,8 +368,8 @@ gpointer rspamd_init_ssl_ctx_noverify (void);
 /**
  * Configure libraries
  */
-void rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
-                                                struct rspamd_config *cfg);
+gboolean rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
+                                                        struct rspamd_config *cfg);
 
 /**
  * Reset and initialize decompressor
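Review bot: The doc comment above the changed prototype still reads only "Configure libraries" and says nothing about the new gboolean return, so a caller cannot tell what FALSE means without reading util.c. From the util.c hunk the function returns FALSE only when fips_mode was requested and FIPS_mode_set() failed, so the comment should say so, e.g. ` * @return TRUE on success, FALSE if a requested setting could not be applied (currently: OpenSSL FIPS mode)`. Stating that the remaining configuration is still performed on a FALSE return would also help callers decide whether to abort.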