From: Vsevolod Stakhov Date: Tue, 28 Jan 2020 16:39:28 +0000 (+0000) Subject: [Minor] Support explicit enabling of the FIPS mode in OpenSSL X-Git-Tag: 2.3~31 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=1a90ff5e2731f4b10edc4b1725bd9aa7d1be5508;p=rspamd.git [Minor] Support explicit enabling of the FIPS mode in OpenSSL --- diff --git a/src/libserver/cfg_file.h b/src/libserver/cfg_file.h index a6d37de00..07aedb6f8 100644 --- a/src/libserver/cfg_file.h +++ b/src/libserver/cfg_file.h @@ -431,6 +431,7 @@ struct rspamd_config { gdouble monitored_interval; /**< interval between monitored checks */ gboolean disable_monitored; /**< disable monitoring completely */ + gboolean fips_mode; /**< turn on fips mode for openssl */ struct rspamd_symcache *cache; /**< symbols cache object */ gchar *cache_filename; /**< filename of cache file */ diff --git a/src/libserver/cfg_rcl.c b/src/libserver/cfg_rcl.c index ebca34563..9a88bd39c 100644 --- a/src/libserver/cfg_rcl.c +++ b/src/libserver/cfg_rcl.c @@ -1951,6 +1951,12 @@ rspamd_rcl_config_init (struct rspamd_config *cfg, GHashTable *skip_sections) G_STRUCT_OFFSET (struct rspamd_config, disable_monitored), 0, "Disable monitoring completely"); + rspamd_rcl_add_default_handler (sub, + "fips_mode", + rspamd_rcl_parse_struct_boolean, + G_STRUCT_OFFSET (struct rspamd_config, fips_mode), + 0, + "Enable FIPS 140-2 mode in OpenSSL"); rspamd_rcl_add_default_handler (sub, "dynamic_conf", rspamd_rcl_parse_struct_string, diff --git a/src/libutil/util.c b/src/libutil/util.c index 9c788587a..3256becb9 100644 --- a/src/libutil/util.c +++ b/src/libutil/util.c @@ -2432,12 +2432,13 @@ RSPAMD_CONSTRUCTOR (openblas_stupidity_fix_ctor) } #endif -void +gboolean rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, struct rspamd_config *cfg) { static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"; size_t r; + gboolean ret = TRUE; g_assert (cfg != NULL); @@ -2450,30 +2451,6 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, NULL); } - if (cfg->ssl_ca_path) { - if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path, - NULL) != 1) { - msg_err_config ("cannot load CA certs from %s: %s", - cfg->ssl_ca_path, - ERR_error_string (ERR_get_error (), NULL)); - } - } else { - msg_debug_config ("ssl_ca_path is not set, using default CA path"); - SSL_CTX_set_default_verify_paths (ctx->ssl_ctx); - } - - if (cfg->ssl_ciphers) { - if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) { - msg_err_config ( - "cannot set ciphers set to %s: %s; fallback to %s", - cfg->ssl_ciphers, - ERR_error_string (ERR_get_error (), NULL), - secure_ciphers); - /* Default settings */ - SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers); - } - } - rspamd_free_zstd_dictionary (ctx->in_dict); rspamd_free_zstd_dictionary (ctx->out_dict); @@ -2506,6 +2483,55 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, } } + if (cfg->fips_mode) { + int mode = FIPS_mode (); + unsigned long err = (unsigned long)-1; + + /* Toggle FIPS mode */ + if (mode == 0) { + if (FIPS_mode_set (1) != 1) { + err = ERR_get_error (); + } + } + else { + msg_info_config ("OpenSSL FIPS mode is already enabled"); + } + + if (err != (unsigned long)-1) { + msg_err_config ("FIPS_mode_set failed: %s", + ERR_error_string (err, NULL)); + ret = FALSE; + } + else { + msg_info_config ("OpenSSL FIPS mode is enabled"); + } + } + + if (cfg->ssl_ca_path) { + if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path, + NULL) != 1) { + msg_err_config ("cannot load CA certs from %s: %s", + cfg->ssl_ca_path, + ERR_error_string (ERR_get_error (), NULL)); + } + } + else { + msg_debug_config ("ssl_ca_path is not set, using default CA path"); + SSL_CTX_set_default_verify_paths (ctx->ssl_ctx); + } + + if (cfg->ssl_ciphers) { + if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) { + msg_err_config ( + "cannot set ciphers set to %s: %s; fallback to %s", + cfg->ssl_ciphers, + ERR_error_string (ERR_get_error (), NULL), + secure_ciphers); + /* Default settings */ + SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers); + } + } + /* Init decompression */ ctx->in_zstream = ZSTD_createDStream (); r = ZSTD_initDStream (ctx->in_zstream); @@ -2531,6 +2557,8 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, openblas_set_num_threads (cfg->max_blas_threads); #endif } + + return ret; } gboolean diff --git a/src/libutil/util.h b/src/libutil/util.h index d6f023205..c52f640aa 100644 --- a/src/libutil/util.h +++ b/src/libutil/util.h @@ -368,8 +368,8 @@ gpointer rspamd_init_ssl_ctx_noverify (void); /** * Configure libraries */ -void rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, - struct rspamd_config *cfg); +gboolean rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, + struct rspamd_config *cfg); /** * Reset and initialize decompressor