From 1a90ff5e2731f4b10edc4b1725bd9aa7d1be5508 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 28 Jan 2020 16:39:28 +0000
Subject: [PATCH] [Minor] Support explicit enabling of the FIPS mode in OpenSSL
---
 src/libserver/cfg_file.h | 1 +
 src/libserver/cfg_rcl.c | 6 ++++
 src/libutil/util.c | 78 +++++++++++++++++++++++++++-------------
 src/libutil/util.h | 4 +--
 4 files changed, 62 insertions(+), 27 deletions(-)
diff --git a/src/libserver/cfg_file.h b/src/libserver/cfg_file.h
index a6d37de00..07aedb6f8 100644
--- a/src/libserver/cfg_file.h
+++ b/src/libserver/cfg_file.h
@@ -431,6 +431,7 @@ struct rspamd_config {
 gdouble monitored_interval; /**< interval between monitored checks */
 gboolean disable_monitored; /**< disable monitoring completely */
+ gboolean fips_mode; /**< turn on fips mode for openssl */
 struct rspamd_symcache *cache; /**< symbols cache object */
 gchar *cache_filename; /**< filename of cache file */
diff --git a/src/libserver/cfg_rcl.c b/src/libserver/cfg_rcl.c
index ebca34563..9a88bd39c 100644
--- a/src/libserver/cfg_rcl.c
+++ b/src/libserver/cfg_rcl.c
@@ -1951,6 +1951,12 @@ rspamd_rcl_config_init (struct rspamd_config *cfg, GHashTable *skip_sections)
 G_STRUCT_OFFSET (struct rspamd_config, disable_monitored),
 0,
 "Disable monitoring completely");
+ rspamd_rcl_add_default_handler (sub,
+ "fips_mode",
+ rspamd_rcl_parse_struct_boolean,
+ G_STRUCT_OFFSET (struct rspamd_config, fips_mode),
+ 0,
+ "Enable FIPS 140-2 mode in OpenSSL");
 rspamd_rcl_add_default_handler (sub,
 "dynamic_conf",
 rspamd_rcl_parse_struct_string,
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 9c788587a..3256becb9 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -2432,12 +2432,13 @@ RSPAMD_CONSTRUCTOR (openblas_stupidity_fix_ctor)
 }
 #endif
-void
+gboolean
 rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 struct rspamd_config *cfg)
 {
 static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
 size_t r;
+ gboolean ret = TRUE;
 g_assert (cfg != NULL);
@@ -2450,30 +2451,6 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 NULL);
 }
- if (cfg->ssl_ca_path) {
- if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path,
- NULL) != 1) {
- msg_err_config ("cannot load CA certs from %s: %s",
- cfg->ssl_ca_path,
- ERR_error_string (ERR_get_error (), NULL));
- }
- } else {
- msg_debug_config ("ssl_ca_path is not set, using default CA path");
- SSL_CTX_set_default_verify_paths (ctx->ssl_ctx);
- }
-
- if (cfg->ssl_ciphers) {
- if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) {
- msg_err_config (
- "cannot set ciphers set to %s: %s; fallback to %s",
- cfg->ssl_ciphers,
- ERR_error_string (ERR_get_error (), NULL),
- secure_ciphers);
- /* Default settings */
- SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
- }
- }
-
 rspamd_free_zstd_dictionary (ctx->in_dict);
 rspamd_free_zstd_dictionary (ctx->out_dict);
@@ -2506,6 +2483,55 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 }
 }
+ if (cfg->fips_mode) {
+ int mode = FIPS_mode ();
+ unsigned long err = (unsigned long)-1;
+
+ /* Toggle FIPS mode */
+ if (mode == 0) {
+ if (FIPS_mode_set (1) != 1) {
+ err = ERR_get_error ();
+ }
+ }
+ else {
+ msg_info_config ("OpenSSL FIPS mode is already enabled");
+ }
+
+ if (err != (unsigned long)-1) {
+ msg_err_config ("FIPS_mode_set failed: %s",
+ ERR_error_string (err, NULL));
+ ret = FALSE;
+ }
+ else {
+ msg_info_config ("OpenSSL FIPS mode is enabled");
+ }
+ }
+
+ if (cfg->ssl_ca_path) {
+ if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path,
+ NULL) != 1) {
+ msg_err_config ("cannot load CA certs from %s: %s",
+ cfg->ssl_ca_path,
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+ }
+ else {
+ msg_debug_config ("ssl_ca_path is not set, using default CA path");
+ SSL_CTX_set_default_verify_paths (ctx->ssl_ctx);
+ }
+
+ if (cfg->ssl_ciphers) {
+ if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) {
+ msg_err_config (
+ "cannot set ciphers set to %s: %s; fallback to %s",
+ cfg->ssl_ciphers,
+ ERR_error_string (ERR_get_error (), NULL),
+ secure_ciphers);
+ /* Default settings */
+ SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
+ }
+ }
+
 /* Init decompression */
 ctx->in_zstream = ZSTD_createDStream ();
 r = ZSTD_initDStream (ctx->in_zstream);
@@ -2531,6 +2557,8 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 openblas_set_num_threads (cfg->max_blas_threads);
 #endif
 }
+
+ return ret;
 }
 gboolean
diff --git a/src/libutil/util.h b/src/libutil/util.h
index d6f023205..c52f640aa 100644
--- a/src/libutil/util.h
+++ b/src/libutil/util.h
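Review bot: `FIPS_mode_set (1)` at the top of this hunk is called after `ctx->ssl_ctx` already exists (the CA and cipher code below uses it without creating it), whereas OpenSSL's FIPS guidance is to enable FIPS mode before any other crypto initialisation, so an SSL_CTX built earlier may carry non-FIPS defaults; consider moving the toggle next to where `ctx->ssl_ctx` is created, which is outside this hunk, or documenting why the current order is acceptable. `ret` is cleared only when `FIPS_mode_set` fails, while a failed `SSL_CTX_load_verify_locations` or `SSL_CTX_set_cipher_list` a few lines later is logged and still reports TRUE; if the return is meant to gate startup, add `ret = FALSE;` on those branches too, or say in the util.h comment that it reflects FIPS only. The `(unsigned long)-1` sentinel works but reads as a trick, since `ERR_get_error ()` legitimately returns 0 when the error queue is empty; a `gboolean fips_failed = FALSE;` set in the failing branch would make the intent plain. `FIPS_mode`/`FIPS_mode_set` are deprecated in OpenSSL 3.0 and unavailable in some builds, so a compile-time guard around this block is worth considering. rspamd_config_libs starts and ends outside this hunk.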
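Review bot: The new `return ret;` is only useful if callers act on it, and the diffstat lists just these four files, so no call site of rspamd_config_libs is updated in this patch; a configured `fips_mode = true` whose `FIPS_mode_set` fails is then logged and the daemon keeps running without FIPS, which is the opposite of what an operator enabling the option expects. Where rspamd_config_libs is called, treat FALSE as fatal, e.g. `if (!rspamd_config_libs (ctx, cfg)) { msg_err_config ("cannot configure libraries"); exit (EXIT_FAILURE); }`, or at minimum fail when `cfg->fips_mode` is set. rspamd_config_libs starts outside this hunk.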
@@ -368,8 +368,8 @@ gpointer rspamd_init_ssl_ctx_noverify (void);
 /**
 * Configure libraries
 */
-void rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
- struct rspamd_config *cfg);
+gboolean rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
+ struct rspamd_config *cfg);
 /**
 * Reset and initialize decompressor
--
2.39.5
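Review bot: The `Configure libraries` doc comment above the changed prototype does not say what the new gboolean means, and callers now have a result they can silently drop. Document it from what util.c does, e.g. ` * @return TRUE on success, FALSE when fips_mode is set and OpenSSL FIPS mode could not be enabled`, and consider marking the declaration `G_GNUC_WARN_UNUSED_RESULT` so a call site that ignores the result is flagged at compile time.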