author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2020-01-28 16:39:28 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2020-01-28 16:39:28 +0000 |
commit | 1a90ff5e2731f4b10edc4b1725bd9aa7d1be5508 (patch) | |
tree | 916274559485ab6e155bccd081423cde7f9a6684 /src/libutil/util.c | |
parent | 4fe834a29f6592cfd3a11a4c231b5c9ca13cb49d (diff) | |
[Minor] Support explicit enabling of the FIPS mode in OpenSSL
Diffstat (limited to 'src/libutil/util.c')
-rw-r--r-- | src/libutil/util.c | 78 |
1 files changed, 53 insertions, 25 deletions
diff --git a/src/libutil/util.c b/src/libutil/util.c index 9c788587a..3256becb9 100644 --- a/src/libutil/util.c +++ b/src/libutil/util.c @@ -2432,12 +2432,13 @@ RSPAMD_CONSTRUCTOR (openblas_stupidity_fix_ctor) } #endif -void +gboolean rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, struct rspamd_config *cfg) { static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"; size_t r; + gboolean ret = TRUE; g_assert (cfg != NULL); @@ -2450,30 +2451,6 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, NULL); } - if (cfg->ssl_ca_path) { - if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path, - NULL) != 1) { - msg_err_config ("cannot load CA certs from %s: %s", - cfg->ssl_ca_path, - ERR_error_string (ERR_get_error (), NULL)); - } - } else { - msg_debug_config ("ssl_ca_path is not set, using default CA path"); - SSL_CTX_set_default_verify_paths (ctx->ssl_ctx); - } - - if (cfg->ssl_ciphers) { - if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) { - msg_err_config ( - "cannot set ciphers set to %s: %s; fallback to %s", - cfg->ssl_ciphers, - ERR_error_string (ERR_get_error (), NULL), - secure_ciphers); - /* Default settings */ - SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers); - } - } - rspamd_free_zstd_dictionary (ctx->in_dict); rspamd_free_zstd_dictionary (ctx->out_dict); 
@@ -2506,6 +2483,55 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, } } + if (cfg->fips_mode) { + int mode = FIPS_mode (); + unsigned long err = (unsigned long)-1; + + /* Toggle FIPS mode */ + if (mode == 0) { + if (FIPS_mode_set (1) != 1) { + err = ERR_get_error (); + } + } + else { + msg_info_config ("OpenSSL FIPS mode is already enabled"); + } + + if (err != (unsigned long)-1) { + msg_err_config ("FIPS_mode_set failed: %s", + ERR_error_string (err, NULL)); + ret = FALSE; + } + else { + msg_info_config ("OpenSSL FIPS mode is enabled"); + } + } + + if (cfg->ssl_ca_path) { + if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path, + NULL) != 1) { + msg_err_config ("cannot load CA certs from %s: %s", + cfg->ssl_ca_path, + ERR_error_string (ERR_get_error (), NULL)); + } + } + else { + msg_debug_config ("ssl_ca_path is not set, using default CA path"); + SSL_CTX_set_default_verify_paths (ctx->ssl_ctx); + } + + if (cfg->ssl_ciphers) { + if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) { + msg_err_config ( + "cannot set ciphers set to %s: %s; fallback to %s", + cfg->ssl_ciphers, + ERR_error_string (ERR_get_error (), NULL), + secure_ciphers); + /* Default settings */ + SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers); + } + } + /* Init decompression */ ctx->in_zstream = ZSTD_createDStream (); r = ZSTD_initDStream (ctx->in_zstream); @@ -2531,6 +2557,8 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx, openblas_set_num_threads (cfg->max_blas_threads); #endif } + + return ret; } gboolean |
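Review bot: On the `FIPS_mode_set (1) != 1` path the new block only records `ret = FALSE` and the function then carries on configuring `ctx->ssl_ctx` with the CA path and cipher list and initialising the zstd streams, so a fully usable non-FIPS TLS context is left behind and whether the process actually stops depends on the caller honouring the return value introduced in the first hunk (the function was `void` before, so existing call sites outside this diff compile unchanged while ignoring it). Either bail out at that point, `msg_err_config ("FIPS_mode_set failed: %s", ERR_error_string (err, NULL)); return FALSE;`, or state the contract on the definition, e.g. `/* Returns FALSE when a mandatory setting such as fips_mode could not be applied; callers must treat this as fatal */`. The `(unsigned long)-1` sentinel on `err` can be replaced by a `gboolean fips_ok` flag, which also stops the `mode != 0` branch from logging both "already enabled" and "is enabled" for the same event. `FIPS_mode`/`FIPS_mode_set` are the legacy OpenSSL 1.x entry points and may not exist in every libcrypto this file is built against, so guarding the block with a feature check would turn a hard build failure into the runtime error the code already handles. rspamd_config_libs begins and ends outside this hunk.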