Describe the bug
When the kernel is running in FIPS mode, the OpenSSL 3 default properties don't contain fips=1, which makes EVP_default_properties_is_fips_enabled return false. The Go Microsoft toolchain needs to know if the FIPS mode is enabled or not to apply some additional logic on top of what's provided by OpenSSL.
To Reproduce
Steps to reproduce the behavior:
1. Set OPENSSL_FORCE_FIPS_MODE=1 to simulate kernel FIPS mode.
2. Compile and run a C program that calls EVP_default_properties_is_fips_enabled and check if it returns true:
#include <stdio.h>
#include "openssl/evp.h"

int main(int ac, char **av)
{
    int ret = EVP_default_properties_is_fips_enabled(NULL);
    if (ret == 1)
        printf("FIPS enabled\n");
    else
        printf("FIPS not enabled\n");
    return 0;
}
Expected behavior
FIPS enabled
Real behavior
FIPS not enabled
Notes
There is a patch file that defines FIPS_mode as EVP_default_properties_is_fips_enabled: https://github.com/microsoft/azurelinux/blob/ba13b467104263b5740cdca3054ea5121d8160ab/SPECS/openssl/0008-Add-FIPS_mode-compatibility-macro.patch#L43C11-L43C20. I would expect fips=yes to be set when the kernel is running in FIPS mode.
@microsoft/golang-compiler