Describe the bug
When the kernel is running in FIPS mode, the OpenSSL 3 default properties doesn't contain fips=1, which makes EVP_default_properties_is_fips_enabled return false. The Go Microsoft toolchain needs to know if the FIPS mode is enabled or not to apply some additional logic on top of what's provided by OpenSSL.
To Reproduce
Steps to reproduce the behavior:
Set OPENSSL_FORCE_FIPS_MODE=1 to simulate kernel FIPS mode.
Compile and run a C program that calls EVP_default_properties_is_fips_enabled and check if it returns true:
#include <stdio.h>
#include "openssl/evp.h"
int main(int ac, char **av)
{
int ret = EVP_default_properties_is_fips_enabled(NULL);
if (ret == 1)
printf("FIPS enabled\n");
else
printf("FIPS not enabled\n");
return 0;
}
mfrw
commented
3 weeks ago
Describe the bug When the kernel is running in FIPS mode, the OpenSSL 3 default properties doesn't contain
fips=1, which makes EVP_default_properties_is_fips_enabled return false. The Go Microsoft toolchain needs to know if the FIPS mode is enabled or not to apply some additional logic on top of what's provided by OpenSSL.To Reproduce Steps to reproduce the behavior:
OPENSSL_FORCE_FIPS_MODE=1to simulate kernel FIPS mode.EVP_default_properties_is_fips_enabledand check if it returns true:Expected behavior
FIPS enabledReal behavior
FIPS not enabledNotes
There is a patch file that defines
FIPS_mopeasEVP_default_properties_is_fips_enabled: https://github.com/microsoft/azurelinux/blob/ba13b467104263b5740cdca3054ea5121d8160ab/SPECS/openssl/0008-Add-FIPS_mode-compatibility-macro.patch#L43C11-L43C20. I would expectfips=yesto be set when the kernel is running in FIPS mode.@microsoft/golang-compiler