Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove openssl.SetFIPS(true) call #1513

Open
wants to merge 8 commits into
base: microsoft/main
Choose a base branch
from
Open

Remove openssl.SetFIPS(true) call #1513

wants to merge 8 commits into from
+53 −18

Conversation

qmuntal
Copy link
Member

@qmuntal qmuntal commented Jan 24, 2025
edited
Loading

As agreed in https://github.com/microsoft/go-lab/blob/main/docs/adr/0012-remove-gofips.md, we shouldn't try to modify the OpenSSL FIPS mode.

This PR removes the openssl.SetFIPS(true) call and update our build scripts to enable FIPS mode system-wide.

Our CI Mariner 2 image is not FIPS-enabled by default, so we need to force FIPS mode by setting OPENSSL_FORCE_FIPS_MODE. That flag should be passes to the TestScript child processes as they only inherit a filtered set of environment variables, which includes GODEBUG.

Note that since we switched from GOFIPS to GODEBUG=fips140, our test FIPS test coverage has increased, as GOFIPS was not being passed to TestScript child processes, making them not aware of the required FIPS mode.

Also, this is unlikely that users need to update their code to also pass OPENSSL_FORCE_FIPS_MODE to child processes that don't inherit all environment variables. Mainly because they should be running a FIPS-enabled Mariner image on production. If they don't, possible for testing purposes, then child processes won't inherit the GODEBUG env var neither.

For #1445.

@qmuntal
Copy link
Member Author

qmuntal commented Jan 24, 2025

Looks like Mariner 2 hasn't ported forward-ported the code to enable FIPS mode from the config file. OpenSSL only officially supports FIPS mode in v1.0.2, so the relevant code was removed in OpenSSL 1.1. Will have to find another way.

@qmuntal qmuntal closed this Jan 24, 2025
@qmuntal qmuntal reopened this Jan 24, 2025
@qmuntal qmuntal marked this pull request as ready for review January 24, 2025 19:33
@qmuntal qmuntal requested review from dagood, mertakman and gdams January 24, 2025 19:34
dagood
dagood reviewed Jan 24, 2025
View reviewed changes
patches/0004-Use-crypto-backends.patch
"HGRCPATH=",
"GOTOOLCHAIN=auto",
"newline=\n",
+ "OPENSSL_FORCE_FIPS_MODE=" + os.Getenv("OPENSSL_FORCE_FIPS_MODE"), // useful for testing on Mariner 2.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like this would fit better in extraEnvKeys. (Unless there's a reason that it must be set to empty string even if the env var is unassigned?)

eng/_util/cmd/run-builder/systemfips_linux.go
"os"
)

// enableSystemWideFIPS enables Mariner and Azure Linux 3 process-wide FIPS mode.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think in context what's here is plenty, but I figure a bit more explicit detail doesn't hurt:

Suggested change
// enableSystemWideFIPS enables Mariner and Azure Linux 3 process-wide FIPS mode.
// enableSystemWideFIPS enables Mariner and Azure Linux 3 process-wide FIPS mode
// for any process that inherits the current process' environment variables.

eng/_util/cmd/run-builder/systemfips_linux.go
// FIPS mode is enabled if OPENSSL_FORCE_FIPS_MODE is set, regardless of the value.
_, ok := os.LookupEnv("OPENSSL_FORCE_FIPS_MODE")
if ok {
log.Println("FIPS mode already enabled.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be confusing if you only see the log because there are a few things "FIPS mode" could mean.

Suggested change
log.Println("FIPS mode already enabled.")
log.Println("Mariner and Azure Linux 3 forced FIPS mode (OPENSSL_FORCE_FIPS_MODE) already enabled.")

eng/_util/cmd/run-builder/systemfips_linux.go
}

env("OPENSSL_FORCE_FIPS_MODE", "1")
log.Println("Enabled Mariner and Azure Linux 3 FIPS mode.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

env will have just logged a message, but it doesn't hurt to make this a bit more explicit too.

Suggested change
log.Println("Enabled Mariner and Azure Linux 3 FIPS mode.")
log.Println("Enabled Mariner and Azure Linux 3 FIPS mode (OPENSSL_FORCE_FIPS_MODE).")

@dagood
Copy link
Member

dagood commented Jan 24, 2025

Also, this is unlikely that users need to update their code to also pass OPENSSL_FORCE_FIPS_MODE to child processes that don't inherit all environment variables. Mainly because they should be running a FIPS-enabled Mariner image on production. If they don't, possible for testing purposes, then child processes won't inherit the GODEBUG env var neither.

To make sure I have this right: for a user to run a test with forced FIPS mode, this will work:

GODEBUG=fips140=on OPENSSL_FORCE_FIPS_MODE=1 go test .

For the user to have an issue with passthrough, they'd have to be using yet another custom test runner that passes through GODEBUG but not OPENSSL_FORCE_FIPS_MODE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dagood dagood dagood left review comments

@microsoft-golang-review-bot microsoft-golang-review-bot Awaiting requested review from microsoft-golang-review-bot microsoft-golang-review-bot is a code owner

@mertakman mertakman Awaiting requested review from mertakman

@gdams gdams Awaiting requested review from gdams

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@qmuntal @dagood