MINIFICPP-2524 Add FIPS compliancy support #1925
cmake/BundledOpenSSL.cmake (outdated)
@@ -59,7 +65,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR) | |||
no-module # disable dynamically loadable engines | |||
no-pinshared # don't pin shared libraries in the process memory | |||
enable-tfo # Enable TCP Fast Open | |||
no-ssl) # disable SSLv3 | |||
no-ssl # disable SSLv3 | |||
no-engine) |
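Review bot: `no-engine` is added at the end of this list without the trailing comment every other option carries (compare `no-module # disable dynamically loadable engines` and `no-ssl # disable SSLv3`); add one stating that it removes the deprecated ENGINE API, which the FIPS provider does not use. Note also that `no-module` is still set in this revision of the hunk, and its comment undersells what it disables: it turns off building and loading of all dynamically loadable modules, providers included, which is exactly the mechanism the fips provider shared object needs at run time, so either drop it here or reword the comment so nobody reads it as engine-only.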
What exactly does this do? INSTALL.md says:
Don't build support for loading engines.
But I'm not sure what loadable engines are. Is it related to FIPS in any way? Also, the FIPS target omits most of these, probably leading to some unnecessary extra build steps; consider adding some more options there, like no-tests, no-docs.
I'm not that familiar with it, but there is an Engine API in OpenSSL that is controlled by this option. An engine that is loaded in OpenSSL is a hardware or software implementation used for performing cryptographic operations. Engines are not FIPS compatible and the corresponding API has been deprecated since OpenSSL 3.0, so for FIPS compliance we should remove the engine support as well. (According to the documentation it is also a good guideline for FIPS compliance to remove anything that is deprecated in OpenSSL 3.0, as that is probably not FIPS compatible.)
no-apps # disable executables | ||
no-capieng # disable CAPI engine (legacy) | ||
no-dso # disable dynamic libraries | ||
no-docs # disable docs and manpages | ||
no-legacy # disable legacy modules | ||
no-module # disable dynamically loadable engines | ||
no-pinshared # don't pin shared libraries in the process memory |
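Review bot: of the seven options dropped here, only three are needed for loading the FIPS provider: `no-dso` and `no-module` (fips.so is a dynamically loaded provider) and `no-apps` (the packaged openssl binary). Dropping `no-docs`, `no-capieng` and `no-legacy` re-enables documentation, the Windows CAPI engine and the legacy provider, none of which the FIPS module needs, and the legacy provider in particular adds non-approved algorithms to a build whose purpose is FIPS compliance. Keep those three, reconsider whether `no-pinshared` really has to go, and record the reason for each removed flag in a comment next to the option list so the next reader does not have to reconstruct it from the PR thread.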
Why are all these removed?
- no-apps is removed because we need the openssl binary to be packaged with FIPS
- no-dso and no-module need to be enabled for shared libraries to be loaded, in our case the FIPS provider, which cannot be statically linked
- IMO no-pinshared should not be enabled, to have the loaded FIPS provider available through the lifetime of the application and avoid the accidental unloading of the FIPS shared library
It's fine with fips, but these are the library options, not the fips target options.
But these are the OpenSSL library options needed for loading the FIPS module, not options for the FIPS target.
- We need the binary of the latest OpenSSL target, not the FIPS target
- Without the options to be able to load shared libraries, loading of the FIPS module fails with the following error:
Failed to load FIPS module
INSTALL FAILED
4077F3DFF87D0000:error:07880025:common libcrypto routines:provider_init:reason(37):crypto/provider_core.c:949:name=fips
aah ok. I thought both the binary and the fips module come from the fips target.
What about no-pinshared, is removing that necessary too?
This change adds the option to enable FIPS mode in the OpenSSL library for cryptographic functions used by MiNiFi C++. This includes the following:
- nifi.openssl.fips.support.enable option in minifi.properties to enable this option; if the option is enabled, MiNiFi C++ will try to load the openssl.cnf that loads the FIPS provider and then enables FIPS mode in OpenSSL.
- openssl.cnf files added to the install package under the $MINIFI_HOME/fips directory
- openssl binary added to the install package under the $MINIFI_HOME/fips directory for running the module tests and generating the fipsmodule.cnf file on the target platform, as required for FIPS compliance, referenced in these sources: OpenSSL FIPS module distribution openssl/openssl#25036, https://openssl-library.org/source/fips-doc/openssl-3.0.9-security-policy-2024-01-12.pdf Appendix A
- no-engine flag for OpenSSL compilation to remove legacy API usage, required for FIPS compliance as referenced here: https://docs.openssl.org/master/man7/fips_module/#description

OpenSSL discussion about this issue: openssl/openssl#26378
https://issues.apache.org/jira/browse/MINIFICPP-2524
Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
Does your PR title start with MINIFICPP-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically main)?
Is your initial contribution a single, squashed commit?
For code changes:
For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI results for build issues and submit an update to your PR as soon as possible.
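As an added example, not code from this PR or from the MiNiFi C++ project, the shell steps behind the description above and the provider-load failure discussed in the review thread: generating fipsmodule.cnf on the target host with the packaged openssl binary, writing an openssl.cnf in the layout fips_module(7) documents, checking that config before shipping it, and probing whether the provider actually loads. The function names, the $MINIFI_HOME/fips layout in the usage lines, and the probe's matching on the provider_init error text quoted in the thread (name=fips) are assumptions.

```shell
#!/bin/sh
# Added example, not MiNiFi C++ project code. Shows the OpenSSL 3 FIPS
# provider set-up the PR description refers to: fipsmodule.cnf is produced
# on the target host, openssl.cnf activates the provider and pins default
# properties to fips=yes, and a probe reports whether the provider loads.
# Function names and the $MINIFI_HOME/fips layout are assumptions.

# Run the FIPS module self-tests and write fipsmodule.cnf. The file carries
# the module's integrity MAC, so it must be produced on the host that will
# load fips.so, not on the build machine.
#   $1 = path to fips.so   $2 = output fipsmodule.cnf
# Returns 2 when no openssl binary is on PATH.
install_fips_module() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl fipsinstall -module "$1" -out "$2" -provider_name fips
}

# Write an openssl.cnf in the layout documented in fips_module(7): include
# fipsmodule.cnf, activate the fips and base providers, and make every EVP
# fetch default to FIPS-approved implementations only.
#   $1 = absolute path of fipsmodule.cnf   $2 = output openssl.cnf
write_fips_openssl_cnf() {
    cat > "$2" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $1

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# Sanity-check a config before packaging it. A config missing any of these
# three elements may still load, with non-approved implementations reachable,
# and nothing at run time reports that FIPS is not in force.
#   $1 = openssl.cnf   Returns 1 and lists what is missing, else 0.
check_fips_openssl_cnf() {
    missing=0
    grep -q '^\.include .*fipsmodule\.cnf' "$1" \
        || { echo "$1: no .include of fipsmodule.cnf"; missing=1; }
    grep -q '^fips *= *fips_sect' "$1" \
        || { echo "$1: fips provider not listed in [provider_sect]"; missing=1; }
    grep -q '^default_properties *= *fips=yes' "$1" \
        || { echo "$1: default_properties does not require fips=yes"; missing=1; }
    return $missing
}

# Load the config and list providers. A module that cannot be loaded shows
# up as the provider_init error quoted in the review thread (name=fips);
# a working set-up lists "OpenSSL FIPS Provider".
#   $1 = openssl.cnf   $2 = directory holding fips.so
# Returns 0 if loaded, 1 if it failed to load, 2 if no openssl binary on PATH.
probe_fips_provider() {
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(OPENSSL_CONF="$1" OPENSSL_MODULES="$2" openssl list -providers 2>&1)
    case "$out" in
        *provider_init*name=fips*)
            echo "FIPS provider failed to load:"; echo "$out"; return 1 ;;
    esac
    echo "$out" | grep -q 'OpenSSL FIPS Provider'
}

# Usage on the target host (assumed $MINIFI_HOME/fips layout):
#   install_fips_module "$MINIFI_HOME/fips/fips.so" "$MINIFI_HOME/fips/fipsmodule.cnf"
#   write_fips_openssl_cnf "$MINIFI_HOME/fips/fipsmodule.cnf" "$MINIFI_HOME/fips/openssl.cnf"
#   check_fips_openssl_cnf "$MINIFI_HOME/fips/openssl.cnf"
#   probe_fips_provider "$MINIFI_HOME/fips/openssl.cnf" "$MINIFI_HOME/fips"
```

The .include path has to be absolute because OpenSSL resolves it relative to the process working directory, not to openssl.cnf; the probe sets OPENSSL_MODULES so the fips provider is searched for in the packaged directory rather than the library's built-in module path.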