use OPENSSL_FORCE_FIPS_MODE

microsoft · Jan 24, 2025 · ddbfdf3 · ddbfdf3
1 parent 589f89f
commit ddbfdf3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 54 deletions.
diff --git a/eng/_util/cmd/run-builder/systemfips_linux.go b/eng/_util/cmd/run-builder/systemfips_linux.go
@@ -1,73 +1,31 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-//go:build linux
-
 package main
 
 import (
-	"fmt"
 	"log"
 	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
 )
 
-// enableSystemWideFIPS fallback is a no-op because the current platform either doesn't support or
-// doesn't require system-wide FIPS to be enabled to run tests.
+// enableSystemWideFIPS enables Mariner and Azure Linux 3 process-wide FIPS mode.
 func enableSystemWideFIPS() (restore func(), err error) {
-	cmd := exec.Command("openssl", "version", "-a")
-	log.Printf("---- Running command: %v\n", cmd.Args)
-	out, err := cmd.CombinedOutput()
-	sout := string(out)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check openssl version: %v, %v", err, string(out))
-	}
-	log.Print(sout)
-
-	lines := strings.Split(sout, "\n")
-	if !strings.Contains(sout, "OpenSSL 1.") {
-		// Only OpenSSL 1 needs special handling for FIPS mode,
-		// at least on the platforms we test on.
-		log.Println("Using fallback (no-op) for enableSystemWideFIPS. It either isn't supported on this platform or isn't necessary.")
-		//return nil, nil
-	}
-
-	// Search for the OPENSSLDIR path in the output.
-	var ossldir string
-	for _, line := range lines {
-		var found bool
-		if ossldir, found = strings.CutPrefix(line, "OPENSSLDIR: "); found {
-			break
-		}
-	}
-	if ossldir == "" {
-		return nil, fmt.Errorf("failed to find OPENSSLDIR in openssl version output")
-	}
-	ossldir = strings.Trim(ossldir, `"`)
-
-	// Append the FIPS configuration to the openssl.cnf file.
-	// OpenSSL will merge duplicated sections, so we don't need
-	// to check if the section already exists.
-	opensslcnf := filepath.Join(ossldir, "openssl.cnf")
-	prevContent, err := os.ReadFile(opensslcnf)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read openssl.cnf file: %v", err)
-	}
-	err = os.WriteFile(opensslcnf, append(prevContent, []byte("\n\n[evp_sect]\nfips_mode = yes\n")...), 0644)
-	if err != nil {
-		return nil, fmt.Errorf("failed to write to openssl.cnf file: %v", err)
+	// FIPS mode is enabled if OPENSSL_FORCE_FIPS_MODE is set, regardless of the value.
+	_, ok := os.LookupEnv("OPENSSL_FORCE_FIPS_MODE")
+	if ok {
+		log.Println("FIPS mode already enabled.")
+		return nil, nil
 	}
 
-	log.Println("Enabled FIPS mode.")
+	env("OPENSSL_FORCE_FIPS_MODE", "1")
+	log.Println("Enabled Mariner and Azure Linux 3 FIPS mode.")
 
 	return func() {
-		err := os.WriteFile(opensslcnf, prevContent, 0644)
+		err := os.Unsetenv("OPENSSL_FORCE_FIPS_MODE")
 		if err != nil {
-			log.Printf("Unable to restore openssl.cnf file: %v\n", err)
+			log.Printf("Unable to unset OPENSSL_FORCE_FIPS_MODE: %v\n", err)
 			return
 		}
-		log.Println("Successfully restored openssl.cnf file.")
+		log.Println("Successfully unset OPENSSL_FORCE_FIPS_MODE.")
 	}, nil
 }
diff --git a/patches/0004-Use-crypto-backends.patch b/patches/0004-Use-crypto-backends.patch
@@ -8,6 +8,7 @@ Subject: [PATCH] Use crypto backends
  src/cmd/dist/build.go                         |  13 ++
  src/cmd/dist/test.go                          |  10 +-
  src/cmd/go/go_boring_test.go                  |  11 +-
+ src/cmd/go/script_test.go                     |   1 +
  src/cmd/go/testdata/script/darwin_no_cgo.txt  |   2 +
  .../go/testdata/script/gopath_std_vendor.txt  |   9 +
  src/cmd/link/internal/ld/config.go            |   8 +
@@ -83,7 +84,7 @@ Subject: [PATCH] Use crypto backends
  src/net/smtp/smtp_test.go                     |  72 ++++---
  src/os/exec/exec_test.go                      |   9 +
  src/runtime/pprof/vminfo_darwin_test.go       |   6 +
- 79 files changed, 1118 insertions(+), 111 deletions(-)
+ 80 files changed, 1119 insertions(+), 111 deletions(-)
  create mode 100644 src/crypto/dsa/boring.go
  create mode 100644 src/crypto/dsa/notboring.go
  create mode 100644 src/crypto/ecdsa/badlinkname.go
@@ -198,6 +199,18 @@ index ed0fbf3d53d75b..8111b143a1295b 100644
  	tg := testgo(t)
  	defer tg.cleanup()
  	tg.parallel()
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index 390a36723787f4..105bac4e1c627b 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -254,6 +254,7 @@ func scriptEnv(srv *vcstest.Server, srvCertFile string) ([]string, error) {
+ 		"HGRCPATH=",
+ 		"GOTOOLCHAIN=auto",
+ 		"newline=\n",
++		"OPENSSL_FORCE_FIPS_MODE=" + os.Getenv("OPENSSL_FORCE_FIPS_MODE"), // useful for testing on Mariner 2.
+ 	}
+
+ 	if testenv.Builder() != "" || os.Getenv("GIT_TRACE_CURL") == "1" {
 diff --git a/src/cmd/go/testdata/script/darwin_no_cgo.txt b/src/cmd/go/testdata/script/darwin_no_cgo.txt
 index fa445925b7c374..e36ac86fcaa58d 100644
 --- a/src/cmd/go/testdata/script/darwin_no_cgo.txt