| | | |
|---|---|---|
| author | Dániel Szoboszlay <[email protected]> | 2014-04-28 17:20:24 +0200 |
| committer | Magnus Henoch <[email protected]> | 2016-09-28 15:08:31 +0100 |
| commit | 0a1feff48388c8430f5eebd1531f769605601fab (patch) | |
| tree | e21885594ce82dac0a7327a6222b959efbc4f4be | /erts |
| parent | 867ef8aab0a32d76e6e66b317ef39c75e84e177e (diff) | |
| download | otp-0a1feff48388c8430f5eebd1531f769605601fab.tar.gz, otp-0a1feff48388c8430f5eebd1531f769605601fab.tar.bz2, otp-0a1feff48388c8430f5eebd1531f769605601fab.zip | |
Support using OpenSSL in FIPS mode
FIPS mode support needs to be enabled at compile time, by configuring
Erlang/OTP with --enable-fips option. In FIPS mode the non-FIPS
algorithms are disabled and raise error notsup.
The supported protocols list is properly updated in FIPS mode to
advertise only the enabled protocols.
FIPS mode is off by default even if Erlang/OTP was built with FIPS
support. It needs to be turned on at runtime.
The official approach is to set the fips_mode application environment
parameter of the crypto application to true. This would turn FIPS mode
on when the NIF is loaded and would prevent loading the module on
error.
Another method is provided via the crypto:enable_fips_mode/1
function, but it is not recommended to be used in production, as it
won't prevent the use of the crypto module in case of an error, and
would risk OpenSSL crashing the emulator. It is very useful, however,
for test suites that need to check both validated and non-validated
functionality.
This commit is based on commit
00b3a04d17a653b4abddeebd6dd8a2c38df532d0.
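The commit message above describes two ways of switching FIPS mode on (the `fips_mode` application parameter for production, `crypto:enable_fips_mode/1` for tests) and states that non-FIPS algorithms raise `error:notsup` once the mode is active. The following module is an added illustration, not code from this commit or from OTP itself: it shows how application code can query the FIPS state, guard a call against `notsup`, and exercise both modes the way a test suite would. It assumes an OTP built with `--enable-fips` and the `crypto:info_fips/0` and `crypto:enable_fips_mode/1` functions; the module name `fips_aware` and its function names are hypothetical.

```erlang
%% Added example, not part of the OTP commit. Assumes OTP built with
%% --enable-fips; crypto:info_fips/0 and crypto:enable_fips_mode/1 exist.
%% Production switch (sys.config), as the commit message recommends:
%%   [{crypto, [{fips_mode, true}]}].
-module(fips_aware).
-export([fips_state/0, digest/2, selftest/0]).

%% Report the runtime FIPS state: not_supported (built without
%% --enable-fips), not_enabled (supported but off, the default), or enabled.
fips_state() ->
    crypto:info_fips().

%% Hash Data with Alg. In FIPS mode a non-validated algorithm (md5 below)
%% raises error:notsup; map it to a tagged error so callers can fall back
%% or log instead of crashing.
digest(Alg, Data) ->
    try
        {ok, crypto:hash(Alg, Data)}
    catch
        error:notsup ->
            {error, {not_supported_in_fips_mode, Alg}}
    end.

%% Test-suite style check of both modes via crypto:enable_fips_mode/1,
%% the function the commit message reserves for tests (not production).
selftest() ->
    Sample = <<"constructed sample input">>,   % constructed test data
    case crypto:info_fips() of
        not_supported ->
            {skip, fips_not_compiled_in};
        _ ->
            %% Validated mode: SHA-256 works, MD5 is refused.
            true = crypto:enable_fips_mode(true),
            enabled = crypto:info_fips(),
            {ok, _} = digest(sha256, Sample),
            {error, {not_supported_in_fips_mode, md5}} = digest(md5, Sample),
            %% Non-validated mode: both algorithms are available again.
            true = crypto:enable_fips_mode(false),
            not_enabled = crypto:info_fips(),
            {ok, _} = digest(md5, Sample),
            ok
    end.
```

Run `fips_aware:selftest()` from a shell on a FIPS-capable build; on a build configured without `--enable-fips` it returns `{skip, fips_not_compiled_in}`, which is the case the commit message's `--disable-fips` default produces.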
Diffstat (limited to 'erts')
| -rw-r--r-- | erts/configure.in | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/erts/configure.in b/erts/configure.in index 7db501e5b9..3b18c499dc 100644 --- a/erts/configure.in +++ b/erts/configure.in @@ -3905,6 +3905,7 @@ dnl use "PATH/include" and "PATH/lib". AC_SUBST(SSL_INCLUDE) AC_SUBST(SSL_INCDIR) AC_SUBST(SSL_LIBDIR) +AC_SUBST(SSL_DEFINE) AC_SUBST(SSL_CRYPTO_LIBNAME) AC_SUBST(SSL_SSL_LIBNAME) AC_SUBST(SSL_CC_RUNTIME_LIBRARY_PATH) @@ -4594,6 +4595,31 @@ no) # Use no ssl runtime library path esac +AC_ARG_ENABLE(fips, +AS_HELP_STRING([--enable-fips], [enable OpenSSL FIPS mode support]) +AS_HELP_STRING([--disable-fips], [disable OpenSSL FIPS mode support (default)]), +[ case "$enableval" in + yes) enable_fips_support=yes ;; + *) enable_fips_support=no ;; + esac ], enable_fips_support=no) + +if test "x$enable_fips_support" = "xyes" && test "$CRYPTO_APP" != ""; then + saveCFLAGS="$CFLAGS" + saveLDFLAGS="$LDFLAGS" + saveLIBS="$LIBS" + CFLAGS="$CFLAGS $SSL_INCLUDE" + LDFLAGS="$LDFLAGS $SSL_LD_RUNTIME_LIBRARY_PATH -L$SSL_LIBDIR" + LIBS="-lcrypto" + AC_CHECK_FUNC([FIPS_mode_set], + [SSL_DEFINE="-DFIPS_SUPPORT"], + [SSL_DEFINE=]) + CFLAGS="$saveCFLAGS" + LDFLAGS="$saveLDFLAGS" + LIBS="$saveLIBS" +else + SSL_DEFINE= +fi + #-------------------------------------------------------------------- # Os mon stuff. #-------------------------------------------------------------------- |
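Review bot: in the second hunk (the `AC_ARG_ENABLE(fips, ...)` block), when `--enable-fips` is given but `AC_CHECK_FUNC([FIPS_mode_set], ...)` fails to link, the failure branch just sets `SSL_DEFINE=` and configure continues silently, so a build the operator believes to be FIPS-capable ships without `-DFIPS_SUPPORT` and the omission only surfaces at runtime. Fail loudly when the user asked for it, e.g. replace `[SSL_DEFINE=]` with `[AC_MSG_ERROR([--enable-fips requested but FIPS_mode_set not found in the crypto library])]`, or at least `AC_MSG_WARN`. The same silent fallback is also reachable through the probe's hard-coded `LIBS="-lcrypto"`: the surrounding configure exports `SSL_CRYPTO_LIBNAME` for the crypto library name (visible in the first hunk's context), so on a platform where the library is not called libcrypto the link test fails and FIPS support is dropped; use `LIBS="-l$SSL_CRYPTO_LIBNAME"` so the probe links against the same library the build will.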