File 1053-crypto-Warn-if-FIPS-supported-but-application-not-lo.patch of Package erlang

From 04ce711a192ced0b7e35ff498e60149b9845e6a2 Mon Sep 17 00:00:00 2001
From: Sverker Eriksson <sverker@erlang.org>
Date: Mon, 17 Jun 2024 17:10:26 +0200
Subject: [PATCH] crypto: Warn if FIPS supported but application not loaded

in which case FIPS is disabled by default.
---
 lib/crypto/src/crypto.app.src |  2 +-
 lib/crypto/src/crypto.erl     | 27 +++++++++++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/lib/crypto/src/crypto.app.src b/lib/crypto/src/crypto.app.src
index 30e804c7e2..2c87902015 100644
--- a/lib/crypto/src/crypto.app.src
+++ b/lib/crypto/src/crypto.app.src
@@ -25,6 +25,6 @@
     {registered, []},
     {applications, [kernel, stdlib]},
     {env, [{fips_mode, false}, {rand_cache_size, 896}]},
-    {runtime_dependencies, ["erts-9.0","stdlib-3.9","kernel-5.3"]}]}.
+    {runtime_dependencies, ["erts-9.0","stdlib-3.9","kernel-6.0"]}]}.
 
 
diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl
index 1cc11aa6eb..f6187b969b 100644
--- a/lib/crypto/src/crypto.erl
+++ b/lib/crypto/src/crypto.erl
@@ -2139,7 +2139,15 @@ on_load() ->
 	      end,
     Lib = filename:join([PrivDir, "lib", LibName]),
     LibBin   = path2bin(Lib),
-    FipsMode = application:get_env(crypto, fips_mode, false) == true,
+    {FipsMode,AppLoaded} =
+        case application:get_env(crypto, fips_mode) of
+            {ok, true} -> {true, loaded};
+            {ok, _} -> {false, loaded};
+            undefined ->
+                %% We assume application crypto has a default value for fips_mode.
+                %% If undefined the application has not been loaded.
+                {false, unloaded}
+        end,
     Status = case erlang:load_nif(Lib, {?CRYPTO_NIF_VSN,LibBin,FipsMode}) of
 		 ok -> ok;
 		 {error, {load_failed, _}}=Error1 ->
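Review bot: The `{ok, _} -> {false, loaded}` clause maps every configured value other than the atom `true` to FIPS off with no diagnostic. A mistyped setting (for example the string `"true"`) therefore leaves a node that is meant to run in FIPS mode running without it, and because the application counts as loaded, the new warning is skipped as well. This fail-open behaviour is carried over from the removed `== true` comparison, but the rewrite is a good place to tighten it: match `{ok, false} -> {false, loaded};` explicitly and give other values their own tag, e.g. `{ok, Bad} -> {false, {bad_fips_mode, Bad}}`, so the post-load step can log it. `on_load/0` starts and ends outside this hunk, so how `FipsMode` is used after `load_nif` is not visible here.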
@@ -2161,7 +2169,9 @@ on_load() ->
 		 Error1 -> Error1
 	     end,
     case Status of
-	ok -> ok;
+	ok ->
+            warn_app_not_loaded_maybe(AppLoaded),
+            ok;
 	{error, {E, Str}} ->
             Fmt = "Unable to load crypto library. Failed with error:~n\"~p, ~s\"~n~s",
             Extra = case E of
@@ -2173,6 +2183,19 @@ on_load() ->
 	    Status
     end.
 
+warn_app_not_loaded_maybe(loaded) ->
+    ok;
+warn_app_not_loaded_maybe(unloaded) ->
+    %% For backward compatible reasons we allow application crypto
+    %% not being loaded.
+    case info_fips() of
+        not_enabled ->
+            logger:warning("Module 'crypto' loaded without application 'crypto' being loaded.\n"
+                           "Without application config 'fips_mode' loaded, FIPS mode is disabled by default.");
+        _ ->
+            ok
+    end.
+
 path2bin(Path) when is_list(Path) ->
     Encoding = file:native_name_encoding(),
     case unicode:characters_to_binary(Path,Encoding,Encoding) of
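Review bot: The log line in `warn_app_not_loaded_maybe(unloaded)` is the only signal that a FIPS-capable build came up with FIPS disabled, but it does not tell the operator how to fix it. I would append a sentence such as `"Load application 'crypto' before first use of the module, or call crypto:enable_fips_mode(true), if FIPS mode is required."` Deployments that require FIPS should also treat this message as alertable, since the load still returns `ok`. The `_ -> ok` clause deserves a short comment saying why it is silent, e.g. `%% not_supported: nothing to enable; enabled: nothing to warn about`. Otherwise a reader has to look up the return values of `info_fips/0`.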
-- 
2.35.3
