
Commit 31d7b24

fips: prefer self-reported status over a build flag (envoyproxy#39036)
Change-Id: I27552abf959a501cd592fe7fa1e5ac7d67e4ddff Commit Message: Directly pass through boringssl's `FIPS_mode` status instead of depending on the build flag. This is useful when boringssl is forced to compile in the FIPS mode (e.g. by source code modification to set the build flag). Additional Description: none Risk Level: low, a release assert was already present. Testing: yes Docs Changes: none Release Notes: none Signed-off-by: Kuat Yessenov <kuat@google.com>
1 parent b0b550f commit 31d7b24

2 files changed

Lines changed: 2 additions & 15 deletions


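--- a/source/common/version/BUILD
+++ b/source/common/version/BUILD
@@ -59,10 +59,7 @@ envoy_cc_library(
 name = "version_lib",
 srcs = ["version.cc"],
 copts = envoy_select_boringssl(
-[
-"-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\"",
-"-DENVOY_SSL_FIPS",
-],
+["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""],
 ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""],
 ),
 external_deps = ["ssl"],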
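Review bot: The `ENVOY_SSL_VERSION` label at new line 62 is still chosen at build time by `envoy_select_boringssl`, while the FIPS status now comes from BoringSSL's runtime `FIPS_mode()`, so the two can disagree. In the case the commit message describes (BoringSSL forced into FIPS mode by a source change), the binary would presumably carry the plain "BoringSSL" label while reporting FIPS compliance as true; how the select is resolved is not visible here. Anyone auditing FIPS deployments from the version string should know which value is authoritative, so a comment above `copts` would help: `# ENVOY_SSL_VERSION is a build-time label only; FIPS status is reported at runtime by VersionInfo::sslFipsCompliant().`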

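--- a/source/common/version/version.cc
+++ b/source/common/version/version.cc
@@ -11,10 +11,7 @@
 #include "absl/strings/numbers.h"
 #include "absl/strings/str_split.h"
 #include "absl/strings/string_view.h"
-
-#ifdef ENVOY_SSL_FIPS
 #include "openssl/crypto.h"
-#endif
 
 extern const char build_scm_revision[];
 extern const char build_scm_status[];
@@ -40,14 +37,7 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() {
 return *result;
 }
 
-bool VersionInfo::sslFipsCompliant() {
-#ifdef ENVOY_SSL_FIPS
-RELEASE_ASSERT(FIPS_mode() == 1, "FIPS mode must be enabled in Envoy FIPS configuration.");
-return true;
-#else
-return false;
-#endif
-}
+bool VersionInfo::sslFipsCompliant() { return FIPS_mode() == 1; }
 
 const std::string& VersionInfo::buildType() {
 #ifdef NDEBUG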
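Review bot: The one-line `sslFipsCompliant()` at new line 40 no longer fails closed: the removed `RELEASE_ASSERT` stopped a FIPS-configured build whose module was not in FIPS mode, whereas the new code returns false and lets the process continue. Whether any caller treats a false result as fatal is not visible in this hunk, so a deployment that expects FIPS could run non-compliant unless something else checks the value. If that is intended, state the contract on the function, e.g. `// Reports BoringSSL's runtime FIPS_mode(); never aborts, so callers that require FIPS must check the result.` The commit lists "Testing: yes" but neither changed file is a test, so a case covering a FIPS-labelled build with `FIPS_mode() != 1` would be worth confirming.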
