mirror of
https://github.com/haproxy/haproxy.git
synced 2026-07-10 01:34:36 -04:00
MEDIUM: ssl: set FIPS-approved sigalgs defaults for AWS-LC FIPS builds
When AWS-LC is built in FIPS mode, unconditionally override the
compile-time signature algorithm defaults with the FIPS-approved set
before config parsing. Explicit ssl-default-{bind,server}-sigalgs
keywords in the global section still take precedence over these
defaults.
The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
CONNECT/LISTEN_DEFAULT_FIPS_SIGALGS - ECDSA (P-256/384/521),
RSA-PSS and RSA-PKCS1
with SHA-256/384/512
CONNECT/LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS - same set for client
certificate sigalgs
SHA-1 based algorithms and non-FIPS primitives (ed25519, ed448) are
excluded from the defaults.
This commit is contained in:
parent
6647a59f06
commit
1aee4ccd25
2 changed files with 39 additions and 0 deletions
|
|
@ -469,6 +469,35 @@
|
|||
#define LISTEN_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
|
||||
#endif
|
||||
|
||||
/* FIPS-approved signature algorithms for AWS-LC FIPS builds */
|
||||
#ifndef CONNECT_DEFAULT_FIPS_SIGALGS
|
||||
#define CONNECT_DEFAULT_FIPS_SIGALGS \
|
||||
"ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
|
||||
"rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
|
||||
"rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
|
||||
#endif
|
||||
|
||||
#ifndef LISTEN_DEFAULT_FIPS_SIGALGS
|
||||
#define LISTEN_DEFAULT_FIPS_SIGALGS \
|
||||
"ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
|
||||
"rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
|
||||
"rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
|
||||
#endif
|
||||
|
||||
#ifndef CONNECT_DEFAULT_FIPS_CLIENT_SIGALGS
|
||||
#define CONNECT_DEFAULT_FIPS_CLIENT_SIGALGS \
|
||||
"ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
|
||||
"rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
|
||||
"rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
|
||||
#endif
|
||||
|
||||
#ifndef LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS
|
||||
#define LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS \
|
||||
"ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
|
||||
"rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
|
||||
"rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
|
||||
#endif
|
||||
|
||||
/* named curve used as defaults for ECDHE ciphers */
|
||||
#ifndef ECDHE_DEFAULT_CURVE
|
||||
#define ECDHE_DEFAULT_CURVE "prime256v1"
|
||||
|
|
|
|||
|
|
@ -8544,6 +8544,16 @@ static void __ssl_sock_init(void)
|
|||
global_ssl.listen_default_curves = strdup(LISTEN_DEFAULT_FIPS_CURVES);
|
||||
free(global_ssl.connect_default_curves);
|
||||
global_ssl.connect_default_curves = strdup(CONNECT_DEFAULT_FIPS_CURVES);
|
||||
#if defined(SSL_CTX_set1_sigalgs_list)
|
||||
free(global_ssl.listen_default_sigalgs);
|
||||
global_ssl.listen_default_sigalgs = strdup(LISTEN_DEFAULT_FIPS_SIGALGS);
|
||||
free(global_ssl.connect_default_sigalgs);
|
||||
global_ssl.connect_default_sigalgs = strdup(CONNECT_DEFAULT_FIPS_SIGALGS);
|
||||
free(global_ssl.listen_default_client_sigalgs);
|
||||
global_ssl.listen_default_client_sigalgs = strdup(LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS);
|
||||
free(global_ssl.connect_default_client_sigalgs);
|
||||
global_ssl.connect_default_client_sigalgs = strdup(CONNECT_DEFAULT_FIPS_CLIENT_SIGALGS);
|
||||
#endif
|
||||
}
|
||||
#endif /* OPENSSL_IS_AWSLC */
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue