display fips mode status in the UI, requires temporary fix for openss…

…l gem
cyberark · Jul 17, 2023 · 546126b · 546126b
1 parent 4793f28
commit 546126b
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/app/views/status/index.html.erb b/app/views/status/index.html.erb
@@ -24,7 +24,7 @@
       <div class="left-panel">
         <h1>Status</h1>
         <p class="status-text">Your Conjur server is running!</p>
-        
+
         <h2>Security Check:</h2>
         <p>Does your browser show a green lock icon on the left side of the address bar?</p>
 
@@ -58,6 +58,7 @@
           <dt>Details:</dt>
           <dd>Version <%= ENV["CONJUR_VERSION_DISPLAY"] %></dd>
           <dd>API Version <a href="https://github.com/cyberark/conjur-openapi-spec/releases/tag/v<%= ENV["API_VERSION"] %>"><%= ENV["API_VERSION"] %></a>
+          <dd>FIPS mode <%= ENV["FIPS_MODE_STATUS"] %></a>
           <dt>More Info:</dt>
           <dd>
             <ul>
@@ -70,7 +71,7 @@
 
       </div>
     </main>
-    
+
     <footer>
       <div class="logo-cont">
         <img src="/img/cyberark-white.png"/>

diff --git a/config/initializers/fips.rb b/config/initializers/fips.rb
@@ -1,5 +1,6 @@
 require "openssl"
 require "digest"
+require "ffi"
 
 # Suppress warning messages
 original_verbose = $VERBOSE
@@ -12,9 +13,27 @@
 # Activate warning messages again
 $VERBOSE = original_verbose
 
-# by default FIPS mode is enabled
-# disable FIPS mode only if OPENSSL_FIPS_ENABLED environment variable is present and has false value
-# OpenSSL.fips_mode = !(ENV["OPENSSL_FIPS_ENABLED"].present? && ENV["OPENSSL_FIPS_ENABLED"] == 'false')
+# This is a temporary workaround to support OpenSSL v3 until ruby openssl gem properly handles fips mode state
+# https://github.com/ruby/openssl/issues/369
+if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with?("OpenSSL 3")
+  module OpenSSL
+    extend FFI::Library
+      ffi_lib 'libssl.so'
+      attach_function :EVP_default_properties_is_fips_enabled, [:pointer], :int
+
+    def self.fips_mode
+      EVP_default_properties_is_fips_enabled(nil) == 1
+    end
+
+    def self.fips_mode=(mode)
+      raise "Changing FIPS state in OpenSSL 3 needs to be done with OpenSSL configuration"
+    end
+  end
+else
+  # by default FIPS mode is enabled
+  # disable FIPS mode only if OPENSSL_FIPS_ENABLED environment variable is present and has false value
+  OpenSSL.fips_mode = !(ENV.fetch('OPENSSL_FIPS_ENABLED', 'true') == 'false')
+end
 
 # each of the following 3rd party overridden is required since a non FIPS complaint encryption method is used
 # if a non-complaint FIPS method like MD5 is used or a direct use of Digest::encryption-method

diff --git a/config/initializers/status.rb b/config/initializers/status.rb
@@ -4,3 +4,4 @@
 
 ENV["CONJUR_VERSION_DISPLAY"] = File.read(File.expand_path("../../VERSION", File.dirname(__FILE__)))
 ENV["API_VERSION"] = File.read(File.expand_path("../../API_VERSION", File.dirname(__FILE__)))
+ENV["FIPS_MODE_STATUS"] = OpenSSL.fips_mode ? "enabled" : "disabled"