Skip to content

Crypto: Hide forbidden algorithms when FIPS enabled #10312

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Crypto: Hide forbidden algorithms when FIPS enabled #10312

wants to merge 9 commits into from

Conversation

kvakvs
Copy link
Collaborator

@kvakvs kvakvs commented Oct 21, 2025
edited
Loading

Fixes #9520

Problem

crypto:supports/0 is currently undocumented but i will add a doc string to it.
Crypto returns some algorithms which are indirectly forbidden under FIPS (i.e. listed as available but not working).

The Expectation

Expected: All algorithms returned by crypto:supports/0 will be available at least in one way.
Bonus points for returning forbidden algorithm names separately so that the users will not complain that something "has disappeared" and will see the reason.

Solution

The call to crypto:supports/0 under FIPS build with fips=enabled in crypto app settings, will filter the algorithms by their availability in a much more strict way (by actually trying to initialize each algorithm and recording the failures as a sign of unavailability) and will return an additional section in the results containing disabled algorithms:

[{hashs,[...
 {ciphers, ...
 {kems,[]},
 {public_keys, ...
 {macs, ...
 {curves, ...
 {rsa_opts, ...
 {fips_forbidden,[{hashs,[blake2s,blake2b,sm3,ripemd160,md5,
                          md4]},
                  {ciphers,[chacha20,sm4_ctr,sm4_ofb,sm4_cfb,sm4_ecb,sm4_cbc,
                            blowfish_ecb,blowfish_ofb64,blowfish_cfb64,blowfish_cbc,
                            des_ede3_cfb,des_ecb,des_cfb,des_cbc,rc4|...]},
                  {kems,[mlkem1024,mlkem768,mlkem512]},
                  {public_keys,[srp,eddh,eddsa,ecdh,ecdsa,ec_gf2m,dss]},
                  {macs,[hmac,poly1305]},
                  {curves,[secp256r1]},
                  {rsa_opts,[]}]}]

Note this will only appear if FIPS is enabled. And this will only appear if SSL API is 3.0 or later.
The behaviour with FIPS disabled or older SSL will remain unchanged.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 21, 2025
edited
Loading

CT Test Results

No tests were run for this PR. This is either because the build failed, or the PR is based on a branch without GH actions tests configured.

Results for commit afd9a2b

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

@kvakvs kvakvs added the team:PS Assigned to OTP team PS label Oct 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IngelaAndin IngelaAndin Awaiting requested review from IngelaAndin

@sverker sverker Awaiting requested review from sverker

At least 1 approving review is required to merge this pull request.

Assignees

@kvakvs kvakvs

Labels

team:PS Assigned to OTP team PS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

FIPS 140-3 vs supported algorithms in ssh

1 participant

@kvakvs