Skip to content

config: fips: bin: Initial implementation to enable FIPS compliance#12024

Open
cosmo0920 wants to merge 8 commits into
masterfrom
cosmo0920-making-fips-compliant-stage1
Open

config: fips: bin: Initial implementation to enable FIPS compliance#12024
cosmo0920 wants to merge 8 commits into
masterfrom
cosmo0920-making-fips-compliant-stage1

Conversation

@cosmo0920

@cosmo0920 cosmo0920 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

This PR implements the first step to enable FIPS compliance of OpenSSL component.
On trying to enable FIPS components, we need to failed to launch on exception to load FIPS module with turning on FIPS setting.
Plus, on enabled FIPS, we also need to block to use MD5 hash on out_s3 plugin.

This is related to #4640.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features
    • Added optional OpenSSL-backed FIPS mode enabled via --enable-fips.
    • Added startup-time FIPS initialization when enabled.
  • Bug Fixes
    • Prevented S3 output startup when FIPS mode conflicts with MD5 content handling.
    • Added safer Azure block-blob handling when block ID generation fails.
  • Enhancements
    • Updated Azure block blob ID generation in FIPS mode to use SHA-256-derived IDs (output format remains fixed-width).
  • Tests
    • Added coverage to verify Azure block blob IDs match expected SHA-256-based FIPS formatting.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a36ac9fd-6996-4466-8964-dc8a667a8a9b

📥 Commits

Reviewing files that changed from the base of the PR and between 19dc71a and a2bf4af.

📒 Files selected for processing (11)
  • include/fluent-bit/flb_config.h
  • include/fluent-bit/flb_fips.h
  • plugins/out_azure_blob/azure_blob.c
  • plugins/out_azure_blob/azure_blob_blockblob.c
  • plugins/out_s3/s3.c
  • src/CMakeLists.txt
  • src/flb_config.c
  • src/flb_engine.c
  • src/flb_fips.c
  • src/fluent-bit.c
  • tests/internal/azure_blob_path.c
✅ Files skipped from review due to trivial changes (1)
  • src/CMakeLists.txt
🚧 Files skipped from review as they are similar to previous changes (10)
  • include/fluent-bit/flb_fips.h
  • src/flb_engine.c
  • src/flb_fips.c
  • plugins/out_s3/s3.c
  • src/fluent-bit.c
  • plugins/out_azure_blob/azure_blob.c
  • include/fluent-bit/flb_config.h
  • src/flb_config.c
  • plugins/out_azure_blob/azure_blob_blockblob.c
  • tests/internal/azure_blob_path.c

📝 Walkthrough

Walkthrough

This PR adds FIPS mode configuration, initialization, and startup wiring, plus Azure Blob block ID changes for FIPS mode and an S3 output validation check. It also adds a CLI flag to enable FIPS and a test covering Azure Blob ID generation.

Changes

FIPS mode support

Layer / File(s) Summary
FIPS config fields and defaults
include/fluent-bit/flb_config.h, src/flb_config.c
Adds fips_mode/fips_mode_active fields and FLB_CONF_STR_FIPS_MODE, registers the service config property, and initializes both fields to FLB_FALSE.
FIPS init implementation and header
include/fluent-bit/flb_fips.h, src/flb_fips.c, src/CMakeLists.txt
Declares and implements flb_fips_init, including OpenSSL error logging, version/provider checks, FIPS default-property activation, and build wiring.
Engine and CLI startup wiring
src/flb_engine.c, src/fluent-bit.c
Engine startup now calls flb_fips_init; the CLI adds --enable-fips, sets the service property, and aborts startup on FIPS initialization failure.
Azure Blob FIPS hashing
plugins/out_azure_blob/azure_blob_blockblob.c, plugins/out_azure_blob/azure_blob.c, tests/internal/azure_blob_path.c
Azure Blob block IDs switch to SHA-256-derived values in FIPS mode, add NULL handling on block ID generation failures, and add a test covering FIPS vs non-FIPS output.
S3 output plugin compatibility guard
plugins/out_s3/s3.c
Adds a check that fails initialization when FIPS mode is enabled with send_content_md5.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CLI
  participant flb_engine_start
  participant flb_fips_init
  participant OpenSSL

  CLI->>flb_engine_start: start with config
  flb_engine_start->>flb_fips_init: flb_fips_init(config)
  flb_fips_init->>OpenSSL: load base provider
  flb_fips_init->>OpenSSL: load fips provider
  flb_fips_init->>OpenSSL: enable FIPS default properties
  OpenSSL-->>flb_fips_init: verify properties
  flb_fips_init-->>flb_engine_start: status and active flag
  flb_engine_start-->>CLI: continue or abort
Loading

Suggested reviewers: edsiper, niedbalski

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is clearly related to the PR and summarizes the new FIPS enablement work.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cosmo0920-making-fips-compliant-stage1

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e609bd5506

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/flb_fips.c

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/internal/azure_blob_path.c`:
- Around line 501-511: The current test for azb_block_blob_id_blob only checks
that the FIPS ID differs from the default ID, which does not verify the SHA-256
contract. Update the test in azure_blob_path.c to compare fips_id against a
known-good SHA-256-derived block ID, or compute the expected value using
FLB_HASH_SHA256, so the assertion directly validates the digest used by
azb_block_blob_id_blob when config.fips_mode is enabled.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 88b39125-649e-46f9-bc15-097fb3cce5b3

📥 Commits

Reviewing files that changed from the base of the PR and between e609bd5 and 536bf7a.

📒 Files selected for processing (3)
  • plugins/out_azure_blob/azure_blob.c
  • plugins/out_azure_blob/azure_blob_blockblob.c
  • tests/internal/azure_blob_path.c

Comment thread tests/internal/azure_blob_path.c
cosmo0920 added 2 commits July 2, 2026 09:38
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
cosmo0920 added 6 commits July 2, 2026 09:38
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant