Skip to content

config: fips: bin: Initial implementation to enable FIPS compliance#12024

Open
cosmo0920 wants to merge 8 commits into
masterfrom
cosmo0920-making-fips-compliant-stage1
Open

config: fips: bin: Initial implementation to enable FIPS compliance#12024
cosmo0920 wants to merge 8 commits into
masterfrom
cosmo0920-making-fips-compliant-stage1

Conversation

@cosmo0920

@cosmo0920 cosmo0920 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

This PR implements the first step to enable FIPS compliance of OpenSSL component.
On trying to enable FIPS components, we need to failed to launch on exception to load FIPS module with turning on FIPS setting.
Plus, on enabled FIPS, we also need to block to use MD5 hash on out_s3 plugin.

This is related to #4640.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features
    • Added optional OpenSSL-backed FIPS mode via --enable-fips, including startup-time initialization.
  • Bug Fixes
    • Prevented startup issues when FIPS mode conflicts with MD5 usage in the S3 output.
    • Improved Azure block-blob reliability with additional validation and error handling when block ID generation fails.
  • Enhancements
    • Updated Azure block-blob block ID generation in FIPS mode to use SHA-256-derived IDs (same fixed-width naming format).
  • Tests
    • Added tests covering SHA-256-based Azure block-blob ID behavior in FIPS mode.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c20e4e4e-fcb5-47e1-ae51-6545608c3163

📥 Commits

Reviewing files that changed from the base of the PR and between a2bf4af and b2d97ad.

📒 Files selected for processing (2)
  • include/fluent-bit/flb_config.h
  • include/fluent-bit/flb_fips.h
✅ Files skipped from review due to trivial changes (1)
  • include/fluent-bit/flb_fips.h

📝 Walkthrough

Walkthrough

This PR adds FIPS mode configuration and startup initialization, wires a CLI enable flag, updates Azure Blob block ID generation for FIPS mode, and adds an S3 initialization guard for an incompatible setting.

Changes

FIPS mode support

Layer / File(s) Summary
FIPS config fields and defaults
include/fluent-bit/flb_config.h, src/flb_config.c
Adds fips_mode and fips_mode_active, registers security.fips_mode, and initializes both values to FLB_FALSE.
FIPS init implementation and header
include/fluent-bit/flb_fips.h, src/flb_fips.c, src/CMakeLists.txt
Declares and implements flb_fips_init, adds OpenSSL error logging, provider/default-property setup, and builds the new source file.
Engine and CLI startup wiring
src/flb_engine.c, src/fluent-bit.c
Engine startup and the CLI now invoke FIPS initialization, and --enable-fips sets security.fips_mode on.
Azure Blob FIPS hashing
plugins/out_azure_blob/azure_blob_blockblob.c, plugins/out_azure_blob/azure_blob.c, tests/internal/azure_blob_path.c
Azure Blob block IDs switch to SHA-256-derived values in FIPS mode, add NULL handling on generation failures, and add a test for FIPS vs non-FIPS output.
S3 output plugin compatibility guard
plugins/out_s3/s3.c
Fails S3 initialization when FIPS mode is enabled together with send_content_md5.

Estimated code review effort: 4 (Complex) | ~45 minutes

Suggested reviewers: niedbalski, patrick-stephens

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is clearly related to the PR’s main change: adding initial FIPS support/compliance work.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cosmo0920-making-fips-compliant-stage1

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e609bd5506

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/flb_fips.c

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/internal/azure_blob_path.c`:
- Around line 501-511: The current test for azb_block_blob_id_blob only checks
that the FIPS ID differs from the default ID, which does not verify the SHA-256
contract. Update the test in azure_blob_path.c to compare fips_id against a
known-good SHA-256-derived block ID, or compute the expected value using
FLB_HASH_SHA256, so the assertion directly validates the digest used by
azb_block_blob_id_blob when config.fips_mode is enabled.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 88b39125-649e-46f9-bc15-097fb3cce5b3

📥 Commits

Reviewing files that changed from the base of the PR and between e609bd5 and 536bf7a.

📒 Files selected for processing (3)
  • plugins/out_azure_blob/azure_blob.c
  • plugins/out_azure_blob/azure_blob_blockblob.c
  • tests/internal/azure_blob_path.c

Comment thread tests/internal/azure_blob_path.c

@edsiper edsiper left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's verify the configuration option name/prefix

Comment thread include/fluent-bit/flb_config.h Outdated
#define FLB_CONF_STR_STREAMS_FILE "Streams_File"
#define FLB_CONF_STR_STREAMS_STR_CONV "sp.convert_from_str_to_num"
#define FLB_CONF_STR_CONV_NAN "json.convert_nan_to_null"
#define FLB_CONF_STR_FIPS_MODE "FIPS_Mode"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should get rid of camel case and just use lowercase for simplicity. also I think we need a prefix for those options, maybe security.* ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, good point. I fix to use security.fips_mode here.

cosmo0920 added 8 commits July 9, 2026 09:49
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants