Crypto library C code converted to C++14 with focus on FIPS and algorithm probing #11011

Open
kvakvs wants to merge 12 commits into erlang:maint from kvakvs:9520-crypto-fips-c++

Conversation

@kvakvs
Contributor

@kvakvs kvakvs commented Apr 13, 2026

Summary

  • This PR is a preparation for solving FIPS 140-3 vs supported algorithms in ssh #9520, done separately from the actual changes to make review easier.
  • This PR changes the programming language used in lib/crypto from C89 to C++14 and modernizes some code aspects to make it safer and cleaner (research was done to find that this will be supported on the oldest systems still used in the testing lab).
  • The next step (not in this PR): When FIPS mode is enabled, all (cipher, digest, pubkey, mac, etc.) algorithms will be challenged against FIPS requirements and removed from the available list if they are forbidden.

Changes

  • Attempted to keep the changes to the minimum and leave most code untouched to allow easier review
  • Makefile template updated to use CXX compiler instead of CC
  • C files renamed to CPP with compile errors and most non-fatal warnings addressed (such as 'argument/variable can be made const', etc)
  • struct and enum in typenames are not necessary. Integer NULL becomes appropriately typed nullptr
  • C-style casts become static_cast (for simple conversions), const_cast (for adding or removing const qualifier), and reinterpret_cast (for incompatible value type changes)
  • Arrays used for algorithms now are C++ dynamic arrays, removed related support code, loops now use array iteration for (auto &p: array_name) {}
  • Enums and bit flags used for algorithms are now bool-type bitfields
  • Include file guards now become #pragma once, supported for a very long time by all compilers
  • Some macros became constexpr or INLINE functions
  • Tested on OpenSSL 1.0.1u, 1.1.1, 3.0.0, 3.4.0 (non-FIPS and, where supported, FIPS)
  • No changes in documentation, user-facing API or library behaviors.
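
The bool-type bitfield flags and range-based iteration listed under Changes, together with the FIPS filtering announced as the next step, could take roughly the following shape. This is an added example, not code from this PR or from lib/crypto; the struct names, function names and the sample table are hypothetical and constructed for illustration.

```cpp
// Added illustration; all names and the table are hypothetical, not from lib/crypto.
#include <iostream>
#include <string>
#include <vector>

// Per-algorithm properties as bool bitfields instead of an enum bitmask.
struct AlgoFlags {
    bool fips_forbidden : 1;  // must be hidden when FIPS mode is enabled
    bool unavailable : 1;     // probe failed: the linked OpenSSL cannot provide it
};

struct Algo {
    const char *name;
    AlgoFlags flags;
};

// Constructed sample table; a real one would be filled by probing at load time.
std::vector<Algo> sample_digests() {
    return {
        {"md5",        {true,  false}},
        {"sha256",     {false, false}},
        {"blake2b512", {true,  false}},
        {"sha3_256",   {false, true}},  // e.g. probe failed on an old OpenSSL
    };
}

// Names to advertise: drop anything the probe rejected and, in FIPS mode,
// anything flagged as forbidden.
std::vector<std::string> available(const std::vector<Algo> &table, bool fips_mode) {
    std::vector<std::string> out;
    for (const auto &a : table) {
        if (a.flags.unavailable) continue;
        if (fips_mode && a.flags.fips_forbidden) continue;
        out.emplace_back(a.name);
    }
    return out;
}

int main() {
    const auto table = sample_digests();
    for (bool fips : {false, true}) {
        std::cout << (fips ? "FIPS:    " : "non-FIPS:");
        for (const auto &n : available(table, fips)) std::cout << ' ' << n;
        std::cout << '\n';
    }
    return 0;
}
```

Filtering at the point where the list is built means a forbidden algorithm is never advertised to callers such as ssh, rather than failing later when it is first used.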

@github-actions
Contributor

github-actions bot commented Apr 13, 2026

CT Test Results

  2 files   14 suites   4m 41s ⏱️
191 tests 171 ✅  18 💤 2 ❌
479 runs  334 ✅ 143 💤 2 ❌

For more details on these failures, see this check.

Results for commit 55f1a6e.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot
