[openssl-users] Enabling FIPS on an custom embedded system.

Eric Tremblay fremeneric at gmail.com
Wed Oct 26 22:06:20 UTC 2016


Hi Steve,

Thanks for the quick reply.

That is what I had understand from my reading but wasn't sure.

My next question is about OpenSSH.  There is no official support in OpenSSH
for FIPS at the moment right ?

Thanks

Eric



On Wed, Oct 26, 2016 at 5:04 PM, Steve Marquess <marquess at openssl.com>
wrote:

> On 10/26/2016 04:37 PM, Eric Tremblay wrote:
> > Hi all,____
> >
> > __ __
> >
> > I have built the FIPS module into our Platform but I am stuck at the
> > point to enable it.____
> >
> > __ __
> >
> > We need FIPS to be enabled « Platform wide » not just for one
> > application.____
> >
> > __ __
> >
> > I have read the documentation and search on the web for answer but it
> > seem that I would have ____
> >
> > to modify a package or write a small application just to enable FIPS.____
> >
> > __ __
> >
> > Is there another way to enable it on startup of Linux ?  or maybe
> > something in OpenSSH ?____
> >
> > __ __
> >
> > I also read about the OPENSSL_Config in the User Guide but I’m not sure
> > if/who and how it is called.____
> >
> > __ __
> >
> > I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____
> >
> > __ __
> >
> > Thanks____
> >
> > __ __
> >
> > Eric
> >
> >
> >
>
>
> Hmmm ... where to start.
>
> First there is really no such thing as "enabling FIPS" for a platform.
> The FIPS module is executable code that runs in the context of a
> process, and to be righteous FIPS-wise each process (that uses
> cryptography) must invoke the FIPS_mode_set() call that performs the
> mandatory POST (Power Up Self Test). Note that is true even when the
> FIPS module is embedded in a shared library (the "FIPS enabled"
> OpenSSL), as each process using said shared library maps writable data
> into its own private address space.
>
> So to make the sweeping claim that a "platform" is FIPS enabled, you
> must make sure that *every* process for that platform enables FIPS mode
> via a FIPS_mode_set() call (whether directly or indirectly). Note that
> for your typical general purpose (e.g. Windows or Linux-like) operating
> system that is an essentially unachievable goal, as not all of the many
> crypto-using applications are readily converted to use the FIPS enabled
> OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise
> kernel-mode crypto can't be addressed with the OpenSSL FIPS module.
>
> For that reason the wise and prudent vendor does not attempt to "enable
> FIPS" for an entire platform (for Level 1 validations), but rather only
> makes claims about specific individual applications running on that
> platform.
>
> In the case where all processes of interest are compatible with the FIPS
> capable OpenSSL (specifically, not referencing any other crypto
> implementations, or non-approved cryptographic operations), then
> OPENSSL_config() can in principle be used to indirectly call
> FIPS_mode_set() for each such application. That is only *after* every
> such application/process has *first* been modified for compatibility
> with the FIPS capable OpenSSL. Very few applications not already
> designed to support the OpenSSL FIPS module will be compatible without
> some degree of modification.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161026/67311bf5/attachment.html>


More information about the openssl-users mailing list