[openssl-users] Enable the FIPS mode in the library level
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Mon Mar 5 10:57:40 UTC 2018
On 05.03.2018 10:46, Alan Dean wrote:
> Question 1: Is it even feasible to make the FIPS mode always enabled
> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so
> that most the applications which dynamically linked to libcrypto and
> libssl will be automatically use OpenSSL FIPS mode without the need of
> changes to add the FIPS_mode_set invocation (with some exception such
> as OpenSSH which may still need some fixes). (Assuming from
> certification's perspective we are ok if we may these changes)
>
>
> Question 2: If the above idea is feasible, where in the OpenSSL
> library will be the best entry to invoke FIPS_mode_set API, so that we
> can make the whole OpenSSL library always in FIPS mode? Any potebtial
> issues for this solution?
>
>
> Any suggestions will be greatly appreciated.
>
The optimal location for inserting the FIPS_mode_set(1) call is probably
OPENSSL_init() (openssl-1.0.2/crypto/o_fips.c), see code snippet below.
void OPENSSL_init(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
# ifndef OPENSSL_NO_DEPRECATED
FIPS_crypto_set_id_callback(CRYPTO_thread_id);
# endif
FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
RAND_init_fips();
FIPS_mode_set(1); <<< ENABLE FIPS MODE HERE <<<
#endif
#if 0
fprintf(stderr, "Called OPENSSL_init\n");
#endif
However, I am sceptical whether this approach will be accepted, because
there are (at least) two potential problems:
* Normally, it is mandatory to check the result of FIPS_mode_set() or
FIPS_mode() to ensure that the FIPS initialization succeeded. However,
an application which is not FIPS-aware won't check the result.
* It can happen that applications which have their own configuration and
enable/disable FIPS mode explicitely, call FIPS_mode_set(0) afterwards.
HTH,
Matthias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180305/6157501d/attachment-0001.html>
More information about the openssl-users
mailing list