[openssl-users] Enable the FIPS mode in the library level

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Mon Mar 5 10:57:40 UTC 2018



On 05.03.2018 10:46, Alan Dean wrote:
> Question 1: Is it even feasible to make the FIPS mode always enabled
> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so
> that most of the applications which are dynamically linked to libcrypto and
> libssl will automatically use OpenSSL FIPS mode without the need of
> changes to add the FIPS_mode_set invocation (with some exceptions such
> as OpenSSH which may still need some fixes)? (Assuming from the
> certification's perspective we are OK if we make these changes.)
>
>
> Question 2: If the above idea is feasible, where in the OpenSSL
> library would be the best entry point to invoke the FIPS_mode_set API, so that we
> can keep the whole OpenSSL library always in FIPS mode? Any potential
> issues with this solution?
>
>
> Any suggestions will be greatly appreciated.
>


The optimal location for inserting the FIPS_mode_set(1) call is probably
OPENSSL_init() (openssl-1.0.2/crypto/o_fips.c), see the code snippet below.

void OPENSSL_init(void)
{
    static int done = 0;
    if (done)
        return;
    done = 1;
#ifdef OPENSSL_FIPS
    FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
# ifndef OPENSSL_NO_DEPRECATED
    FIPS_crypto_set_id_callback(CRYPTO_thread_id);
# endif
    FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
    FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
    RAND_init_fips();
    FIPS_mode_set(1);   /* <<< ENABLE FIPS MODE HERE <<< */
#endif
#if 0
    fprintf(stderr, "Called OPENSSL_init\n");
#endif
}


However, I am sceptical whether this approach will be accepted, because
there are (at least) two potential problems:

* Normally, it is mandatory to check the result of FIPS_mode_set() or
FIPS_mode() to ensure that the FIPS initialization succeeded. However,
an application which is not FIPS-aware won't check the result.
* It can happen that applications which have their own configuration and
enable/disable FIPS mode explicitly call FIPS_mode_set(0) afterwards.


HTH,
Matthias
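As an added example that is not part of the original mail, a FIPS-aware initialisation routine for an OpenSSL 1.0.2 FIPS build that performs the two checks Matthias describes: it verifies the result of FIPS_mode_set(1) through FIPS_mode(), and provides a guard that detects a later FIPS_mode_set(0). The USE_OPENSSL_FIPS macro, the OpenSSL header selection and the stand-in functions are assumptions so the example builds without a FIPS module present.

```c
/* Added example (not from the original mail): a FIPS-aware initialisation wrapper
 * for an OpenSSL 1.0.2 FIPS build.  Compile with -DUSE_OPENSSL_FIPS against an OpenSSL
 * FIPS build to use the real API; otherwise the constructed stand-ins below are used. */
#include <stdio.h>

#ifdef USE_OPENSSL_FIPS
#include <openssl/crypto.h>           /* FIPS_mode(), FIPS_mode_set() */
#else
/* Stand-ins (assumption: same contract as OpenSSL, non-zero means success). */
static int g_fips_state = 0;
static int g_fips_fail  = 0;          /* set to 1 to simulate a failed self-test */
static int FIPS_mode(void) { return g_fips_state; }
static int FIPS_mode_set(int onoff)
{
    if (onoff && g_fips_fail)
        return 0;                     /* FIPS_mode_set(1) failed: still non-FIPS */
    g_fips_state = onoff ? 1 : 0;
    return 1;
}
#endif

/* Enable FIPS mode and confirm it took effect. Returns 1 on success, 0 on failure.
 * This is exactly the result check a non-FIPS-aware application never performs. */
int fips_enable_checked(void)
{
    if (FIPS_mode())
        return 1;                     /* already on, e.g. via a library-level hook */
    if (!FIPS_mode_set(1)) {
        fprintf(stderr, "FIPS_mode_set(1) failed; refusing to run in non-FIPS mode\n");
        return 0;
    }
    return FIPS_mode() == 1;          /* confirm the state actually changed */
}

/* Call before each cryptographic operation: catches the second problem from the
 * mail, a component that called FIPS_mode_set(0) after initialisation. */
int fips_still_enabled(void)
{
    return FIPS_mode() == 1;
}

int main(void)
{
    if (!fips_enable_checked())
        return 1;
    FIPS_mode_set(0);                 /* simulate a component disabling FIPS later */
    printf("FIPS still enabled: %s\n", fips_still_enabled() ? "yes" : "no");
    return 0;
}
```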

