[openssl-users] Enable the FIPS mode in the library level
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Mon Mar 5 19:20:40 UTC 2018
Am 05.03.2018 um 20:07 schrieb Salz, Rich via openssl-users:
>
> * Did you mean if an application uses the low level crypto algorithm
> functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then
> they won't work under FIPS mode (and hence may cause unpredictable
> issues)?
>
>
>
> Yes.
>
>
>
> It’s not unpredictable issues, but rather that your application cannot
> claim to be FIPS validated.
>
>
>
>
>
It's even worse: If you force an application which is not fips-aware
into FIPS mode and that application uses low level algorithms, then it
will be aborted by OpenSSL, because it is forbidden to use the low level
algorithms directly. To understand how this happens, search the source
code for 'fips_md_init' and 'fips_cipher_abort'. They are defined in
crypto.h, see end of mail.
Changing applications from the low level api is not a simple bugfix.
It's a nontrivial task.
So the situation is hopeless, I would say.
Matthias
crypto.h:
=======
# define fips_md_init(alg) fips_md_init_ctx(alg, alg)
# ifdef OPENSSL_FIPS
# define fips_md_init_ctx(alg, cx) \
int alg##_Init(cx##_CTX *c) \
{ \
if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
"Low level API call to digest " #alg " forbidden in FIPS
mode!"); \
return private_##alg##_Init(c); \
} \
int private_##alg##_Init(cx##_CTX *c)
# define fips_cipher_abort(alg) \
if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
"Low level API call to cipher " #alg " forbidden in FIPS
mode!")
# else
# define fips_md_init_ctx(alg, cx) \
int alg##_Init(cx##_CTX *c)
# define fips_cipher_abort(alg) while(0)
# endif
More information about the openssl-users
mailing list