Using EVP api in fips mode (openssl3.0)

Matt Caswell matt at openssl.org
Wed Feb 26 03:48:32 UTC 2020



On 25/02/2020 11:12, Manish Patidar wrote:
> Thanks for the reply. It really helps to use the fips lib.
> 
> I have another doubt regarding the hmac stored in fipsinstall.conf. If
> someone modifies the fips library after installation and modifies the hmac
> in fipsinstall.conf accordingly, is openssl3.0 able to identify this
> and fail the fips library loading?
> 
> Should fipsinstall.conf be protected from corruption or modification?
> If yes, is the current mechanism able to do that or not?

The hmac stored in the fipsinstall.conf is intended to detect accidental
corruption of the module (or the conf file). If either of these is
changed then it will be detected. It is not intended to prevent
deliberate modification of both the module and the conf file at the same
time.

Matt


> 
> Regards
> Manish
> 
> On Thu, 16 Jan 2020, 8:29 pm Matt Caswell, <matt at openssl.org> wrote:
> 
> 
> 
>     On 14/01/2020 04:51, Manish Patidar wrote:
>     > Hi
>     >
>     > Can anyone guide me on how to use the fips api in openssl?
>     >
>     > I try to use it like below but it always returns null.
>     >
>     > ctx = EVP_CIPHER_CTX_new() ;
>     > ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ;
>     >
>     > I am doubting the fips provider is not loaded.
> 
> 
>     Right - the FIPS provider does not get loaded by default.
> 
>     First set some environment variables which will make the whole process a
>     bit easier. The OpenSSL libraries read these to locate the various
>     files:
> 
>     export OPENSSL_CONF_INCLUDE=/path/to/include/dir
>     export OPENSSL_MODULES=/path/to/providers/dir
>     export OPENSSL_CONF=/path/to/fips.cnf
> 
>     Next you will need to "install" the FIPS module. This will create a
>     fipsinstall.conf file:
> 
>     openssl fipsinstall -out $OPENSSL_CONF_INCLUDE/fipsinstall.conf \
>         -module $OPENSSL_MODULES/fips.so -provider_name fips -mac_name HMAC \
>         -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_sect
> 
>     (Aside: probably we should do the above as part of "make install", but
>     we don't do that AFAIK at the moment)
> 
>     Now create a config file to automatically load the FIPS module when
>     OpenSSL starts. Store it in the file pointed to by $OPENSSL_CONF:
> 
>     openssl_conf = openssl_init
> 
>     .include fipsinstall.conf
> 
>     [openssl_init]
>     providers = provider_sect
> 
>     [provider_sect]
>     fips = fips_sect
> 
> 
>     This will have the effect of automatically loading the FIPS provider
>     *and no others*. In this case you don't need the "fips=yes" in your
>     EVP_CIPHER_fetch() call because there are no other providers loaded
>     (although it does no harm).
> 
>     Alternatively you can load both the default and FIPS providers at the
>     same time:
> 
>     openssl_conf = openssl_init
> 
>     .include fipsinstall.conf
> 
>     [openssl_init]
>     providers = provider_sect
> 
>     [provider_sect]
>     default = default_sect
>     fips = fips_sect
> 
>     [default_sect]
>     activate = 1
> 
>     In this case you will need to specify "fips=yes" in the fetch to
>     disambiguate which implementation you want.
> 
>     Hope that helps,
> 
>     Matt
> 
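
The behaviour Matt describes for the HMAC in fipsinstall.conf, as an added example that is not part of the thread and is not OpenSSL code: it models the check as HMAC-SHA256 over the module bytes with the 'hexkey:00' key from the fipsinstall command, and compares it with a digest pinned outside both files. The dict standing in for the conf file, the sample module bytes and the `baseline` helper are assumptions made for illustration.

```python
import hashlib
import hmac

# Key from the quoted fipsinstall command ('hexkey:00'). It is public, not a secret.
INSTALL_KEY = bytes.fromhex("00")

def module_mac(module: bytes) -> str:
    """HMAC-SHA256 over the module bytes, as selected by -mac_name/-macopt."""
    return hmac.new(INSTALL_KEY, module, hashlib.sha256).hexdigest()

def install(module: bytes) -> dict:
    """Simplified stand-in for fipsinstall: record the MAC beside the module."""
    return {"module-mac": module_mac(module)}

def load_check(module: bytes, conf: dict) -> bool:
    """Load-time check: recompute the MAC and compare with the stored one."""
    return hmac.compare_digest(module_mac(module), conf["module-mac"])

def baseline(module: bytes, conf: dict) -> str:
    """Hypothetical extra control: one digest over both files, meant to be
    kept where whoever can write the files cannot also rewrite it."""
    h = hashlib.sha256()
    for part in (module, repr(sorted(conf.items())).encode()):
        h.update(len(part).to_bytes(8, "big"))  # length prefix keeps parts distinct
        h.update(part)
    return h.hexdigest()

def scenarios() -> dict:
    module = b"\x7fELF constructed stand-in for fips.so"  # constructed sample
    conf = install(module)
    pinned = baseline(module, conf)          # recorded at install time
    changed = module[:-1] + b"X"             # any change to the module bytes
    regenerated = install(changed)           # conf rewritten to match it
    return {
        "untouched": load_check(module, conf) and baseline(module, conf) == pinned,
        # Only one of the two files changed: the stored MAC no longer matches.
        "module_changed": load_check(changed, conf),
        "conf_changed": load_check(module, {"module-mac": "00" * 32}),
        # Both changed consistently: the in-band MAC check passes ...
        "both_changed_mac_check": load_check(changed, regenerated),
        # ... and only the digest held outside the two files notices.
        "both_changed_baseline": baseline(changed, regenerated) == pinned,
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Guarding against deliberate change therefore rests on controls outside these two files, such as write permissions on the module and conf file or file-integrity monitoring against a pinned digest.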

