OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs
Dr Paul Dale
pauli at openssl.org
Thu Apr 20 01:39:37 UTC 2023
It looks like you're trying to access non-approved crypto. My
suggestion would be to create a new library context specifically for
this using OSSL_LIB_CTX_new(). Load only the default provider into that
context using OSSL_PROVIDER_load(). Do not call
EVP_default_properties_enable_fips() on it.
You should only use this new library context for non-FIPS operations.
If there is any doubt about what is permitted and what isn't, contact
your FIPS lab for clarification.
Paul Dale
On 20/4/23 01:35, Prasad, PCRaghavendra wrote:
>
> Hi Dr.Paul/Team,
>
> Good Morning,
>
> We have integrated OpenSSL 3.0.8 in our code along with fips
> enablement. We are using python 3.11 version.
>
> We have used the default search path as our application directory
> (OSSL_PROVIDER_set_default_search_path) and loaded the “base” and
> “fips” providers and not the default provider.
>
> OSSL_PROVIDER_load(None, b"base")
>
> OSSL_PROVIDER_load(None, b"fips")
>
> After that, we enabled the FIPS using
> libcrypto.EVP_default_properties_enable_fips() call.
>
> Should we load the default provider as well, or are base and fips good
> enough?
>
> Sometimes we are getting the below error message from Python
> cryptography package
>
> cryptography.exceptions.InternalError: Unknown OpenSSL error. This
> error is commonly encountered when another library is not cleaning up
> the OpenSSL error stack. If you are using cryptography with another
> library that uses OpenSSL try disabling it before reporting a bug.
> Otherwise please file an issue at
> https://github.com/pyca/cryptography/issues with information on how to
> reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6,
> reason=524556, reason_text=b'error:0308010C:digital envelope
> routines::unsupported')])
>
> This error is intermittent, is what we are observing, as we have already
> tested the complete application a couple of times.
>
> Any thoughts or inputs on this, please, will help us in debugging this
> issue further.
>
> Thanks,
>
> Raghavendra
>
> *From:* Dr Paul Dale <pauli at openssl.org>
> *Sent:* Wednesday, March 8, 2023 11:02 AM
> *To:* Prasad, PCRaghavendra; openssl-users at openssl.org
> *Cc:* Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath
> *Subject:* Re: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need
> help/inputs
>
> > Are there any specific .h files where we can refer to this method
> > that needs to be used (ex: evp.h)?
>
> #include "openssl/evp.h" should be enough to get the EVP APIs. You
> will need other includes for other parts of OpenSSL but that covers
> EVP well enough.
>
> > Still, are there any files that we can go through once before
> > calling in the fips mode?
>
> Turn on -Wdeprecated or equivalent in your compile and the low level
> calls will be flagged. They should all be deprecated.
>
> > One more doubt is: how can we set fips enabled for the complete
> > application (process/service) while running so that if we are
> > using non-compliant algorithms/methods it should throw errors? Is
> > it possible in OpenSSL 3.0.x?
>
> The call you are looking for is:
>
> EVP_set_default_properties(libctx, "fips=yes");
>
> I strongly suggest reading the documentation about the FIPS provider
> <https://www.openssl.org/docs/man3.0/man7/fips_module.html>
> and the migration guide
> <https://www.openssl.org/docs/man3.0/man7/migration_guide.html>.
> Both the avoidance of low level calls and setting the default
> properties are covered therein. There are a number of other nuances
> to trip over when using the FIPS provider.
>
>
> Paul Dale
>