OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

Dr Paul Dale pauli at openssl.org
Tue Mar 7 22:42:50 UTC 2023


You aren't using the EVP_MD APIs to access MD5, you are bypassing the 
EVP layer and calling the low level function directly.  In OpenSSL 3.0, 
when using FIPS, you must only use the EVP APIs.
Anything else is non-compliant.  This is a change from the 1.0.2 
compatible FOM.


Paul Dale


On 8/3/23 04:26, Prasad, PCRaghavendra via openssl-users wrote:
>
> Hi Team,
>
> Any help on this will be helpful
>
> How to set fips enabled for the complete application (process/service) 
> which is running.
>
> I have provided all the samples which I have used for testing the same 
> in the below mails
>
> Thanks,
>
> *From:* Prasad, PCRaghavendra
> *Sent:* Tuesday, March 7, 2023 10:33 AM
> *To:* openssl-users
> *Subject:* RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need 
> help/inputs
>
> Any help/inputs on this will be really helpful, please
>
> Thanks,
>
> *From:* Prasad, PCRaghavendra
> *Sent:* Tuesday, March 7, 2023 12:31 AM
> *To:* openssl-users
> *Cc:* Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath
> *Subject:* RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need 
> help/inputs
>
> Hi Team,
>
> Tried another approach by loading the required providers as mentioned 
> in the docs.
>
> The assumption was that the highlighted line in the code will fail 
> when the FIPS provider is enabled.
>
> At the beginning of the application fips provider are enabled and in 
> between code will take care of any non-approved algorithms (like MD5)
>
> And at the end unloading the providers. This is our understanding.
>
> Please let us know if any settings are missing here or if something 
> else needed to be added to the code/config file.
>
> *Openssl.cnf*
>
> *=========*
>
> .include c:\\usr\\local\\ssl\\fipsmodule.cnf
>
> [openssl_init]
>
> providers = provider_sect
>
> #alg_section = algorithm_sect
>
> # List of providers to load
>
> [provider_sect]
>
> default = default_sect
>
> # The fips section name should match the section name inside the
>
> # included fipsmodule.cnf.
>
> fips = fips_sect
>
> #base = base_sect
>
> # If no providers are activated explicitly, the default one is 
> activated implicitly.
>
> # See man 7 OSSL_PROVIDER-default for more details.
>
> #
>
> # If you add a section explicitly activating any other provider(s), 
> you most
>
> # probably need to explicitly activate the default provider, otherwise it
>
> # becomes unavailable in openssl.  As a consequence applications 
> depending on
>
> # OpenSSL may not work correctly which could lead to significant system
>
> # problems including inability to remotely access the system.
>
> [default_sect]
>
> activate = 0
>
> [base_sect]
>
> activate = 1
>
> [algorithm_sect]
>
> default_properties = fips=yes
>
> #include <Windows.h>
>
> #include <stdio.h>
>
> #include <openssl/provider.h>
>
> #include "openssl/md5.h"
>
> *C sample code *
>
> *===========*
>
> int main(void)
>
> {
>
> OSSL_PROVIDER* fips;
>
> OSSL_PROVIDER* base;
>
>     fips = OSSL_PROVIDER_load(NULL, "fips");
>
>     if (fips == NULL) {
>
> printf("Failed to load FIPS provider\n");
>
> exit(EXIT_FAILURE);
>
>     }
>
> printf("Success to load FIPS provider\n");
>
>     base = OSSL_PROVIDER_load(NULL, "base");
>
>     if (base == NULL) {
>
> OSSL_PROVIDER_unload(fips);
>
> printf("Failed to load base provider\n");
>
> exit(EXIT_FAILURE);
>
>     }
>
> printf("Success to load base provider\n");
>
>     /* Rest of application */
>
>     unsigned char* Temp = NULL;
>
> Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL);
>
>     printf(Temp);
>
> printf("\n");
>
> OSSL_PROVIDER_unload(base);
>
> OSSL_PROVIDER_unload(fips);
>
> exit(EXIT_SUCCESS);
>
> }
>
> *Output*
>
> *======*
>
> C:\Work\OpenSSL3.x\TEST>test_provider.exe
>
> Success to load FIPS provider
>
> Success to load base provider
>
> pá«í╤δ░Å9¥ê₧IδH*
>
> Internal Use - Confidential
>
> *From:* Prasad, PCRaghavendra
> *Sent:* Monday, March 6, 2023 8:37 PM
> *To:* openssl-users
> *Cc:* Ds, Pradeep Kumar; Kuppam, Pradeep
> *Subject:* OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs
>
> Hi Dr. Paul/Team,
>
> We are following the OpenSSL org docs to enable the fips 
> programmatically \.
>
> With our understanding and refereeing multiple docs, we came up with 
> the following code.
>
> Initially, we wanted to check the fips enablement from the _C code_ 
> then we wanted to check with Python as our application is completely 
> in Python.
>
> Query:
>
>                How can we enable fips programmatically for the entire 
> application, meaning just like _fips_mode_set(1)_ in previous OpenSSL 
> releases which will make the complete application run in the fips mode?
>
> In OpenSSL 3.0.x how can we make the application level ( process level 
> ) to be in FIPS compliance? In our example, we used the context for 
> FIPS and for default. How this FIPS context can be applied to the 
> entire application?
>
> Is there a way to do this? Can you please provide some input on this, 
> please let us know if we are doing something wrong here.
>
> Providing the complete information from our system which is done till 
> now to enable the fips programmatically.
>
> Steps:
>
>   * Installed/Built OpenSSL 3.0.8 version on windows by following the doc
>
> c:\usr\local\ssl\bin>openssl.exe version -v
>
> OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
>
>   * Openssl and fipsmodule cnf files are available at the installed
>     location.
>   * *Contents of OpenSSL.cnf*
>
> ====
>
> [openssl_init]
>
> providers = provider_sect
>
> *alg_section = algorithm_sect*
>
> # List of providers to load
>
> [provider_sect]
>
> default = default_sect
>
> # The fips section name should match the section name inside the
>
> # included fipsmodule.cnf.
>
> *fips = fips_sect*
>
> #base = base_sect
>
> # If no providers are activated explicitly, the default one is 
> activated implicitly.
>
> # See man 7 OSSL_PROVIDER-default for more details.
>
> #
>
> # If you add a section explicitly activating any other provider(s), 
> you most
>
> # probably need to explicitly activate the default provider, otherwise it
>
> # becomes unavailable in openssl. As a consequence applications 
> depending on
>
> # OpenSSL may not work correctly which could lead to significant system
>
> # problems including inability to remotely access the system.
>
> [default_sect]
>
> activate = 0
>
> [base_sect]
>
> activate = 1
>
> [algorithm_sect]
>
> *default_properties = fips=yes*
>
> ==========
>
>   * Contents of the fipsmodule cnf file
>
> [fips_sect]
>
> *activate = 1*
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac = 53:C8.xxx
>
>   * *C code to invoke programmatically*
>
> #include<Windows.h>
>
> #include<stdio.h>
>
> #include"openssl/types.h"
>
> #include"openssl/crypto.h"
>
> #include"openssl/md5.h"
>
> int main()
>
> {
>
>                printf("hello\n");
>
>                OSSL_LIB_CTX* fips_libctx, * nonfips_libctx;
>
>                printf("good\n");
>
>                OSSL_PROVIDER* defctxnull = NULL;
>
>                EVP_MD* fipssha256 = NULL, * nonfipssha256 = NULL, * 
> fipsmd5 = NULL, * fipssha1 = NULL;
>
>                int ret = 1;
>
>                /*
>
>                * Create two nondefault library contexts. One for fips 
> usage and
>
>                * one for non-fips usage
>
>                */
>
>                fips_libctx = OSSL_LIB_CTX_new();
>
>                nonfips_libctx = OSSL_LIB_CTX_new();
>
>                if (fips_libctx == NULL || nonfips_libctx == NULL)
>
> printf("null \n");
>
>                /* Prevent anything from using the default library 
> context */
>
>                defctxnull = OSSL_PROVIDER_load(NULL, "null");
>
>                /*
>
>                * Load config file for the FIPS library context. We 
> assume that
>
>                * this config file will automatically activate the FIPS 
> and base
>
>                * providers so we don't need to explicitly load them here.
>
>                */
>
>                if (!OSSL_LIB_CTX_load_config(fips_libctx, 
> "c:\\usr\\local\\ssl\\openssl.cnf"))
>
> printf("err OSSL_LIB_CTX_load_config\n ");
>
>                /*
>
>                * We don't need to do anything special to load the default
>
>                * provider into nonfips_libctx. This happens 
> automatically if no
>
>                * other providers are loaded.
>
>                * Because we don't call OSSL_LIB_CTX_load_config() 
> explicitly for
>
>                * nonfips_libctx it will just use the default config file.
>
>                */
>
>                /* As an example get some digests */
>
>                /* Get a FIPS validated digest */
>
>                fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);
>
>                if (fipssha256 == NULL)
>
> printf("err fipssha256 \n");
>
>                fipssha1 = EVP_MD_fetch(fips_libctx, "SHA1", NULL);
>
>                if (fipssha1 == NULL)
>
> printf("err fipssha1 \n");
>
> fipsmd5 = EVP_MD_fetch(fips_libctx, "MD5", NULL); -- *This is throwing 
> error w.r.t context which is expected*
>
> if (fipsmd5 == NULL)
>
> printf("err fipsmd5 \n");
>
>                /* Get a non-FIPS validated digest */
>
>                nonfipssha256 = EVP_MD_fetch(nonfips_libctx, 
> "SHA2-256", NULL);
>
>                if (nonfipssha256 == NULL)
>
> printf("err nonfipssha256 \n");
>
>                unsigned char* Temp = NULL;
>
> Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL); 
> -- *This is working fine*
>
>                printf(Temp);
>
>                printf("\n");
>
>                /* Use the digests */
>
>                printf("Success\n");
>
>                ret = 0;
>
> }
>
> Thanks in advance
>
> Thanks,
>
> Raghavendra
>
> Internal Use - Confidential
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230308/16d52825/attachment-0001.htm>


More information about the openssl-users mailing list