openssl-users Digest, Vol 108, Issue 25

meera pulse memopulse at gmail.com
Thu Nov 23 10:18:02 UTC 2023 

Hello Tom,

Thank you for your response. We want to perform fipsinstall using some API
(not on terminal), which I need to execute at runtime after my service has
started, on a demand basis, based on certain conditions. Hope it is clear.

Regards,
Memo

On Wed, Nov 22, 2023 at 1:28 AM <openssl-users-request at openssl.org> wrote:

> Send openssl-users mailing list submissions to
>         openssl-users at openssl.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://mta.openssl.org/mailman/listinfo/openssl-users
> or, via email, send a message with subject or body 'help' to
>         openssl-users-request at openssl.org
>
> You can reach the person managing the list at
>         openssl-users-owner at openssl.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssl-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Programmatic Execution of the "OpenSSL-fipsinstall"
>       Command (Ladd, Watson)
>    2. TLS connect failure with an engine (OpenSSL 3.0.8)
>       (Manish Patidar)
>    3. Re: Programmatic Execution of the "OpenSSL-fipsinstall"
>       Command (Thomas Dwyer III)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 21 Nov 2023 14:48:21 +0000
> From: "Ladd, Watson" <wladd at akamai.com>
> To: meera pulse <memopulse at gmail.com>, "openssl-users at openssl.org"
>         <openssl-users at openssl.org>
> Subject: Re: Programmatic Execution of the "OpenSSL-fipsinstall"
>         Command
> Message-ID: <749d27cda12a44209aa69c6fded607b5 at akamai.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Yes, we've done it via the moral equivalent of postinstall hooks in our
> packaging system. It works reasonably straightfowardly.
>
>
> ________________________________
> From: openssl-users <openssl-users-bounces at openssl.org> on behalf of
> meera pulse <memopulse at gmail.com>
> Sent: Tuesday, November 21, 2023 2:05 AM
> To: openssl-users at openssl.org
> Subject: Programmatic Execution of the "OpenSSL-fipsinstall" Command
>
> Hello,
>
> I am currently working on a project that involves the use of the
> "OpenSSL-fipsinstall" command, and I'm exploring the possibility of running
> it programmatically. I would appreciate some guidance on the steps involved
> and whether this approach is feasible.
>
> Has anyone successfully executed the "OpenSSL-fipsinstall" command
> programmatically?
> What steps need to be taken to achieve programmatic execution of
> "OpenSSL-fipsinstall"?
> Are there any potential challenges or considerations that I should be
> aware of?
> I'm eager to hear from anyone with experience or insights into this
> matter. Your assistance will be invaluable in helping me navigate through
> this aspect of my project.
>
> Thank you in advance for your time and expertise!
>
>
> Thanks,
> Memo
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://mta.openssl.org/pipermail/openssl-users/attachments/20231121/ec32da30/attachment-0001.htm
> >
>
> ------------------------------
>
> Message: 2
> Date: Tue, 21 Nov 2023 23:47:38 +0530
> From: Manish Patidar <mann.patidar at gmail.com>
> To: openssl-users at openssl.org
> Subject: TLS connect failure with an engine (OpenSSL 3.0.8)
> Message-ID:
>         <CAN6ajHJ8dnj12Gdc8pKTECh=
> g3dkgUw3jn+EXSoPgVNN5ApgJA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> I am using OpenSSL 3.0.8 with an engine .
> We are using an engine for AES GCM encryption/decryption.
> While TLS connection, connection is failing during change cipher state.
>
> int tls1_change_cipher_state(SSL *s, int which) {
>    if (EVP_CIPHER_get0_provider(c) != NULL
>             && !*tls_provider_set_tls_params*(s, *dd*, c, m)) {
>         /* SSLfatal already called */
>         goto err;
>     }
> }
> int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX **ctx*,
>                                 const EVP_CIPHER *ciph,
>                                 const EVP_MD *md) {
>     if (!*EVP_CIPHER_CTX_set_params*(*ctx*, params)) {
>         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
>         return 0;
>     }
> }
>
> int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX **ctx*, const OSSL_PARAM
> params[])
> {
>     if (ctx->cipher != NULL && ctx->*cipher*->*set_ctx_params* != NULL) {
>         ctx->iv_len = -1;
>         return ctx->cipher->set_ctx_params(ctx->algctx, params);
>     }
>     *return 0;*
> }
> I think there is some issue here, as ctx->cipher is created from the
> engine, *set_ctx_param* is not set in the ctx->cipher.
> This check is leading to a drop in the connection.
>
> If we bypass this check , the TLS connection is passing.
> Is there something missing here, please let me know how to avoid this
> issue.
>
> Regards
> Manish
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://mta.openssl.org/pipermail/openssl-users/attachments/20231121/6f752570/attachment-0001.htm
> >
>
> ------------------------------
>
> Message: 3
> Date: Tue, 21 Nov 2023 11:56:43 -0800
> From: Thomas Dwyer III <thomas.dwyer at oracle.com>
> To: openssl-users at openssl.org
> Subject: Re: Programmatic Execution of the "OpenSSL-fipsinstall"
>         Command
> Message-ID: <36fc5eb9-728a-45a9-a0cb-749700aea3ad at oracle.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> When you say programmatically, do you mean executing literally the
> "openssl fipsinstall" command with suitable arguments, or do you mean
> running an equivalent replacement program? We do the latter, in a
> slightly different way than the OpenSSL documentation provides. We
> cross-compile OpenSSL on x86_64 for an embedded 32-bit ARM platform so
> it's not possible for us to execute fipsinstall as part of our build
> process (and non-compliant anyway since coping fipsmodule.cnf to other
> systems is not allowed). Also, flash space constraints prohibit us from
> including the large openssl binary in our images. And then there's the
> chicken-egg situation with shipping a static configuration file that
> ".include"s a nonexistent fipsmodule.cnf.
>
> Our solution was to ship a static configuration file that contains:
>
>  ??? [fips_sect]
>  ??? .include /path/to/fipsmodule.cnf
>
> where fipsmodule.cnf (initially empty) resides in a smaller writable
> location of flash separate from where most other things live. On first
> boot we detect that fipsmodule.cnf is empty and we run a very small
> standalone fipsinstall replacement that loads the FIPS provider, runs
> the self-tests, and generates the same contents as "openssl fipsinstall"
> but without the [fips_sect] header. This solves the problem of using
> libcrypto with a syntactically incorrect configuration (i.e. where
> [provider_sect] in the static openssl.cnf references [fips_sect] which
> doesn't exist yet). Finally, we let the administrator toggle FIPS on/off
> by storing a persistent flag that gets read by a constructor that we
> added to libcrypto:
>
>  ??? void __attribute__ ((constructor)) fipsmode(void)
>  ??? {
>  ??????? int mode = {fetch value of persistent flag}
>  ??????? EVP_default_properties_enable_fips(NULL, mode);
>  ??? }
>
> Note that a forced reboot is required when toggling this flag since the
> change won't apply to any instances of libcrypto already loaded by
> running processes.
>
> We can get away with this because we don't use OpenSSL's FIPS
> certificate--we send our implementation through CMVP and get our own
> certificate. That's probably cost-prohibitive for smaller organizations.
>
>
> Tom.III
>
>
> On 11/21/23 02:05, meera pulse wrote:
> >
> > Hello,
> >
> > I am currently working on a project that involves the use of the
> > "OpenSSL-fipsinstall" command, and I'm exploring the possibility of
> > running it programmatically. I would appreciate some guidance on the
> > steps involved and whether this approach is feasible.
> >
> > Has anyone successfully executed the "OpenSSL-fipsinstall" command
> > programmatically?
> >
> > What steps need to be taken to achieve programmatic execution of
> > "OpenSSL-fipsinstall"?
> >
> > Are there any potential challenges or considerations that I should be
> > aware of?
> >
> > I'm eager to hear from anyone with experience or insights into this
> > matter. Your assistance will be invaluable in helping me navigate
> > through this aspect of my project.
> >
> > Thank you in advance for your time and expertise!
> >
> > Thanks,
> >
> > Memo
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://mta.openssl.org/pipermail/openssl-users/attachments/20231121/fa8bc3ec/attachment.htm
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
> ------------------------------
>
> End of openssl-users Digest, Vol 108, Issue 25
> **********************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231123/c8b3dfd1/attachment-0001.htm>

More information about the openssl-users mailing list