[openssl-users] Enable the FIPS mode in the library level

[Alan Dean]

Hi All:

I am working on a project to integrate the OpenSSL FIPS capable library
into our product platform. (We will be doing our own FIPS 140-2 level 1
certification)

There are a large number of third party applications/ library (e.g. wget,
libcurl, postfix, etc) run on our platform which use OpenSSL library, and
based on the OpenSSL FIPS Library User Guide, it seems like the only way to
make all these third party applications capable of running on FIPS mode
will require modifying all these software to inject the FIPS_mode_set() API
into the appropriate spots, so that FIPS mode can be explicitly enabled.
This solution, however, may not be scalable since we would need to modify
tens (if not hundreds) of different open source applications/ libraries in
order to make them FIPS capable.

Another potential option I am investigating is, instead of having to invoke
the FIPS_mode_set API from each application, maybe (or maybe not)  it's
feasible to make the FIPS_mode_set API to be invoked in an entry point of
the OpenSSL library so that the library itself will always be operating on
FIPS mode, and in that case we won't need to inject the FIPS_mode_set API
into all these third party software in order to make them FIPS capable. Of
course there will be something like OpenSSH which will still require a lot
of changes in order to make it able to run on FIPS mode without issue, but
I will assume most of the other third party software will probably require
no changes if we can enable the FIPS mode in the library level?

Question 1: Is it even feasible to make the FIPS mode always enabled for
the whole OpenSSL library (i.e. for both libcrypto and libssl), so that
most the applications which dynamically linked to libcrypto and libssl will
be automatically use OpenSSL FIPS mode without the need of changes to add
the FIPS_mode_set invocation (with some exception such as OpenSSH which may
still need some fixes). (Assuming from certification's perspective we are
ok if we may these changes)


Question 2: If the above idea is feasible, where in the OpenSSL library
will be the best entry to invoke FIPS_mode_set API, so that we can make the
whole OpenSSL library always in FIPS mode? Any potebtial issues for this
solution?


Any suggestions will be greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180305/c267d8f7/attachment.html>