[openssl-users] Enable the FIPS mode in the library level
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Mon Mar 5 10:57:40 UTC 2018
On 05.03.2018 10:46, Alan Dean wrote:
> Question 1: Is it even feasible to make the FIPS mode always enabled
> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so
> that most of the applications which are dynamically linked to libcrypto and
> libssl will automatically use OpenSSL FIPS mode without the need for
> changes to add the FIPS_mode_set invocation (with some exceptions such
> as OpenSSH, which may still need some fixes)? (Assuming from
> certification's perspective we are OK if we make these changes.)
>
> Question 2: If the above idea is feasible, where in the OpenSSL
> library will be the best entry to invoke the FIPS_mode_set API, so that we
> can make the whole OpenSSL library always in FIPS mode? Any potential
> issues for this solution?
>
> Any suggestions will be greatly appreciated.

The optimal location for inserting the FIPS_mode_set(1) call is probably
OPENSSL_init() (openssl-1.0.2/crypto/o_fips.c), see code snippet below.

    static int done = 0;
    done = 1;
    # ifndef OPENSSL_NO_DEPRECATED
    FIPS_mode_set(1);    /* <<< ENABLE FIPS MODE HERE <<< */
    fprintf(stderr, "Called OPENSSL_init\n");

However, I am sceptical whether this approach will be accepted, because
there are (at least) two potential problems:

* Normally, it is mandatory to check the result of FIPS_mode_set() or
  FIPS_mode() to ensure that the FIPS initialization succeeded. However,
  an application which is not FIPS-aware won't check the result.
* It can happen that applications which have their own configuration and
  enable/disable FIPS mode explicitly call FIPS_mode_set(0) afterwards.
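
The check described in the two points above, as an added example (not part of the original message and not OpenSSL code): a FIPS-aware application tests the result of enabling FIPS mode and re-checks the mode before sensitive work. The names fips_api, fips_require, fips_recheck and the sim_* stand-in are hypothetical; a FIPS-capable OpenSSL 1.0.2 build would supply FIPS_mode_set and FIPS_mode in place of the stand-in.

```c
#include <stdio.h>

/* Same signatures as OpenSSL 1.0.2's FIPS_mode_set(int) and FIPS_mode(void). */
struct fips_api {
    int (*mode_set)(int onoff);
    int (*mode)(void);
};

enum fips_status { FIPS_OK, FIPS_ENABLE_FAILED, FIPS_NOT_ACTIVE };

/* Startup: enable FIPS mode, test the result, then confirm it took effect. */
enum fips_status fips_require(const struct fips_api *api)
{
    if (api->mode_set(1) != 1)
        return FIPS_ENABLE_FAILED;
    return api->mode() ? FIPS_OK : FIPS_NOT_ACTIVE;
}

/* Before sensitive work: detect a later FIPS_mode_set(0) by other code. */
enum fips_status fips_recheck(const struct fips_api *api)
{
    return api->mode() ? FIPS_OK : FIPS_NOT_ACTIVE;
}

/* Constructed stand-in for the library (hypothetical, for the demo only). */
static int sim_mode_value = 0;
static int sim_selftest_ok = 1;

static int sim_mode_set(int onoff)
{
    if (onoff && !sim_selftest_ok) {
        sim_mode_value = 0;
        return 0;               /* enabling failed, mode stays off */
    }
    sim_mode_value = onoff ? 1 : 0;
    return 1;
}

static int sim_mode(void) { return sim_mode_value; }

static const struct fips_api sim_api = { sim_mode_set, sim_mode };

int main(void)
{
    printf("startup: %d\n", fips_require(&sim_api));
    sim_mode_set(0);            /* application code switches FIPS off later */
    printf("recheck: %d\n", fips_recheck(&sim_api));
    return 0;
}
```

A call made inside OPENSSL_init() has no caller that could act on FIPS_ENABLE_FAILED, and nothing runs fips_recheck() after an application's own FIPS_mode_set(0).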