[openssl-users] Enable the FIPS mode in the library level

Michael Richardson mcr at sandelman.ca
Mon Mar 5 18:10:49 UTC 2018

Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com> wrote:
    > On 05.03.2018 10:46, Alan Dean wrote:
    >> Question 1: Is it even feasible to make the FIPS mode always enabled
    >> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so

    > The optimal location for inserting the FIPS_mode_set(1) call is probably
    > OPENSSL_init()  (openssl-1.0.2/crypto/o_fips.c), see code snippet below.

    > void OPENSSL_init(void)

    > However, I am sceptical whether this approach will be accepted, because
    > there are (at least) two potential problems:

    > * Normally, it is mandatory to check the result of FIPS_mode_set() or
    > FIPS_mode() to ensure that the FIPS initialization succeeded. However,
    > an application which is not FIPS-aware won't check the result.

I think that Mr. Dean should check FIPS_mode_set() in OPENSSL_Init(), and
should probably do something like core dump if it fails to turn on properly.
Perhaps his system has a better way to get attention.

    > * It can happen that applications which have their own configuration and
    > enable/disable FIPS mode explicitely, call FIPS_mode_set(0) afterwards.

That should probably also cause a core dump.

Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com> wrote:
    > One more obstacle: In FIPS mode it is not allowed to use low level
    > crypto algorithms, only the EVP interface is allowed. So most of your
    > non-fips-aware applications will malfunction when forced into FIPS mode.
    > The consequence is: it's probably not possible to do it.

That should also cause a core dump.

At the end, Mr. Dean will have a much reduced list of applications that he
needs to either fix (sending patches upstream), or replace.
And the core dumps will point directly into the application code that made
the calls.

Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180305/9d61dcd2/attachment.sig>

More information about the openssl-users mailing list