OpenSSL 3.0 FIPS questions
Dr Paul Dale
pauli at openssl.org
Sun Oct 24 00:06:36 UTC 2021
There are several approaches you could take. With two library contexts:
fips_libctx = OSSL_LIB_CTX_new();
non_fips_libctx = OSSL_LIB_CTX_new();
fipsp = OSSL_PROVIDER_load(fips_libctx, "fips");
basep = OSSL_PROVIDER_load(fips_libctx,"base"); /* can't load keys
without this */
defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
nullp = OSSL_PROVIDER_load(NULL, "null"); /* Disallow falling
back to the default library context */
Then use either fips_libctx or non_fips_libctx for operations.
Alternatively, it can be done in one library context (the default here),
although there is some risk of using non-FIPS crypto in a FIPS context:
fipsp = OSSL_PROVIDER_load(NULL, "fips");
defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
For FIPS, make sure that "fips=yes" is included as a property query.
The easiest way is to do this globally:
EVP_set_default_properties(NULL, “fips=yes”);
For non-FIPS, just don't do anything.
Personally, I'd do the former two library contexts based approach and
not worry about the properties.
Pauli
On 24/10/21 2:58 am, Jason Schultz wrote:
>
> Quick aside: I know the 3.0 FIPS module is not "approved" yet, I'm
> just trying to get my application updates done in advance.
>
>
> I’m porting an application from OpenSSL 1.1.1, which was originally
> written for OpenSSL 1.0.2, to OpenSSL 3.0. Going to 3.0, I need to
> incorporate FIPS usage. My Linux application basically is told if its
> user wants to use FIPS or not. We don’t use the cryptographic APIs
> (EVP_*), we just need to create an SSL_CTX, and SSL objects created
> with SSL_new() based on this SSL_CTX, which will then call SSL_read(),
> SSL_write(), etc. The application won’t “fetch” any algorithms. So my
> focus can been on Section 7.7 of the Wiki:
>
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Using_the_FIPS_module_in_SSL.2FTLS
>
> Based on if FIPS is on or off, I will use the replacement for
> SSL_CTX_new() and call SSL_CTX_new_ex() either something like this:
>
> ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
>
> or this:
>
> ctx = SSL_CTX_new_ex(fips_libctx, NULL, TLS_method());
>
> Depending on if the users does not want FIPS, or wants FIPS,
> respectively.
>
> Based on that and what Section 7.7 tells me, I know I need:
>
> 1. A non-default library context with the FIPS provider loaded
> (called fips_libctx), and
> 2. A non-default library context with the default provider loaded
> (called non_fips_libctx)
>
> I know that I don’t want all applications using OpenSSL to use the
> FIPS module by default, so I’m just trying to configure mine
> correctly, using the APIs (and possibly config files). I also
> obviously don’t want to make my application use the FIPS module only.
>
> Given all of the above I’m confused on how to set up #1 and #2. It
> seems like I need to use a combination of configuration files and
> programmatically calling APIs in my application. In the Wiki and the
> fips_module man page there is a section called “Programmatically
> loading the FIPS module (nondefault library context)”. I’m pretty sure
> this is what I want. The code example says it “assumes the existence
> of a config file called openssl-fips.cnf that automatically loads and
> configures the FIPS and base providers.”
>
> The .cnf files that I have after the (FIPS) install of OpenSSL 3.0 are
> in /usr/local/ssl/: openssl.cnf and fipsmodule.cnf.
>
> I guess the first thing is I’m confused on if the “openssl-fips.cnf”
> file referred to in the example is in addition to the two files above,
> or a replacement for one of them, and also what the contents of it
> need to be.
>
> I had already made changes to the openssl.cnf file for FIPS (described
> in earlier sections of the Wiki):
>
> # For FIPS
>
> # Optionally include a file that is generated by the OpenSSL fipsinstall
>
> # application. This file contains configuration data required by the
> OpenSSL
>
> # fips provider. It contains a named section e.g. [fips_sect] which is
>
> # referenced from the [provider_sect] below.
>
> # Refer to the OpenSSL security policy for more information.
>
> .include */usr/local/ssl/fipsmodule.cnf****ß***uncommented
>
> [openssl_init]
>
> providers = provider_sect
>
> # List of providers to load
>
> [provider_sect]
>
> default = default_sect
>
> # The fips section name should match the section name inside the
>
> # included fipsmodule.cnf.
>
> fips = fips_sectßuncommented
>
> # If no providers are activated explicitly, the default one is
> activated implicitly.
>
> # See man 7 OSSL_PROVIDER-default for more details.
>
> #
>
> # If you add a section explicitly activating any other provider(s),
> you most
>
> # probably need to explicitly activate the default provider, otherwise it
>
> # becomes unavailable in openssl.As a consequence applications
> depending on
>
> # OpenSSL may not work correctly which could lead to significant system
>
> # problems including inability to remotely access the system.
>
> [default_sect]
>
> activate = 1ßuncommented
>
> I did this to make sure the FIPS provider was available and make sure
> the default provider was activated.
>
> I also changed the fipsmodule.cnf file to comment out the activate = 1
> line:
>
> [fips_sect]
>
> # activate = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac =
> E4:0D:C8:C3:1E:DB:2B:30:E6:F2:49:7B:F5:BD:10:5C:9A:2B:CC:C1:33:49:31:B5:C5:AF:50:AB:82:1E:AE:C9
>
> That was from the “Programmatically loading the FIPS module (default
> library context)” section, so I’m wondering if this was a mistake.
>
> But currently, with the configs files as described above, my
> application is loading both providers:
>
> fipsp = OSSL_PROVIDER_load(NULL, "fips");
>
> if (fipsp == NULL)
>
> {
>
> /* error handling */
>
> }
>
> defp = OSSL_PROVIDER_load(NULL, "default");
>
> if (defp == NULL)
>
> {
>
> /* error handling */
>
> }
>
> And then creating two library contexts:
>
> fips_libctx = OSSL_LIB_CTX_new();
>
> non_fips_libctx = OSSL_LIB_CTX_new();
>
> Which are later used to create SSL_CTX’s as needed:
>
> if (user does not want fips)
>
> {
>
> ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
>
> }
>
> else (user wants fips)
>
> {
>
> ctx = SSL_CTX_new_ex(fips_libctx, NULL, TLS_method());
>
> }
>
> But I think the 2^nd to last step is probably creating two library
> contexts, both using fips because of my changes to the default
> configuration file. (more on my changes to the default file later)
> Looking at section 7.5 of the Wiki, I’m thinking I need to create a
> file called openssl-fips.cnf with the contents something like(or maybe
> a minimum of):
>
> [fips_sect]
>
> activate = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac =
> E4:0D:C8:C3:1E:DB:2B:30:E6:F2:49:7B:F5:BD:10:5C:9A:2B:CC:C1:33:49:31:B5:C5:AF:50:AB:82:1E:AE:C9
>
> [base_sect]
>
> activate = 1
>
> Then before creating SSL_CTX’s and after the OSSL_LIB_CTX() calls, I
> need to call:
>
> OSSL_LIB_CTX_load_config(fips_libctx, “openssl-fips.cnf”);
>
> Which will get the FIPS and base providers in the fips_libctx. The
> non_fips_libctx will use the default config file and have the default
> provider, which is what I want.
>
> Also, it seems like I need to call:
>
> defctxnull = OSSL_PROVIDER_load(NULL, “null”);
>
> Which is to “prevent anything from using the default library context”?
>
> Also, I probably need to revert my changes to the default config file
> to not activate additional providers, which means only the default one
> will be activate implicitly. Then the non_fips_libctx =
> OSSL_LIB_CTX_new(); line will set up the default provider in
> non_fips_libctx.
>
> I’m hoping someone can point me in the right direction, because the
> other problem is that I’m not sure how to validate what I’ve done is
> correct. As in, how do I know fips_libctx is actually “FIPS”
> compliant, and/or the SSL_CTX’s I create are “FIPS”. I realize there
> are probably several ways to do this, but I’m looking to isolate my
> application only this way, and not affect any other applications on
> the system.
>
> Thanks in advance.
>
>
> Jason
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211024/06b91fc6/attachment-0001.html>
More information about the openssl-users
mailing list