OpenSSL 3.0 FIPS questions

Jason Schultz jetson23 at hotmail.com
Thu Oct 28 13:49:15 UTC 2021


Thanks Matt. I actually had this working (loading the fips_libctx using the *load_config() API) but I was hitting other issues and thought I was doing something wrong (more on that later).

So to review, I have my own config file, /usr/local/ssl/openssl-fips, with the relevant contents(some comments snipped):

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect
base = base_sect

[default_sect]
# activate = 1

[base_sect]
activate = 1

And then fipsmodule.cnf contains:

[fips_sect]
activate = 1
conditional-errors = 1
security-checks = 1
module-mac = E4:0D:C8:C3:1E:DB:2B:30:E6:F2:49:7B:F5:BD:10:5C:9A:2B:CC:C1:33:49:31:B5:C5:AF:50:AB:82:1E:AE:C9

By activating the fips and base providers via config, my application then calls:

OSSL_LIB_CTX_load_config(fips_libctx, "/usr/local/ssl/openssl-fips.cnf");

Which loads the "fips" and "base" providers in the fips_libctx, which I verify with:

OSSL_PROVIDER_available(fips_libctx, "fips");
and
OSSL_PROVIDER_available(fips_libctx, "base")

...and both are available.

However, remember I am trying to create two non-default library contexts (from earlier code):

    fips_libctx = OSSL_LIB_CTX_new();
    non_fips_libctx = OSSL_LIB_CTX_new();

Again, I think I have what I need for the fibs_libctx. For the non_fips_libctx, I'm calling:

defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
nullp = OSSL_PROVIDER_load(NULL, "null");

A call to OSSL_PROVIDER_available() says the "default" provider is available;  however, I'm wondering if I should be loading the default provider via *load_config() as well? I would have to uncomment the "activate = 1" in the default section of my config though.

I also still have this in my code:

    /* Disallow falling back to the default library context */

    nullp = OSSL_PROVIDER_load(NULL, "null");

But not sure it's having any affect?

I do know that later in my application, both in "FIPS" or "non-FIPS" mode, I can  create an SSL_CTX with SSL_CTX_new_ex(). I also successfully call several APIs using both the fips_libctx or the non_fips_libctx, for example:


status = SSL_CTX_use_PrivateKey_file(ctx,<file>,SSL_FILETYPE_PEM);

status = SSL_CTX_use_certificate_file(ctx,<file>,SSL_FILETYPE_PEM);

status = SSL_CTX_check_private_key(ctx);

All return successfully. So I think what I have between configuration files and API calls accomplishes what I need to. Would anyone reading this agree?

I'm running into another issue that I need to troubleshoot a bit more before I add too much information and too many questions to a single message.

Thanks to everyone for their help with this, things are starting to make more sense now.



________________________________
From: Matt Caswell <matt at openssl.org>
Sent: Thursday, October 28, 2021 7:39 AM
To: Jason Schultz <jetson23 at hotmail.com>; Dr Paul Dale <pauli at openssl.org>; openssl-users at openssl.org <openssl-users at openssl.org>
Subject: Re: OpenSSL 3.0 FIPS questions



On 27/10/2021 17:28, Jason Schultz wrote:
> With these config files and the code above, the
> OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the
> messages from the ERR_print_errors_fp() call:
>
> 2097C692B57F0000:error:1C8000D5:Provider routines:(unknown
> function):missing config data:providers/fips/self_test.c:289:
> 2097C692B57F0000:error:1C8000E0:Provider routines:(unknown
> function):fips module entering error state:providers/fips/self_test.c:387:
> 2097C692B57F0000:error:1C8000D8:Provider routines:(unknown
> function):self test post failure:providers/fips/fipsprov.c:706:
> 2097C692B57F0000:error:078C0105:common libcrypto routines:(unknown
> function):init fail:crypto/provider_core.c:903:name=fips


This tells us that the fips provider has successfully loaded, but then
subsequently failed during its self-test because it cannot find its
config data.

I can see that you have created a separate libctx for fips. However
automatic loading of the config file only works for the *default*
libctx. If you create your own one then you need to explicitly load the
config file:

if (!OSSL_LIB_CTX_load_config(fips_libtx, "/usr/local/ssl/openssl.cnf")) {
     /* error handling */
}

Actually if you do this then you should not need to call
OSSL_PROVIDER_load() explicitly to load the fips provider since you
already activated it in the config file. You can either drop the
explicit call to OSSL_PROVIDER_load() for the fips provider, or remove
the "activate = 1" line in "fips_sect" in fipsmodule.cnf. This is just a
minor optimisation though. Doing both is redundant but harmless. You
could also load the base provider via config if you wanted to.

Matt


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211028/b4eb473c/attachment-0001.html>


More information about the openssl-users mailing list