<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
There are several approaches you could take. With two library
contexts:<br>
<br>
<blockquote><font face="monospace">fips_libctx = OSSL_LIB_CTX_new();</font><br>
<font face="monospace">non_fips_libctx = OSSL_LIB_CTX_new();</font><br>
<br>
<font face="monospace">fipsp = OSSL_PROVIDER_load(fips_libctx, "fips");</font><br>
<font face="monospace">basep = OSSL_PROVIDER_load(fips_libctx, "base"); /* can't load keys without this */</font><br>
<font face="monospace">defp = OSSL_PROVIDER_load(non_fips_libctx, "default");</font><br>
<font face="monospace">nullp = OSSL_PROVIDER_load(NULL, "null"); /* Disallow falling back to the default library context */</font><br>
</blockquote>
<br>
Then use either <font face="monospace">fips_libctx</font> or <font
face="monospace">non_fips_libctx</font> for operations.<br>
<br>
<br>
Alternatively, it can be done in one library context (the default
here), although there is some risk of using non-FIPS crypto in a
FIPS context:<br>
<br>
<blockquote><font face="monospace">fipsp = OSSL_PROVIDER_load(NULL, "fips");</font><br>
<font face="monospace">defp = OSSL_PROVIDER_load(NULL, "default"); /* both providers in the default library context */</font><br>
</blockquote>
<br>
For FIPS, make sure that <font face="monospace">"fips=yes"</font>
is included as a property query. The easiest way is to do this
globally:<br>
<br>
<blockquote><font face="monospace">EVP_set_default_properties(NULL, "fips=yes");</font><br>
</blockquote>
<div class="moz-cite-prefix">For non-FIPS, just don't do anything.<br>
<br>
<br>
Personally, I'd do the former two library contexts based approach
and not worry about the properties.<br>
<br>
<br>
Pauli<br>
<br>
On 24/10/21 2:58 am, Jason Schultz wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SN6PR10MB26538ECFB2DB277B7D9724E5C7819@SN6PR10MB2653.namprd10.prod.outlook.com">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p>Quick aside: I know the 3.0 FIPS module is not "approved" yet, I'm just trying to get my application updates done in advance.</p>
<p>I’m porting an application from OpenSSL 1.1.1, which was originally written for OpenSSL 1.0.2, to OpenSSL 3.0. Going to 3.0, I need to incorporate FIPS usage. My Linux application basically is told if its user wants to use FIPS or not. We don’t use the cryptographic APIs (EVP_*), we just need to create an SSL_CTX, and SSL objects created with SSL_new() based on this SSL_CTX, which will then call SSL_read(), SSL_write(), etc. The application won’t “fetch” any algorithms. So my focus has been on Section 7.7 of the Wiki:</p>
<p><a href="https://wiki.openssl.org/index.php/OpenSSL_3.0#Using_the_FIPS_module_in_SSL.2FTLS" moz-do-not-send="true" class="moz-txt-link-freetext">https://wiki.openssl.org/index.php/OpenSSL_3.0#Using_the_FIPS_module_in_SSL.2FTLS</a></p>
<p>Based on whether FIPS is on or off, I will use the replacement for SSL_CTX_new() and call SSL_CTX_new_ex() either something like this:</p>
<blockquote><font face="monospace">ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());</font></blockquote>
<p>or this:</p>
<blockquote><font face="monospace">ctx = SSL_CTX_new_ex(fips_libctx, NULL, TLS_method());</font></blockquote>
<p>Depending on whether the user does not want FIPS, or wants FIPS, respectively.</p>
<p>Based on that and what Section 7.7 tells me, I know I need:</p>
<ol>
<li>A non-default library context with the FIPS provider loaded (called fips_libctx), and</li>
<li>A non-default library context with the default provider loaded (called non_fips_libctx)</li>
</ol>
<p>I know that I don’t want all applications using OpenSSL to use the FIPS module by default, so I’m just trying to configure mine correctly, using the APIs (and possibly config files). I also obviously don’t want to make my application use the FIPS module only.</p>
<p>Given all of the above I’m confused on how to set up #1 and #2. It seems like I need to use a combination of configuration files and programmatically calling APIs in my application. In the Wiki and the fips_module man page there is a section called “Programmatically loading the FIPS module (nondefault library context)”. I’m pretty sure this is what I want. The code example says it “assumes the existence of a config file called openssl-fips.cnf that automatically loads and configures the FIPS and base providers.”</p>
<p>The .cnf files that I have after the (FIPS) install of OpenSSL 3.0 are in /usr/local/ssl/: openssl.cnf and fipsmodule.cnf.</p>
<p>I guess the first thing is I’m confused on whether the “openssl-fips.cnf” file referred to in the example is in addition to the two files above, or a replacement for one of them, and also what the contents of it need to be.</p>
<p>I had already made changes to the openssl.cnf file for FIPS (described in earlier sections of the Wiki):</p>
<blockquote><font face="monospace"># For FIPS<br>
# Optionally include a file that is generated by the OpenSSL fipsinstall<br>
# application. This file contains configuration data required by the OpenSSL<br>
# fips provider. It contains a named section e.g. [fips_sect] which is<br>
# referenced from the [provider_sect] below.<br>
# Refer to the OpenSSL security policy for more information.<br>
<b>.include /usr/local/ssl/fipsmodule.cnf</b> ← uncommented<br>
<br>
[openssl_init]<br>
providers = provider_sect<br>
<br>
# List of providers to load<br>
[provider_sect]<br>
default = default_sect<br>
# The fips section name should match the section name inside the<br>
# included fipsmodule.cnf.<br>
<b>fips = fips_sect</b> ← uncommented<br>
<br>
# If no providers are activated explicitly, the default one is activated implicitly.<br>
# See man 7 OSSL_PROVIDER-default for more details.<br>
#<br>
# If you add a section explicitly activating any other provider(s), you most<br>
# probably need to explicitly activate the default provider, otherwise it<br>
# becomes unavailable in openssl. As a consequence applications depending on<br>
# OpenSSL may not work correctly which could lead to significant system<br>
# problems including inability to remotely access the system.<br>
[default_sect]<br>
<b>activate = 1</b> ← uncommented<br>
</font></blockquote>
<p>I did this to make sure the FIPS provider was available and make sure the default provider was activated.</p>
<p>I also changed the fipsmodule.cnf file to comment out the activate = 1 line:</p>
<blockquote><font face="monospace">[fips_sect]<br>
<b># activate = 1</b><br>
conditional-errors = 1<br>
security-checks = 1<br>
module-mac = E4:0D:C8:C3:1E:DB:2B:30:E6:F2:49:7B:F5:BD:10:5C:9A:2B:CC:C1:33:49:31:B5:C5:AF:50:AB:82:1E:AE:C9<br>
</font></blockquote>
<p>That was from the “Programmatically loading the FIPS module (default library context)” section, so I’m wondering if this was a mistake.</p>
<p>But currently, with the config files as described above, my application is loading both providers:</p>
<blockquote><font face="monospace">fipsp = OSSL_PROVIDER_load(NULL, "fips");<br>
if (fipsp == NULL)<br>
{<br>
&nbsp;&nbsp;&nbsp;&nbsp;/* error handling */<br>
}<br>
<br>
defp = OSSL_PROVIDER_load(NULL, "default");<br>
if (defp == NULL)<br>
{<br>
&nbsp;&nbsp;&nbsp;&nbsp;/* error handling */<br>
}<br>
</font></blockquote>
<p>And then creating two library contexts:</p>
<blockquote><font face="monospace">fips_libctx = OSSL_LIB_CTX_new();<br>
non_fips_libctx = OSSL_LIB_CTX_new();<br>
</font></blockquote>
<p>Which are later used to create SSL_CTX’s as needed:</p>
<blockquote><font face="monospace">if (user does not want fips)<br>
{<br>
&nbsp;&nbsp;&nbsp;&nbsp;ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());<br>
}<br>
else (user wants fips)<br>
{<br>
&nbsp;&nbsp;&nbsp;&nbsp;ctx = SSL_CTX_new_ex(fips_libctx, NULL, TLS_method());<br>
}<br>
</font></blockquote>
<p>But I think the 2<sup>nd</sup> to last step is probably creating two library contexts, both using fips because of my changes to the default configuration file (more on my changes to the default file later). Looking at section 7.5 of the Wiki, I’m thinking I need to create a file called openssl-fips.cnf with the contents something like (or maybe a minimum of):</p>
<blockquote><font face="monospace">[fips_sect]<br>
activate = 1<br>
conditional-errors = 1<br>
security-checks = 1<br>
module-mac = E4:0D:C8:C3:1E:DB:2B:30:E6:F2:49:7B:F5:BD:10:5C:9A:2B:CC:C1:33:49:31:B5:C5:AF:50:AB:82:1E:AE:C9<br>
[base_sect]<br>
activate = 1<br>
</font></blockquote>
<p>Then before creating SSL_CTX’s and after the OSSL_LIB_CTX() calls, I need to call:</p>
<blockquote><font face="monospace">OSSL_LIB_CTX_load_config(fips_libctx, "openssl-fips.cnf");</font></blockquote>
<p>Which will get the FIPS and base providers in the fips_libctx. The non_fips_libctx will use the default config file and have the default provider, which is what I want.</p>
<p>Also, it seems like I need to call:</p>
<blockquote><font face="monospace">defctxnull = OSSL_PROVIDER_load(NULL, "null");</font></blockquote>
<p>Which is to “prevent anything from using the default library context”?</p>
<p>Also, I probably need to revert my changes to the default config file to not activate additional providers, which means only the default one will be activated implicitly. Then the non_fips_libctx = OSSL_LIB_CTX_new(); line will set up the default provider in non_fips_libctx.</p>
<p>I’m hoping someone can point me in the right direction, because the other problem is that I’m not sure how to validate that what I’ve done is correct. As in, how do I know fips_libctx is actually “FIPS” compliant, and/or the SSL_CTX’s I create are “FIPS”? I realize there are probably several ways to do this, but I’m looking to isolate my application only this way, and not affect any other applications on the system.</p>
<p>Thanks in advance.</p>
<p>Jason</p>
</div>
</blockquote>
<br>
</body>
</html>