<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Ah, OK. Yes, I am running on the same machine. Thanks for clarifying. </div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Kory Hamzeh <kory@avatarci.com><br>
<b>Sent:</b> Tuesday, October 26, 2021 9:15 PM<br>
<b>To:</b> Jason Schultz <jetson23@hotmail.com><br>
<b>Cc:</b> Dr Paul Dale <pauli@openssl.org>; openssl-users@openssl.org <openssl-users@openssl.org><br>
<b>Subject:</b> Re: OpenSSL 3.0 FIPS questions</font>
<div> </div>
</div>
<div class="" style="word-wrap:break-word; line-break:after-white-space">Actually, if you are running on the same machine that you built OpenSSL, you are fine. I cross-compile and have to do a fipsinstall each time. My apologies.
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Oct 26, 2021, at 12:17 PM, Jason Schultz <<a href="mailto:jetson23@hotmail.com" class="">jetson23@hotmail.com</a>> wrote:</div>
<br class="x_Apple-interchange-newline">
<div class="">
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
Thanks for all of the help so far. Unfortunately, I'm still struggling with this. There could be a number of issues, starting with the installation of OpenSSL. I basically followed the documentation and did the following:</div>
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<br class="">
</div>
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<pre class="" style="margin:0in; font-family:'Courier New'; font-size:11pt">./Configure <span class="" style="background-color:yellow">enable-fips</span>
make
make test
make install</pre>
<br class="">
</div>
<div class="" style="font-family:Helvetica; font-size:18px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class="">The "make test" actually fails, but I did not troubleshoot as it seems like a lot of systems have issues here. But I know the .so produced when I build my application
 is linking to the correct OpenSSL libraries (libssl.so.3 and libcrypto.so.3). Checking the OpenSSL version shows 3.0.</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""><br class="">
</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class="">I've tried a number of combinations trying to make this work, starting with the code from Dr. Paul Dale in a previous message:</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""><br class="">
</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<pre class="" style="margin:0in; font-family:'Courier New'; font-size:11pt">    fips_libctx = OSSL_LIB_CTX_new();
    if (!fips_libctx)
        /* error handling */

    non_fips_libctx = OSSL_LIB_CTX_new();
    if (!non_fips_libctx)
        /* error handling */

    fipsp = OSSL_PROVIDER_load(fips_libctx, "fips");
    if (fipsp == NULL)
      {
        /* error handling */
      }

    basep = OSSL_PROVIDER_load(fips_libctx, "base");
    if (basep == NULL)
      {
        /* error handling */
      }

    defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
    if (defp == NULL)
      {
        /* error handling */
      }

    /* Disallow falling back to the default library context */
    nullp = OSSL_PROVIDER_load(NULL, "null");
    if (nullp == NULL)
      {
        /* error handling */
      }</pre>
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""><br class="">
</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class="">With the code like the above, the OSSL_PROVIDER_load() call fails for fips. If I try to use the fips_libctx in SSL_CTX_new_ex(), it fails and returns NULL, which
 is probably expected given the fips provider didn't load.</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""><br class="">
</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class="">At that point, I wasn't sure if my application was using the (correct) config file in /usr/local/ssl/. I don't have any environment variables set up, and would prefer
 not to have to set any to get this to work. So I changed the provider load for FIPS to use OSSL_LIB_CTX_load_config():</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""><br class="">
</span></div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<pre class="" style="margin:0in; font-family:'Courier New'; font-size:11pt">    if (!OSSL_LIB_CTX_load_config(fips_libctx, "/usr/local/ssl/openssl-fips.cnf"))
        /* error handling */</pre>
<div class=""><br class="">
</div>
<div class="">This seems to load the provider; however, there are two separate problems at this point. If FIPS is enabled by my application, creating the SSL_CTX with the FIPS library context fails, returning NULL.</div>
<div class=""><br class="">
</div>
<div class="">If FIPS is turned OFF by my application, creating an SSL_CTX with the non_fips_libctx is successful, but later calling X509_get_pubkey() returns NULL, implying maybe something is wrong with the non_fips_libctx as well.</div>
<div class=""><br class="">
</div>
<div class="">I've tried other combinations, but at this point I'm just guessing. Is there anything obvious I could be missing that I should be checking?</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class=""><br class="">
</div>
<div class="">Jason</div>
<div class=""><br class="">
</div>
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""><br class="">
</span></div>
<hr tabindex="-1" class="" style="display:inline-block; width:1012.328125px">
<div id="x_divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" class="" style="font-size:11pt"><b class="">From:</b><span class="x_Apple-converted-space"> </span>Dr Paul Dale <<a href="mailto:pauli@openssl.org" class="">pauli@openssl.org</a>><br class="">
<b class="">Sent:</b><span class="x_Apple-converted-space"> </span>Monday, October 25, 2021 9:37 PM<br class="">
<b class="">To:</b><span class="x_Apple-converted-space"> </span>Jason Schultz <<a href="mailto:jetson23@hotmail.com" class="">jetson23@hotmail.com</a>>;
<a href="mailto:openssl-users@openssl.org" class="">openssl-users@openssl.org</a> <<a href="mailto:openssl-users@openssl.org" class="">openssl-users@openssl.org</a>><br class="">
<b class="">Subject:</b><span class="x_Apple-converted-space"> </span>Re: OpenSSL 3.0 FIPS questions</font>
<div class=""> </div>
</div>
<div class="">It was meant for the second method only.  The first method is using different library contexts to distinguish FIPS algorithms.  Using the properties in addition is harmless and might prevent a future mistake that breaks compliance.<br class="">
<br class="">
Pauli<br class="">
<br class="">
<div class="x_x_moz-cite-prefix">On 26/10/21 4:46 am, Jason Schultz wrote:<br class="">
</div>
<blockquote type="cite" class="">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Thanks again. I think most of that makes sense. Going back to your initial response, there is something I'm not clear on. </div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">The second method you explained (which I don't plan to use) starting with "Alternatively,..." included the calls to OSSL_PROVIDER_load(), and then discussed calling the following
 API for FIPS:</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<pre class="" style="font-family:courier,'courier new',monospace; font-size:14px; margin:0em; background-color:rgb(255,255,255)">   EVP_set_default_properties(NULL, "fips=yes");</pre>
<br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span class=""></span></div>
<div class="">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Was the EVP_set_default_properties() call specifically and only for the 2nd method, or did that API call apply to both the first and second methods you explained? From reading the
 doc for that call, it seems like I should be doing it if I use the first method as well.</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Regards,</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Jason</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<hr tabindex="-1" class="" style="display:inline-block; width:1002.53125px">
<div id="x_x_divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" class="" style="font-size:11pt"><b class="">From:</b><span class="x_Apple-converted-space"> </span>openssl-users<span class="x_Apple-converted-space"> </span><a class="x_x_moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org"><openssl-users-bounces@openssl.org></a><span class="x_Apple-converted-space"> </span>on
 behalf of Dr Paul Dale<span class="x_Apple-converted-space"> </span><a class="x_x_moz-txt-link-rfc2396E" href="mailto:pauli@openssl.org"><pauli@openssl.org></a><br class="">
<b class="">Sent:</b><span class="x_Apple-converted-space"> </span>Sunday, October 24, 2021 11:12 PM<br class="">
<b class="">To:</b><span class="x_Apple-converted-space"> </span><a class="x_x_moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><span class="x_Apple-converted-space"> </span><a class="x_x_moz-txt-link-rfc2396E" href="mailto:openssl-users@openssl.org"><openssl-users@openssl.org></a><br class="">
<b class="">Subject:</b><span class="x_Apple-converted-space"> </span>Re: OpenSSL 3.0 FIPS questions</font>
<div class=""> </div>
</div>
<div class="">The configuration shouldn't have much impact.  You will need a fips section specifying where the integrity check data are.  You shouldn't need base or default sections.<br class="">
<br class="">
<br class="">
Pauli<br class="">
<br class="">
<div class="x_x_x_moz-cite-prefix">On 25/10/21 5:23 am, Jason Schultz wrote:<br class="">
</div>
<blockquote type="cite" class="">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Thank you for your response. I think all of that makes sense, and seems to accomplish what I want programmatically, limiting it to my application.
 I guess the only question I have is what about the config files? Should they remain as they were installed, or do I need to provide sections for fips, base, default, etc?</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Regards,</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Jason</div>
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div class="">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<hr tabindex="-1" class="" style="display:inline-block; width:992.734375px">
<div id="x_x_x_divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" class="" style="font-size:11pt"><b class="">From:</b><span class="x_Apple-converted-space"> </span>openssl-users<span class="x_Apple-converted-space"> </span><a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org"><openssl-users-bounces@openssl.org></a><span class="x_Apple-converted-space"> </span>on
 behalf of Dr Paul Dale<span class="x_Apple-converted-space"> </span><a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:pauli@openssl.org"><pauli@openssl.org></a><br class="">
<b class="">Sent:</b><span class="x_Apple-converted-space"> </span>Sunday, October 24, 2021 12:28 AM<br class="">
<b class="">To:</b><span class="x_Apple-converted-space"> </span><a class="x_x_x_moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><span class="x_Apple-converted-space"> </span><a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:openssl-users@openssl.org"><openssl-users@openssl.org></a><br class="">
<b class="">Subject:</b><span class="x_Apple-converted-space"> </span>Re: OpenSSL 3.0 FIPS questions</font>
<div class=""> </div>
</div>
<div class="">Oops, the second time this occurs "<font face="monospace" class="">defp = OSSL_PROVIDER_load(non_fips_libctx, "default");</font>" it should be "<font face="monospace" class="">defp = OSSL_PROVIDER_load(NULL, "default");</font>"<br class="">
<br class="">
<br class="">
Pauli<br class="">
<br class="">
<div class="x_x_x_x_moz-cite-prefix">On 24/10/21 10:06 am, Dr Paul Dale wrote:<br class="">
</div>
<blockquote type="cite" class=""><font face="monospace" class="">defp = OSSL_PROVIDER_load(non_fips_libctx, "default");</font></blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</body>
</html>