<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cascadia Mono";
panose-1:2 11 6 9 2 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msipfooter90245289, li.msipfooter90245289, div.msipfooter90245289
{mso-style-name:msipfooter90245289;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:40641144;
mso-list-template-ids:651042566;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:396585968;
mso-list-type:hybrid;
mso-list-template-ids:-118208842 1875967796 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:DengXian;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:424689739;
mso-list-template-ids:1821925314;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3
{mso-list-id:983852205;
mso-list-template-ids:437958424;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4
{mso-list-id:1249466666;
mso-list-template-ids:-707250442;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help on this will be helpful<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">How to set fips enabled for the complete application (process/service) which is running.<o:p></o:p></p>
<p class="MsoNormal">I have provided all the samples which I have used for testing the same in the below mails<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Tuesday, March 7, 2023 10:33 AM<br>
<b>To:</b> openssl-users<br>
<b>Subject:</b> RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help/inputs on this will be really helpful, please <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Tuesday, March 7, 2023 12:31 AM<br>
<b>To:</b> openssl-users<br>
<b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath<br>
<b>Subject:</b> RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tried another approach by loading the required providers as mentioned in the docs.<o:p></o:p></p>
<p class="MsoNormal">The assumption was that the highlighted line in the code will fail when the FIPS provider is enabled.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At the beginning of the application fips provider are enabled and in between code will take care of any non-approved algorithms (like MD5)<o:p></o:p></p>
<p class="MsoNormal">And at the end unloading the providers. This is our understanding.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please let us know if any settings are missing here or if something else needed to be added to the code/config file.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Openssl.cnf<o:p></o:p></b></p>
<p class="MsoNormal"><b>=========<o:p></o:p></b></p>
<p class="MsoNormal">.include c:\\usr\\local\\ssl\\fipsmodule.cnf<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[openssl_init]<o:p></o:p></p>
<p class="MsoNormal">providers = provider_sect<o:p></o:p></p>
<p class="MsoNormal">#alg_section = algorithm_sect<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># List of providers to load<o:p></o:p></p>
<p class="MsoNormal">[provider_sect]<o:p></o:p></p>
<p class="MsoNormal">default = default_sect<o:p></o:p></p>
<p class="MsoNormal"># The fips section name should match the section name inside the<o:p></o:p></p>
<p class="MsoNormal"># included fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoNormal">fips = fips_sect<o:p></o:p></p>
<p class="MsoNormal">#base = base_sect<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># If no providers are activated explicitly, the default one is activated implicitly.<o:p></o:p></p>
<p class="MsoNormal"># See man 7 OSSL_PROVIDER-default for more details.<o:p></o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"># If you add a section explicitly activating any other provider(s), you most<o:p></o:p></p>
<p class="MsoNormal"># probably need to explicitly activate the default provider, otherwise it<o:p></o:p></p>
<p class="MsoNormal"># becomes unavailable in openssl. As a consequence applications depending on<o:p></o:p></p>
<p class="MsoNormal"># OpenSSL may not work correctly which could lead to significant system<o:p></o:p></p>
<p class="MsoNormal"># problems including inability to remotely access the system.<o:p></o:p></p>
<p class="MsoNormal">[default_sect]<o:p></o:p></p>
<p class="MsoNormal">activate = 0<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[base_sect]<o:p></o:p></p>
<p class="MsoNormal">activate = 1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[algorithm_sect]<o:p></o:p></p>
<p class="MsoNormal">default_properties = fips=yes<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include <Windows.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include <stdio.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include <openssl/provider.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include "openssl/md5.h"<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal"><b>C sample code <o:p></o:p></b></p>
<p class="MsoNormal"><b>===========<o:p></o:p></b></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">int main(void)<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">{<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER* fips;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER* base;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> fips = OSSL_PROVIDER_load(NULL, "fips");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> if (fips == NULL) {<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Failed to load FIPS provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> exit(EXIT_FAILURE);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> }<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Success to load FIPS provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> base = OSSL_PROVIDER_load(NULL, "base");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> if (base == NULL) {<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER_unload(fips);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Failed to load base provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> exit(EXIT_FAILURE);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> }<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Success to load base provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> /* Rest of application */<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> unsigned char* Temp = NULL;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <span style="background:yellow;mso-highlight:yellow">
Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL);</span> <o:p>
</o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf(Temp);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER_unload(base);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER_unload(fips);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> exit(EXIT_SUCCESS);<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Output<o:p></o:p></b></p>
<p class="MsoNormal"><b>======<o:p></o:p></b></p>
<p class="MsoNormal">C:\Work\OpenSSL3.x\TEST>test_provider.exe<o:p></o:p></p>
<p class="MsoNormal">Success to load FIPS provider<o:p></o:p></p>
<p class="MsoNormal">Success to load base provider<o:p></o:p></p>
<p class="MsoNormal"><span style="background:yellow;mso-highlight:yellow">pá«í</span><span lang="ZH-CN" style="font-family:DengXian;background:yellow;mso-highlight:yellow">╤δ</span><span style="font-family:"Arial",sans-serif;background:yellow;mso-highlight:yellow">░</span><span style="background:yellow;mso-highlight:yellow">Å9¥ê₧IδH*</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span style="font-size:7.0pt;color:#737373">Internal Use - Confidential</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Monday, March 6, 2023 8:37 PM<br>
<b>To:</b> openssl-users<br>
<b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep<br>
<b>Subject:</b> OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Dr. Paul/Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We are following the OpenSSL org docs to enable the fips programmatically \.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">With our understanding and refereeing multiple docs, we came up with the following code.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Initially, we wanted to check the fips enablement from the <u>
C code</u> then we wanted to check with Python as our application is completely in Python.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Query:<o:p></o:p></p>
<p class="MsoNormal"> How can we enable fips programmatically for the entire application, meaning just like
<u>fips_mode_set(1)</u> in previous OpenSSL releases which will make the complete application run in the fips mode?<o:p></o:p></p>
<p class="MsoNormal">In OpenSSL 3.0.x how can we make the application level ( process level ) to be in FIPS compliance? In our example, we used the context for FIPS and for default. How this FIPS context can be applied to the entire application?<o:p></o:p></p>
<p class="MsoNormal">Is there a way to do this? Can you please provide some input on this, please let us know if we are doing something wrong here.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Providing the complete information from our system which is done till now to enable the fips programmatically.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Steps:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo3">Installed/Built OpenSSL 3.0.8 version on windows by following the doc<o:p></o:p></li></ul>
<p class="MsoListParagraph">c:\usr\local\ssl\bin>openssl.exe version -v<o:p></o:p></p>
<p class="MsoListParagraph"><span style="background:yellow;mso-highlight:yellow">OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)</span><o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo3">Openssl and fipsmodule cnf files are available at the installed location.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo3"><b>Contents of OpenSSL.cnf<o:p></o:p></b></li></ul>
<p class="MsoListParagraph">====<o:p></o:p></p>
<p class="MsoListParagraph">[openssl_init]<o:p></o:p></p>
<p class="MsoListParagraph">providers = provider_sect<o:p></o:p></p>
<p class="MsoListParagraph"><b>alg_section = algorithm_sect<o:p></o:p></b></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"># List of providers to load<o:p></o:p></p>
<p class="MsoListParagraph">[provider_sect]<o:p></o:p></p>
<p class="MsoListParagraph">default = default_sect<o:p></o:p></p>
<p class="MsoListParagraph"># The fips section name should match the section name inside the<o:p></o:p></p>
<p class="MsoListParagraph"># included fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoListParagraph"><b>fips = fips_sect<o:p></o:p></b></p>
<p class="MsoListParagraph">#base = base_sect<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"># If no providers are activated explicitly, the default one is activated implicitly.<o:p></o:p></p>
<p class="MsoListParagraph"># See man 7 OSSL_PROVIDER-default for more details.<o:p></o:p></p>
<p class="MsoListParagraph">#<o:p></o:p></p>
<p class="MsoListParagraph"># If you add a section explicitly activating any other provider(s), you most<o:p></o:p></p>
<p class="MsoListParagraph"># probably need to explicitly activate the default provider, otherwise it<o:p></o:p></p>
<p class="MsoListParagraph"># becomes unavailable in openssl. As a consequence applications depending on<o:p></o:p></p>
<p class="MsoListParagraph"># OpenSSL may not work correctly which could lead to significant system<o:p></o:p></p>
<p class="MsoListParagraph"># problems including inability to remotely access the system.<o:p></o:p></p>
<p class="MsoListParagraph">[default_sect]<o:p></o:p></p>
<p class="MsoListParagraph">activate = 0<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph">[base_sect]<o:p></o:p></p>
<p class="MsoListParagraph">activate = 1<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph">[algorithm_sect]<o:p></o:p></p>
<p class="MsoListParagraph"><b>default_properties = fips=yes<o:p></o:p></b></p>
<p class="MsoListParagraph">==========<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo3">Contents of the fipsmodule cnf file<o:p></o:p></li></ul>
<p class="MsoListParagraph">[fips_sect]<o:p></o:p></p>
<p class="MsoListParagraph"><b>activate = 1<o:p></o:p></b></p>
<p class="MsoListParagraph">conditional-errors = 1<o:p></o:p></p>
<p class="MsoListParagraph">security-checks = 1<o:p></o:p></p>
<p class="MsoListParagraph">module-mac = 53:C8.xxx<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo3"><b>C code to invoke programmatically<o:p></o:p></b></li></ul>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:gray">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:#A31515"><Windows.h></span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:gray">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:#A31515"><stdio.h></span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:gray">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:#A31515">"openssl/types.h"</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:gray">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:#A31515">"openssl/crypto.h"</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:gray">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:#A31515">"openssl/md5.h"</span><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:9.5pt;font-family:"Cascadia Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoListParagraph">int main()<o:p></o:p></p>
<p class="MsoListParagraph">{<o:p></o:p></p>
<p class="MsoListParagraph"> printf("hello\n");<o:p></o:p></p>
<p class="MsoListParagraph"> OSSL_LIB_CTX* fips_libctx, * nonfips_libctx;<o:p></o:p></p>
<p class="MsoListParagraph"> printf("good\n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> OSSL_PROVIDER* defctxnull = NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> EVP_MD* fipssha256 = NULL, * nonfipssha256 = NULL, * fipsmd5 = NULL, * fipssha1 = NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> int ret = 1;<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * Create two nondefault library contexts. One for fips usage and<o:p></o:p></p>
<p class="MsoListParagraph"> * one for non-fips usage<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"> fips_libctx = OSSL_LIB_CTX_new();<o:p></o:p></p>
<p class="MsoListParagraph"> nonfips_libctx = OSSL_LIB_CTX_new();<o:p></o:p></p>
<p class="MsoListParagraph"> if (fips_libctx == NULL || nonfips_libctx == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("null \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Prevent anything from using the default library context */<o:p></o:p></p>
<p class="MsoListParagraph"> defctxnull = OSSL_PROVIDER_load(NULL, "null");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * Load config file for the FIPS library context. We assume that<o:p></o:p></p>
<p class="MsoListParagraph"> * this config file will automatically activate the FIPS and base<o:p></o:p></p>
<p class="MsoListParagraph"> * providers so we don't need to explicitly load them here.<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"> if (!OSSL_LIB_CTX_load_config(fips_libctx, "c:\\usr\\local\\ssl\\openssl.cnf"))<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err OSSL_LIB_CTX_load_config\n ");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * We don't need to do anything special to load the default<o:p></o:p></p>
<p class="MsoListParagraph"> * provider into nonfips_libctx. This happens automatically if no<o:p></o:p></p>
<p class="MsoListParagraph"> * other providers are loaded.<o:p></o:p></p>
<p class="MsoListParagraph"> * Because we don't call OSSL_LIB_CTX_load_config() explicitly for<o:p></o:p></p>
<p class="MsoListParagraph"> * nonfips_libctx it will just use the default config file.<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* As an example get some digests */<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Get a FIPS validated digest */<o:p></o:p></p>
<p class="MsoListParagraph"> fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (fipssha256 == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err fipssha256 \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> fipssha1 = EVP_MD_fetch(fips_libctx, "SHA1", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (fipssha1 == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err fipssha1 \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> <span style="background:yellow;mso-highlight:yellow">
fipsmd5 = EVP_MD_fetch(fips_libctx, "MD5", NULL); -- </span><b><span style="color:#70AD47">This is throwing error w.r.t context which is expected</span></b><span style="background:yellow;mso-highlight:yellow"><o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="background:yellow;mso-highlight:yellow"> if (fipsmd5 == NULL)<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="background:yellow;mso-highlight:yellow"> printf("err fipsmd5 \n");</span><o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Get a non-FIPS validated digest */<o:p></o:p></p>
<p class="MsoListParagraph"> nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (nonfipssha256 == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err nonfipssha256 \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> unsigned char* Temp = NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> <span style="background:yellow;mso-highlight:yellow">
Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL);</span> <span style="color:red">
-- <b>This is working fine</b> </span><o:p></o:p></p>
<p class="MsoListParagraph"> printf(Temp);<o:p></o:p></p>
<p class="MsoListParagraph"> printf("\n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Use the digests */<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> printf("Success\n");<o:p></o:p></p>
<p class="MsoListParagraph"> ret = 0;<o:p></o:p></p>
<p class="MsoListParagraph">}<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks in advance<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Raghavendra<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span style="font-size:7.0pt;color:#737373">Internal Use - Confidential</span><o:p></o:p></p>
</div>
</body>
</html>