<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Your example indicates that you were attempting to use a legacy
algorithm that the legacy provider implements. This will never be
FIPS compliant.<br>
<br>
Yes, you can have many library contexts. Just be very careful which
you are using for FIPS and which you are using for legacy access.
Non-legacy access to non-FIPS algorithms will invalidate any FIPS
compliance.<br>
<br>
Dr Paul Dale<br>
<br>
<br>
<div class="moz-cite-prefix">On 20/4/23 15:39, Prasad, PCRaghavendra
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR19MB402941B8ACF3637AEA3950BB9A639@MN2PR19MB4029.namprd19.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Thanks, Dr. Paul,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So we can have another context for the
default providers along with the fips and base providers?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">FIPS and base providers are loaded in the
default context (NULL) and we are not using any specific lib
context for default providers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As we want to run our application only in
FIPS mode, we didn’t load the default provider.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We will explore the points which you have
mentioned below and try to integrate and test them again.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">One more thing: when we searched for this
error, most places said we need to
<span style="background:yellow;mso-highlight:yellow">use <span
class="ui-provider">
--openssl-legacy-provider</span></span><span
class="ui-provider">. Is it the right way to add this flag?<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Dr. Paul for the information.<o:p></o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span
style="font-size:7.0pt;color:#737373">Internal Use -
Confidential</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> openssl-users
<a class="moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org">&lt;openssl-users-bounces@openssl.org&gt;</a>
<b>On Behalf Of </b>Dr Paul Dale<br>
<b>Sent:</b> Thursday, April 20, 2023 7:10 AM<br>
<b>To:</b> Prasad, PCRaghavendra;
<a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Cc:</b> Ds, Pradeep Kumar<br>
<b>Subject:</b> Re: OpenSSL 3.0.x + Python 3.9.x + Enable
FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p><span style="color:#CE1126">[EXTERNAL EMAIL] <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">It looks like
you're trying to access non-approved crypto. My suggestion
would be to create a new library context specifically for this
using OSSL_LIB_CTX_new(). Load only the default provider into
that context using OSSL_PROVIDER_load(). Do not call
EVP_default_properties_enable_fips() on it.<br>
<br>
You should only use this new library context for non-FIPS
operations. If there is any doubt about what is permitted and
what isn't, contact your FIPS lab for clarification.<br>
<br>
Paul Dale<o:p></o:p></p>
<div>
<p class="MsoNormal">On 20/4/23 01:35, Prasad, PCRaghavendra
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Dr.Paul/Team,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Good Morning,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We have integrated OpenSSL 3.0.8 in our
code along with fips enablement. We are using python 3.11
version.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We have used the default search path as
our application directory
(<code style="font-size:9.5pt;font-family:Consolas">OSSL_PROVIDER_set_default_search_path</code>)
and loaded the “base” and “fips” providers and not
the default provider.<o:p></o:p></p>
<pre style="font-size:9.5pt;font-family:Consolas;color:#333333;background:#ECFDF0"># ctypes calls into libcrypto; None selects the default library context
OSSL_PROVIDER_load(None, b"base")
OSSL_PROVIDER_load(None, b"fips")</pre>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">After that, we enabled FIPS using the
<code style="font-size:9.5pt;font-family:Consolas">libcrypto.EVP_default_properties_enable_fips()</code>
call.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Should we load the default provider as
well or base and fips are good enough?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Sometimes we are getting the below error
message from Python cryptography package<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span class="ui-provider"><span
style="background:yellow;mso-highlight:yellow">cryptography.exceptions.InternalError:
Unknown OpenSSL error. This error is commonly
encountered when another library is not cleaning up the
OpenSSL error stack. If you are using cryptography with
another library that uses OpenSSL try disabling it
before reporting a bug. Otherwise please file an issue
at
<a href="https://github.com/pyca/cryptography/issues">https://github.com/pyca/cryptography/issues</a> with information on how to reproduce
this. ([_OpenSSLErrorWithText(code=50856204, lib=6,
reason=524556, reason_text=b'error:0308010C:digital
envelope routines::unsupported')])</span></span><o:p></o:p></p>
<p class="MsoNormal"><span class="ui-provider"> </span><o:p></o:p></p>
<p class="MsoNormal">What we are observing is that this error is
intermittent, as we have already tested the complete application a
couple of times.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any thoughts or inputs on this would help us
debug this issue further.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Raghavendra<o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Dr Paul Dale <a
href="mailto:pauli@openssl.org" moz-do-not-send="true">
&lt;pauli@openssl.org&gt;</a> <br>
<b>Sent:</b> Wednesday, March 8, 2023 11:02 AM<br>
<b>To:</b> Prasad, PCRaghavendra; <a
href="mailto:openssl-users@openssl.org"
moz-do-not-send="true" class="moz-txt-link-freetext">openssl-users@openssl.org</a><br>
<b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal,
Srinath<br>
<b>Subject:</b> Re: OpenSSL 3.0.x + Python 3.9.x +
Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Are
there any specific .h files where we can refer to this
method that needs to be used (e.g. evp.h)?
<o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
#include "openssl/evp.h" should be enough to get the EVP
APIs. You will need other includes for other parts of
OpenSSL but that covers EVP well enough.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Still,
are there any files that we can go through once before
calling in FIPS mode?<o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Turn on <span style="font-family:'Courier New'">-Wdeprecated</span>
or equivalent in your compile and the low level calls will
be flagged. They should all be deprecated.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">One
more doubt: how can we set FIPS enabled for the
complete application (process/service) while running, so
that if we are using non-compliant algorithms/methods it
throws errors? Is it possible in OpenSSL 3.0.x?<o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
The call you are looking for is:<br>
<br>
<span style="font-family:'Courier New'">EVP_set_default_properties(libctx,
"fips=yes");<br>
</span><br>
I strongly suggest reading the documentation about the <a
href="https://www.openssl.org/docs/man3.0/man7/fips_module.html">FIPS provider</a> and the <a
href="https://www.openssl.org/docs/man3.0/man7/migration_guide.html">migration guide</a>. Both the avoidance of
low level calls and setting the default properties are
covered therein. There are a number of other nuances to
trip over when using the FIPS provider.<br>
<br>
<br>
Paul Dale<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>