<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    It looks like you're trying to access non-approved crypto.  My
    suggestion would be to create a new library context specifically for
    this using OSSL_LIB_CTX_new().  Load only the default provider into
    that context using OSSL_PROVIDER_load().  Do not call
    EVP_default_properties_enable_fips() on it.<br>
    <br>
    You should only use this new library context for non-FIPS
    operations.  If there is any doubt about what is permitted and what
    isn't, contact your FIPS lab for clarification.<br>
    <br>
    Paul Dale<br>
    <br>
    <div class="moz-cite-prefix">On 20/4/23 01:35, Prasad, PCRaghavendra
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:MN2PR19MB40298557AFA1C76EC4831EC59A629@MN2PR19MB4029.namprd19.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal">Hi Dr. Paul/Team,<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Good Morning,<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">We have integrated OpenSSL 3.0.8 into our
          code along with FIPS enablement. We are using Python 3.11.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">We have used the default search path as our
          application directory (<span
            style="font-family:Consolas">OSSL_PROVIDER_set_default_search_path</span>)
          and loaded the “base” and “fips” providers, but not the
          default provider.<o:p></o:p></p>
        <p class="MsoNormal" style="background:#ECFDF0"><span
            style="font-family:Consolas">OSSL_PROVIDER_load(None, b"base")</span><o:p></o:p></p>
        <p class="MsoNormal" style="background:#ECFDF0"><span
            style="font-family:Consolas">OSSL_PROVIDER_load(None, b"fips")</span><o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">After that, we enabled FIPS using the <span
            style="font-family:Consolas">libcrypto.EVP_default_properties_enable_fips()</span>
          call.<o:p></o:p></p>
        <p class="MsoNormal"><span class="idiff"><span
style="font-size:9.5pt;font-family:Consolas;color:#333333;background:#C7F0D2"><o:p> </o:p></span></span></p>
        <p class="MsoNormal">Should we load the default provider as well,
          or are base and fips good enough?<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Sometimes we are getting the below error
          message from the Python cryptography package:<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span class="ui-provider"><span
              style="background:yellow;mso-highlight:yellow">cryptography.exceptions.InternalError:
              Unknown OpenSSL error. This error is commonly encountered
              when another library is not cleaning up the OpenSSL error
              stack. If you are using cryptography with another library
              that uses OpenSSL try disabling it before reporting a bug.
              Otherwise please file an issue at
              <a href="https://github.com/pyca/cryptography/issues"
                target="_blank"
                title="https://github.com/pyca/cryptography/issues"
                moz-do-not-send="true" class="moz-txt-link-freetext">
                https://github.com/pyca/cryptography/issues</a> with
              information on how to reproduce this.
              ([_OpenSSLErrorWithText(code=50856204, lib=6,
              reason=524556, reason_text=b'error:0308010C:digital
              envelope routines::unsupported')])</span><o:p></o:p></span></p>
        <p class="MsoNormal"><span class="ui-provider"><o:p> </o:p></span></p>
        <p class="MsoNormal">This error is intermittent, from what we are
          observing, as we have already tested the complete application
          a couple of times.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Any thoughts or inputs on this would help us
          in debugging this issue further.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Thanks,<o:p></o:p></p>
        <p class="MsoNormal">Raghavendra<o:p></o:p></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> Dr Paul Dale
              <a class="moz-txt-link-rfc2396E" href="mailto:pauli@openssl.org">&lt;pauli@openssl.org&gt;</a> <br>
              <b>Sent:</b> Wednesday, March 8, 2023 11:02 AM<br>
              <b>To:</b> Prasad, PCRaghavendra;
              <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
              <b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal,
              Srinath<br>
              <b>Subject:</b> Re: OpenSSL 3.0.x + Python 3.9.x + Enable
              FIPS- Need help/inputs<o:p></o:p></p>
          </div>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Are
              there any specific .h files where we can refer to the
              method that needs to be used (e.g. evp.h)?
              <o:p></o:p></p>
          </div>
        </blockquote>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
          #include "openssl/evp.h" should be enough to get the EVP
          APIs.  You will need other includes for other parts of OpenSSL
          but that covers EVP well enough.<br>
          <br>
          <br>
          <o:p></o:p></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Still,
              are there any files that we can go through once before
              calling into FIPS mode?<o:p></o:p></p>
          </div>
        </blockquote>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
          Turn on <span style="font-family:'Courier New'">-Wdeprecated</span>
          or equivalent in your compile and the low level calls will be
          flagged.  They should all be deprecated.<br>
          <br>
          <br>
          <o:p></o:p></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">One
              more doubt is: how can we set FIPS enabled for the complete
              application (process/service) while running, so that if we
              are using non-compliant algorithms/methods it throws
              errors? Is it possible in OpenSSL 3.0.x?<o:p></o:p></p>
          </div>
        </blockquote>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
          The call you are looking for is:<br>
          <br>
              <span style="font-family:'Courier New'">EVP_set_default_properties(libctx,
            "fips=yes");<br>
          </span><br>
          I strongly suggest reading the documentation about the <a
href="https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/fips_module.html__;!!LpKI!gwsGt_60jqaHzhWTEXZCwSn0frcRAuJbbxYQLrkbfBfkw9-Eg_mdOnYzU6EDHNOBOR25XSXKcqHcPO1X7_TtGA$"
            moz-do-not-send="true">
            FIPS provider [openssl.org]</a> and the <a
href="https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/migration_guide.html__;!!LpKI!gwsGt_60jqaHzhWTEXZCwSn0frcRAuJbbxYQLrkbfBfkw9-Eg_mdOnYzU6EDHNOBOR25XSXKcqHcPO2zYsa_AA$"
            moz-do-not-send="true">
            migration guide [openssl.org]</a>.  Both the avoidance of
          low level calls and setting the default properties are covered
          therein.  There are a number of other nuances to trip over
          when using the FIPS provider.<br>
          <br>
          <br>
          Paul Dale<o:p></o:p></p>
      </div>
    </blockquote>
    <br>
  </body>
</html>