<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi,<br>
<br>
I would suggest that you contact your FIPS lab for definitive
answers to your questions. This is well outside the experience of
the OpenSSL team members' FIPS experience.<br>
<br>
My understanding is that you are correct but the FIPS criteria are
fickle until a lab has determined and resolved an outcome.<br>
<br>
<br>
Dr Paul Dale<br>
<br>
<br>
<div class="moz-cite-prefix">On 30/6/2023 5:58 pm, Zhongyan Wang
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SN7PR07MB95778A847D25657BBD77B4C9E92AA@SN7PR07MB9577.namprd07.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}span.gmail-ui-provider
{mso-style-name:gmail-ui-provider;}span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">5) Is it possible to load
multiple providers like default, leacy and also fips
programmatically using OSSL_PROVIDER_load function ?<o:p></o:p></p>
<p class="MsoNormal">=>This is my own thought, not official.
In my product, we also use FIPS module and we have one FIPS
mode, one non-FIPS mode. They are mutually exclusive.<o:p></o:p></p>
<p class="MsoNormal">In FIPS mode, we load FIPS and base
providers together. In non-FIPS mode, we load default provider
by default and optional load legacy provider by customer
setting.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">6) When multiple providers like for ex:
FIPS and default provider are enabled and when an encryption
function is called, then algorithm from which provider is
picked(from my findings it can use any of the loaded provider
implementations )? assumption that we have <b>not</b> used
property query string during algorithm fetches to specify
which implementation to be used.<o:p></o:p></p>
<p class="MsoNormal">=>In the openssl 3.0 migration guide, it
says this result is undefined. So we design my product as
above to make sure FIPS and default provider won’t be loaded
at same time.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On the other hand, I also have a question
about FIPS provider:<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:10.0pt">How to specify
the path of openssl.cnf and so-called fipsmodule.cnf
programmatically when load FIPS Provider?<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:10.0pt">Our product has
a build-in openssl bin and library, but doesn’t have any
openssl configure file due to history reason.<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:10.0pt">I will add
execute “make fipsinstall” during the product installation to
generate the fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:10.0pt">Since customer
can install product to anywhere and “make fipsinstall” can
also install fipsmodule.cnf to anywhere and openssl library
won’t know the location.<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:10.0pt">So I can’t
successfully load FIPS provider because it doesn’t know where
is the fipsmodule.cnf. Per my test, it seems to find
fipsmodule.cnf in pre-fix path configure in compile.<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:10.0pt">My key point is:
is there a method to let openssl know where to load/check
fipsmodule.cnf?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> openssl-users
<a class="moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org"><openssl-users-bounces@openssl.org></a>
<b>On Behalf Of </b><a class="moz-txt-link-abbreviated" href="mailto:pauli@openssl.org">pauli@openssl.org</a><br>
<b>Sent:</b> Friday, June 30, 2023 15:16<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject:</b> Re: questions on fips provider<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable"
style="width:6.0pt;background:#FFFFE5" width="8"
cellspacing="0" cellpadding="0" border="1" align="left">
<tbody>
<tr>
<td style="padding:3.5pt 3.5pt 3.5pt 3.5pt"
nowrap="nowrap">
<p class="MsoNormal"
style="mso-element:frame;mso-element-frame-hspace:2.25pt;mso-element-wrap:around;mso-element-anchor-vertical:paragraph;mso-element-anchor-horizontal:column;mso-height-rule:exactly"><b><span
style="color:black">EXTERNAL EMAIL</span></b><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="color:red">Answers below....<br>
<br>
</span><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span class="gmail-ui-provider">1)
Is there a way to static link FIPS? I see at many
places that fips cannot be statically linked but
would like to know if we have any other ways to do
that.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span style="color:red">No. This was a design
goal/limitation from the start. Statically linking the
FIPS provider would have been a major source of pain. We
managed it for 1.0.2 with some inspirational assembly
coding but that approach wouldn't have worked for 3.0.</span><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span class="gmail-ui-provider">2)
If it is dynamic linking then does FIPS has any
integrity check to make sure
<a href="http://fips.so/fips.dll"
moz-do-not-send="true">
fips.so/fips.dll</a> is the right one? </span>and
not some thing tampered by some body(as per my
findings we have some check in configuration file as
mentioned in the below attached snapshot 3rd line)<o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span style="color:red">Yes it does do an integrity check on
load. This was the main reason to limit the FIPS provider
to being a loadable module. The approach taken in the
1.0.2 FOM wasn't viable with the re-architecture.</span><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">3) can both legacy and fips
providers be loaded and used? <o:p>
</o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span style="color:red">Technically yes, but you'll not be
FIPS compliant unless you are
<b>extremely</b> careful.<br>
Which means talking to your FIPS labs and getting official
resolutions on the specifics.<br>
The OpenSSL developers are **<b>not</b>** FIPS experts.
Only a FIPS lab can definitively answer questions like
this.<br>
</span><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">4) Is it possible If i have built
openssl with no-module configure option (to
statically link legacy provider) and also wanted to
use openssl-3.0.8 built fips module here? If yes
then in what way can it be done?<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span style="color:red">Honestly not sure here. You <b>must</b>
load the FIPS provider dynamically to be compliant.<br>
If that's possible with the </span><span
style="font-family:"Courier New";color:red">no-module</span><span
style="color:red"> option, you should be okay. I suspect
it isn't. Try it and see.<br>
<br>
If you don't get a definitive result, this means talking
to your FIPS labs and getting official resolutions on the
specifics.<br>
The OpenSSL developers are **<b>not</b>** FIPS experts.
Only a FIPS lab can definitively answer questions like
this.<br>
</span><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">5) Is it possible to load
multiple providers like default, leacy and also fips
programmatically using OSSL_PROVIDER_load function
?<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span style="color:red">Absolutely it is possible. However,
meeting FIPS requirements afterwards could be problematic.<br>
This means talking to your FIPS labs and getting official
resolutions on the specifics.</span><br>
<span style="color:red">The OpenSSL developers are **<b>not</b>**
FIPS experts. Only a FIPS lab can definitively answer
questions like this.<br>
<br>
Having several library contexts with each having different
providers loaded might be a way to circumvent the strict
interpretation of the requirements. This means talking to
your FIPS labs and getting official resolutions on the
specifics.</span><br>
<span style="color:red">The OpenSSL developers are **<b>not</b>**
FIPS experts. Only a FIPS lab can definitively answer
questions like this.</span><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">6) When multiple providers like
for ex: FIPS and default provider are enabled and
when an encryption function is called, then
algorithm from which provider is picked(from my
findings it can use any of the loaded provider
implementations )? assumption that we have <b>not</b>
used property query string during algorithm fetches
to specify which implementation to be used.<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span style="color:red">The OpenSSL project <b>deliberately</b>
makes <b>no guarantee</b> about which provider is used in
such cases. It is deterministic currently, but there is
no guarantee that we'll not change the order of resolution
or making it randomly non-deterministic in any future
releases. Honestly, expect that <b>we will</b> make
changes to the resolution order in the future. Such a
change is not considered breaking and doesn't have to
adhere to our stable release policy.<br>
<br>
Our best recommendation is to not mix providers in library
contexts. Seek resolution from you FIPS lab.<br>
<br>
<br>
Dr Paul Dale</span><o:p></o:p></p>
</div>
</div>
<p>================================<br>
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue,
Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323<br>
Contact Customer Support:
<a class="moz-txt-link-freetext" href="https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport">https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport</a><br>
Unsubscribe from Marketing Messages/Manage Your Subscription
Preferences -
<a class="moz-txt-link-freetext" href="http://www.rocketsoftware.com/manage-your-email-preferences">http://www.rocketsoftware.com/manage-your-email-preferences</a><br>
Privacy Policy -
<a class="moz-txt-link-freetext" href="http://www.rocketsoftware.com/company/legal/privacy-policy">http://www.rocketsoftware.com/company/legal/privacy-policy</a><br>
================================ <br>
<br>
This communication and any attachments may contain confidential
information of Rocket Software, Inc. All unauthorized use,
disclosure or distribution is prohibited. If you are not the
intended recipient, please notify Rocket Software immediately
and destroy all copies of this communication. Thank you. <br>
</p>
</blockquote>
<br>
</body>
</html>