On 10/26/2016 04:37 PM, Eric Tremblay wrote: > Hi all,____ > > __ __ > > I have built the FIPS module into our Platform but I am stuck at the > point to enable it.____ > > __ __ > > We need FIPS to be enabled ? Platform wide ? not just for one > application.____ > > __ __ > > I have read the documentation and search on the web for answer but it > seem that I would have ____ > > to modify a package or write a small application just to enable FIPS.____ > > __ __ > > Is there another way to enable it on startup of Linux ? or maybe > something in OpenSSH ?____ > > __ __ > > I also read about the OPENSSL_Config in the User Guide but I?m not sure > if/who and how it is called.____ > > __ __ > > I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____ > > __ __ > > Thanks____ > > __ __ > > Eric > > > Hmmm ... where to start. First there is really no such thing as "enabling FIPS" for a platform. The FIPS module is executable code that runs in the context of a process, and to be righteous FIPS-wise each process (that uses cryptography) must invoke the FIPS_mode_set() call that performs the mandatory POST (Power Up Self Test). Note that is true even when the FIPS module is embedded in a shared library (the "FIPS enabled" OpenSSL), as each process using said shared library maps writable data into its own private address space. So to make the sweeping claim that a "platform" is FIPS enabled, you must make sure that *every* process for that platform enables FIPS mode via a FIPS_mode_set() call (whether directly or indirectly). Note that for your typical general purpose (e.g. Windows or Linux-like) operating system that is an essentially unachievable goal, as not all of the many crypto-using applications are readily converted to use the FIPS enabled OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise kernel-mode crypto can't be addressed with the OpenSSL FIPS module. For that reason the wise and prudent vendor does not attempt to "enable FIPS" for an entire platform (for Level 1 validations), but rather only makes claims about specific individual applications running on that platform. In the case where all processes of interest are compatible with the FIPS capable OpenSSL (specifically, not referencing any other crypto implementations, or non-approved cryptographic operations), then OPENSSL_config() can in principle be used to indirectly call FIPS_mode_set() for each such application. That is only *after* every such application/process has *first* been modified for compatibility with the FIPS capable OpenSSL. Very few applications not already designed to support the OpenSSL FIPS module will be compatible without some degree of modification. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
