Dr. Matthias St. Pierre <Matthias.St.Pierre@xxxxxxxxx> wrote: > On 05.03.2018 10:46, Alan Dean wrote: >> Question 1: Is it even feasible to make the FIPS mode always enabled >> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so > The optimal location for inserting the FIPS_mode_set(1) call is probably > OPENSSL_init() (openssl-1.0.2/crypto/o_fips.c), see code snippet below. > void OPENSSL_init(void) ... > However, I am sceptical whether this approach will be accepted, because > there are (at least) two potential problems: > * Normally, it is mandatory to check the result of FIPS_mode_set() or > FIPS_mode() to ensure that the FIPS initialization succeeded. However, > an application which is not FIPS-aware won't check the result. I think that Mr. Dean should check FIPS_mode_set() in OPENSSL_Init(), and should probably do something like core dump if it fails to turn on properly. Perhaps his system has a better way to get attention. > * It can happen that applications which have their own configuration and > enable/disable FIPS mode explicitely, call FIPS_mode_set(0) afterwards. That should probably also cause a core dump. Dr. Matthias St. Pierre <Matthias.St.Pierre@xxxxxxxxx> wrote: > One more obstacle: In FIPS mode it is not allowed to use low level > crypto algorithms, only the EVP interface is allowed. So most of your > non-fips-aware applications will malfunction when forced into FIPS mode. > The consequence is: it's probably not possible to do it. That should also cause a core dump. At the end, Mr. Dean will have a much reduced list of applications that he needs to either fix (sending patches upstream), or replace. And the core dumps will point directly into the application code that made the calls. -- Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works -= IPv6 IoT consulting =- -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [
Attachment:
signature.asc
Description: PGP signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users