Thanks for the reply. It really helps to use the FIPS lib.
I have another doubt regarding the HMAC stored in fipsinstall.conf. If someone modifies the FIPS library after installation and modifies the HMAC in fipsinstall.conf accordingly, is OpenSSL 3.0 able to identify this and fail the FIPS library loading?
Should fipsinstall.conf be protected from corruption or modification? If yes, is the current mechanism able to do that or not?
Regards
Manish
On Thu, 16 Jan 2020, 8:29 pm Matt Caswell, <matt@xxxxxxxxxxx> wrote:
On 14/01/2020 04:51, Manish Patidar wrote:
> Hi
>
> Can anyone guide me on how to use the FIPS API in OpenSSL?
>
> I tried to use it like below, but it always returns NULL.
>
> ctx = EVP_CIPHER_CTX_new() ;
> ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ;
>
> I am doubting fips provider is not loaded.
Right - the FIPS provider does not get loaded by default.
First set some environment variables which will make the whole process a
bit easier. The OpenSSL libraries read these to locate the various files:
export OPENSSL_CONF_INCLUDE=/path/to/include/dir
export OPENSSL_MODULES=/path/to/providers/dir
export OPENSSL_CONF=/path/to/fips.cnf
Next you will need to "install" the FIPS module. This will create a
fipsinstall.conf file:
openssl fipsinstall -out $OPENSSL_CONF_INCLUDE/fipsinstall.conf \
    -module $OPENSSL_MODULES/fips.so -provider_name fips \
    -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' \
    -section_name fips_sect
(Aside: probably we should do the above as part of "make install", but
we don't do that AFAIK at the moment)
Now create a config file to automatically load the FIPS module when
OpenSSL starts. Store it in the file pointed to by $OPENSSL_CONF
openssl_conf = openssl_init
.include fipsinstall.conf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
This will have the effect of automatically loading the FIPS provider
*and no others*. In this case you don't need the "fips=yes" in your
EVP_CIPHER_fetch() call because there are no other providers loaded
(although it does no harm).
Alternatively you can load both the default and FIPS providers at the
same time:
openssl_conf = openssl_init
.include fipsinstall.conf
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
fips = fips_sect
[default_sect]
activate = 1
In this case you will need to specify "fips=yes" in the fetch to
disambiguate which implementation you want.
Hope that helps,
Matt