On 26/10/2021 20:17, Jason Schultz wrote:
Thanks for all of the help so far. Unfortunately, I'm still struggling
with this. There could be a number of issues, starting with the
installation of OpenSSL. I basically followed the documentation and did
the following:
./Configure enable-fips
make
make test
make install
The "make test" actually fails, but I did not troubleshoot as it seems
like a lot of systems have issues here. But I know the .so produced when
I build my application is linking to the correct OpenSSL libraries
(libssl.so.3 and libcrypto.so.3). Checking the OpenSSL version shows 3.0.
I've tried a number of combinations trying to make this work, starting
with the code from Dr. Paul Dale in a previous message:
fips_libctx = OSSL_LIB_CTX_new();
if (!fips_libctx)
// error handling
non_fips_libctx = OSSL_LIB_CTX_new();
if (!non_fips_libctx)
// error handling
fipsp = OSSL_PROVIDER_load(fips_libctx, "fips");
if (fipsp == NULL)
{
/* error handling */
}
basep = OSSL_PROVIDER_load(fips_libctx, "base");
if (basep == NULL)
{
/* error handling */
}
defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
if (defp == NULL)
{
/* error handling */
}
/* Disallow falling back to the default library context */
nullp = OSSL_PROVIDER_load(NULL, "null");
if (nullp == NULL)
{
/*error handling */
}
With the code like the above, the OSSL_PROVIDER_load() calls fails for
fips. If I try to use the fips_libctx in SSL_CTX_new_ex(), it fails and
returns NULL, which is probably expected given the fips provider didn't
load.
At that point, I wasn't sure if my application was using the (correct)
config file in /usr/local/ssl/. I don't have any environment variables
set up, and would prefer not to have to set any to get this to work. So
I changed the provider load for FIPS to use OSSL_LIB_CTX_load_config():
if (!OSSL_LIB_CTX_load_config(fips_libctx,
"/usr/local/ssl/openssl-fips.cnf"))
What is in the /usr/local/ssl/openssl-fips.cnf config file?
Does the config file attempt to activate the FIPS provider itself? Does
it supply the necessary FIPS provider config parameters?
Typically the config file has a ".include" directive in it which
includes the necessary FIPS config params. That included file will look
something like this:
$ cat fipsmodule.cnf
[fips_sect]
activate = 1
conditional-errors = 1
security-checks = 1
module-mac =
95:06:06:D1:85:17:92:F6:7B:7D:C2:43:36:A4:59:5D:75:6F:39:E6:13:0B:4B:26:5A:1B:48:78:33:5B:BE:F0
Most likely what is happening is that the FIPS provider is failing to
load. Either because it cannot find the fips.so file, or because the
necessary FIPS config parameters above are not found or not correct.
You can test whether a provider is actually available for use or not
using the OSSL_PROVIDER_available() function call. E.g.:
if (!OSSL_PROVIDER_available(fips_libctx, "fips")) {
/* error handling */
}
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER_available.html
If things are failing then you might find it helpful to dump the OpenSSL
error stack to try and get some clues as to what the problem might be, e.g.
ERR_print_errors_fp(stdout);
https://www.openssl.org/docs/man3.0/man3/ERR_print_errors_fp.html
Matt
