|
Thanks Matt. I actually had this working (loading the fips_libctx using the *load_config() API) but I was hitting other issues and thought I was doing something wrong (more on that later).
So to review, I have my own config file, /usr/local/ssl/openssl-fips, with the relevant contents(some comments snipped):
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect
base = base_sect
[default_sect]
# activate = 1
[base_sect]
activate = 1
And then fipsmodule.cnf contains:
[fips_sect]
activate = 1
conditional-errors = 1
security-checks = 1
module-mac = E4:0D:C8:C3:1E:DB:2B:30:E6:F2:49:7B:F5:BD:10:5C:9A:2B:CC:C1:33:49:31:B5:C5:AF:50:AB:82:1E:AE:C9
By activating the fips and base providers via config, my application then calls:
OSSL_LIB_CTX_load_config(fips_libctx, "/usr/local/ssl/openssl-fips.cnf");
Which loads the "fips" and "base" providers in the fips_libctx, which I verify with:
OSSL_PROVIDER_available(fips_libctx, "fips");
and
OSSL_PROVIDER_available(fips_libctx, "base")
...and both are available.
However, remember I am trying to create two non-default library contexts (from earlier code):
fips_libctx = OSSL_LIB_CTX_new();
non_fips_libctx = OSSL_LIB_CTX_new();
Again, I think I have what I need for the fibs_libctx. For the non_fips_libctx, I'm calling:
defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
nullp = OSSL_PROVIDER_load(NULL, "null");
A call to OSSL_PROVIDER_available() says the "default" provider is available; however, I'm wondering if I should be loading the default provider via *load_config() as well? I would have to uncomment the "activate = 1" in the default section of my config though.
I also still have this in my code:
/* Disallow falling back to the default library context */
But not sure it's having any affect?
I do know that later in my application, both in "FIPS" or "non-FIPS" mode, I can create an SSL_CTX with SSL_CTX_new_ex(). I also successfully call several APIs using both the fips_libctx or the non_fips_libctx, for example:
status = SSL_CTX_use_PrivateKey_file(ctx,<file>,SSL_FILETYPE_PEM); status = SSL_CTX_use_certificate_file(ctx,<file>,SSL_FILETYPE_PEM); status = SSL_CTX_check_private_key(ctx);
All return successfully. So I think what I have between configuration files and API calls accomplishes what I need to. Would anyone reading this agree?
I'm running into another issue that I need to troubleshoot a bit more before I add too much information and too many questions to a single message.
Thanks to everyone for their help with this, things are starting to make more sense now.
From: Matt Caswell <matt@xxxxxxxxxxx>
Sent: Thursday, October 28, 2021 7:39 AM To: Jason Schultz <jetson23@xxxxxxxxxxx>; Dr Paul Dale <pauli@xxxxxxxxxxx>; openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx> Subject: Re: OpenSSL 3.0 FIPS questions On 27/10/2021 17:28, Jason Schultz wrote: > With these config files and the code above, the > OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the > messages from the ERR_print_errors_fp() call: > > 2097C692B57F0000:error:1C8000D5:Provider routines:(unknown > function):missing config data:providers/fips/self_test.c:289: > 2097C692B57F0000:error:1C8000E0:Provider routines:(unknown > function):fips module entering error state:providers/fips/self_test.c:387: > 2097C692B57F0000:error:1C8000D8:Provider routines:(unknown > function):self test post failure:providers/fips/fipsprov.c:706: > 2097C692B57F0000:error:078C0105:common libcrypto routines:(unknown > function):init fail:crypto/provider_core.c:903:name=fips This tells us that the fips provider has successfully loaded, but then subsequently failed during its self-test because it cannot find its config data. I can see that you have created a separate libctx for fips. However automatic loading of the config file only works for the *default* libctx. If you create your own one then you need to explicitly load the config file: if (!OSSL_LIB_CTX_load_config(fips_libtx, "/usr/local/ssl/openssl.cnf")) { /* error handling */ } Actually if you do this then you should not need to call OSSL_PROVIDER_load() explicitly to load the fips provider since you already activated it in the config file. You can either drop the explicit call to OSSL_PROVIDER_load() for the fips provider, or remove the "activate = 1" line in "fips_sect" in fipsmodule.cnf. This is just a minor optimisation though. Doing both is redundant but harmless. You could also load the base provider via config if you wanted to. Matt |
