Hi Team, Any help on this will be helpful How to set fips enabled for the complete application (process/service) which is running. I have provided all the samples which I have used for testing the same in the below mails Thanks, From: Prasad, PCRaghavendra Any help/inputs on this will be really helpful, please Thanks, From: Prasad, PCRaghavendra Hi Team, Tried another approach by loading the required providers as mentioned in the docs. The assumption was that the highlighted line in the code will fail when the FIPS provider is enabled. At the beginning of the application fips provider are enabled and in between code will take care of any non-approved algorithms (like MD5) And at the end unloading the providers. This is our understanding. Please let us know if any settings are missing here or if something else needed to be added to the code/config file. Openssl.cnf ========= .include c:\\usr\\local\\ssl\\fipsmodule.cnf [openssl_init] providers = provider_sect #alg_section = algorithm_sect # List of providers to load [provider_sect] default = default_sect # The fips section name should match the section name inside the # included fipsmodule.cnf. fips = fips_sect #base = base_sect # If no providers are activated explicitly, the default one is activated implicitly. # See man 7 OSSL_PROVIDER-default for more details. # # If you add a section explicitly activating any other provider(s), you most # probably need to explicitly activate the default provider, otherwise it # becomes unavailable in openssl. As a consequence applications depending on # OpenSSL may not work correctly which could lead to significant system # problems including inability to remotely access the system. [default_sect] activate = 0 [base_sect] activate = 1 [algorithm_sect] default_properties = fips=yes #include <Windows.h> #include <stdio.h> #include <openssl/provider.h> #include "openssl/md5.h" C sample code =========== int main(void) { OSSL_PROVIDER* fips; OSSL_PROVIDER* base; fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips == NULL) { printf("Failed to load FIPS provider\n"); exit(EXIT_FAILURE); } printf("Success to load FIPS provider\n"); base = OSSL_PROVIDER_load(NULL, "base"); if (base == NULL) { OSSL_PROVIDER_unload(fips); printf("Failed to load base provider\n"); exit(EXIT_FAILURE); } printf("Success to load base provider\n"); /* Rest of application */ unsigned char* Temp = NULL;
Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL); printf(Temp); printf("\n"); OSSL_PROVIDER_unload(base); OSSL_PROVIDER_unload(fips); exit(EXIT_SUCCESS); } Output ====== C:\Work\OpenSSL3.x\TEST>test_provider.exe Success to load FIPS provider Success to load base provider pá«í╤δ░Å9¥ê₧IδH* From: Prasad, PCRaghavendra Hi Dr. Paul/Team, We are following the OpenSSL org docs to enable the fips programmatically \. With our understanding and refereeing multiple docs, we came up with the following code. Initially, we wanted to check the fips enablement from the
C code then we wanted to check with Python as our application is completely in Python. Query: How can we enable fips programmatically for the entire application, meaning just like
fips_mode_set(1) in previous OpenSSL releases which will make the complete application run in the fips mode? In OpenSSL 3.0.x how can we make the application level ( process level ) to be in FIPS compliance? In our example, we used the context for FIPS and for default. How this FIPS context can be applied to the entire application? Is there a way to do this? Can you please provide some input on this, please let us know if we are doing something wrong here. Providing the complete information from our system which is done till now to enable the fips programmatically. Steps:
c:\usr\local\ssl\bin>openssl.exe version -v OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
==== [openssl_init] providers = provider_sect alg_section = algorithm_sect # List of providers to load [provider_sect] default = default_sect # The fips section name should match the section name inside the # included fipsmodule.cnf. fips = fips_sect #base = base_sect # If no providers are activated explicitly, the default one is activated implicitly. # See man 7 OSSL_PROVIDER-default for more details. # # If you add a section explicitly activating any other provider(s), you most # probably need to explicitly activate the default provider, otherwise it # becomes unavailable in openssl. As a consequence applications depending on # OpenSSL may not work correctly which could lead to significant system # problems including inability to remotely access the system. [default_sect] activate = 0 [base_sect] activate = 1 [algorithm_sect] default_properties = fips=yes ==========
[fips_sect] activate = 1 conditional-errors = 1 security-checks = 1 module-mac = 53:C8.xxx
#include
<Windows.h> #include
<stdio.h> #include
"openssl/types.h" #include
"openssl/crypto.h" #include
"openssl/md5.h" int main() { printf("hello\n"); OSSL_LIB_CTX* fips_libctx, * nonfips_libctx; printf("good\n"); OSSL_PROVIDER* defctxnull = NULL; EVP_MD* fipssha256 = NULL, * nonfipssha256 = NULL, * fipsmd5 = NULL, * fipssha1 = NULL; int ret = 1; /* * Create two nondefault library contexts. One for fips usage and * one for non-fips usage */ fips_libctx = OSSL_LIB_CTX_new(); nonfips_libctx = OSSL_LIB_CTX_new(); if (fips_libctx == NULL || nonfips_libctx == NULL) printf("null \n"); /* Prevent anything from using the default library context */ defctxnull = OSSL_PROVIDER_load(NULL, "null"); /* * Load config file for the FIPS library context. We assume that * this config file will automatically activate the FIPS and base * providers so we don't need to explicitly load them here. */ if (!OSSL_LIB_CTX_load_config(fips_libctx, "c:\\usr\\local\\ssl\\openssl.cnf")) printf("err OSSL_LIB_CTX_load_config\n "); /* * We don't need to do anything special to load the default * provider into nonfips_libctx. This happens automatically if no * other providers are loaded. * Because we don't call OSSL_LIB_CTX_load_config() explicitly for * nonfips_libctx it will just use the default config file. */ /* As an example get some digests */ /* Get a FIPS validated digest */ fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL); if (fipssha256 == NULL) printf("err fipssha256 \n"); fipssha1 = EVP_MD_fetch(fips_libctx, "SHA1", NULL); if (fipssha1 == NULL) printf("err fipssha1 \n");
fipsmd5 = EVP_MD_fetch(fips_libctx, "MD5", NULL); -- This is throwing error w.r.t context which is expected if (fipsmd5 == NULL) printf("err fipsmd5 \n"); /* Get a non-FIPS validated digest */ nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL); if (nonfipssha256 == NULL) printf("err nonfipssha256 \n"); unsigned char* Temp = NULL;
Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL);
-- This is working fine printf(Temp); printf("\n"); /* Use the digests */ printf("Success\n"); ret = 0; } Thanks in advance Thanks, Raghavendra |