Re: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



You aren't using the EVP_MD APIs to access MD5, you are bypassing the EVP layer and calling the low level function directly.  In OpenSSL 3.0, when using FIPS, you must only use the EVP APIs.
Anything else is non-compliant.  This is a change from the 1.0.2 compatible FOM.


Paul Dale


On 8/3/23 04:26, Prasad, PCRaghavendra via openssl-users wrote:

Hi Team,

 

Any help on this will be helpful

 

How to set fips enabled for the complete application (process/service) which is running.

I have provided all the samples which I have used for testing the same in the below mails

 

Thanks,

 

From: Prasad, PCRaghavendra
Sent: Tuesday, March 7, 2023 10:33 AM
To: openssl-users
Subject: RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

 

Any help/inputs on this will be really helpful, please

 

Thanks,

 

From: Prasad, PCRaghavendra
Sent: Tuesday, March 7, 2023 12:31 AM
To: openssl-users
Cc: Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath
Subject: RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

 

Hi Team,

 

Tried another approach by loading the required providers as mentioned in the docs.

The assumption was that the highlighted line in the code will fail when the FIPS provider is enabled.

 

At the beginning of the application fips provider are enabled and in between code will take care of any non-approved algorithms (like MD5)

And at the end unloading the providers. This is our understanding.

 

Please let us know if any settings are missing here or if something else needed to be added to the code/config file.

 

Openssl.cnf

=========

.include c:\\usr\\local\\ssl\\fipsmodule.cnf

 

[openssl_init]

providers = provider_sect

#alg_section = algorithm_sect

 

# List of providers to load

[provider_sect]

default = default_sect

# The fips section name should match the section name inside the

# included fipsmodule.cnf.

fips = fips_sect

#base = base_sect

 

# If no providers are activated explicitly, the default one is activated implicitly.

# See man 7 OSSL_PROVIDER-default for more details.

#

# If you add a section explicitly activating any other provider(s), you most

# probably need to explicitly activate the default provider, otherwise it

# becomes unavailable in openssl.  As a consequence applications depending on

# OpenSSL may not work correctly which could lead to significant system

# problems including inability to remotely access the system.

[default_sect]

activate = 0

 

[base_sect]

activate = 1

 

[algorithm_sect]

default_properties = fips=yes

 

#include <Windows.h>

#include <stdio.h>

#include <openssl/provider.h>

#include "openssl/md5.h"

 

C sample code

===========

 

int main(void)

{

    OSSL_PROVIDER* fips;

    OSSL_PROVIDER* base;

 

    fips = OSSL_PROVIDER_load(NULL, "fips");

    if (fips == NULL) {

        printf("Failed to load FIPS provider\n");

        exit(EXIT_FAILURE);

    }

 

    printf("Success to load FIPS provider\n");

 

    base = OSSL_PROVIDER_load(NULL, "base");

    if (base == NULL) {

        OSSL_PROVIDER_unload(fips);

        printf("Failed to load base provider\n");

        exit(EXIT_FAILURE);

    }

 

    printf("Success to load base provider\n");

 

    /* Rest of application */

 

    unsigned char* Temp = NULL;

    Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL);

    printf(Temp);

    printf("\n");

 

    OSSL_PROVIDER_unload(base);

    OSSL_PROVIDER_unload(fips);

    exit(EXIT_SUCCESS);

}

 

Output

======

C:\Work\OpenSSL3.x\TEST>test_provider.exe

Success to load FIPS provider

Success to load base provider

pá«í╤δÅ9¥ê₧IδH*

 

 

Internal Use - Confidential

From: Prasad, PCRaghavendra
Sent: Monday, March 6, 2023 8:37 PM
To: openssl-users
Cc: Ds, Pradeep Kumar; Kuppam, Pradeep
Subject: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

 

Hi Dr. Paul/Team,

 

We are following the OpenSSL org docs to enable the fips programmatically \.

 

With our understanding and refereeing multiple docs, we came up with the following code.

 

Initially, we wanted to check the fips enablement from the C code then we wanted to check with Python as our application is completely in Python.

 

Query:

               How can we enable fips programmatically for the entire application, meaning just like fips_mode_set(1) in previous OpenSSL releases which will make the complete application run in the fips mode?

In OpenSSL 3.0.x how can we make the application level ( process level ) to be in FIPS compliance? In our example, we used the context for FIPS and for default. How this FIPS context can be applied to the entire application?

Is there a way to do this? Can you please provide some input on this, please let us know if we are doing something wrong here.

 

Providing the complete information from our system which is done till now to enable the fips programmatically.

 

Steps:

  • Installed/Built OpenSSL 3.0.8 version on windows by following the doc

c:\usr\local\ssl\bin>openssl.exe version -v

OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

  • Openssl and fipsmodule cnf files are available at the installed location.
  • Contents of OpenSSL.cnf

====

[openssl_init]

providers = provider_sect

alg_section = algorithm_sect

 

# List of providers to load

[provider_sect]

default = default_sect

# The fips section name should match the section name inside the

# included fipsmodule.cnf.

fips = fips_sect

#base = base_sect

 

# If no providers are activated explicitly, the default one is activated implicitly.

# See man 7 OSSL_PROVIDER-default for more details.

#

# If you add a section explicitly activating any other provider(s), you most

# probably need to explicitly activate the default provider, otherwise it

# becomes unavailable in openssl.  As a consequence applications depending on

# OpenSSL may not work correctly which could lead to significant system

# problems including inability to remotely access the system.

[default_sect]

activate = 0

 

[base_sect]

activate = 1

 

[algorithm_sect]

default_properties = fips=yes

==========

  • Contents of the fipsmodule cnf file

[fips_sect]

activate = 1

conditional-errors = 1

security-checks = 1

module-mac = 53:C8.xxx

 

  • C code to invoke programmatically

 

#include <Windows.h>

#include <stdio.h>

#include "openssl/types.h"

#include "openssl/crypto.h"

#include "openssl/md5.h"

 

int main()

{

               printf("hello\n");

               OSSL_LIB_CTX* fips_libctx, * nonfips_libctx;

               printf("good\n");

 

               OSSL_PROVIDER* defctxnull = NULL;

               EVP_MD* fipssha256 = NULL, * nonfipssha256 = NULL, * fipsmd5 = NULL, * fipssha1 = NULL;

               int ret = 1;

 

               /*

               * Create two nondefault library contexts. One for fips usage and

               * one for non-fips usage

               */

               fips_libctx = OSSL_LIB_CTX_new();

               nonfips_libctx = OSSL_LIB_CTX_new();

               if (fips_libctx == NULL || nonfips_libctx == NULL)

                              printf("null \n");

 

 

               /* Prevent anything from using the default library context */

               defctxnull = OSSL_PROVIDER_load(NULL, "null");

 

               /*

               * Load config file for the FIPS library context. We assume that

               * this config file will automatically activate the FIPS and base

               * providers so we don't need to explicitly load them here.

               */

               if (!OSSL_LIB_CTX_load_config(fips_libctx, "c:\\usr\\local\\ssl\\openssl.cnf"))

                              printf("err OSSL_LIB_CTX_load_config\n ");

 

               /*

               * We don't need to do anything special to load the default

               * provider into nonfips_libctx. This happens automatically if no

               * other providers are loaded.

               * Because we don't call OSSL_LIB_CTX_load_config() explicitly for

               * nonfips_libctx it will just use the default config file.

               */

 

               /* As an example get some digests */

 

               /* Get a FIPS validated digest */

               fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);

               if (fipssha256 == NULL)

                              printf("err fipssha256 \n");

 

               fipssha1 = EVP_MD_fetch(fips_libctx, "SHA1", NULL);

               if (fipssha1 == NULL)

                              printf("err fipssha1 \n");

 

               fipsmd5 = EVP_MD_fetch(fips_libctx, "MD5", NULL); -- This is throwing error w.r.t context which is expected

               if (fipsmd5 == NULL)

                              printf("err fipsmd5 \n");

 

               /* Get a non-FIPS validated digest */

               nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);

               if (nonfipssha256 == NULL)

                              printf("err nonfipssha256 \n");

 

               unsigned char* Temp = NULL;

               Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL); -- This is working fine

               printf(Temp);

               printf("\n");

 

               /* Use the digests */

 

               printf("Success\n");

               ret = 0;

}

 

 

Thanks in advance

 

Thanks,

Raghavendra

 

Internal Use - Confidential



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux