FIPS and default properties

Thomas Dwyer III
I'm struggling to understand how EVP_default_properties_is_fips_enabled() works. I cannot get this function to return nonzero unless I first call either EVP_default_properties_enable_fips() or EVP_set_default_properties(), even when the config file sets default_properties to enable fips.

Also, the return value of this function doesn't seem to have any effect on which provider gets selected (which I think is what issue #11594 describes?).

My config file has the following:

[openssl_init]
providers = provider_sect
alg_section = alg_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[alg_sect]
default_properties = fips=yes

.include /path/to/fips.cnf

I understand this to mean both the default provider and the fips provider will be loaded into the default context, and both of these providers will be activated. I also see that:

EVP_MD_fetch(NULL, "sha256", NULL);

returns a pointer which EVP_MD_provider() confirms as being from the fips provider (as expected). Changing this to "fips=no" in the config file results in EVP_MD_fetch() returning EVP_MD from the default provider, again as expected. However, in both cases, EVP_default_properties_is_fips_enabled() always returns zero. I don't see anything in #11594 that would explain this.

Calling EVP_default_properties_enable_fips(NULL, 1) results in EVP_default_properties_is_fips_enabled() returning 1, but this does not appear to override the fips=no from the config file during EVP_MD_fetch() (which is what I believe #11594 describes).

Is the result of EVP_default_properties_is_fips_enabled() supposed to take into account the default properties specified in the config file? I don't see it doing that. Also, regarding #11594, if default properties are currently still broken, why do those in the config appear to work properly?

And finally the burning question: Any ETA on a fix? :-) :-) :-)


Thanks,
Tom.III
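As an added illustration, not code from this thread or from OpenSSL itself: a small self-contained C model of how an OpenSSL 3 property query such as fips=yes chooses between the default provider's and the FIPS provider's SHA-256 implementation, how a fetch-time query string is combined with the default_properties value from the config, and what EVP_default_properties_is_fips_enabled() would be expected to report from that same default query. The implementation property strings ("provider=default" and "provider=fips,fips=yes"), the rule that a property absent from a definition counts as "no", and the rule that the fetch-time query overrides the default query on conflict are my reading of the property(7) manual, and the function names are stand-ins rather than OpenSSL's API.

```c
/* Constructed model of OpenSSL 3 property-query matching (added example,
 * not OpenSSL's code). Property strings and rules below are assumptions
 * taken from the property(7) documentation. */
#include <stdio.h>
#include <string.h>

#define MAX_PROPS 8

typedef struct { char name[16]; char value[16]; } prop;
typedef struct { prop p[MAX_PROPS]; int n; } proplist;

/* Parse "name=value,name=value" into a list; returns 0 on malformed input. */
static int parse_props(const char *s, proplist *out)
{
    out->n = 0;
    while (*s != '\0') {
        const char *eq = strchr(s, '=');
        const char *end = strchr(s, ',');
        size_t nlen, vlen;
        if (end == NULL) end = s + strlen(s);
        if (eq == NULL || eq >= end || out->n == MAX_PROPS) return 0;
        nlen = (size_t)(eq - s);
        vlen = (size_t)(end - eq - 1);
        if (nlen == 0 || nlen >= sizeof out->p[0].name
            || vlen >= sizeof out->p[0].value) return 0;
        memcpy(out->p[out->n].name, s, nlen);
        out->p[out->n].name[nlen] = '\0';
        memcpy(out->p[out->n].value, eq + 1, vlen);
        out->p[out->n].value[vlen] = '\0';
        out->n++;
        s = (*end == ',') ? end + 1 : end;
    }
    return 1;
}

static const char *lookup(const proplist *pl, const char *name)
{
    for (int i = 0; i < pl->n; i++)
        if (strcmp(pl->p[i].name, name) == 0) return pl->p[i].value;
    return NULL;
}

/* Every query property must be satisfied by the definition. A property the
 * definition does not mention is treated as having the value "no", which is
 * why "fips=no" can match an implementation that never says "fips" at all. */
static int matches(const proplist *query, const proplist *defn)
{
    for (int i = 0; i < query->n; i++) {
        const char *have = lookup(defn, query->p[i].name);
        if (have == NULL) have = "no";
        if (strcmp(have, query->p[i].value) != 0) return 0;
    }
    return 1;
}

/* Fetch-time query wins over the default query for the same property name;
 * default properties that the fetch query does not mention are carried over. */
static proplist merge(const proplist *fetch, const proplist *deflt)
{
    proplist out = *fetch;
    for (int i = 0; i < deflt->n && out.n < MAX_PROPS; i++)
        if (lookup(fetch, deflt->p[i].name) == NULL)
            out.p[out.n++] = deflt->p[i];
    return out;
}

/* Assumed implementation property definitions for SHA-256 in each provider. */
typedef struct { const char *provider; const char *defn; } impl;
static const impl sha256_impls[] = {
    { "default", "provider=default" },
    { "fips",    "provider=fips,fips=yes" },
};

/* Stand-in for EVP_MD_fetch(NULL, "sha256", propq) with a default query
 * already set (e.g. from default_properties in the config). Returns the name
 * of the provider whose implementation is selected, or NULL if none match. */
static const char *fetch_sha256(const char *default_propq, const char *propq)
{
    proplist d, q, merged, defn;
    if (!parse_props(default_propq ? default_propq : "", &d)) return NULL;
    if (!parse_props(propq ? propq : "", &q)) return NULL;
    merged = merge(&q, &d);
    for (size_t i = 0; i < sizeof sha256_impls / sizeof sha256_impls[0]; i++)
        if (parse_props(sha256_impls[i].defn, &defn) && matches(&merged, &defn))
            return sha256_impls[i].provider;
    return NULL;
}

/* Stand-in for EVP_default_properties_is_fips_enabled(): reports whether the
 * default query, wherever it came from, contains fips=yes. */
static int default_is_fips_enabled(const char *default_propq)
{
    proplist d;
    const char *v;
    if (!parse_props(default_propq ? default_propq : "", &d)) return 0;
    v = lookup(&d, "fips");
    return v != NULL && strcmp(v, "yes") == 0;
}

int main(void)
{
    printf("default fips=yes -> %s (is_fips_enabled=%d)\n",
           fetch_sha256("fips=yes", NULL), default_is_fips_enabled("fips=yes"));
    printf("default fips=no  -> %s (is_fips_enabled=%d)\n",
           fetch_sha256("fips=no", NULL), default_is_fips_enabled("fips=no"));
    printf("default fips=no, fetch fips=yes -> %s\n",
           fetch_sha256("fips=no", "fips=yes"));
    return 0;
}
```

In this model a default query of fips=no selects the default provider's SHA-256 only because that implementation's definition never mentions fips, and the absent property counts as "no"; this is the selection behaviour described above for the two config settings. The model's is_fips_enabled check reads the very same default query that drives selection, so with fips=yes in the default query it reports 1. That is the coupling the question above is asking about.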

Re: FIPS and default properties

Matt Caswell-2


On 31/07/2020 00:12, Thomas Dwyer III wrote:
> Is the result of EVP_default_properties_is_fips_enabled() supposed to
> take into account the default properties specified in the config file? I
> don't see it doing that. Also, regarding #11594, if default properties
> are currently still broken, why do those in the config appear to work
> properly?

EVP_default_is_fips_enabled() is supposed to take into account the
default properties specified in the config file, so it sounds like you
may have encountered a bug. I've raised this issue here:

https://github.com/openssl/openssl/issues/12565

Matt

>
> And finally the burning question: Any ETA on a fix? :-) :-) :-)
>
>
> Thanks,
> Tom.III
>