FIPS mode on Windows

FIPS mode on Windows

OpenSSL - User mailing list
I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS mode (FIPS_mode_set(1)) if the FIPS registry entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is set to 1?

This is to emulate the Linux behavior - if I understand correctly, if Linux is configured for FIPS mode, OpenSSL automatically enables FIPS mode.

Thanks in advance,
Alessandro

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: FIPS mode on Windows

Hubert Kario
On Thursday, 6 September 2018 04:18:38 CEST Alessandro Gherardi via openssl-users wrote:
> I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS
> mode (FIPS_mode_set(1)) if the FIPS registry entry
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled
> is set to 1?
>
> This is to emulate the Linux behavior - if I understand correctly, if Linux
> is configured for FIPS mode, OpenSSL automatically enables FIPS mode.
>
> Thanks in advance,
> Alessandro

putting the Linux kernel into fips mode (adding `fips=1` to the kernel command
line) does not necessarily put the whole system (and thus OpenSSL) into fips mode

please check the module's Security Policy on the NIST Cryptographic Module
Validation Program website to find the authoritative instructions on how to
ensure FIPS mandated behaviour of the module
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Re: FIPS mode on Windows

Alessandro Gherardi
Thank you for your reply.


"The Module requires an initialization sequence (see IG 9.5): the calling application invokes FIPS_mode_set(), which returns a “1” for success and “0” for failure.  If FIPS_mode_set() fails then all cryptographic services fail from then on.  The application can test to see if FIPS  mode has been successfully performed."

Therefore, for OpenSSL to switch to FIPS mode, it is required that the application call FIPS_mode_set(1).

Can you please confirm that my understanding is now correct?




Re: FIPS mode on Windows

Hubert Kario
On Friday, 7 September 2018 16:18:48 CEST Alessandro Gherardi wrote:

> Thank you for your reply.
> Looking at the OpenSSL FIPS Security Policy
> https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1747.pdf,
> I see the following statement:
>
> "The Module requires an initialization sequence (see IG 9.5): the calling
> application invokes FIPS_mode_set(), which returns a “1” for success and “0”
> for failure.  If FIPS_mode_set() fails then all cryptographic services fail
> from then on.  The application can test to see if FIPS mode has been
> successfully performed."
>
> Therefore, for OpenSSL to switch to FIPS mode, it is required that the
> application call FIPS_mode_set(1). Can you please confirm that my
> understanding is now correct?

If you are using that specific openssl module, then yes, you have to manually
call FIPS_mode_set() from application code.

But please note that's not the only openssl FIPS module in existence, and
other modules may behave differently (I know that some not only _may_ , but
_will_ behave differently).

Sorry for being vague, but you have not provided any information about what
versions you are actually running, on what versions of OS, how you acquired them, etc.
All of which has quite significant impact on FIPS-worthiness of any particular
module. Also, to make matters worse (more confusing), software package version
is not the same thing as FIPS module version.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Re: FIPS mode on Windows

Alessandro Gherardi
I'm running Windows 10.

I downloaded the FIPS module sources from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the OpenSSL sources from https://www.openssl.org/source/openssl-1.0.2p.tar.gz .

I built both FIPS module and OpenSSL (following the instructions at https://www.openssl.org/docs/fips/UserGuide-2.0.pdf to make sure OpenSSL uses the FIPS module) using Visual Studio.

> But please note that's not the only openssl FIPS module in existence

I wasn't aware that other OpenSSL FIPS modules exist. Are those modules also opensource? Are they all FIPS-certified? Do you have a recommendation for which one is the "best" to use?

Thanks again,
Alessandro


Re: FIPS mode on Windows

Hubert Kario
On Friday, 7 September 2018 20:18:38 CEST Alessandro Gherardi wrote:
> I'm running Windows 10.
> I downloaded the FIPS module sources
> from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the
> OpenSSL sources from https://www.openssl.org/source/openssl-1.0.2p.tar.gz .
> I built both FIPS module and OpenSSL (following the instructions
> at https://www.openssl.org/docs/fips/UserGuide-2.0.pdf to make sure OpenSSL
> uses the FIPS module) using Visual Studio.

then that does sound like it does match the policy

>  > But please note that's not the only openssl FIPS module in existence
>
> I wasn't aware that other OpenSSL FIPS modules exist. Are those modules also
> opensource? Are they all FIPS-certified? Do you have a recommendation for
> which one is the "best" to use?

the one we use in RHEL packages is different, and it is, of course, open
source

I wouldn't say that there is a "best" one, if it does match your requirements,
it should be good enough.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
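
An added example, not code from the thread or from the OpenSSL project: an application that reads the `FipsAlgorithmPolicy\Enabled` value discussed above and calls `FIPS_mode_set(1)` itself, refusing to continue if the call fails. It assumes a FIPS-capable OpenSSL 1.0.2 build on Windows; `apply_fips_policy`, `read_windows_fips_policy` and the `stub_*` functions are hypothetical names.

```c
/* Added example: honour the Windows FIPS policy key by calling
 * FIPS_mode_set(1) from the application and failing closed on error.
 * apply_fips_policy() and the stub_* functions are names made up here. */
#include <stdio.h>
#include <stdlib.h>

typedef int (*fips_set_fn)(int);   /* same shape as FIPS_mode_set() */

enum fips_result { FIPS_NOT_REQUESTED = 0, FIPS_ON = 1, FIPS_FAILED = -1 };

/* policy_enabled: non-zero when ...\FipsAlgorithmPolicy\Enabled is set. */
enum fips_result apply_fips_policy(int policy_enabled, fips_set_fn set_mode)
{
    if (!policy_enabled)
        return FIPS_NOT_REQUESTED;
    /* Per the Security Policy quoted above: 1 = success, 0 = failure. */
    return set_mode(1) == 1 ? FIPS_ON : FIPS_FAILED;
}

/* Constructed stand-ins for FIPS_mode_set(), used to exercise the logic
 * on a machine without the FIPS module. */
int stub_calls;
int stub_fips_ok(int on)   { stub_calls++; return on == 1; }
int stub_fips_fail(int on) { (void)on; stub_calls++; return 0; }

#ifdef _WIN32
#include <windows.h>
#include <openssl/crypto.h>   /* FIPS_mode_set() in a FIPS-capable 1.0.2 build */

static int read_windows_fips_policy(void)
{
    DWORD val = 0, len = sizeof(val);
    LONG rc = RegGetValueA(HKEY_LOCAL_MACHINE,
        "System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "Enabled", RRF_RT_REG_DWORD, NULL, &val, &len);
    return rc == ERROR_SUCCESS && val != 0;   /* missing value: not enabled */
}

int main(void)
{
    switch (apply_fips_policy(read_windows_fips_policy(), FIPS_mode_set)) {
    case FIPS_ON:            puts("FIPS mode enabled"); break;
    case FIPS_NOT_REQUESTED: puts("policy not set, FIPS mode left off"); break;
    case FIPS_FAILED:        /* do not continue with crypto after a failure */
        fputs("FIPS_mode_set(1) failed\n", stderr);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
#endif
```

The Windows part links against `advapi32` and the FIPS-capable `libeay32`; on other platforms only the decision logic and the stubs are compiled.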