Using EVP api in fips mode (openssl3.0)


Using EVP api in fips mode (openssl3.0)

Manish Patidar
Hi

Can anyone guide me on how to use the FIPS API in OpenSSL?

I tried to use it like below, but it always returns NULL.

#include <openssl/evp.h>

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_CIPHER *ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes");

I suspect the FIPS provider is not loaded.


Regards 
Manish

Re: Using EVP api in fips mode (openssl3.0)

Matt Caswell-2


On 14/01/2020 04:51, Manish Patidar wrote:

> Hi
>
> Can anyone guide me on how to use the FIPS API in OpenSSL?
>
> I tried to use it like below, but it always returns NULL.
>
> #include <openssl/evp.h>
>
> EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
> EVP_CIPHER *ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes");
>
> I suspect the FIPS provider is not loaded.


Right - the FIPS provider does not get loaded by default.

First set some environment variables which will make the whole process a
bit easier. The OpenSSL libraries read these to locate the various files:

export OPENSSL_CONF_INCLUDE=/path/to/include/dir
export OPENSSL_MODULES=/path/to/providers/dir
export OPENSSL_CONF=/path/to/fips.cnf

Next you will need to "install" the FIPS module. This will create a
fipsinstall.conf file:

openssl fipsinstall -out $OPENSSL_CONF_INCLUDE/fipsinstall.conf \
    -module $OPENSSL_MODULES/fips.so -provider_name fips \
    -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' \
    -section_name fips_sect

(Aside: probably we should do the above as part of "make install", but
we don't do that AFAIK at the moment)

Now create a config file to automatically load the FIPS module when
OpenSSL starts. Store it in the file pointed to by $OPENSSL_CONF:

openssl_conf = openssl_init

.include fipsinstall.conf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect


This will have the effect of automatically loading the FIPS provider
*and no others*. In this case you don't need the "fips=yes" in your
EVP_CIPHER_fetch() call because there are no other providers loaded
(although it does no harm).

Alternatively you can load both the default and FIPS providers at the
same time:

openssl_conf = openssl_init

.include fipsinstall.conf

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
fips = fips_sect

[default_sect]
activate = 1

In this case you will need to specify "fips=yes" in the fetch to
disambiguate which implementation you want.

Hope that helps,

Matt
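The setup above has several moving parts, and a NULL from EVP_CIPHER_fetch() does not say which one is missing. The following is an added example, not code from this thread or from the OpenSSL project: a writer for the two-provider configuration shown above, and a preflight check that walks the same three environment variables and reports the first missing piece. It assumes the fipsinstall.conf produced by `openssl fipsinstall` carries a `module-mac` key under `[fips_sect]`; it only inspects files and never runs the openssl binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: a writer for
# the "default + fips" configuration Matt shows, and a preflight check that
# reports why a FIPS-only EVP_CIPHER_fetch() would return NULL. It only
# inspects files using the same three environment variables as the post
# (OPENSSL_MODULES, OPENSSL_CONF_INCLUDE, OPENSSL_CONF); it never runs openssl.

# Write the two-provider configuration from the post to the file named in $1.
write_fips_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

.include fipsinstall.conf

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
fips = fips_sect

[default_sect]
activate = 1
EOF
}

# Check each piece the FIPS provider needs at load time. Prints "ok" and
# returns 0 when all are present; otherwise prints the first missing piece
# and returns 1. The "module-mac" key is what `openssl fipsinstall` writes
# into fipsinstall.conf (assumption), so its absence means the install step
# was skipped or wrote a different section name.
fips_preflight() {
    [ -n "$OPENSSL_MODULES" ] || { echo "OPENSSL_MODULES unset"; return 1; }
    [ -f "$OPENSSL_MODULES/fips.so" ] || { echo "no fips.so in $OPENSSL_MODULES"; return 1; }
    [ -n "$OPENSSL_CONF_INCLUDE" ] || { echo "OPENSSL_CONF_INCLUDE unset"; return 1; }
    inst="$OPENSSL_CONF_INCLUDE/fipsinstall.conf"
    [ -f "$inst" ] || { echo "missing $inst (run openssl fipsinstall)"; return 1; }
    grep -q '^\[fips_sect\]' "$inst" || { echo "$inst lacks [fips_sect]"; return 1; }
    grep -q '^module-mac' "$inst" || { echo "$inst lacks module-mac"; return 1; }
    [ -n "$OPENSSL_CONF" ] && [ -f "$OPENSSL_CONF" ] || { echo "missing $OPENSSL_CONF"; return 1; }
    grep -q '^\.include fipsinstall.conf' "$OPENSSL_CONF" \
        || { echo "$OPENSSL_CONF does not include fipsinstall.conf"; return 1; }
    grep -q '^fips *= *fips_sect' "$OPENSSL_CONF" \
        || { echo "$OPENSSL_CONF does not map fips to fips_sect"; return 1; }
    echo "ok"
    return 0
}
```

The same checks apply to the FIPS-only variant of the config; only the `[default_sect]` lines differ.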

Re: Using EVP api in fips mode (openssl3.0)

Manish Patidar
Thanks for the reply. It really helped me use the FIPS lib.

I have another doubt regarding the HMAC stored in fipsinstall.conf. If someone modifies the FIPS library after installation and modifies the HMAC in fipsinstall.conf accordingly, is OpenSSL 3.0 able to identify this and fail the FIPS library loading?

Should fipsinstall.conf be protected from corruption or modification? If yes, is the current mechanism able to do that or not?

Regards
Manish

On Thu, 16 Jan 2020, 8:29 pm Matt Caswell, <[hidden email]> wrote:

Re: Using EVP api in fips mode (openssl3.0)

Matt Caswell-2


On 25/02/2020 11:12, Manish Patidar wrote:
> Thanks for the reply. It really helped me use the FIPS lib.
>
> I have another doubt regarding the HMAC stored in fipsinstall.conf. If
> someone modifies the FIPS library after installation and modifies the HMAC
> in fipsinstall.conf accordingly, is OpenSSL 3.0 able to identify this
> and fail the FIPS library loading?
>
> Should fipsinstall.conf be protected from corruption or modification?
> If yes, is the current mechanism able to do that or not?

The hmac stored in the fipsinstall.conf is intended to detect accidental
corruption of the module (or the conf file). If either of these is
changed then it will be detected. It is not intended to prevent
deliberate modification of both the module and the conf file at the same
time.

Matt
