1=pod 2 3=head1 NAME 4 5fips_module - OpenSSL fips module guide 6 7=head1 SYNOPSIS 8 9See the individual manual pages for details. 10 11=head1 DESCRIPTION 12 13This guide details different ways that OpenSSL can be used in conjunction 14with the FIPS module. Which is the correct approach to use will depend on your 15own specific circumstances and what you are attempting to achieve. 16 17For information related to installing the FIPS module see 18L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>. 19 20Note that the old functions FIPS_mode() and FIPS_mode_set() are no longer 21present so you must remove them from your application if you use them. 22 23Applications written to use the OpenSSL 3.0 FIPS module should not use any 24legacy APIs or features that avoid the FIPS module. Specifically this includes: 25 26=over 4 27 28=item * 29 30Low level cryptographic APIs (use the high level APIs, such as EVP, instead) 31 32=item * 33 34Engines 35 36=item * 37 38Any functions that create or modify custom "METHODS" (for example 39EVP_MD_meth_new(), EVP_CIPHER_meth_new(), EVP_PKEY_meth_new(), RSA_meth_new(), 40EC_KEY_METHOD_new(), etc.) 41 42=back 43 44All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to 45avoid using all deprecated functions. See L<ossl-guide-migration(7)> for a list of 46deprecated functions. 47 48=head2 Making all applications use the FIPS module by default 49 50One simple approach is to cause all applications that are using OpenSSL to only 51use the FIPS module for cryptographic algorithms by default. 52 53This approach can be done purely via configuration. As long as applications are 54built and linked against OpenSSL 3.0 and do not override the loading of the 55default config file or its settings then they can automatically start using the 56FIPS module without the need for any further code changes. 57 58To do this the default OpenSSL config file will have to be modified. The 59location of this config file will depend on the platform, and any options that 60were given during the build process. You can check the location of the config 61file by running this command: 62 63 $ openssl version -d 64 OPENSSLDIR: "/usr/local/ssl" 65 66Caution: Many Operating Systems install OpenSSL by default. It is a common error 67to not have the correct version of OpenSSL in your $PATH. Check that you are 68running an OpenSSL 3.0 version like this: 69 70 $ openssl version -v 71 OpenSSL 3.0.0-dev xx XXX xxxx (Library: OpenSSL 3.0.0-dev xx XXX xxxx) 72 73The B<OPENSSLDIR> value above gives the directory name for where the default 74config file is stored. So in this case the default config file will be called 75F</usr/local/ssl/openssl.cnf>. 76 77Edit the config file to add the following lines near the beginning: 78 79 config_diagnostics = 1 80 openssl_conf = openssl_init 81 82 .include /usr/local/ssl/fipsmodule.cnf 83 84 [openssl_init] 85 providers = provider_sect 86 alg_section = algorithm_sect 87 88 [provider_sect] 89 fips = fips_sect 90 base = base_sect 91 92 [base_sect] 93 activate = 1 94 95 [algorithm_sect] 96 default_properties = fips=yes 97 98Obviously the include file location above should match the path and name of the 99FIPS module config file that you installed earlier. 100See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>. 101 102For FIPS usage, it is recommended that the B<config_diagnostics> option is 103enabled to prevent accidental use of non-FIPS validated algorithms via broken 104or mistaken configuration. See L<config(5)>. 105 106Any applications that use OpenSSL 3.0 and are started after these changes are 107made will start using only the FIPS module unless those applications take 108explicit steps to avoid this default behaviour. Note that this configuration 109also activates the "base" provider. The base provider does not include any 110cryptographic algorithms (and therefore does not impact the validation status of 111any cryptographic operations), but does include other supporting algorithms that 112may be required. It is designed to be used in conjunction with the FIPS module. 113 114This approach has the primary advantage that it is simple, and no code changes 115are required in applications in order to benefit from the FIPS module. There are 116some disadvantages to this approach: 117 118=over 4 119 120=item * 121 122You may not want all applications to use the FIPS module. 123 124It may be the case that some applications should and some should not use the 125FIPS module. 126 127=item * 128 129If applications take explicit steps to not load the default config file or 130set different settings. 131 132This method will not work for these cases. 133 134=item * 135 136The algorithms available in the FIPS module are a subset of the algorithms 137that are available in the default OpenSSL Provider. 138 139If any applications attempt to use any algorithms that are not present, 140then they will fail. 141 142=item * 143 144Usage of certain deprecated APIs avoids the use of the FIPS module. 145 146If any applications use those APIs then the FIPS module will not be used. 147 148=back 149 150=head2 Selectively making applications use the FIPS module by default 151 152A variation on the above approach is to do the same thing on an individual 153application basis. The default OpenSSL config file depends on the compiled in 154value for B<OPENSSLDIR> as described in the section above. However it is also 155possible to override the config file to be used via the B<OPENSSL_CONF> 156environment variable. For example the following, on Unix, will cause the 157application to be executed with a non-standard config file location: 158 159 $ OPENSSL_CONF=/my/nondefault/openssl.cnf myapplication 160 161Using this mechanism you can control which config file is loaded (and hence 162whether the FIPS module is loaded) on an application by application basis. 163 164This removes the disadvantage listed above that you may not want all 165applications to use the FIPS module. All the other advantages and disadvantages 166still apply. 167 168=head2 Programmatically loading the FIPS module (default library context) 169 170Applications may choose to load the FIPS provider explicitly rather than relying 171on config to do this. The config file is still necessary in order to hold the 172FIPS module config data (such as its self test status and integrity data). But 173in this case we do not automatically activate the FIPS provider via that config 174file. 175 176To do things this way configure as per 177L</Making all applications use the FIPS module by default> above, but edit the 178F<fipsmodule.cnf> file to remove or comment out the line which says 179C<activate = 1> (note that setting this value to 0 is I<not> sufficient). 180This means all the required config information will be available to load the 181FIPS module, but it is not automatically loaded when the application starts. The 182FIPS provider can then be loaded programmatically like this: 183 184 #include <openssl/provider.h> 185 186 int main(void) 187 { 188 OSSL_PROVIDER *fips; 189 OSSL_PROVIDER *base; 190 191 fips = OSSL_PROVIDER_load(NULL, "fips"); 192 if (fips == NULL) { 193 printf("Failed to load FIPS provider\n"); 194 exit(EXIT_FAILURE); 195 } 196 base = OSSL_PROVIDER_load(NULL, "base"); 197 if (base == NULL) { 198 OSSL_PROVIDER_unload(fips); 199 printf("Failed to load base provider\n"); 200 exit(EXIT_FAILURE); 201 } 202 203 /* Rest of application */ 204 205 OSSL_PROVIDER_unload(base); 206 OSSL_PROVIDER_unload(fips); 207 exit(EXIT_SUCCESS); 208 } 209 210Note that this should be one of the first things that you do in your 211application. If any OpenSSL functions get called that require the use of 212cryptographic functions before this occurs then, if no provider has yet been 213loaded, then the default provider will be automatically loaded. If you then 214later explicitly load the FIPS provider then you will have both the FIPS and the 215default provider loaded at the same time. It is undefined which implementation 216of an algorithm will be used if multiple implementations are available and you 217have not explicitly specified via a property query (see below) which one should 218be used. 219 220Also note that in this example we have additionally loaded the "base" provider. 221This loads a sub-set of algorithms that are also available in the default 222provider - specifically non cryptographic ones which may be used in conjunction 223with the FIPS provider. For example this contains algorithms for encoding and 224decoding keys. If you decide not to load the default provider then you 225will usually want to load the base provider instead. 226 227In this example we are using the "default" library context. OpenSSL functions 228operate within the scope of a library context. If no library context is 229explicitly specified then the default library context is used. For further 230details about library contexts see the L<OSSL_LIB_CTX(3)> man page. 231 232=head2 Loading the FIPS module at the same time as other providers 233 234It is possible to have the FIPS provider and other providers (such as the 235default provider) all loaded at the same time into the same library context. You 236can use a property query string during algorithm fetches to specify which 237implementation you would like to use. 238 239For example to fetch an implementation of SHA256 which conforms to FIPS 240standards you can specify the property query C<fips=yes> like this: 241 242 EVP_MD *sha256; 243 244 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "fips=yes"); 245 246If no property query is specified, or more than one implementation matches the 247property query then it is undefined which implementation of a particular 248algorithm will be returned. 249 250This example shows an explicit request for an implementation of SHA256 from the 251default provider: 252 253 EVP_MD *sha256; 254 255 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "provider=default"); 256 257It is also possible to set a default property query string. The following 258example sets the default property query of C<fips=yes> for all fetches within 259the default library context: 260 261 EVP_set_default_properties(NULL, "fips=yes"); 262 263If a fetch function has both an explicit property query specified, and a 264default property query is defined then the two queries are merged together and 265both apply. The local property query overrides the default properties if the 266same property name is specified in both. 267 268There are two important built-in properties that you should be aware of: 269 270The "provider" property enables you to specify which provider you want an 271implementation to be fetched from, e.g. C<provider=default> or C<provider=fips>. 272All algorithms implemented in a provider have this property set on them. 273 274There is also the C<fips> property. All FIPS algorithms match against the 275property query C<fips=yes>. There are also some non-cryptographic algorithms 276available in the default and base providers that also have the C<fips=yes> 277property defined for them. These are the encoder and decoder algorithms that 278can (for example) be used to write out a key generated in the FIPS provider to a 279file. The encoder and decoder algorithms are not in the FIPS module itself but 280are allowed to be used in conjunction with the FIPS algorithms. 281 282It is possible to specify default properties within a config file. For example 283the following config file automatically loads the default and FIPS providers and 284sets the default property value to be C<fips=yes>. Note that this config file 285does not load the "base" provider. All supporting algorithms that are in "base" 286are also in "default", so it is unnecessary in this case: 287 288 config_diagnostics = 1 289 openssl_conf = openssl_init 290 291 .include /usr/local/ssl/fipsmodule.cnf 292 293 [openssl_init] 294 providers = provider_sect 295 alg_section = algorithm_sect 296 297 [provider_sect] 298 fips = fips_sect 299 default = default_sect 300 301 [default_sect] 302 activate = 1 303 304 [algorithm_sect] 305 default_properties = fips=yes 306 307=head2 Programmatically loading the FIPS module (nondefault library context) 308 309In addition to using properties to separate usage of the FIPS module from other 310usages this can also be achieved using library contexts. In this example we 311create two library contexts. In one we assume the existence of a config file 312called F<openssl-fips.cnf> that automatically loads and configures the FIPS and 313base providers. The other library context will just use the default provider. 314 315 OSSL_LIB_CTX *fips_libctx, *nonfips_libctx; 316 OSSL_PROVIDER *defctxnull = NULL; 317 EVP_MD *fipssha256 = NULL, *nonfipssha256 = NULL; 318 int ret = 1; 319 320 /* 321 * Create two nondefault library contexts. One for fips usage and 322 * one for non-fips usage 323 */ 324 fips_libctx = OSSL_LIB_CTX_new(); 325 nonfips_libctx = OSSL_LIB_CTX_new(); 326 if (fips_libctx == NULL || nonfips_libctx == NULL) 327 goto err; 328 329 /* Prevent anything from using the default library context */ 330 defctxnull = OSSL_PROVIDER_load(NULL, "null"); 331 332 /* 333 * Load config file for the FIPS library context. We assume that 334 * this config file will automatically activate the FIPS and base 335 * providers so we don't need to explicitly load them here. 336 */ 337 if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl-fips.cnf")) 338 goto err; 339 340 /* 341 * Set the default property query on the FIPS library context to 342 * ensure that only FIPS algorithms can be used. There are a few non-FIPS 343 * approved algorithms in the FIPS provider for backward compatibility reasons. 344 */ 345 if (!EVP_set_default_properties(fips_libctx, "fips=yes")) 346 goto err; 347 348 /* 349 * We don't need to do anything special to load the default 350 * provider into nonfips_libctx. This happens automatically if no 351 * other providers are loaded. 352 * Because we don't call OSSL_LIB_CTX_load_config() explicitly for 353 * nonfips_libctx it will just use the default config file. 354 */ 355 356 /* As an example get some digests */ 357 358 /* Get a FIPS validated digest */ 359 fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL); 360 if (fipssha256 == NULL) 361 goto err; 362 363 /* Get a non-FIPS validated digest */ 364 nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL); 365 if (nonfipssha256 == NULL) 366 goto err; 367 368 /* Use the digests */ 369 370 printf("Success\n"); 371 ret = 0; 372 373 err: 374 EVP_MD_free(fipssha256); 375 EVP_MD_free(nonfipssha256); 376 OSSL_LIB_CTX_free(fips_libctx); 377 OSSL_LIB_CTX_free(nonfips_libctx); 378 OSSL_PROVIDER_unload(defctxnull); 379 380 return ret; 381 382Note that we have made use of the special "null" provider here which we load 383into the default library context. We could have chosen to use the default 384library context for FIPS usage, and just create one additional library context 385for other usages - or vice versa. However if code has not been converted to use 386library contexts then the default library context will be automatically used. 387This could be the case for your own existing applications as well as certain 388parts of OpenSSL itself. Not all parts of OpenSSL are library context aware. If 389this happens then you could "accidentally" use the wrong library context for a 390particular operation. To be sure this doesn't happen you can load the "null" 391provider into the default library context. Because a provider has been 392explicitly loaded, the default provider will not automatically load. This means 393code using the default context by accident will fail because no algorithms will 394be available. 395 396See L<ossl-guide-migration(7)/Library Context> for additional information about the 397Library Context. 398 399=head2 Using Encoders and Decoders with the FIPS module 400 401Encoders and decoders are used to read and write keys or parameters from or to 402some external format (for example a PEM file). If your application generates 403keys or parameters that then need to be written into PEM or DER format 404then it is likely that you will need to use an encoder to do this. Similarly 405you need a decoder to read previously saved keys and parameters. In most cases 406this will be invisible to you if you are using APIs that existed in 407OpenSSL 1.1.1 or earlier such as L<i2d_PrivateKey(3)>. However the appropriate 408encoder/decoder will need to be available in the library context associated with 409the key or parameter object. The built-in OpenSSL encoders and decoders are 410implemented in both the default and base providers and are not in the FIPS 411module boundary. However since they are not cryptographic algorithms themselves 412it is still possible to use them in conjunction with the FIPS module, and 413therefore these encoders/decoders have the C<fips=yes> property against them. 414You should ensure that either the default or base provider is loaded into the 415library context in this case. 416 417=head2 Using the FIPS module in SSL/TLS 418 419Writing an application that uses libssl in conjunction with the FIPS module is 420much the same as writing a normal libssl application. If you are using global 421properties and the default library context to specify usage of FIPS validated 422algorithms then this will happen automatically for all cryptographic algorithms 423in libssl. If you are using a nondefault library context to load the FIPS 424provider then you can supply this to libssl using the function 425L<SSL_CTX_new_ex(3)>. This works as a drop in replacement for the function 426L<SSL_CTX_new(3)> except it provides you with the capability to specify the 427library context to be used. You can also use the same function to specify 428libssl specific properties to use. 429 430In this first example we create two SSL_CTX objects using two different library 431contexts. 432 433 /* 434 * We assume that a nondefault library context with the FIPS 435 * provider loaded has been created called fips_libctx. 436 */ 437 SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(fips_libctx, "fips=yes", TLS_method()); 438 /* 439 * We assume that a nondefault library context with the default 440 * provider loaded has been created called non_fips_libctx. 441 */ 442 SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, 443 TLS_method()); 444 445In this second example we create two SSL_CTX objects using different properties 446to specify FIPS usage: 447 448 /* 449 * The "fips=yes" property includes all FIPS approved algorithms 450 * as well as encoders from the default provider that are allowed 451 * to be used. The NULL below indicates that we are using the 452 * default library context. 453 */ 454 SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(NULL, "fips=yes", TLS_method()); 455 /* 456 * The "provider!=fips" property allows algorithms from any 457 * provider except the FIPS provider 458 */ 459 SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(NULL, "provider!=fips", 460 TLS_method()); 461 462=head2 Confirming that an algorithm is being provided by the FIPS module 463 464A chain of links needs to be followed to go from an algorithm instance to the 465provider that implements it. The process is similar for all algorithms. Here the 466example of a digest is used. 467 468To go from an B<EVP_MD_CTX> to an B<EVP_MD>, use L<EVP_MD_CTX_md(3)> . 469To go from the B<EVP_MD> to its B<OSSL_PROVIDER>, 470use L<EVP_MD_get0_provider(3)>. 471To extract the name from the B<OSSL_PROVIDER>, use 472L<OSSL_PROVIDER_get0_name(3)>. 473 474=head2 FIPS indicators 475 476FIPS indicators have been added to the FIPS provider in OpenSSL 3.4. 477FIPS 140-3 requires indicators to be used if the FIPS provider allows non 478approved algorithms. An algorithm is approved if it passes all required checks 479such as minimum key size. By default an error will occur if any check fails. 480For backwards compatibility individual algorithms may override the checks by 481using either an option in the FIPS configuration (See 482L<fips_config(5)/FIPS indicator options>) OR in code using an algorithm context 483setter. Overriding the check means that the algorithm is not FIPS compliant. 484L<OSSL_INDICATOR_set_callback(3)> can be called to register a callback to log 485unapproved algorithms. At the end of any algorithm operation the approved status 486can be queried using an algorithm context getter to retrieve the indicator 487(e.g. "fips-indicator"). 488An example of an algorithm context setter is "key-check" 489in L<EVP_KDF-HKDF(7)/Supported parameters>. 490 491The following algorithms use "fips-indicator" to query if the algorithm 492is approved: 493 494=over 4 495 496=item DSA Key generation 497 498DSA Key generation is no longer approved. 499See L<EVP_PKEY-DSA(7)/DSA parameters> 500 501=item DSA Signatures 502 503DSA Signature generation is no longer approved. 504See L<EVP_SIGNATURE-DSA(7)/Signature Parameters> 505 506=item ECDSA Signatures 507 508See L<EVP_SIGNATURE-ECDSA(7)/ECDSA Signature Parameters> 509 510=item EC Key Generation 511 512See L<EVP_PKEY-EC(7)/Common EC parameters> 513 514=item RSA Encryption 515 516"pkcs1" padding is no longer approved. 517 518See L<EVP_ASYM_CIPHER-RSA(7)/RSA Asymmetric Cipher parameters> and 519L<EVP_KEM-RSA(7)/RSA KEM parameters> 520 521=item RSA Signatures 522 523See L<EVP_SIGNATURE-RSA(7)/Signature Parameters> 524 525=item DRBGS 526 527See L<EVP_RAND-HASH-DRBG(7)/Supported parameters> and 528EVP_RAND-HMAC-DRBG(7)/Supported parameters> 529 530=item DES 531 532Triple-DES is not longer approved for encryption. 533See L<EVP_CIPHER-DES(7)/Parameters> 534 535=item DH 536 537See L<EVP_KEYEXCH-DH(7)/DH and DHX key exchange parameters> 538 539=item ECDH 540 541See L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters> 542 543=item KDFS 544 545See relevant KDF documentation e.g. L<EVP_KDF-HKDF(7)/Supported parameters> 546 547=item CMAC and KMAC 548 549See L<EVP_MAC-CMAC(7)/Supported parameters> and 550L<EVP_MAC-KMAC(7)/Supported parameters> 551 552=back 553 554The following FIPS algorithms are unapproved and use the "fips-indicator". 555 556=over 4 557 558=item RAND-TEST-RAND 559 560See L<EVP_RAND-TEST-RAND(7)/Supported parameters> 561The indicator callback is NOT triggered for this algorithm since it is used 562internally for non security purposes. 563 564=item X25519 and X448 Key Generation and Key Exchange 565 566=back 567 568The unapproved (non FIPS validated) algorithms have a property query value of 569"fips=no". 570 571The following algorithms use a unique indicator and do not trigger the 572indicator callback. 573 574=over 4 575 576=item AES-GCM ciphers support the indicator "iv-generated" 577 578See L<EVP_EncryptInit(3)/PARAMETERS> for further information. 579 580=item ECDSA and RSA Signatures support the indicator "verify-message". 581 582See L<EVP_SIGNATURE-ECDSA(7)/ECDSA Signature Parameters> and 583L<EVP_SIGNATURE-RSA(7)/Signature Parameters> /for further information. 584 585=back 586 587=head1 NOTES 588 589Some released versions of OpenSSL do not include a validated 590FIPS provider. To determine which versions have undergone 591the validation process, please refer to the 592L<OpenSSL Downloads page|https://www.openssl.org/source/>. If you 593require FIPS-approved functionality, it is essential to build your FIPS 594provider using one of the validated versions listed there. Normally, 595it is possible to utilize a FIPS provider constructed from one of the 596validated versions alongside F<libcrypto> and F<libssl> compiled from any 597release within the same major release series. This flexibility enables 598you to address bug fixes and CVEs that fall outside the FIPS boundary. 599 600As the FIPS provider still supports non-FIPS validated algorithms, 601The property query C<fips=yes> is mandatory for applications that 602want to operate in a FIPS approved manner. 603 604=head1 SEE ALSO 605 606L<ossl-guide-migration(7)>, L<crypto(7)>, L<fips_config(5)>, 607L<https://www.openssl.org/source/> 608 609=head1 HISTORY 610 611The FIPS module guide was created for use with the new FIPS provider 612in OpenSSL 3.0. 613FIPS indicators were added in OpenSSL 3.4. 614 615=head1 COPYRIGHT 616 617Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. 618 619Licensed under the Apache License 2.0 (the "License"). You may not use 620this file except in compliance with the License. You can obtain a copy 621in the file LICENSE in the source distribution or at 622L<https://www.openssl.org/source/license.html>. 623 624=cut 625
