xref: /openssl/doc/man7/fips_module.pod (revision 37aa1143)
1=pod
2
3=head1 NAME
4
5fips_module - OpenSSL fips module guide
6
7=head1 SYNOPSIS
8
9See the individual manual pages for details.
10
11=head1 DESCRIPTION
12
13This guide details different ways that OpenSSL can be used in conjunction
14with the FIPS module. Which is the correct approach to use will depend on your
15own specific circumstances and what you are attempting to achieve.
16
17For information related to installing the FIPS module see
18L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
19
20Note that the old functions FIPS_mode() and FIPS_mode_set() are no longer
21present so you must remove them from your application if you use them.
22
23Applications written to use the OpenSSL 3.0 FIPS module should not use any
24legacy APIs or features that avoid the FIPS module. Specifically this includes:
25
26=over 4
27
28=item *
29
30Low level cryptographic APIs (use the high level APIs, such as EVP, instead)
31
32=item *
33
34Engines
35
36=item *
37
38Any functions that create or modify custom "METHODS" (for example
39EVP_MD_meth_new(), EVP_CIPHER_meth_new(), EVP_PKEY_meth_new(), RSA_meth_new(),
40EC_KEY_METHOD_new(), etc.)
41
42=back
43
44All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to
45avoid using all deprecated functions. See L<ossl-guide-migration(7)> for a list of
46deprecated functions.
47
48=head2 Making all applications use the FIPS module by default
49
50One simple approach is to cause all applications that are using OpenSSL to only
51use the FIPS module for cryptographic algorithms by default.
52
53This approach can be done purely via configuration. As long as applications are
54built and linked against OpenSSL 3.0 and do not override the loading of the
55default config file or its settings then they can automatically start using the
56FIPS module without the need for any further code changes.
57
58To do this the default OpenSSL config file will have to be modified. The
59location of this config file will depend on the platform, and any options that
60were given during the build process. You can check the location of the config
61file by running this command:
62
63    $ openssl version -d
64    OPENSSLDIR: "/usr/local/ssl"
65
66Caution: Many Operating Systems install OpenSSL by default. It is a common error
67to not have the correct version of OpenSSL in your $PATH. Check that you are
68running an OpenSSL 3.0 version like this:
69
70    $ openssl version -v
71    OpenSSL 3.0.0-dev xx XXX xxxx (Library: OpenSSL 3.0.0-dev xx XXX xxxx)
72
73The B<OPENSSLDIR> value above gives the directory name for where the default
74config file is stored. So in this case the default config file will be called
75F</usr/local/ssl/openssl.cnf>.
76
77Edit the config file to add the following lines near the beginning:
78
79    config_diagnostics = 1
80    openssl_conf = openssl_init
81
82    .include /usr/local/ssl/fipsmodule.cnf
83
84    [openssl_init]
85    providers = provider_sect
86    alg_section = algorithm_sect
87
88    [provider_sect]
89    fips = fips_sect
90    base = base_sect
91
92    [base_sect]
93    activate = 1
94
95    [algorithm_sect]
96    default_properties = fips=yes
97
98Obviously the include file location above should match the path and name of the
99FIPS module config file that you installed earlier.
100See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
101
102For FIPS usage, it is recommended that the B<config_diagnostics> option is
103enabled to prevent accidental use of non-FIPS validated algorithms via broken
104or mistaken configuration.  See L<config(5)>.
105
106Any applications that use OpenSSL 3.0 and are started after these changes are
107made will start using only the FIPS module unless those applications take
108explicit steps to avoid this default behaviour. Note that this configuration
109also activates the "base" provider. The base provider does not include any
110cryptographic algorithms (and therefore does not impact the validation status of
111any cryptographic operations), but does include other supporting algorithms that
112may be required. It is designed to be used in conjunction with the FIPS module.
113
114This approach has the primary advantage that it is simple, and no code changes
115are required in applications in order to benefit from the FIPS module. There are
116some disadvantages to this approach:
117
118=over 4
119
120=item *
121
122You may not want all applications to use the FIPS module.
123
124It may be the case that some applications should and some should not use the
125FIPS module.
126
127=item *
128
129If applications take explicit steps to not load the default config file or
130set different settings.
131
132This method will not work for these cases.
133
134=item *
135
136The algorithms available in the FIPS module are a subset of the algorithms
137that are available in the default OpenSSL Provider.
138
139If any applications attempt to use any algorithms that are not present,
140then they will fail.
141
142=item *
143
144Usage of certain deprecated APIs avoids the use of the FIPS module.
145
146If any applications use those APIs then the FIPS module will not be used.
147
148=back
149
150=head2 Selectively making applications use the FIPS module by default
151
152A variation on the above approach is to do the same thing on an individual
153application basis. The default OpenSSL config file depends on the compiled in
154value for B<OPENSSLDIR> as described in the section above. However it is also
155possible to override the config file to be used via the B<OPENSSL_CONF>
156environment variable. For example the following, on Unix, will cause the
157application to be executed with a non-standard config file location:
158
159    $ OPENSSL_CONF=/my/nondefault/openssl.cnf myapplication
160
161Using this mechanism you can control which config file is loaded (and hence
162whether the FIPS module is loaded) on an application by application basis.
163
164This removes the disadvantage listed above that you may not want all
165applications to use the FIPS module. All the other advantages and disadvantages
166still apply.
167
168=head2 Programmatically loading the FIPS module (default library context)
169
170Applications may choose to load the FIPS provider explicitly rather than relying
171on config to do this. The config file is still necessary in order to hold the
172FIPS module config data (such as its self test status and integrity data). But
173in this case we do not automatically activate the FIPS provider via that config
174file.
175
176To do things this way configure as per
177L</Making all applications use the FIPS module by default> above, but edit the
178F<fipsmodule.cnf> file to remove or comment out the line which says
179C<activate = 1> (note that setting this value to 0 is I<not> sufficient).
180This means all the required config information will be available to load the
181FIPS module, but it is not automatically loaded when the application starts. The
182FIPS provider can then be loaded programmatically like this:
183
184    #include <openssl/provider.h>
185
186    int main(void)
187    {
188        OSSL_PROVIDER *fips;
189        OSSL_PROVIDER *base;
190
191        fips = OSSL_PROVIDER_load(NULL, "fips");
192        if (fips == NULL) {
193            printf("Failed to load FIPS provider\n");
194            exit(EXIT_FAILURE);
195        }
196        base = OSSL_PROVIDER_load(NULL, "base");
197        if (base == NULL) {
198            OSSL_PROVIDER_unload(fips);
199            printf("Failed to load base provider\n");
200            exit(EXIT_FAILURE);
201        }
202
203        /* Rest of application */
204
205        OSSL_PROVIDER_unload(base);
206        OSSL_PROVIDER_unload(fips);
207        exit(EXIT_SUCCESS);
208    }
209
210Note that this should be one of the first things that you do in your
211application. If any OpenSSL functions get called that require the use of
212cryptographic functions before this occurs then, if no provider has yet been
213loaded, then the default provider will be automatically loaded. If you then
214later explicitly load the FIPS provider then you will have both the FIPS and the
215default provider loaded at the same time. It is unspecified which implementation
216of an algorithm will be used if multiple implementations are available and you
217have not explicitly specified via a property query (see below) which one should
218be used.
219
220Also note that in this example we have additionally loaded the "base" provider.
221This loads a sub-set of algorithms that are also available in the default
222provider - specifically non cryptographic ones which may be used in conjunction
223with the FIPS provider. For example this contains algorithms for encoding and
224decoding keys. If you decide not to load the default provider then you
225will usually want to load the base provider instead.
226
227In this example we are using the "default" library context. OpenSSL functions
228operate within the scope of a library context. If no library context is
229explicitly specified then the default library context is used. For further
230details about library contexts see the L<OSSL_LIB_CTX(3)> man page.
231
232=head2 Loading the FIPS module at the same time as other providers
233
234It is possible to have the FIPS provider and other providers (such as the
235default provider) all loaded at the same time into the same library context. You
236can use a property query string during algorithm fetches to specify which
237implementation you would like to use.
238
239For example to fetch an implementation of SHA256 which conforms to FIPS
240standards you can specify the property query C<fips=yes> like this:
241
242    EVP_MD *sha256;
243
244    sha256 = EVP_MD_fetch(NULL, "SHA2-256", "fips=yes");
245
246If no property query is specified, or more than one implementation matches the
247property query then it is unspecified which implementation of a particular
248algorithm will be returned.
249
250This example shows an explicit request for an implementation of SHA256 from the
251default provider:
252
253    EVP_MD *sha256;
254
255    sha256 = EVP_MD_fetch(NULL, "SHA2-256", "provider=default");
256
257It is also possible to set a default property query string. The following
258example sets the default property query of C<fips=yes> for all fetches within
259the default library context:
260
261    EVP_set_default_properties(NULL, "fips=yes");
262
263If a fetch function has both an explicit property query specified, and a
264default property query is defined then the two queries are merged together and
265both apply. The local property query overrides the default properties if the
266same property name is specified in both.
267
268There are two important built-in properties that you should be aware of:
269
270The "provider" property enables you to specify which provider you want an
271implementation to be fetched from, e.g. C<provider=default> or C<provider=fips>.
272All algorithms implemented in a provider have this property set on them.
273
274There is also the C<fips> property. All FIPS algorithms match against the
275property query C<fips=yes>. There are also some non-cryptographic algorithms
276available in the default and base providers that also have the C<fips=yes>
277property defined for them. These are the encoder and decoder algorithms that
278can (for example) be used to write out a key generated in the FIPS provider to a
279file. The encoder and decoder algorithms are not in the FIPS module itself but
280are allowed to be used in conjunction with the FIPS algorithms.
281
282It is possible to specify default properties within a config file. For example
283the following config file automatically loads the default and FIPS providers and
284sets the default property value to be C<fips=yes>. Note that this config file
285does not load the "base" provider. All supporting algorithms that are in "base"
286are also in "default", so it is unnecessary in this case:
287
288    config_diagnostics = 1
289    openssl_conf = openssl_init
290
291    .include /usr/local/ssl/fipsmodule.cnf
292
293    [openssl_init]
294    providers = provider_sect
295    alg_section = algorithm_sect
296
297    [provider_sect]
298    fips = fips_sect
299    default = default_sect
300
301    [default_sect]
302    activate = 1
303
304    [algorithm_sect]
305    default_properties = fips=yes
306
307=head2 Programmatically loading the FIPS module (nondefault library context)
308
309In addition to using properties to separate usage of the FIPS module from other
310usages this can also be achieved using library contexts. In this example we
311create two library contexts. In one we assume the existence of a config file
312called F<openssl-fips.cnf> that automatically loads and configures the FIPS and
313base providers. The other library context will just use the default provider.
314
315    OSSL_LIB_CTX *fips_libctx, *nonfips_libctx;
316    OSSL_PROVIDER *defctxnull = NULL;
317    EVP_MD *fipssha256 = NULL, *nonfipssha256 = NULL;
318    int ret = 1;
319
320    /*
321     * Create two nondefault library contexts. One for fips usage and
322     * one for non-fips usage
323     */
324    fips_libctx = OSSL_LIB_CTX_new();
325    nonfips_libctx = OSSL_LIB_CTX_new();
326    if (fips_libctx == NULL || nonfips_libctx == NULL)
327        goto err;
328
329    /* Prevent anything from using the default library context */
330    defctxnull = OSSL_PROVIDER_load(NULL, "null");
331
332    /*
333     * Load config file for the FIPS library context. We assume that
334     * this config file will automatically activate the FIPS and base
335     * providers so we don't need to explicitly load them here.
336     */
337    if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl-fips.cnf"))
338        goto err;
339
340    /*
341     * Set the default property query on the FIPS library context to
342     * ensure that only FIPS algorithms can be used.  There are a few non-FIPS
343     * approved algorithms in the FIPS provider for backward compatibility reasons.
344     */
345    if (!EVP_set_default_properties(fips_libctx, "fips=yes"))
346        goto err;
347
348    /*
349     * We don't need to do anything special to load the default
350     * provider into nonfips_libctx. This happens automatically if no
351     * other providers are loaded.
352     * Because we don't call OSSL_LIB_CTX_load_config() explicitly for
353     * nonfips_libctx it will just use the default config file.
354     */
355
356    /* As an example get some digests */
357
358    /* Get a FIPS validated digest */
359    fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);
360    if (fipssha256 == NULL)
361        goto err;
362
363    /* Get a non-FIPS validated digest */
364    nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);
365    if (nonfipssha256 == NULL)
366        goto err;
367
368    /* Use the digests */
369
370    printf("Success\n");
371    ret = 0;
372
373    err:
374    EVP_MD_free(fipssha256);
375    EVP_MD_free(nonfipssha256);
376    OSSL_LIB_CTX_free(fips_libctx);
377    OSSL_LIB_CTX_free(nonfips_libctx);
378    OSSL_PROVIDER_unload(defctxnull);
379
380    return ret;
381
382Note that we have made use of the special "null" provider here which we load
383into the default library context. We could have chosen to use the default
384library context for FIPS usage, and just create one additional library context
385for other usages - or vice versa. However if code has not been converted to use
386library contexts then the default library context will be automatically used.
387This could be the case for your own existing applications as well as certain
388parts of OpenSSL itself. Not all parts of OpenSSL are library context aware. If
389this happens then you could "accidentally" use the wrong library context for a
390particular operation. To be sure this doesn't happen you can load the "null"
391provider into the default library context. Because a provider has been
392explicitly loaded, the default provider will not automatically load. This means
393code using the default context by accident will fail because no algorithms will
394be available.
395
396See L<ossl-guide-migration(7)/Library Context> for additional information about the
397Library Context.
398
399=head2 Using Encoders and Decoders with the FIPS module
400
401Encoders and decoders are used to read and write keys or parameters from or to
402some external format (for example a PEM file). If your application generates
403keys or parameters that then need to be written into PEM or DER format
404then it is likely that you will need to use an encoder to do this. Similarly
405you need a decoder to read previously saved keys and parameters. In most cases
406this will be invisible to you if you are using APIs that existed in
407OpenSSL 1.1.1 or earlier such as L<i2d_PrivateKey(3)>. However the appropriate
408encoder/decoder will need to be available in the library context associated with
409the key or parameter object. The built-in OpenSSL encoders and decoders are
410implemented in both the default and base providers and are not in the FIPS
411module boundary. However since they are not cryptographic algorithms themselves
412it is still possible to use them in conjunction with the FIPS module, and
413therefore these encoders/decoders have the C<fips=yes> property against them.
414You should ensure that either the default or base provider is loaded into the
415library context in this case.
416
417=head2 Using the FIPS module in SSL/TLS
418
419Writing an application that uses libssl in conjunction with the FIPS module is
420much the same as writing a normal libssl application. If you are using global
421properties and the default library context to specify usage of FIPS validated
422algorithms then this will happen automatically for all cryptographic algorithms
423in libssl. If you are using a nondefault library context to load the FIPS
424provider then you can supply this to libssl using the function
425L<SSL_CTX_new_ex(3)>. This works as a drop in replacement for the function
426L<SSL_CTX_new(3)> except it provides you with the capability to specify the
427library context to be used. You can also use the same function to specify
428libssl specific properties to use.
429
430In this first example we create two SSL_CTX objects using two different library
431contexts.
432
433    /*
434     * We assume that a nondefault library context with the FIPS
435     * provider loaded has been created called fips_libctx.
436     */
437    SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(fips_libctx, "fips=yes", TLS_method());
438    /*
439     * We assume that a nondefault library context with the default
440     * provider loaded has been created called non_fips_libctx.
441     */
442    SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(non_fips_libctx, NULL,
443                                               TLS_method());
444
445In this second example we create two SSL_CTX objects using different properties
446to specify FIPS usage:
447
448    /*
449     * The "fips=yes" property includes all FIPS approved algorithms
450     * as well as encoders from the default provider that are allowed
451     * to be used. The NULL below indicates that we are using the
452     * default library context.
453     */
454    SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(NULL, "fips=yes", TLS_method());
455    /*
456     * The "provider!=fips" property allows algorithms from any
457     * provider except the FIPS provider
458     */
459    SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(NULL, "provider!=fips",
460                                               TLS_method());
461
462=head2 Confirming that an algorithm is being provided by the FIPS module
463
464A chain of links needs to be followed to go from an algorithm instance to the
465provider that implements it. The process is similar for all algorithms. Here the
466example of a digest is used.
467
468To go from an B<EVP_MD_CTX> to an B<EVP_MD>, use L<EVP_MD_CTX_md(3)> .
469To go from the B<EVP_MD> to its B<OSSL_PROVIDER>,
470use L<EVP_MD_get0_provider(3)>.
471To extract the name from the B<OSSL_PROVIDER>, use
472L<OSSL_PROVIDER_get0_name(3)>.
473
474=head2 FIPS indicators
475
476FIPS indicators have been added to the FIPS provider in OpenSSL 3.4.
477FIPS 140-3 requires indicators to be used if the FIPS provider allows non
478approved algorithms. An algorithm is approved if it passes all required checks
479such as minimum key size. By default an error will occur if any check fails.
480For backwards compatibility individual algorithms may override the checks by
481using either an option in the FIPS configuration (See
482L<fips_config(5)/FIPS indicator options>) OR in code using an algorithm context
483setter. Overriding the check means that the algorithm is not FIPS compliant.
484L<OSSL_INDICATOR_set_callback(3)> can be called to register a callback to log
485unapproved algorithms. At the end of any algorithm operation the approved status
486can be queried using an algorithm context getter to retrieve the indicator
487(e.g. "fips-indicator").
488An example of an algorithm context setter is "key-check"
489in L<EVP_KDF-HKDF(7)/Supported parameters>.
490
491The following algorithms use "fips-indicator" to query if the algorithm
492is approved:
493
494=over 4
495
496=item DSA Key generation
497
498DSA Key generation is no longer approved.
499See L<EVP_PKEY-DSA(7)/DSA parameters>
500
501=item DSA Signatures
502
503DSA Signature generation is no longer approved.
504See L<EVP_SIGNATURE-DSA(7)/Signature Parameters>
505
506=item ECDSA Signatures
507
508See L<EVP_SIGNATURE-ECDSA(7)/ECDSA Signature Parameters>
509
510=item EC Key Generation
511
512See L<EVP_PKEY-EC(7)/Common EC parameters>
513
514=item RSA Encryption
515
516"pkcs1" padding is no longer approved.
517
518See L<EVP_ASYM_CIPHER-RSA(7)/RSA Asymmetric Cipher parameters> and
519L<EVP_KEM-RSA(7)/RSA KEM parameters>
520
521=item RSA Signatures
522
523See L<EVP_SIGNATURE-RSA(7)/Signature Parameters>
524
525=item DRBGS
526
527See L<EVP_RAND-HASH-DRBG(7)/Supported parameters> and
528EVP_RAND-HMAC-DRBG(7)/Supported parameters>
529
530=item DES
531
532Triple-DES is not longer approved for encryption.
533See L<EVP_CIPHER-DES(7)/Parameters>
534
535=item DH
536
537See L<EVP_KEYEXCH-DH(7)/DH and DHX key exchange parameters>
538
539=item ECDH
540
541See L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>
542
543=item KDFS
544
545See relevant KDF documentation e.g. L<EVP_KDF-HKDF(7)/Supported parameters>
546
547=item CMAC and KMAC
548
549See L<EVP_MAC-CMAC(7)/Supported parameters> and
550L<EVP_MAC-KMAC(7)/Supported parameters>
551
552=back
553
554The following FIPS algorithms are unapproved and use the "fips-indicator".
555
556=over 4
557
558=item RAND-TEST-RAND
559
560See L<EVP_RAND-TEST-RAND(7)/Supported parameters>
561The indicator callback is NOT triggered for this algorithm since it is used
562internally for non security purposes.
563
564=item X25519 and X448 Key Generation and Key Exchange
565
566=back
567
568The unapproved (non FIPS validated) algorithms have a property query value of
569"fips=no".
570
571The following algorithms use a unique indicator and do not trigger the
572indicator callback.
573
574=over 4
575
576=item AES-GCM ciphers support the indicator "iv-generated"
577
578See L<EVP_EncryptInit(3)/PARAMETERS> for further information.
579
580=item ECDSA and RSA Signatures support the indicator "verify-message".
581
582See L<EVP_SIGNATURE-ECDSA(7)/ECDSA Signature Parameters> and
583L<EVP_SIGNATURE-RSA(7)/Signature Parameters> /for further information.
584
585=back
586
587=head1 NOTES
588
589Some released versions of OpenSSL do not include a validated
590FIPS provider.  To determine which versions have undergone
591the validation process, please refer to the
592L<OpenSSL Downloads page|https://www.openssl.org/source/>.  If you
593require FIPS-approved functionality, it is essential to build your FIPS
594provider using one of the validated versions listed there.  Normally,
595it is possible to utilize a FIPS provider constructed from one of the
596validated versions alongside F<libcrypto> and F<libssl> compiled from any
597release within the same major release series.  This flexibility enables
598you to address bug fixes and CVEs that fall outside the FIPS boundary.
599
600As the FIPS provider still supports non-FIPS validated algorithms,
601The property query C<fips=yes> is mandatory for applications that
602want to operate in a FIPS approved manner.
603
604=head1 SEE ALSO
605
606L<ossl-guide-migration(7)>, L<crypto(7)>, L<fips_config(5)>,
607L<https://www.openssl.org/source/>
608
609=head1 HISTORY
610
611The FIPS module guide was created for use with the new FIPS provider
612in OpenSSL 3.0.
613FIPS indicators were added in OpenSSL 3.4.
614
615=head1 COPYRIGHT
616
617Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
618
619Licensed under the Apache License 2.0 (the "License").  You may not use
620this file except in compliance with the License.  You can obtain a copy
621in the file LICENSE in the source distribution or at
622L<https://www.openssl.org/source/license.html>.
623
624=cut
625