How to check FIPS 140-2 support in OpenSSL?

Question

We have a client which is asking about OpenSSL FIPS (Federal Information Processing Standard) 140-2 compliant support validated cryptography use. How do I check whether OpenSSL has FIPS complains is providing FIPS validated cryptography or not?

OS: Redhat 5 Linux

Answer 1

The Openssl 3.0 series has removed these

• FIPS_mode()
• FIPS_mode_set()

These functions are legacy APIs that are not applicable to the new provider model. Applications should instead use

• EVP_default_properties_is_fips_enabled()
• EVP_default_properties_enable_fips()

For example,

#include <openssl/evp.h>
#include <iostream>

int main() {
    // Check if FIPS mode is enabled in the default library context
    int fipsEnabled = EVP_default_properties_is_fips_enabled(NULL);
    if (fipsEnabled) {
        printf("FIPS mode is enabled.\n");
    } else {
        printf("FIPS mode is not enabled.\n");
    }

    return 0;
}

Answer 2

If you are using dynamic linking, this c code will check for you:

#include <openssl/err.h>
#include <string.h>

int main() {
  if (FIPS_mode() || FIPS_mode_set(1)) {
    printf("Installed library has FIPS support\n");
    return 0;
  }

  const char* err_str = ERR_error_string(ERR_get_error(), 0);
  printf("Failed to enable FIPS mode, %s\n", err_str);
  if (strstr(err_str, "0F06D065")) {
    printf("Installed library does not have FIPS support\n");
  }

  return 0;
}

On Linux you can compile and run via:

Compile like so:

gcc fips_openssl_check.c -lcrypto

or

gcc fips_openssl_check.c -l:libcrypto.so.1.0.2

if you have multiple libcrypto versions installed and want to check a specific one. Other compilers such as clang are fine too.

Execute to perform the check:

./a.out

https://github.com/ericcurtin/fips_openssl_check

Answer 3

Kernel option "fips=1" should be enabled. A bit more on that here.

To see if that is loaded:

sudo sysctl -a|grep fips

Answer 4

How do I check whether OpenSSL has is providing FIPS validated cryptography or not?

It depends on how and when you want to check. It also depends on the application.

FIPS could be available but not used. So an application must enable the validated cryptography via FIPS_mode_set, and the call must succeed.

---

If you want to check if the FIPS Capable Library, such as OpenSSL 1.0.1e, was configured to use the FIPS Object Module, then you can:

$ cat /usr/local/ssl/include/openssl/opensslconf.h  | grep -A 2 -i fips
#ifndef OPENSSL_FIPS
# define OPENSSL_FIPS
#endif

OPENSSL_FIPS tells you the FIPS Capable Library was configured to use FIPS Object Module. So the FIPS validated cryptography is available.

OPENSSL_FIPS does not mean the application is using the FIPS validated cryptography, though. The application must call FIPS_mode_set, and the function must return success.

---

At runtime, you can print the string associated with the following (its taken from code I use specifically for this):

ostringstream oss;
oss << OPENSSL_VERSION_TEXT;
LogVersion(oss.str().c_str());

The code will produce a log entry similar to the following:

Version: OpenSSL 1.0.1f-fips 6 Jan 2014

---

You can audit the module with a few tricks. For example, the following will test for some symbols that must be present if executable is truly FIPS.

In this case, I'm testing the OpenSSL FIPS Capable shared object. If the application links to libcrypto.a, then you can audit the program rather than the OpenSSL shared object.

$ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_*
00000000000c7f60 T ERR_load_FIPS_strings
00000000000c2250 T FIPS_add_error_data
00000000000c3900 T FIPS_add_lock
0000000000082820 T FIPS_bn_bin2bn
0000000000082980 T FIPS_bn_bn2bin
0000000000082760 T FIPS_bn_clear
0000000000082350 T FIPS_bn_clear_free
00000000000823d0 T FIPS_bn_free
0000000000087c90 T FIPS_bn_generate_prime_ex
0000000000082790 T FIPS_bn_get_word
0000000000082d20 T FIPS_bn_is_bit_set
0000000000087c80 T FIPS_bn_is_prime_ex
0000000000087750 T FIPS_bn_is_prime_fasttest_ex
...

---

You also have the symbols from fips_premain.c:

$ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_text_*
00000000000c4520 T FIPS_text_end
000000000007b340 T FIPS_text_start
$ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_rodata*
00000000001e1e20 R FIPS_rodata_end
00000000001d8ce0 R FIPS_rodata_start
$ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_signature*
00000000004696c0 B FIPS_signature
$ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_incore*
000000000007b5a0 T FIPS_incore_fingerprint

---

Now, this is really sneaky. You can check that the module includes the self tests. For example, fips_drbg_selftest.h will include the following bytes its self tests:

0x2e,0xbf,0x98,0xf9,0x85,0x27,0x8b,0xff,0x36,0xb9,0x40,0x0b,
0xc0,0xa1,0xa0,0x13,0x20,0x06,0xcc,0xe6,0x2a,0x03,0x77,0x7d,
0xee,0xde,0xcc,0x34,0xe3,0xcd,0x77,0xea,0xd0,0x3e,0xbe,0xdd,
0xf6,0x15,0xfb,0xa7,0xd7,0x8e,0xd0,0x2e,0x2f,0x82,0x4c,0xc7,
0x87,0xb1,0x6f,0xc5,0xf8,0x5c,0x78,0xde,0x77,0x9b,0x15,0x9a,
0xb9,0x3c,0x38

---

And you can verify the developer ran incore or macho_incore on their executable to embed the FIPS fingerprint by dumping the 20 bytes of the symbol FIPS_signature. If its 20 bytes of 0's (the default from fips_premain.c), then the fingerprint was not embedded and FIPS_mode_set will fail. So its not possible to use FIPS validated cryptography in this case.

---

Update: I uploaded a slide deck I have on the subject to the OpenSSL wiki. Its called Building Applications using OpenSSL Validated Cryptography: Notes from the Field for Developers and Auditors. You will want to review the material starting around Slide 18.

I built the slide deck for OWASP but there's was no interest in receiving it. I know Stack Overflow frowns upon links like the one on the OpenSSL wiki, but I don't know how to provide a 35+ slide deck here.

Answer 5

To check if openssl is operating under fips mode, issue the following:

$ openssl md5 somefile

The above should fail as MD5 is not a fips approved Hash Standard.

$ openssl sha1 somefile

The above would work as SHA1 is the fips Approved Hash Standard.

Example:

# openssl md5 message.txt
Error setting digest md5
140062425388872:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:251:

# openssl sha1 message.txt 
SHA1(messagetext.txt)= 9f5080758dbf71537cc44a4d8cb67564f2ad938a

Reference

Answer 6

OpenSSL itself is not FIPS 140-2 validated and, according to it's maintainers, will never be. However, it has a FIPS 140-2 validated module called the FIPS Object Module, that partly replaces libcrypto used in vanilla OpenSSL. More information, including user guide, can be found here. In short:

OpenSSL itself is not validated, and never will be. Instead a special carefully defined software component called the OpenSSL FIPS Object Module has been created. This Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.

Answer 7

Here what i found to check support.

# openssl ciphers FIPS -v
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1