pankul garg

Reputation: 25

Check if an algorithm is provided by FIPS module

I am using Openssl-3 with the FIPS provider and want to confirm that it's being used for different algorithms. One way to do this is listed in the Openssl 3 wiki: https://wiki.openssl.org/index.php/OpenSSL_3.0#Confirming_that_an_algorithm_is_being_provided_by_the_FIPS_module

It needs some changes to address the API change in Openssl 3 and I wrote a small C script to try it out.

#include <stdio.h>
#include <openssl/provider.h>
#include <openssl/evp.h>

int main(void)
{
    EVP_MD_CTX *mdctx;
    const EVP_MD *md;

    md = EVP_get_digestbyname("sha1");   /* legacy name lookup; may return NULL */
    mdctx = EVP_MD_CTX_new();
    EVP_DigestInit_ex2(mdctx, md, NULL);
    /* segfaults here, see the GDB trace below */
    printf("%s\n", OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(EVP_MD_CTX_get0_md(mdctx))));
    return 0;
}

I expect the name of the module as output which in this case should be FIPS. But I am getting a segmentation fault.

I tried debugging in GDB to understand the problem and I am getting a seg fault at EVP_MD_get0_provider(md = 0x0). Here is the definition for EVP_MD_get0_provider: https://github.com/openssl/openssl/blob/master/crypto/evp/evp_lib.c#L793

So it looks like the argument passed in the EVP_MD_get0_provider is NULL which is leading to the segfault. The argument passed is the return of EVP_MD_CTX_get0_md(ctx) which is defined here: https://github.com/openssl/openssl/blob/master/crypto/evp/evp_lib.c#L1021

If my ctx is NULL then the return will be NULL but since I have initialized ctx, it should not be NULL.

Please help me understand why I am getting a seg fault here and how I can fix it.

Edit:

Made some changes suggested by Matt@:

#include <stdio.h>
#include <openssl/provider.h>
#include <openssl/evp.h>

int main(void)
{
    EVP_MD_CTX *mdctx;

    mdctx = EVP_MD_CTX_new();
    /* legacy static EVP_MD object passed straight into DigestInit */
    printf("EVP_DigestInit_ex(mdctx,EVP_sha256(),NULL): %d\n", EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL));
    printf("OSSL_PROVIDER_available: %d\n", OSSL_PROVIDER_available(NULL, "fips"));
    /* still segfaults here, see the GDB trace below */
    printf("%s\n", OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(EVP_MD_CTX_get0_md(mdctx))));
    return 0;
}

Here is the Config file:

config_diagnostics = 1
openssl_conf = openssl_init
.include /Openssl/build/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1

Output when hooked to GDB:

EVP_DigestInit_ex(mdctx,EVP_sha256(),NULL): 1
OSSL_PROVIDER_available: 1

Program received signal SIGSEGV, Segmentation fault.
ossl_provider_name (prov=0x0) at crypto/provider_core.c:1490
1490        return prov->name;

I am able to verify that the FIPS provider is loaded and also the error is now different, it fails on EVP_MD_get0_provider.

Upvotes: 0

Views: 1004

Answers (1)

pankul garg

Reputation: 25

Openssl-3 wiki also talks about fetching algorithms https://wiki.openssl.org/index.php/OpenSSL_3.0#Fetching_algorithms_and_property_queries from a specific provider.

#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>
#include <openssl/evp.h>

int main(void)
{
    EVP_MD_CTX *mdctx;
    EVP_MD *sha256;

    mdctx = EVP_MD_CTX_new();
    /* explicit fetch with a property query: only the FIPS provider may answer */
    sha256 = EVP_MD_fetch(NULL, "SHA-256", "fips=yes");
    if (sha256 == NULL)
        exit(1);
    printf("EVP_DigestInit_ex(mdctx,sha256,NULL): %d\n", EVP_DigestInit_ex(mdctx, sha256, NULL));
    printf("OSSL_PROVIDER_available: %d\n", OSSL_PROVIDER_available(NULL, "fips"));
    /* the context now refers to the fetched EVP_MD, which carries its provider */
    printf("%s", OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(EVP_MD_CTX_get0_md(mdctx))));
    EVP_MD_free(sha256);       /* release the reference taken by EVP_MD_fetch */
    EVP_MD_CTX_free(mdctx);
    return 0;
}

This gives me the expected output:

EVP_DigestInit_ex(mdctx,EVP_sha256(),NULL): 1
OSSL_PROVIDER_available: 1
fips%

Upvotes: 1
