openssl FIPS_mode_set error #151

Open
bimbimprasetyoafif opened this issue Apr 26, 2022 · 11 comments
Comments

@bimbimprasetyoafif

I hope this repo is not dead yet. I face an error when running my Golang app that uses this library.
It returns:

```
# github.com/spacemonkeygo/openssl ../../go/pkg/mod/github.com/spacemonkeygo/[email protected]/fips.go:31:7: could not determine kind of name for C.FIPS_mode_set
```

My thought is that the version of OpenSSL this library uses and mine are different.

Note: running on Ubuntu 22.04, OpenSSL 3.0.2.

@nisarg0103

Same issue @bimbimprasetyoafif, have you got any solution?

@bimbimprasetyoafif
Author

> Same issue @bimbimprasetyoafif, have you got any solution?

Nope, I just downgraded to Ubuntu 20 to solve my problem; I thought there was no dependency on the latest version. Besides, this repo has had no updates since 2018 @nisarg0103

@ashishm8898

You need to downgrade your Ubuntu version to 20 from 22...

@ashishm8898

Now this comes up on my MacBook with the M1 chip.

@ricky-charlet

See my untested pull request #154 for a possible solution.

@rodrigorodriguescosta

Same issue, is there any solution except downgrading Ubuntu?

@huwcbjones

FIPS_mode_set got removed in OpenSSL 3.
There is an OpenSSL 3-only fork that doesn't use deprecated symbols here: https://github.com/pexip/go-openssl

@Rocky210

Is there any solution for this error?

```
github.com/spacemonkeygo/openssl

../../../go/pkg/mod/github.com/spacemonkeygo/[email protected]/fips.go:31:7: could not determine kind of name for C.FIPS_mode_set
```

@huwcbjones

@Rocky210 see my previous comment regarding deprecated symbols in OpenSSL 3 here: #151 (comment)

@Rocky210

Rocky210 commented Apr 17, 2024 via email

@huwcbjones

> I need a clear demonstration for implementation, could you please explain.

I will do my best to explain what's changed, point you in the right direction and provide you with some untested code snippets.

From the OpenSSL 3 manpage, gone are FIPS_mode() and FIPS_mode_set(), hence this issue. They do not exist, you cannot call them.

OpenSSL 3 introduced an architecture change with the introduction of library contexts and providers.
If no provider is loaded and cryptographic functions are called, the "default" provider will be loaded.
Therefore users requiring programmatic enabling of the FIPS module should load the fips provider into the default library context before performing any crypto operations.

I've just had a look at what we've got in our OpenSSL 3 fork and it appears we load the default provider on init.
https://github.com/pexip/go-openssl/blob/master/init.go#L108
https://github.com/pexip/go-openssl/blob/60019a99ece1aea7302abbb6b9a6157252bac72a/provider.go#L26-L31

Because of how we use FIPS crypto in our product, we enable/disable FIPS mode on a VM level, so we do not do any programmatic loading. However, if I were to add support to our fork, I'd probably do something like in https://github.com/pexip/go-openssl/blob/master/provider.go:

```go
// loadFIPSProvider replaces the package-level default library context with
// one that holds the "fips" and "base" providers (base is needed for
// encoders/decoders, which the fips module does not supply).
func loadFIPSProvider() error {
	defaultCtx = &LibraryContext{
		ctx: nil, providers: make(map[string]*C.OSSL_PROVIDER), mu: &sync.Mutex{},
	}
	// Unload the providers when the context is garbage collected.
	runtime.SetFinalizer(defaultCtx, func(c *LibraryContext) { c.finalise() })
	if err := defaultCtx.LoadProvider("fips"); err != nil {
		return fmt.Errorf("failed to load fips provider: %w", err)
	}
	if err := defaultCtx.LoadProvider("base"); err != nil {
		return fmt.Errorf("failed to load base provider: %w", err)
	}
	return nil
}
```

That snippet above roughly matches the spirit of the C example in the manpage.

Then you'd have to fiddle with init.go/init to either not load the default provider, thereby forcing the user to, or alternatively provide a function to unload the preloaded providers in the library context and re-initialise the default library context with the fips one.

Something like this should do the trick:

```go
// LoadFIPSProvider tears down the preloaded default context (and its
// "default" provider) and re-initialises defaultCtx with fips + base.
// Note: the old context is finalised before the new providers are loaded.
func LoadFIPSProvider() error {
	oldDefaultCtx := defaultCtx
	oldDefaultCtx.finalise()
	return loadFIPSProvider()
}
```
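The re-initialisation step described in the comment above, written out as an added example (not the pexip fork's code or the commenter's): the new context loads `fips` and `base` first and only then finalises the old one, so a host without the FIPS module keeps its working default provider instead of ending up with no provider at all. `ProviderLoader` and `memLoader` are assumed stand-ins for the cgo `OSSL_PROVIDER_load`/`OSSL_PROVIDER_unload` calls, which are not shown.

```go
package main

import "fmt"

// ProviderLoader is a hypothetical stand-in for OSSL_PROVIDER_load/unload (cgo impl assumed, not shown).
type ProviderLoader interface {
	Load(name string) (unload func(), err error)
}

// LibraryContext tracks the providers loaded into one OpenSSL 3 context.
type LibraryContext struct {
	providers map[string]func()
	loader    ProviderLoader
}

// LoadProvider loads one named provider into the context.
func (c *LibraryContext) LoadProvider(name string) error {
	unload, err := c.loader.Load(name)
	if err != nil {
		return fmt.Errorf("load provider %q: %w", name, err)
	}
	c.providers[name] = unload
	return nil
}

// Finalise unloads every provider held by the context.
func (c *LibraryContext) Finalise() {
	for _, unload := range c.providers {
		unload()
	}
	c.providers = map[string]func(){}
}

// SwitchToFIPS loads "fips" and "base" into a fresh context and only then finalises the old one.
func SwitchToFIPS(current *LibraryContext, l ProviderLoader) (*LibraryContext, error) {
	next := &LibraryContext{providers: map[string]func(){}, loader: l}
	for _, name := range []string{"fips", "base"} {
		if err := next.LoadProvider(name); err != nil {
			next.Finalise()
			return current, err // old context untouched, still usable
		}
	}
	current.Finalise()
	return next, nil
}

// memLoader is a constructed in-memory loader: installed = modules on disk, loaded = currently loaded.
type memLoader struct{ installed, loaded map[string]bool }
func (m *memLoader) Load(name string) (func(), error) {
	if !m.installed[name] {
		return nil, fmt.Errorf("provider module %q not found", name)
	}
	m.loaded[name] = true
	return func() { delete(m.loaded, name) }, nil
}
```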
