spacemonkeygo / openssl

OpenSSL bindings for Go
http://godoc.org/github.com/spacemonkeygo/openssl
Apache License 2.0

openssl FIPS_mode_set error #151

Open bimbimprasetyoafif opened 2 years ago

bimbimprasetyoafif commented 2 years ago

I hope this repo is not dead yet. I'm facing an error when running my Go app that uses this library. It returns:

# github.com/spacemonkeygo/openssl
../../go/pkg/mod/github.com/spacemonkeygo/openssl@v0.0.0-20181017203307-c2dcc5cca94a/fips.go:31:7: could not determine kind of name for C.FIPS_mode_set

My thought is that the OpenSSL version this library used and mine are different.

Note: running on Ubuntu 22.04, OpenSSL 3.0.2.

nisarg0103 commented 2 years ago

Same issue @bimbimprasetyoafif, have you got any solution?

bimbimprasetyoafif commented 2 years ago

Same issue @bimbimprasetyoafif, have you got any solution?

Nope, I just downgraded to Ubuntu 20 to solve my problem; I thought there was no dependency on the latest version. Besides, this repo has had no updates since 2018 @nisarg0103.

ashishm8898 commented 2 years ago

You need to downgrade your Ubuntu version from 22 to 20...

ashishm8898 commented 2 years ago

Now this comes up on my MacBook M1 chip.

ricky-charlet commented 2 years ago

See my untested pull request for a possible solution. https://github.com/spacemonkeygo/openssl/pull/154

rodrigorodriguescosta commented 1 year ago

Same issue, is there any solution except downgrading Ubuntu?

huwcbjones commented 7 months ago

FIPS_mode_set got removed in OpenSSL 3. There is an OpenSSL 3-only fork that doesn't use deprecated symbols here: https://github.com/pexip/go-openssl

Rocky210 commented 2 months ago

Is there any solution for this error?

github.com/spacemonkeygo/openssl

../../../go/pkg/mod/github.com/spacemonkeygo/openssl@v0.0.0-20181017203307-c2dcc5cca94a/fips.go:31:7: could not determine kind of name for C.FIPS_mode_set

huwcbjones commented 2 months ago

@Rocky210 see my previous comment regarding deprecated symbols in OpenSSL3 here: https://github.com/spacemonkeygo/openssl/issues/151#issuecomment-1828163438

Rocky210 commented 2 months ago

I need a clear demonstration of the implementation, could you please explain.

On Wed, Apr 17, 2024 at 2:28 PM Huw Jones @.***> wrote:

@Rocky210 https://github.com/Rocky210 see my previous comment regarding deprecated symbols in OpenSSL3 here: #151 (comment) https://github.com/spacemonkeygo/openssl/issues/151#issuecomment-1828163438


huwcbjones commented 2 months ago

I need a clear demonstration of the implementation, could you please explain.

I will do my best to explain what's changed, point you in the right direction and provide you with some untested code snippets.

From the OpenSSL 3 manpage, gone are FIPS_mode() and FIPS_mode_set(), hence this issue. They do not exist, you cannot call them.

OpenSSL 3 introduced an architecture change with the introduction of library contexts and providers. If no provider is loaded and cryptographic functions are called, the "default" provider will be loaded. Therefore users requiring programmatic enabling of the FIPS module should load the fips provider into the default library context before performing any crypto operations.

I've just had a look at what we've got in our OpenSSL 3 fork and it appears we load the default provider on init. https://github.com/pexip/go-openssl/blob/master/init.go#L108 https://github.com/pexip/go-openssl/blob/60019a99ece1aea7302abbb6b9a6157252bac72a/provider.go#L26-L31

Because of how we use FIPS crypto in our product, we enable/disable FIPS mode on a VM level, so we do not do any programmatic loading. However, if I were to add support to our fork, I'd probably do something like in https://github.com/pexip/go-openssl/blob/master/provider.go

// loadFIPSProvider replaces the package-level default LibraryContext with one
// that has the "fips" and "base" providers loaded. ctx == nil means OpenSSL's
// own default library context, so the providers land in the global context,
// which is what the OpenSSL 3 fips_module manpage example does in C.
func loadFIPSProvider() error {
    defaultCtx = &LibraryContext{
        ctx: nil, providers: make(map[string]*C.OSSL_PROVIDER), mu: &sync.Mutex{},
    }
    // Unload providers when the context is garbage collected.
    runtime.SetFinalizer(defaultCtx, func(c *LibraryContext) { c.finalise() })
    if err := defaultCtx.LoadProvider("fips"); err != nil {
        return fmt.Errorf("failed to load fips provider: %w", err)
    }
    // The base provider supplies the non-cryptographic pieces (encoders,
    // decoders, store loaders) that the fips provider alone does not.
    if err := defaultCtx.LoadProvider("base"); err != nil {
        return fmt.Errorf("failed to load base provider: %w", err)
    }
    return nil
}

That snippet above roughly matches the spirit of the C example in the manpage.

Then you'd have to fiddle with init.go/init to either not load the default provider, thereby forcing the user to, or alternatively provide a function to unload the preloaded providers in the library context and re-initialise the default library context with the fips one.

Something like this should do the trick

// LoadFIPSProvider tears down the context that init populated with the
// default provider (unloading its providers) and rebuilds it with fips+base.
func LoadFIPSProvider() error {
    oldDefaultCtx := defaultCtx
    oldDefaultCtx.finalise() // same method the finalizer above calls
    return loadFIPSProvider()
}
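As an added diagnostic (not code from this thread or from the spacemonkeygo/openssl or pexip/go-openssl projects), the script below shows why the cgo build fails: cgo resolves `C.FIPS_mode_set` against the installed OpenSSL headers, and OpenSSL 3 headers no longer declare it. It builds two constructed sample include trees, probes each for the symbol, and classifies an `openssl version` string into the legacy FIPS_mode_set() API versus the OpenSSL 3 provider API; on a real Ubuntu host with libssl-dev, point `symbol_declared_in_headers` at `/usr/include` instead.

```shell
#!/bin/sh
# Added diagnostic, not code from the spacemonkeygo/openssl project.
# cgo resolves C.FIPS_mode_set against the C headers, so the build error
# in this issue means no header under <include>/openssl declares it.
# Return 0 if some header under $1/openssl declares function $2, else 1.
symbol_declared_in_headers() {
  dir="$1/openssl"; sym="$2"
  [ -d "$dir" ] || return 1
  # match "<sym>(" at a word boundary; -s hides "no such file" noise
  if grep -Eqs "(^|[^A-Za-z0-9_])${sym}[[:space:]]*\(" "$dir"/*.h; then
    return 0
  fi
  return 1
}
# Map an "openssl version" string to the FIPS-enabling API that applies:
#   legacy   -> FIPS_mode_set() still exists (OpenSSL 1.x)
#   provider -> OpenSSL 3: load the "fips" and "base" providers instead
#   unknown  -> not OpenSSL (e.g. LibreSSL); do not guess
fips_api_for_version() {
  case "$1" in
    "OpenSSL 3."*) echo provider ;;
    "OpenSSL 1."*|"OpenSSL 0."*) echo legacy ;;
    *) echo unknown ;;
  esac
}
# Constructed sample include trees mimicking what cgo sees on each release.
make_sample_headers() {
  mkdir -p "$1/ossl111/openssl" "$1/ossl3/openssl"
  printf 'int FIPS_mode(void);\nint FIPS_mode_set(int r);\n' \
    > "$1/ossl111/openssl/crypto.h"
  printf 'OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name);\n' \
    > "$1/ossl3/openssl/provider.h"
}
# Demo on the constructed trees; on a real host pass /usr/include instead.
demo() {
  tmp=$(mktemp -d)
  make_sample_headers "$tmp"
  for tree in ossl111 ossl3; do
    if symbol_declared_in_headers "$tmp/$tree" FIPS_mode_set; then
      echo "$tree: FIPS_mode_set declared, C.FIPS_mode_set would resolve"
    else
      echo "$tree: FIPS_mode_set missing, cgo fails as in this issue"
    fi
  done
  # Classify the toolkit actually installed on this machine, if any.
  fips_api_for_version "$(openssl version 2>/dev/null || echo unknown)"
  rm -rf "$tmp"
}
demo
```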