Lines Matching +full:fips +full:- +full:provider +full:- +full:validation
5 fips_module - OpenSSL fips module guide
14 with the FIPS module. Which is the correct approach to use will depend on your
20 Applications written to use the OpenSSL 3.0 FIPS module should not use any
21 legacy APIs or features that avoid the FIPS module. Specifically this includes:
41 All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to
45 =head2 Making all applications use the FIPS module by default
48 use the FIPS module for cryptographic algorithms by default.
53 FIPS module without the need for any further code changes.
60 $ openssl version -d
67 $ openssl version -v
68 OpenSSL 3.0.0-dev xx XXX xxxx (Library: OpenSSL 3.0.0-dev xx XXX xxxx)
85 fips = fips_sect
92 FIPS module config file that you installed earlier.
93 See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
95 For FIPS usage, it is recommened that the B<config_diagnostics> option is
96 enabled to prevent accidental use of non-FIPS validated algorithms via broken
100 made will start using only the FIPS module unless those applications take
102 also activates the "base" provider. The base provider does not include any
103 cryptographic algorithms (and therefore does not impact the validation status of
105 may be required. It is designed to be used in conjunction with the FIPS module.
108 are required in applications in order to benefit from the FIPS module. There are
115 You may not want all applications to use the FIPS module.
118 FIPS module.
129 The algorithms available in the FIPS module are a subset of the algorithms
130 that are available in the default OpenSSL Provider.
137 Usage of certain deprecated APIs avoids the use of the FIPS module.
139 If any applications use those APIs then the FIPS module will not be used.
143 =head2 Selectively making applications use the FIPS module by default
150 application to be executed with a non-standard config file location:
155 whether the FIPS module is loaded) on an application by application basis.
158 applications to use the FIPS module. All the other advantages and disadvantages
161 =head2 Programmatically loading the FIPS module (default library context)
163 Applications may choose to load the FIPS provider explicitly rather than relying
165 FIPS module config data (such as its self test status and integrity data). But
166 in this case we do not automatically activate the FIPS provider via that config
170 L</Making all applications use the FIPS module by default> above, but edit the
174 FIPS module, but it is not automatically loaded when the application starts. The
175 FIPS provider can then be loaded programmatically like this:
177 #include <openssl/provider.h>
181 OSSL_PROVIDER *fips;
184 fips = OSSL_PROVIDER_load(NULL, "fips");
185 if (fips == NULL) {
186 printf("Failed to load FIPS provider\n");
191 OSSL_PROVIDER_unload(fips);
192 printf("Failed to load base provider\n");
199 OSSL_PROVIDER_unload(fips);
205 cryptographic functions before this occurs then, if no provider has yet been
206 loaded, then the default provider will be automatically loaded. If you then
207 later explicitly load the FIPS provider then you will have both the FIPS and the
208 default provider loaded at the same time. It is undefined which implementation
213 Also note that in this example we have additionally loaded the "base" provider.
214 This loads a sub-set of algorithms that are also available in the default
215 provider - specifically non cryptographic ones which may be used in conjunction
216 with the FIPS provider. For example this contains algorithms for encoding and
217 decoding keys. If you decide not to load the default provider then you
218 will usually want to load the base provider instead.
225 =head2 Loading the FIPS module at the same time as other providers
227 It is possible to have the FIPS provider and other providers (such as the
228 default provider) all loaded at the same time into the same library context. You
232 For example to fetch an implementation of SHA256 which conforms to FIPS
233 standards you can specify the property query C<fips=yes> like this:
237 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "fips=yes");
244 default provider:
248 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "provider=default");
251 example sets the default property query of C<fips=yes> for all fetches within
254 EVP_set_default_properties(NULL, "fips=yes");
261 There are two important built-in properties that you should be aware of:
263 The "provider" property enables you to specify which provider you want an
264 implementation to be fetched from, e.g. C<provider=default> or C<provider=fips>.
265 All algorithms implemented in a provider have this property set on them.
267 There is also the C<fips> property. All FIPS algorithms match against the
268 property query C<fips=yes>. There are also some non-cryptographic algorithms
269 available in the default and base providers that also have the C<fips=yes>
271 can (for example) be used to write out a key generated in the FIPS provider to a
272 file. The encoder and decoder algorithms are not in the FIPS module itself but
273 are allowed to be used in conjunction with the FIPS algorithms.
276 the following config file automatically loads the default and FIPS providers and
277 sets the default property value to be C<fips=yes>. Note that this config file
278 does not load the "base" provider. All supporting algorithms that are in "base"
291 fips = fips_sect
298 default_properties = fips=yes
300 =head2 Programmatically loading the FIPS module (nondefault library context)
302 In addition to using properties to separate usage of the FIPS module from other
305 called F<openssl-fips.cnf> that automatically loads and configures the FIPS and
306 base providers. The other library context will just use the default provider.
314 * Create two nondefault library contexts. One for fips usage and
315 * one for non-fips usage
326 * Load config file for the FIPS library context. We assume that
327 * this config file will automatically activate the FIPS and base
330 if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl-fips.cnf"))
335 * provider into nonfips_libctx. This happens automatically if no
343 /* Get a FIPS validated digest */
344 fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);
348 /* Get a non-FIPS validated digest */
349 nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);
367 Note that we have made use of the special "null" provider here which we load
369 library context for FIPS usage, and just create one additional library context
370 for other usages - or vice versa. However if code has not been converted to use
376 provider into the default library context. Because a provider has been
377 explicitly loaded, the default provider will not automatically load. This means
384 =head2 Using Encoders and Decoders with the FIPS module
394 the key or parameter object. The built-in OpenSSL encoders and decoders are
395 implemented in both the default and base providers and are not in the FIPS
397 it is still possible to use them in conjunction with the FIPS module, and
398 therefore these encoders/decoders have the C<fips=yes> property against them.
399 You should ensure that either the default or base provider is loaded into the
402 =head2 Using the FIPS module in SSL/TLS
404 Writing an application that uses libssl in conjunction with the FIPS module is
406 properties and the default library context to specify usage of FIPS validated
408 in libssl. If you are using a nondefault library context to load the FIPS
409 provider then you can supply this to libssl using the function
419 * We assume that a nondefault library context with the FIPS
420 * provider loaded has been created called fips_libctx.
425 * provider loaded has been created called non_fips_libctx.
431 to specify FIPS usage:
434 * The "fips=yes" property includes all FIPS approved algorithms
435 * as well as encoders from the default provider that are allowed
439 SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(NULL, "fips=yes", TLS_method());
441 * The "provider!=fips" property allows algorithms from any
442 * provider except the FIPS provider
444 SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(NULL, "provider!=fips",
447 =head2 Confirming that an algorithm is being provided by the FIPS module
450 provider that implements it. The process is similar for all algorithms. Here the
465 Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.