Using EVP api in fips mode (openssl3.0)
Matt Caswell
matt at openssl.org
Thu Jan 16 14:59:06 UTC 2020
On 14/01/2020 04:51, Manish Patidar wrote:
> Hi
>
> Can anyone guide me on how to use the FIPS API in OpenSSL?
>
> I tried to use it like below, but it always returns NULL.
>
> ctx = EVP_CIPHER_CTX_new();
> ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes");
>
> I suspect the FIPS provider is not loaded.
Right - the FIPS provider does not get loaded by default.
First set some environment variables which will make the whole process a
bit easier. The OpenSSL libraries read these to locate the various files:
export OPENSSL_CONF_INCLUDE=/path/to/include/dir
export OPENSSL_MODULES=/path/to/providers/dir
export OPENSSL_CONF=/path/to/fips.cnf
Next you will need to "install" the FIPS module. This will create a
fipsinstall.conf file:
openssl fipsinstall -out $OPENSSL_CONF_INCLUDE/fipsinstall.conf \
    -module $OPENSSL_MODULES/fips.so -provider_name fips \
    -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' \
    -section_name fips_sect
(Aside: probably we should do the above as part of "make install", but
we don't do that AFAIK at the moment)
Now create a config file to automatically load the FIPS module when
OpenSSL starts. Store it in the file pointed to by $OPENSSL_CONF:
openssl_conf = openssl_init
.include fipsinstall.conf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
This will have the effect of automatically loading the FIPS provider
*and no others*. In this case you don't need the "fips=yes" in your
EVP_CIPHER_fetch() call because there are no other providers loaded
(although it does no harm).
Alternatively you can load both the default and FIPS providers at the
same time:
openssl_conf = openssl_init
.include fipsinstall.conf
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
fips = fips_sect
[default_sect]
activate = 1
In this case you will need to specify "fips=yes" in the fetch to
disambiguate which implementation you want.
Hope that helps,
Matt