Using EVP api in fips mode (openssl3.0)

Matt Caswell matt at
Thu Jan 16 14:59:06 UTC 2020

On 14/01/2020 04:51, Manish Patidar wrote:
> Hi
> Can any guide me how to use fips api in openssl?
> I try to use like below but it always returns null. 
> ctx = EVP_CIPHER_CTX_new() ;
> ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ;
> I am doubting fips provider is not loaded.  

Right - the FIPS provider does not get loaded by default.

First set some environment variables which will make the whole process a
bit easier. The OpenSSL libraries read these to locate the various files:

export OPENSSL_CONF_INCLUDE=/path/to/include/dir
export OPENSSL_MODULES=/path/to/providers/dir
export OPENSSL_CONF=/path/to/fips.cnf

Next you will need to "install" the FIPS module. This will create a
fipsinstall.conf file:

openssl fipsinstall -out $OPENSSL_CONF_INCLUDE/fipsinstall.conf -module
$OPENSSL_MODULES/ -provider_name fips -mac_name HMAC -macopt
'digest:SHA256' -macopt 'hexkey:00' -section_name fips_sect

(Aside: probably we should do the above as part of "make install", but
we don't do that AFAIK at the moment)

Now create a config file to automatically load the FIPS module when
OpenSSL starts. Store it in the file pointed to by $OPENSSL_CONF

openssl_conf = openssl_init

.include fipsinstall.conf

providers = provider_sect

fips = fips_sect

This will have the effect of automatically loading the FIPS provider
*and no others*. In this case you don't need the "fips=yes" in your
EVP_CIPHER_fetch() call because there are no other providers loaded
(although it does no harm).

Alternatively you can load both the default and FIPS providers at the
same time:

openssl_conf = openssl_init

.include fipsinstall.conf

providers = provider_sect

default = default_sect
fips = fips_sect

activate = 1

In this case you will need to specify "fips=yes" in the fetch to
disambiguate which implementation you want.

Hope that helps,


More information about the openssl-users mailing list