FIPS and default properties

Thomas Dwyer III tomiii at tomiii.com
Thu Jul 30 23:12:37 UTC 2020


I'm struggling to understand how EVP_default_properties_is_fips_enabled()
works. I cannot get this function to return nonzero unless I first call
either EVP_default_properties_enable_fips() or
EVP_set_default_properties(), even when the config file sets
default_properties to enable fips.

Also, the return value of this function doesn't seem to have any effect on
which provider gets selected (which I think is what issue #11594
describes?).

My config file has the following:

    [openssl_init]
    providers = provider_sect
    alg_section = alg_sect

    [provider_sect]
    fips = fips_sect
    default = default_sect

    [default_sect]
    activate = 1

    [alg_sect]
    default_properties = fips=yes

    .include /path/to/fips.cnf

I understand this to mean both the default provider and the fips provider
will be loaded into the default context, and both of these providers will
be activated. I also see that:

    EVP_MD_fetch(NULL, "sha256", NULL);

returns a pointer which EVP_MD_provider() confirms as being from the fips
provider (as expected). Changing this to "fips=no" in the config file
results in EVP_MD_fetch() returning EVP_MD from the default provider, again
as expected. However, in both cases,
EVP_default_properties_is_fips_enabled() always returns zero. I don't see
anything in #11594 that would explain this.

Calling EVP_default_properties_enable_fips(NULL, 1) results in
EVP_default_properties_is_fips_enabled() returning 1, but this does not
appear to override the fips=no from the config file during EVP_MD_fetch()
(which is what I believe #11594 describes).

Is the result of EVP_default_properties_is_fips_enabled() supposed to take
into account the default properties specified in the config file? I don't
see it doing that. Also, regarding #11594, if default properties are
currently still broken, why do those in the config appear to work properly?

And finally the burning question: Any ETA on a fix? :-) :-) :-)


Thanks,
Tom.III