Matt Caswell matt at openssl.org
Tue Feb 16 22:26:19 UTC 2021



On 16/02/2021 19:40, Nagarjun J wrote:
> How to verify if the application is using fips provider from
> openssl-3.0.0 ( similar to fips_mode() api in openssl-fips-2.0.16) 

Using the FIPS provider in OpenSSL 3.0 works quite differently to the
old FIPS module. There isn't a one-to-one correspondence to the old APIs.

I suggest you make sure you read the 3.0 wiki page to get a good
understanding of how it works:

https://wiki.openssl.org/index.php/OpenSSL_3.0

There are a number of ways to ensure that you are always using the FIPS
provider (for example by ensuring that that is the only provider that is
loaded). It's also possible to have multiple providers loaded but using
properties to ensure that only FIPS algorithms are ever selected.

If you use properties to control this then you can use
EVP_default_properties_enable_fips() to set the default global
properties to "fips=yes". You can then also use
EVP_default_properties_is_fips_enabled() to check whether the default
properties are set to "fips=yes".

> and
> does fips provider do run time check and throw error if application
> using non fips ciphers.

When you attempt to use a cipher then libcrypto will attempt to find a
suitable one from the available providers that have been loaded based on
any property query string that is being used. As long as you configure
things in the right way (as per the various options described in the
wiki page above) then you will only have fips validated ciphers loaded
and that match the property query. If you attempt to use some other
non-validated cipher then libcrypto would throw an error because it is
unable to find a matching cipher.

Matt


