openssl 3.0 fips provider and low level APIs

Tomas Mraz tomas at
Tue May 3 16:08:00 UTC 2022

All the providers can use the low-level APIs internally to implement
crypto algorithms. The FIPS provider, however, includes all the low-level
implementations as separately built and statically linked code.

That means you cannot use the low-level calls in an application and
still be FIPS compliant as the low-level API calls called from an
application are implemented by the libcrypto library and not the FIPS

Tomas Mraz, OpenSSL

On Tue, 2022-05-03 at 10:12 -0500, Joy Latten wrote:
> Hi,
> I understand that low-level APIs have been deprecated in version 3. I
> have been playing some with the fips provider trying to understand
> the config options to use with it. I noticed that the fips provider
> source code includes a few low level APIs like SHA256_Init(). 
> Is it correct to conclude that although use of the low level APIs is
> deprecated, perhaps for a grace period for transitioning they are
> permitted in the fips provider?
> Thanks for all help!
> regards,
> Joy

Tomáš Mráz, OpenSSL
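
An added example, not part of the original message and not OpenSSL's own code: a small source audit that flags application calls to low-level functions, which per the reply above are implemented by libcrypto rather than the FIPS provider. The function list and the EVP hints are an illustrative subset chosen for this example, and the sample C source is constructed.

```python
import re

# Low-level calls deprecated in OpenSSL 3.0, each mapped to the closest EVP
# call, which is dispatched to a provider. Illustrative subset, not complete.
LOW_LEVEL = {
    "SHA256_Init": "EVP_DigestInit_ex",
    "SHA256_Update": "EVP_DigestUpdate",
    "SHA256_Final": "EVP_DigestFinal_ex",
    "AES_set_encrypt_key": "EVP_EncryptInit_ex",
    "AES_encrypt": "EVP_EncryptUpdate",
}
CALL = re.compile(r"\b(" + "|".join(LOW_LEVEL) + r")\s*\(")
# Comments and string literals: a name mentioned there is not a call.
NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)


def blank(match):
    # Keep newlines so reported line numbers still match the file.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_low_level_calls(source):
    """Return (line, function, evp_hint) for each low-level call found."""
    code = NOISE.sub(blank, source)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1), LOW_LEVEL[m.group(1)])
            for m in CALL.finditer(code)]


# Constructed sample application source, not taken from any real project.
SAMPLE = '''\
#include <openssl/sha.h>
/* old code used SHA256_Init(&c) here */
void legacy(const void *p, size_t n, unsigned char *out) {
    SHA256_CTX c;
    SHA256_Init(&c);          // served by libcrypto, not the FIPS provider
    SHA256_Update(&c, p, n);
    SHA256_Final(out, &c);
    puts("SHA256_Init(done)");
}
void provider_based(EVP_MD_CTX *ctx, const EVP_MD *md) {
    EVP_DigestInit_ex(ctx, md, NULL);
}
'''

if __name__ == "__main__":
    for line, name, hint in find_low_level_calls(SAMPLE):
        print(f"line {line}: {name}() bypasses the provider; see {hint}()")
```

Only the three real calls in `legacy()` are reported; the mention inside the comment, the string literal and the EVP call are not.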
