EVP_default_properties_enable_fips()

pauli at openssl.org pauli at openssl.org
Thu Feb 16 21:24:32 UTC 2023


It needs to be called for each library context.

If you are only using the default library context, calling it in a 
constructor would be enough.
Alternatively, modify the library context creation function to include a 
call to this.


Pauli

On 17/2/2023 7:51 am, Thomas Dwyer III wrote:
> For historical reasons going way back to the earliest days of the FIPS 
> Object Module, we modified libcrypto to add a constructor function 
> that reads a configuration file and calls FIPS_mode_set() to enable or 
> disable FIPS mode. This mechanism ensures that FIPS mode is enabled 
> for all applications system-wide. I need to preserve this 
> functionality with OpenSSL 3.x, even for applications that might 
> explicitly set OPENSSL_CONF to point at some other configuration 
> (effectively forcing them to fail if that other configuration does not 
> have a valid FIPS section from "openssl fipsinstall"). I'd like to 
> confirm that with OpenSSL 3.x and the new FIPS provider, is it valid 
> to call EVP_default_properties_enable_fips(NULL, 1) from a libcrypto 
> constructor prior to main() or any other OpenSSL APIs getting invoked?
>
>
> Thanks,
> Tom.III
>
