<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
You aren't using the EVP_MD APIs to access MD5, you are bypassing
the EVP layer and calling the low level function directly. In
OpenSSL 3.0, when using FIPS, you must only use the EVP APIs.<br>
Anything else is non-compliant. This is a change from the 1.0.2
compatible FOM.<br>
<br>
<br>
Paul Dale<br>
<br>
<br>
<div class="moz-cite-prefix">On 8/3/23 04:26, Prasad, PCRaghavendra
via openssl-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR19MB4029912D0C9A3DA2754918919AB79@MN2PR19MB4029.namprd19.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:"Cascadia Mono";
panose-1:2 11 6 9 2 0 0 2 0 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.msipfooter90245289, li.msipfooter90245289, div.msipfooter90245289
{mso-style-name:msipfooter90245289;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help on this will be helpful<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">How to set fips enabled for the complete
application (process/service) which is running.<o:p></o:p></p>
<p class="MsoNormal">I have provided all the samples which I
have used for testing the same in the below mails<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Tuesday, March 7, 2023 10:33 AM<br>
<b>To:</b> openssl-users<br>
<b>Subject:</b> RE: OpenSSL 3.0.x + Python 3.9.x + Enable
FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help/inputs on this will be really
helpful, please <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Tuesday, March 7, 2023 12:31 AM<br>
<b>To:</b> openssl-users<br>
<b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal,
Srinath<br>
<b>Subject:</b> RE: OpenSSL 3.0.x + Python 3.9.x + Enable
FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tried another approach by loading the
required providers as mentioned in the docs.<o:p></o:p></p>
<p class="MsoNormal">The assumption was that the highlighted
line in the code will fail when the FIPS provider is enabled.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At the beginning of the application fips
provider are enabled and in between code will take care of any
non-approved algorithms (like MD5)<o:p></o:p></p>
<p class="MsoNormal">And at the end unloading the providers.
This is our understanding.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please let us know if any settings are
missing here or if something else needed to be added to the
code/config file.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Openssl.cnf<o:p></o:p></b></p>
<p class="MsoNormal"><b>=========<o:p></o:p></b></p>
<p class="MsoNormal">.include
c:\\usr\\local\\ssl\\fipsmodule.cnf<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[openssl_init]<o:p></o:p></p>
<p class="MsoNormal">providers = provider_sect<o:p></o:p></p>
<p class="MsoNormal">#alg_section = algorithm_sect<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># List of providers to load<o:p></o:p></p>
<p class="MsoNormal">[provider_sect]<o:p></o:p></p>
<p class="MsoNormal">default = default_sect<o:p></o:p></p>
<p class="MsoNormal"># The fips section name should match the
section name inside the<o:p></o:p></p>
<p class="MsoNormal"># included fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoNormal">fips = fips_sect<o:p></o:p></p>
<p class="MsoNormal">#base = base_sect<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># If no providers are activated explicitly,
the default one is activated implicitly.<o:p></o:p></p>
<p class="MsoNormal"># See man 7 OSSL_PROVIDER-default for more
details.<o:p></o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"># If you add a section explicitly
activating any other provider(s), you most<o:p></o:p></p>
<p class="MsoNormal"># probably need to explicitly activate the
default provider, otherwise it<o:p></o:p></p>
<p class="MsoNormal"># becomes unavailable in openssl. As a
consequence applications depending on<o:p></o:p></p>
<p class="MsoNormal"># OpenSSL may not work correctly which
could lead to significant system<o:p></o:p></p>
<p class="MsoNormal"># problems including inability to remotely
access the system.<o:p></o:p></p>
<p class="MsoNormal">[default_sect]<o:p></o:p></p>
<p class="MsoNormal">activate = 0<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[base_sect]<o:p></o:p></p>
<p class="MsoNormal">activate = 1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[algorithm_sect]<o:p></o:p></p>
<p class="MsoNormal">default_properties = fips=yes<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include
<Windows.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include
<stdio.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include
<openssl/provider.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include
"openssl/md5.h"<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal"><b>C sample code <o:p></o:p></b></p>
<p class="MsoNormal"><b>===========<o:p></o:p></b></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">int main(void)<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">{<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
OSSL_PROVIDER* fips;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
OSSL_PROVIDER* base;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> fips =
OSSL_PROVIDER_load(NULL, "fips");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> if (fips ==
NULL) {<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
printf("Failed to load FIPS provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
exit(EXIT_FAILURE);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> }<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">
printf("Success to load FIPS provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> base =
OSSL_PROVIDER_load(NULL, "base");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> if (base ==
NULL) {<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
OSSL_PROVIDER_unload(fips);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
printf("Failed to load base provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
exit(EXIT_FAILURE);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> }<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">
printf("Success to load base provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> /* Rest of
application */<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"> unsigned
char* Temp = NULL;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <span
style="background:yellow;mso-highlight:yellow">
Temp = MD5("The quick brown fox jumps over the lazy dog",
100, NULL);</span> <o:p>
</o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf(Temp);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
printf("\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">
OSSL_PROVIDER_unload(base);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
OSSL_PROVIDER_unload(fips);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">
exit(EXIT_SUCCESS);<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Output<o:p></o:p></b></p>
<p class="MsoNormal"><b>======<o:p></o:p></b></p>
<p class="MsoNormal">C:\Work\OpenSSL3.x\TEST>test_provider.exe<o:p></o:p></p>
<p class="MsoNormal">Success to load FIPS provider<o:p></o:p></p>
<p class="MsoNormal">Success to load base provider<o:p></o:p></p>
<p class="MsoNormal"><span
style="background:yellow;mso-highlight:yellow">pá«í</span><span
style="font-family:DengXian;background:yellow;mso-highlight:yellow"
lang="ZH-CN">╤δ</span><span
style="font-family:"Arial",sans-serif;background:yellow;mso-highlight:yellow">░</span><span
style="background:yellow;mso-highlight:yellow">Å9¥ê₧IδH*</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span
style="font-size:7.0pt;color:#737373">Internal Use -
Confidential</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Monday, March 6, 2023 8:37 PM<br>
<b>To:</b> openssl-users<br>
<b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep<br>
<b>Subject:</b> OpenSSL 3.0.x + Python 3.9.x + Enable
FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Dr. Paul/Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We are following the OpenSSL org docs to
enable the fips programmatically \.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">With our understanding and refereeing
multiple docs, we came up with the following code.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Initially, we wanted to check the fips
enablement from the <u>
C code</u> then we wanted to check with Python as our
application is completely in Python.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Query:<o:p></o:p></p>
<p class="MsoNormal"> How can we enable fips
programmatically for the entire application, meaning just like
<u>fips_mode_set(1)</u> in previous OpenSSL releases which
will make the complete application run in the fips mode?<o:p></o:p></p>
<p class="MsoNormal">In OpenSSL 3.0.x how can we make the
application level ( process level ) to be in FIPS compliance?
In our example, we used the context for FIPS and for default.
How this FIPS context can be applied to the entire
application?<o:p></o:p></p>
<p class="MsoNormal">Is there a way to do this? Can you please
provide some input on this, please let us know if we are doing
something wrong here.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Providing the complete information from our
system which is done till now to enable the fips
programmatically.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Steps:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">Installed/Built
OpenSSL 3.0.8 version on windows by following the doc<o:p></o:p></li>
</ul>
<p class="MsoListParagraph">c:\usr\local\ssl\bin>openssl.exe
version -v<o:p></o:p></p>
<p class="MsoListParagraph"><span
style="background:yellow;mso-highlight:yellow">OpenSSL 3.0.8
7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)</span><o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">Openssl and
fipsmodule cnf files are available at the installed
location.<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3"><b>Contents
of OpenSSL.cnf<o:p></o:p></b></li>
</ul>
<p class="MsoListParagraph">====<o:p></o:p></p>
<p class="MsoListParagraph">[openssl_init]<o:p></o:p></p>
<p class="MsoListParagraph">providers = provider_sect<o:p></o:p></p>
<p class="MsoListParagraph"><b>alg_section = algorithm_sect<o:p></o:p></b></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"># List of providers to load<o:p></o:p></p>
<p class="MsoListParagraph">[provider_sect]<o:p></o:p></p>
<p class="MsoListParagraph">default = default_sect<o:p></o:p></p>
<p class="MsoListParagraph"># The fips section name should match
the section name inside the<o:p></o:p></p>
<p class="MsoListParagraph"># included fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoListParagraph"><b>fips = fips_sect<o:p></o:p></b></p>
<p class="MsoListParagraph">#base = base_sect<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"># If no providers are activated
explicitly, the default one is activated implicitly.<o:p></o:p></p>
<p class="MsoListParagraph"># See man 7 OSSL_PROVIDER-default
for more details.<o:p></o:p></p>
<p class="MsoListParagraph">#<o:p></o:p></p>
<p class="MsoListParagraph"># If you add a section explicitly
activating any other provider(s), you most<o:p></o:p></p>
<p class="MsoListParagraph"># probably need to explicitly
activate the default provider, otherwise it<o:p></o:p></p>
<p class="MsoListParagraph"># becomes unavailable in openssl.
As a consequence applications depending on<o:p></o:p></p>
<p class="MsoListParagraph"># OpenSSL may not work correctly
which could lead to significant system<o:p></o:p></p>
<p class="MsoListParagraph"># problems including inability to
remotely access the system.<o:p></o:p></p>
<p class="MsoListParagraph">[default_sect]<o:p></o:p></p>
<p class="MsoListParagraph">activate = 0<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph">[base_sect]<o:p></o:p></p>
<p class="MsoListParagraph">activate = 1<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph">[algorithm_sect]<o:p></o:p></p>
<p class="MsoListParagraph"><b>default_properties = fips=yes<o:p></o:p></b></p>
<p class="MsoListParagraph">==========<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">Contents of
the fipsmodule cnf file<o:p></o:p></li>
</ul>
<p class="MsoListParagraph">[fips_sect]<o:p></o:p></p>
<p class="MsoListParagraph"><b>activate = 1<o:p></o:p></b></p>
<p class="MsoListParagraph">conditional-errors = 1<o:p></o:p></p>
<p class="MsoListParagraph">security-checks = 1<o:p></o:p></p>
<p class="MsoListParagraph">module-mac = 53:C8.xxx<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3"><b>C code to
invoke programmatically<o:p></o:p></b></li>
</ul>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">#include</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515"><Windows.h></span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">#include</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515"><stdio.h></span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">#include</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"openssl/types.h"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">#include</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"openssl/crypto.h"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:gray">#include</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black">
</span><span style="font-size:9.5pt;font-family:"Cascadia
Mono";color:#A31515">"openssl/md5.h"</span><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"><span
style="font-size:9.5pt;font-family:"Cascadia
Mono";color:black"><o:p> </o:p></span></p>
<p class="MsoListParagraph">int main()<o:p></o:p></p>
<p class="MsoListParagraph">{<o:p></o:p></p>
<p class="MsoListParagraph"> printf("hello\n");<o:p></o:p></p>
<p class="MsoListParagraph"> OSSL_LIB_CTX*
fips_libctx, * nonfips_libctx;<o:p></o:p></p>
<p class="MsoListParagraph"> printf("good\n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> OSSL_PROVIDER*
defctxnull = NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> EVP_MD* fipssha256 =
NULL, * nonfipssha256 = NULL, * fipsmd5 = NULL, * fipssha1 =
NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> int ret = 1;<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * Create two
nondefault library contexts. One for fips usage and<o:p></o:p></p>
<p class="MsoListParagraph"> * one for non-fips
usage<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"> fips_libctx =
OSSL_LIB_CTX_new();<o:p></o:p></p>
<p class="MsoListParagraph"> nonfips_libctx =
OSSL_LIB_CTX_new();<o:p></o:p></p>
<p class="MsoListParagraph"> if (fips_libctx ==
NULL || nonfips_libctx == NULL)<o:p></o:p></p>
<p class="MsoListParagraph">
printf("null \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Prevent anything
from using the default library context */<o:p></o:p></p>
<p class="MsoListParagraph"> defctxnull =
OSSL_PROVIDER_load(NULL, "null");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * Load config file
for the FIPS library context. We assume that<o:p></o:p></p>
<p class="MsoListParagraph"> * this config file
will automatically activate the FIPS and base<o:p></o:p></p>
<p class="MsoListParagraph"> * providers so we
don't need to explicitly load them here.<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"> if
(!OSSL_LIB_CTX_load_config(fips_libctx,
"c:\\usr\\local\\ssl\\openssl.cnf"))<o:p></o:p></p>
<p class="MsoListParagraph">
printf("err OSSL_LIB_CTX_load_config\n ");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * We don't need to do
anything special to load the default<o:p></o:p></p>
<p class="MsoListParagraph"> * provider into
nonfips_libctx. This happens automatically if no<o:p></o:p></p>
<p class="MsoListParagraph"> * other providers are
loaded.<o:p></o:p></p>
<p class="MsoListParagraph"> * Because we don't
call OSSL_LIB_CTX_load_config() explicitly for<o:p></o:p></p>
<p class="MsoListParagraph"> * nonfips_libctx it
will just use the default config file.<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* As an example get
some digests */<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Get a FIPS
validated digest */<o:p></o:p></p>
<p class="MsoListParagraph"> fipssha256 =
EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (fipssha256 ==
NULL)<o:p></o:p></p>
<p class="MsoListParagraph">
printf("err fipssha256 \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> fipssha1 =
EVP_MD_fetch(fips_libctx, "SHA1", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (fipssha1 == NULL)<o:p></o:p></p>
<p class="MsoListParagraph">
printf("err fipssha1 \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> <span
style="background:yellow;mso-highlight:yellow">
fipsmd5 = EVP_MD_fetch(fips_libctx, "MD5", NULL); -- </span><b><span
style="color:#70AD47">This is throwing error w.r.t context
which is expected</span></b><span
style="background:yellow;mso-highlight:yellow"><o:p></o:p></span></p>
<p class="MsoListParagraph"><span
style="background:yellow;mso-highlight:yellow">
if (fipsmd5 == NULL)<o:p></o:p></span></p>
<p class="MsoListParagraph"><span
style="background:yellow;mso-highlight:yellow">
printf("err fipsmd5 \n");</span><o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Get a non-FIPS
validated digest */<o:p></o:p></p>
<p class="MsoListParagraph"> nonfipssha256 =
EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (nonfipssha256 ==
NULL)<o:p></o:p></p>
<p class="MsoListParagraph">
printf("err nonfipssha256 \n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> unsigned char* Temp =
NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> <span
style="background:yellow;mso-highlight:yellow">
Temp = MD5("The quick brown fox jumps over the lazy dog",
100, NULL);</span> <span style="color:red">
-- <b>This is working fine</b> </span><o:p></o:p></p>
<p class="MsoListParagraph"> printf(Temp);<o:p></o:p></p>
<p class="MsoListParagraph"> printf("\n");<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> /* Use the digests */<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"> printf("Success\n");<o:p></o:p></p>
<p class="MsoListParagraph"> ret = 0;<o:p></o:p></p>
<p class="MsoListParagraph">}<o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks in advance<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Raghavendra<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span
style="font-size:7.0pt;color:#737373">Internal Use -
Confidential</span><o:p></o:p></p>
</div>
</blockquote>
<br>
</body>
</html>