<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cascadia Mono \;color\:gray";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cascadia Mono \;color\:black";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cascadia Mono \;color\:\#A31515";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msipfooter90245289, li.msipfooter90245289, div.msipfooter90245289
{mso-style-name:msipfooter90245289;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:173231111;
mso-list-template-ids:-1030711620;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:791558909;
mso-list-template-ids:2010795560;}
@list l2
{mso-list-id:1197932636;
mso-list-template-ids:-353478384;}
@list l2:level1
{mso-level-start-at:4;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3
{mso-list-id:1219630146;
mso-list-template-ids:-1320246540;}
@list l3:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:1277758378;
mso-list-template-ids:1856937886;}
@list l4:level1
{mso-level-start-at:5;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Thanks Dr. Paul.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So we should use only EVP_* (high-level APIs) instead of the low-level APIs (MD5 ) directly, understood.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Are there any specific .h files where we can refer to this method that needs to be used ( ex: evp.h )? still, are there any files that we can go through once before calling in the fips mode?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">One more doubt is How can we set fips enabled for the complete application (process/service) while running so that if we are using non-compliant algorithms/methods it should throw errors? Is it possible in OpenSSL 3.0.x?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks once again Dr. Paul.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span style="font-size:7.0pt;color:#737373">Internal Use - Confidential</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> openssl-users <openssl-users-bounces@openssl.org>
<b>On Behalf Of </b>Dr Paul Dale<br>
<b>Sent:</b> Wednesday, March 8, 2023 4:13 AM<br>
<b>To:</b> openssl-users@openssl.org<br>
<b>Subject:</b> Re: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p><span style="color:#CE1126">[EXTERNAL EMAIL] <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">You aren't using the EVP_MD APIs to access MD5, you are bypassing the EVP layer and calling the low level function directly. In OpenSSL 3.0, when using FIPS, you must only use the EVP APIs.<br>
Anything else is non-compliant. This is a change from the 1.0.2 compatible FOM.<br>
<br>
<br>
Paul Dale<o:p></o:p></p>
<div>
<p class="MsoNormal">On 8/3/23 04:26, Prasad, PCRaghavendra via openssl-users wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any help on this will be helpful<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">How to set fips enabled for the complete application (process/service) which is running.<o:p></o:p></p>
<p class="MsoNormal">I have provided all the samples which I have used for testing the same in the below mails<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Tuesday, March 7, 2023 10:33 AM<br>
<b>To:</b> openssl-users<br>
<b>Subject:</b> RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any help/inputs on this will be really helpful, please <o:p>
</o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Tuesday, March 7, 2023 12:31 AM<br>
<b>To:</b> openssl-users<br>
<b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath<br>
<b>Subject:</b> RE: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Tried another approach by loading the required providers as mentioned in the docs.<o:p></o:p></p>
<p class="MsoNormal">The assumption was that the highlighted line in the code will fail when the FIPS provider is enabled.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">At the beginning of the application fips provider are enabled and in between code will take care of any non-approved algorithms (like MD5)<o:p></o:p></p>
<p class="MsoNormal">And at the end unloading the providers. This is our understanding.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Please let us know if any settings are missing here or if something else needed to be added to the code/config file.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Openssl.cnf</b><o:p></o:p></p>
<p class="MsoNormal"><b>=========</b><o:p></o:p></p>
<p class="MsoNormal">.include c:\\usr\\local\\ssl\\fipsmodule.cnf<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">[openssl_init]<o:p></o:p></p>
<p class="MsoNormal">providers = provider_sect<o:p></o:p></p>
<p class="MsoNormal">#alg_section = algorithm_sect<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"># List of providers to load<o:p></o:p></p>
<p class="MsoNormal">[provider_sect]<o:p></o:p></p>
<p class="MsoNormal">default = default_sect<o:p></o:p></p>
<p class="MsoNormal"># The fips section name should match the section name inside the<o:p></o:p></p>
<p class="MsoNormal"># included fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoNormal">fips = fips_sect<o:p></o:p></p>
<p class="MsoNormal">#base = base_sect<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"># If no providers are activated explicitly, the default one is activated implicitly.<o:p></o:p></p>
<p class="MsoNormal"># See man 7 OSSL_PROVIDER-default for more details.<o:p></o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"># If you add a section explicitly activating any other provider(s), you most<o:p></o:p></p>
<p class="MsoNormal"># probably need to explicitly activate the default provider, otherwise it<o:p></o:p></p>
<p class="MsoNormal"># becomes unavailable in openssl. As a consequence applications depending on<o:p></o:p></p>
<p class="MsoNormal"># OpenSSL may not work correctly which could lead to significant system<o:p></o:p></p>
<p class="MsoNormal"># problems including inability to remotely access the system.<o:p></o:p></p>
<p class="MsoNormal">[default_sect]<o:p></o:p></p>
<p class="MsoNormal">activate = 0<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">[base_sect]<o:p></o:p></p>
<p class="MsoNormal">activate = 1<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">[algorithm_sect]<o:p></o:p></p>
<p class="MsoNormal">default_properties = fips=yes<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include <Windows.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include <stdio.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include <openssl/provider.h><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">#include "openssl/md5.h"<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal"><b>C sample code </b><o:p></o:p></p>
<p class="MsoNormal"><b>===========</b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">int main(void)<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">{<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER* fips;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER* base;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> fips = OSSL_PROVIDER_load(NULL, "fips");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> if (fips == NULL) {<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Failed to load FIPS provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> exit(EXIT_FAILURE);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> }<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Success to load FIPS provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> base = OSSL_PROVIDER_load(NULL, "base");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> if (base == NULL) {<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER_unload(fips);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Failed to load base provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> exit(EXIT_FAILURE);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> }<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("Success to load base provider\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> /* Rest of application */<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> unsigned char* Temp = NULL;<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <span style="background:yellow;mso-highlight:yellow">
Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL);</span> <o:p>
</o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf(Temp);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> printf("\n");<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER_unload(base);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> OSSL_PROVIDER_unload(fips);<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> exit(EXIT_SUCCESS);<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Output</b><o:p></o:p></p>
<p class="MsoNormal"><b>======</b><o:p></o:p></p>
<p class="MsoNormal">C:\Work\OpenSSL3.x\TEST>test_provider.exe<o:p></o:p></p>
<p class="MsoNormal">Success to load FIPS provider<o:p></o:p></p>
<p class="MsoNormal">Success to load base provider<o:p></o:p></p>
<p class="MsoNormal"><span style="background:yellow;mso-highlight:yellow">pá«í</span><span lang="ZH-CN" style="font-family:DengXian;background:yellow;mso-highlight:yellow">╤δ</span><span style="font-family:"Arial",sans-serif;background:yellow;mso-highlight:yellow">░</span><span style="background:yellow;mso-highlight:yellow">Å9¥ê₧IδH*</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span style="font-size:7.0pt;color:#737373">Internal Use - Confidential</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Prasad, PCRaghavendra <br>
<b>Sent:</b> Monday, March 6, 2023 8:37 PM<br>
<b>To:</b> openssl-users<br>
<b>Cc:</b> Ds, Pradeep Kumar; Kuppam, Pradeep<br>
<b>Subject:</b> OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hi Dr. Paul/Team,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We are following the OpenSSL org docs to enable the fips programmatically \.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">With our understanding and refereeing multiple docs, we came up with the following code.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Initially, we wanted to check the fips enablement from the <u>
C code</u> then we wanted to check with Python as our application is completely in Python.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Query:<o:p></o:p></p>
<p class="MsoNormal"> How can we enable fips programmatically for the entire application, meaning just like
<u>fips_mode_set(1)</u> in previous OpenSSL releases which will make the complete application run in the fips mode?<o:p></o:p></p>
<p class="MsoNormal">In OpenSSL 3.0.x how can we make the application level ( process level ) to be in FIPS compliance? In our example, we used the context for FIPS and for default. How this FIPS context can be applied to the entire application?<o:p></o:p></p>
<p class="MsoNormal">Is there a way to do this? Can you please provide some input on this, please let us know if we are doing something wrong here.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Providing the complete information from our system which is done till now to enable the fips programmatically.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Steps:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3">Installed/Built OpenSSL 3.0.8 version on windows by following the doc<o:p></o:p></li></ol>
<p class="MsoListParagraph">c:\usr\local\ssl\bin>openssl.exe version -v<o:p></o:p></p>
<p class="MsoListParagraph"><span style="background:yellow;mso-highlight:yellow">OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)</span><o:p></o:p></p>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3">Openssl and fipsmodule cnf files are available at the installed location.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3"><b>Contents of OpenSSL.cnf</b><o:p></o:p></li></ol>
<p class="MsoListParagraph">====<o:p></o:p></p>
<p class="MsoListParagraph">[openssl_init]<o:p></o:p></p>
<p class="MsoListParagraph">providers = provider_sect<o:p></o:p></p>
<p class="MsoListParagraph"><b>alg_section = algorithm_sect</b><o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"># List of providers to load<o:p></o:p></p>
<p class="MsoListParagraph">[provider_sect]<o:p></o:p></p>
<p class="MsoListParagraph">default = default_sect<o:p></o:p></p>
<p class="MsoListParagraph"># The fips section name should match the section name inside the<o:p></o:p></p>
<p class="MsoListParagraph"># included fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoListParagraph"><b>fips = fips_sect</b><o:p></o:p></p>
<p class="MsoListParagraph">#base = base_sect<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"># If no providers are activated explicitly, the default one is activated implicitly.<o:p></o:p></p>
<p class="MsoListParagraph"># See man 7 OSSL_PROVIDER-default for more details.<o:p></o:p></p>
<p class="MsoListParagraph">#<o:p></o:p></p>
<p class="MsoListParagraph"># If you add a section explicitly activating any other provider(s), you most<o:p></o:p></p>
<p class="MsoListParagraph"># probably need to explicitly activate the default provider, otherwise it<o:p></o:p></p>
<p class="MsoListParagraph"># becomes unavailable in openssl. As a consequence applications depending on<o:p></o:p></p>
<p class="MsoListParagraph"># OpenSSL may not work correctly which could lead to significant system<o:p></o:p></p>
<p class="MsoListParagraph"># problems including inability to remotely access the system.<o:p></o:p></p>
<p class="MsoListParagraph">[default_sect]<o:p></o:p></p>
<p class="MsoListParagraph">activate = 0<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph">[base_sect]<o:p></o:p></p>
<p class="MsoListParagraph">activate = 1<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph">[algorithm_sect]<o:p></o:p></p>
<p class="MsoListParagraph"><b>default_properties = fips=yes</b><o:p></o:p></p>
<p class="MsoListParagraph">==========<o:p></o:p></p>
<ol style="margin-top:0in" start="4" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3">Contents of the fipsmodule cnf file<o:p></o:p></li></ol>
<p class="MsoListParagraph">[fips_sect]<o:p></o:p></p>
<p class="MsoListParagraph"><b>activate = 1</b><o:p></o:p></p>
<p class="MsoListParagraph">conditional-errors = 1<o:p></o:p></p>
<p class="MsoListParagraph">security-checks = 1<o:p></o:p></p>
<p class="MsoListParagraph">module-mac = 53:C8.xxx<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3"><b>C code to invoke programmatically</b><o:p></o:p></li></ol>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.5in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:gray",serif">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:black",serif">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:#A31515",serif"><Windows.h></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.5in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:gray",serif">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:black",serif">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:#A31515",serif"><stdio.h></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.5in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:gray",serif">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:black",serif">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:#A31515",serif">"openssl/types.h"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.5in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:gray",serif">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:black",serif">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:#A31515",serif">"openssl/crypto.h"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.5in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:gray",serif">#include</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:black",serif">
</span><span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:#A31515",serif">"openssl/md5.h"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.5in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:9.5pt;font-family:"Cascadia Mono ;color:black",serif"> </span><o:p></o:p></p>
<p class="MsoListParagraph">int main()<o:p></o:p></p>
<p class="MsoListParagraph">{<o:p></o:p></p>
<p class="MsoListParagraph"> printf("hello\n");<o:p></o:p></p>
<p class="MsoListParagraph"> OSSL_LIB_CTX* fips_libctx, * nonfips_libctx;<o:p></o:p></p>
<p class="MsoListParagraph"> printf("good\n");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> OSSL_PROVIDER* defctxnull = NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> EVP_MD* fipssha256 = NULL, * nonfipssha256 = NULL, * fipsmd5 = NULL, * fipssha1 = NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> int ret = 1;<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * Create two nondefault library contexts. One for fips usage and<o:p></o:p></p>
<p class="MsoListParagraph"> * one for non-fips usage<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"> fips_libctx = OSSL_LIB_CTX_new();<o:p></o:p></p>
<p class="MsoListParagraph"> nonfips_libctx = OSSL_LIB_CTX_new();<o:p></o:p></p>
<p class="MsoListParagraph"> if (fips_libctx == NULL || nonfips_libctx == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("null \n");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /* Prevent anything from using the default library context */<o:p></o:p></p>
<p class="MsoListParagraph"> defctxnull = OSSL_PROVIDER_load(NULL, "null");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * Load config file for the FIPS library context. We assume that<o:p></o:p></p>
<p class="MsoListParagraph"> * this config file will automatically activate the FIPS and base<o:p></o:p></p>
<p class="MsoListParagraph"> * providers so we don't need to explicitly load them here.<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"> if (!OSSL_LIB_CTX_load_config(fips_libctx, "c:\\usr\\local\\ssl\\openssl.cnf"))<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err OSSL_LIB_CTX_load_config\n ");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /*<o:p></o:p></p>
<p class="MsoListParagraph"> * We don't need to do anything special to load the default<o:p></o:p></p>
<p class="MsoListParagraph"> * provider into nonfips_libctx. This happens automatically if no<o:p></o:p></p>
<p class="MsoListParagraph"> * other providers are loaded.<o:p></o:p></p>
<p class="MsoListParagraph"> * Because we don't call OSSL_LIB_CTX_load_config() explicitly for<o:p></o:p></p>
<p class="MsoListParagraph"> * nonfips_libctx it will just use the default config file.<o:p></o:p></p>
<p class="MsoListParagraph"> */<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /* As an example get some digests */<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /* Get a FIPS validated digest */<o:p></o:p></p>
<p class="MsoListParagraph"> fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (fipssha256 == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err fipssha256 \n");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> fipssha1 = EVP_MD_fetch(fips_libctx, "SHA1", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (fipssha1 == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err fipssha1 \n");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> <span style="background:yellow;mso-highlight:yellow">
fipsmd5 = EVP_MD_fetch(fips_libctx, "MD5", NULL); -- </span><b><span style="color:#70AD47">This is throwing error w.r.t context which is expected</span></b><o:p></o:p></p>
<p class="MsoListParagraph"><span style="background:yellow;mso-highlight:yellow"> if (fipsmd5 == NULL)</span><o:p></o:p></p>
<p class="MsoListParagraph"><span style="background:yellow;mso-highlight:yellow"> printf("err fipsmd5 \n");</span><o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /* Get a non-FIPS validated digest */<o:p></o:p></p>
<p class="MsoListParagraph"> nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);<o:p></o:p></p>
<p class="MsoListParagraph"> if (nonfipssha256 == NULL)<o:p></o:p></p>
<p class="MsoListParagraph"> printf("err nonfipssha256 \n");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> unsigned char* Temp = NULL;<o:p></o:p></p>
<p class="MsoListParagraph"> <span style="background:yellow;mso-highlight:yellow">
Temp = MD5("The quick brown fox jumps over the lazy dog", 100, NULL);</span> <span style="color:red">
-- <b>This is working fine</b> </span><o:p></o:p></p>
<p class="MsoListParagraph"> printf(Temp);<o:p></o:p></p>
<p class="MsoListParagraph"> printf("\n");<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> /* Use the digests */<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoListParagraph"> printf("Success\n");<o:p></o:p></p>
<p class="MsoListParagraph"> ret = 0;<o:p></o:p></p>
<p class="MsoListParagraph">}<o:p></o:p></p>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks in advance<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Raghavendra<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span style="font-size:7.0pt;color:#737373">Internal Use - Confidential</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>