On 14/01/2020 04:51, Manish Patidar wrote:
> Hi
>
> Can any guide me how to use fips api in openssl?
>
> I try to use like below but it always returns null.
>
> ctx = EVP_CIPHER_CTX_new() ;
> ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ;
>
> I am doubting fips provider is not loaded.

Right - the FIPS provider does not get loaded by default.

First set some environment variables which will make the whole process a bit easier. The OpenSSL libraries read these to locate the various files:

export OPENSSL_CONF_INCLUDE=/path/to/include/dir
export OPENSSL_MODULES=/path/to/providers/dir
export OPENSSL_CONF=/path/to/fips.cnf

Next you will need to "install" the FIPS module. This will create a fipsinstall.conf file:

openssl fipsinstall -out $OPENSSL_CONF_INCLUDE/fipsinstall.conf -module $OPENSSL_MODULES/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_sect

(Aside: probably we should do the above as part of "make install", but we don't do that AFAIK at the moment)

Now create a config file to automatically load the FIPS module when OpenSSL starts. Store it in the file pointed to by $OPENSSL_CONF:

openssl_conf = openssl_init

.include fipsinstall.conf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect

This will have the effect of automatically loading the FIPS provider *and no others*. In this case you don't need the "fips=yes" in your EVP_CIPHER_fetch() call because there are no other providers loaded (although it does no harm).

Alternatively you can load both the default and FIPS providers at the same time:

openssl_conf = openssl_init

.include fipsinstall.conf

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
fips = fips_sect

[default_sect]
activate = 1

In this case you will need to specify "fips=yes" in the fetch to disambiguate which implementation you want.

Hope that helps,

Matt
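
Added example, not part of the original message and not OpenSSL's own code: a shell check that reads an OpenSSL config file and reports whether it loads only the FIPS provider, the FIPS provider alongside others, or no FIPS provider at all, which is what decides whether a fetch needs "fips=yes". The function names list_providers and fetch_advice are hypothetical, and the parser assumes plain "key = value" lines without following .include files.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Assumes plain "key = value"
# lines: .include files and $variable expansion are not followed.

# list_providers CONF: print the providers CONF asks OpenSSL to load, one per
# line, by following openssl_conf -> providers -> [that section].
list_providers() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments, trim
        $0 == "" || /^\.include/ { next }
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); gsub(/[ \t]/, "", sec); next }
        (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            kv[sec, k] = v; order[++n] = sec SUBSEP k
        }
        END {
            psect = kv[kv["", "openssl_conf"], "providers"]
            for (i = 1; psect != "" && i <= n; i++) {
                split(order[i], p, SUBSEP)
                if (p[1] == psect) print p[2]
            }
        }
    ' "$1"
}

# fetch_advice CONF: classify CONF for callers of EVP_CIPHER_fetch().
#   fips-only        "fips=yes" is optional, no other provider is loaded
#   fips-plus-others pass "fips=yes" to pick the FIPS implementation
#   no-fips          FIPS provider not requested, so a "fips=yes" fetch fails
fetch_advice() {
    provs=$(list_providers "$1")
    if [ "$provs" = fips ]; then echo fips-only
    elif printf '%s\n' "$provs" | grep -qx fips; then echo fips-plus-others
    else echo no-fips
    fi
}

# Constructed demo input: the two provider layouts from the message above.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'openssl_conf = openssl_init' '.include fipsinstall.conf' \
        '[openssl_init]' 'providers = provider_sect' \
        '[provider_sect]' 'fips = fips_sect' > "$d/fips.cnf"
    { cat "$d/fips.cnf"; printf '%s\n' 'default = default_sect' \
        '[default_sect]' 'activate = 1'; } > "$d/both.cnf"
    for f in fips.cnf both.cnf; do echo "$f: $(fetch_advice "$d/$f")"; done
    rm -rf "$d"
}
demo
```

Running fetch_advice "$OPENSSL_CONF" before debugging a NULL return from EVP_CIPHER_fetch() shows quickly whether the config file requests the FIPS provider at all.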