FIPS and default properties

I'm struggling to understand how EVP_default_properties_is_fips_enabled() works. I cannot get this function to return nonzero unless I first call either EVP_default_properties_enable_fips() or EVP_set_default_properties(), even when the config file sets default_properties to enable fips.

Also, the return value of this function doesn't seem to have any effect on which provider gets selected (which I think is what issue #11594 describes?).

My config file has the following:

[openssl_init]
providers = provider_sect
alg_section = alg_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[alg_sect]
default_properties = fips=yes

.include /path/to/fips.cnf

I understand this to mean both the default provider and the fips provider will be loaded into the default context, and both of these providers will be activated. I also see that:

EVP_MD_fetch(NULL, "sha256", NULL);

returns a pointer which EVP_MD_provider() confirms as being from the fips provider (as expected). Changing this to "fips=no" in the config file results in EVP_MD_fetch() returning EVP_MD from the default provider, again as expected. However, in both cases, EVP_default_properties_is_fips_enabled() always returns zero. I don't see anything in #11594 that would explain this.

Calling EVP_default_properties_enable_fips(NULL, 1) results in EVP_default_properties_is_fips_enabled() returning 1, but this does not appear to override the fips=no from the config file during EVP_MD_fetch() (which is what I believe #11594 describes).

Is the result of EVP_default_properties_is_fips_enabled() supposed to take into account the default properties specified in the config file? I don't see it doing that. Also, regarding #11594, if default properties are currently still broken, why do those in the config appear to work properly?

And finally the burning question: Any ETA on a fix? :-) :-) :-)


Thanks,
Tom.III

