On 08/03/2023 05:31, Dr Paul Dale wrote:
One more doubt: how can we set FIPS enabled for the complete
application (process/service) while running, so that if we are using
non-compliant algorithms/methods it throws errors? Is it
possible in OpenSSL 3.0.x?
The call you are looking for is:
EVP_set_default_properties(libctx, "fips=yes");
Or just:
EVP_default_properties_enable_fips(libctx, 1);
You must call these functions for every libctx that you use (or just
once for the default libctx if that's all you use).
These functions only restrict the EVP calls. If you use deprecated
functions then there is a significant risk that you aren't using FIPS
crypto.
I strongly suggest reading the documentation about the FIPS provider
<https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the
migration guide
<https://www.openssl.org/docs/man3.0/man7/migration_guide.html>. Both
the avoidance of low level calls and setting the default properties are
covered therein. There are a number of other nuances to trip over when
using the FIPS provider.
I'd consider the fips_module link above as essential reading for anyone
using the FIPS module.
Matt