On 23/08/2023 01:45, Robert Brown via openssl-users wrote:
Hi,
I'm working on a Windows Program that utilizes the OpenSSL libraries and
DLLs. I'm looking to enable FIPS in some cases (where it is required by
the user). Currently, I'm looking at restarting the program when the
FIPS mode is changed and changing the loaded provider.
I've compiled and installed OpenSSL 3.1 with the enable-fips option, run
the fips install, generated the .cnf file, and copied the FIPS module
along with the .cnf to my program. I'm following the code provided at
https://wiki.openssl.org/index.php/OpenSSL_3.0 under the
_Programmatically loading the FIPS module (default library context)_
heading. I'm not able to load the FIPS module, the provider value is null.
A better link to use is this one (it's probably more up-to-date):
https://www.openssl.org/docs/man3.1/man7/fips_module.html
Is there anything I'm missing here or pointers to reference material
folks can provide me?
If after attempting to load the provider you get NULL back then it is
usually worth checking the OpenSSL error stack, e.g. via ERR_print_errors().
https://www.openssl.org/docs/man3.1/man3/ERR_print_errors.html
A frequent problem is that either the config file or the module is not
found.
OpenSSL will look in a standard directory for fips.dll (the MODULESDIR
returned by "openssl version -m"). If the OPENSSL_MODULES environment
variable has been set then it will look for fips.dll in that directory
instead. Check that fips.dll is in the expected location.
Matt
As a side note I'm wondering if anyone has tips for running the
fips-install command on each client as it seems we can't copy config
files between machines.
Thanks,
Robert