OSSL_PROVIDER-FIPS - OpenSSL FIPS provider

The OpenSSL FIPS provider is a special provider that conforms to the Federal
Information Processing Standards (FIPS) specified in FIPS 140-3. This 'module'
contains an approved set of cryptographic algorithms that is validated by an
accredited testing laboratory.

The implementations in this provider specifically have these properties

It may be used in a property query string with fetching functions such as
L<EVP_MD_fetch(3)> or L<EVP_CIPHER_fetch(3)>, as well as with other
functions that take a property query string, such as
L<EVP_PKEY_CTX_new_from_name(3)>.

To be FIPS compliant, it is mandatory to include C<fips=yes> as
part of all property queries. This ensures that only FIPS approved
implementations are used for cryptographic operations. The C<fips=yes>
query may also include other non-crypto support operations that
are not in the FIPS provider, such as asymmetric key encoders, see
L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>.

It is not mandatory to include C<provider=fips> as part of your property
query. Including C<provider=fips> in your property query guarantees
that the OpenSSL FIPS provider is used for cryptographic operations
rather than other FIPS capable providers.
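
The following is an added example, not part of the OpenSSL documentation or
code base: a small C helper that classifies a property query string by how it
constrains the C<fips> property, so an application can refuse a query that does
not make C<fips=yes> mandatory before handing it to a fetch function. The names
C<classify_propq> and C<enum fips_req> are hypothetical, and the treatment of
C<?>, C<-> and C<!=> clauses and of a bare property name follows the query
syntax documented in L<property(7)>.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical names: how a property query constrains the "fips" property. */
enum fips_req { FIPS_ABSENT, FIPS_MANDATORY, FIPS_OPTIONAL, FIPS_NOT_ENFORCED };

/* Case-insensitive match of the n bytes at s against the lowercase word w. */
static int span_is(const char *s, size_t n, const char *w)
{
    while (n > 0 && *w != '\0' && tolower((unsigned char)*s) == *w) {
        s++; w++; n--;
    }
    return n == 0 && *w == '\0';
}

static const char *skip_ws(const char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    return s;
}

enum fips_req classify_propq(const char *propq)
{
    const char *s = propq == NULL ? "" : propq;
    while (*s != '\0') {
        const char *end = s + strcspn(s, ",");  /* one clause: [s, end) */
        const char *c = skip_ws(s), *v;
        char prefix = (*c == '?' || *c == '-') ? *c : '\0';
        int ne, yes;
        s = (*end == ',') ? end + 1 : end;      /* move on to the next clause */
        c = skip_ws(c + (prefix != '\0'));      /* step over '?' or '-' */
        v = c + strcspn(c, "=! \t,");           /* end of the property name */
        if (!span_is(c, (size_t)(v - c), "fips"))
            continue;                           /* e.g. "provider=fips" */
        if (prefix == '-')
            return FIPS_NOT_ENFORCED;           /* "-fips" drops a default */
        v = skip_ws(v);
        ne = (v[0] == '!' && v[1] == '=');
        yes = (v == end);                       /* bare "fips" means fips=yes */
        if (ne || *v == '=') {
            v = skip_ws(v + (ne ? 2 : 1));
            yes = span_is(v, strcspn(v, " \t,"), "yes");
        }
        if (ne || !yes)
            return FIPS_NOT_ENFORCED;           /* fips=no, fips!=yes, ... */
        return prefix == '?' ? FIPS_OPTIONAL : FIPS_MANDATORY;
    }
    return FIPS_ABSENT;                         /* outcome depends on defaults */
}
```

A query of C<provider=fips> on its own classifies as C<FIPS_ABSENT>: it selects
the provider but does not exclude that provider's unapproved algorithms.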

=head1 OPERATIONS AND ALGORITHMS

The OpenSSL FIPS provider supports these operations and algorithms:

=head2 Hashing Algorithms / Message Digests

=over 4

=item SHA1, see L<EVP_MD-SHA1(7)>

=item SHA2, see L<EVP_MD-SHA2(7)>

=item SHA3, see L<EVP_MD-SHA3(7)>

=item KECCAK-KMAC, see L<EVP_MD-KECCAK-KMAC(7)>

=back

=head2 Symmetric Ciphers

=over 4

=item AES, see L<EVP_CIPHER-AES(7)>

=back

=head2 Message Authentication Code (MAC)

=over 4

=item CMAC, see L<EVP_MAC-CMAC(7)>

=item GMAC, see L<EVP_MAC-GMAC(7)>

=item HMAC, see L<EVP_MAC-HMAC(7)>

=item KMAC, see L<EVP_MAC-KMAC(7)>

=back

=head2 Key Derivation Function (KDF)

=over 4

=item HKDF, see L<EVP_KDF-HKDF(7)>

=item TLS13-KDF, see L<EVP_KDF-TLS13_KDF(7)>

=item SSKDF, see L<EVP_KDF-SS(7)>

=item PBKDF2, see L<EVP_KDF-PBKDF2(7)>

=item SSHKDF, see L<EVP_KDF-SSHKDF(7)>

=item TLS1-PRF, see L<EVP_KDF-TLS1_PRF(7)>

=item KBKDF, see L<EVP_KDF-KB(7)>

=item X942KDF-ASN1, see L<EVP_KDF-X942-ASN1(7)>

=item X942KDF-CONCAT, see L<EVP_KDF-X942-CONCAT(7)>

=item X963KDF, see L<EVP_KDF-X963(7)>

=back

=head2 Key Exchange

=over 4

=item DH, see L<EVP_KEYEXCH-DH(7)>

=item ECDH, see L<EVP_KEYEXCH-ECDH(7)>

=item X25519, see L<EVP_KEYEXCH-X25519(7)>

=item X448, see L<EVP_KEYEXCH-X448(7)>

=back

=head2 Asymmetric Signature

=over 4

=item RSA, see L<EVP_SIGNATURE-RSA(7)>

=item ED25519, see L<EVP_SIGNATURE-ED25519(7)>

=item ED448, see L<EVP_SIGNATURE-ED448(7)>

=item HMAC, see L<EVP_SIGNATURE-HMAC(7)>

=item CMAC, see L<EVP_SIGNATURE-CMAC(7)>

=back

=head2 Asymmetric Cipher

=over 4

=item RSA, see L<EVP_ASYM_CIPHER-RSA(7)>

=back

=head2 Asymmetric Key Encapsulation

=over 4

=item RSA, see L<EVP_KEM-RSA(7)>

=back

=head2 Asymmetric Key Management

=over 4

=item DH, see L<EVP_KEYMGMT-DH(7)>

=item DHX, see L<EVP_KEYMGMT-DHX(7)>

=item DSA, see L<EVP_KEYMGMT-DSA(7)>

=item RSA, see L<EVP_KEYMGMT-RSA(7)>

=item EC, see L<EVP_KEYMGMT-EC(7)>

=item X25519, see L<EVP_KEYMGMT-X25519(7)>

=item X448, see L<EVP_KEYMGMT-X448(7)>

=back

=head2 Random Number Generation

=over 4

=item CTR-DRBG, see L<EVP_RAND-CTR-DRBG(7)>

=item HASH-DRBG, see L<EVP_RAND-HASH-DRBG(7)>

=item HMAC-DRBG, see L<EVP_RAND-HMAC-DRBG(7)>

=item TEST-RAND, see L<EVP_RAND-TEST-RAND(7)>

TEST-RAND is an unapproved algorithm.

=back

One of the requirements for the FIPS module is self testing. An optional callback
mechanism is available to return information to the user using
L<OSSL_SELF_TEST_set_callback(3)>.

The parameters passed to the callback are described in L<OSSL_SELF_TEST_new(3)>.

The OpenSSL FIPS module uses the following mechanism to provide information
about the self tests as they run.
This is useful for debugging if a self test is failing.
The callback also allows forcing any self test to fail, in order to check that
it operates correctly on failure.
Note that all self tests run even if a self test failure occurs.

The FIPS module passes the following type(s) to OSSL_SELF_TEST_onbegin().

=over 4

=item "Module_Integrity" (B<OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY>)

Uses HMAC SHA256 on the module file to validate that the module has not been
modified. The integrity value is compared to a value written to a configuration
file during installation.

=item "Install_Integrity" (B<OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY>)

Uses HMAC SHA256 on a fixed string to validate that the installation process
has already been performed and the self test KATs have already been tested.
The integrity value is compared to a value written to a configuration
file after successfully running the self tests during installation.

=item "KAT_Cipher" (B<OSSL_SELF_TEST_TYPE_KAT_CIPHER>)

Known answer test for a symmetric cipher.

=item "KAT_AsymmetricCipher" (B<OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER>)

Known answer test for an asymmetric cipher.

=item "KAT_Digest" (B<OSSL_SELF_TEST_TYPE_KAT_DIGEST>)

Known answer test for a digest.

=item "KAT_Signature" (B<OSSL_SELF_TEST_TYPE_KAT_SIGNATURE>)

Known answer test for a signature.

=item "PCT_Signature" (B<OSSL_SELF_TEST_TYPE_PCT_SIGNATURE>)

Pairwise Consistency check for a signature.

=item "KAT_KDF" (B<OSSL_SELF_TEST_TYPE_KAT_KDF>)

Known answer test for a key derivation function.

=item "KAT_KA" (B<OSSL_SELF_TEST_TYPE_KAT_KA>)

Known answer test for key agreement.

=item "DRBG" (B<OSSL_SELF_TEST_TYPE_DRBG>)

Known answer test for a Deterministic Random Bit Generator.

=item "Conditional_PCT" (B<OSSL_SELF_TEST_TYPE_PCT>)

Conditional test that is run during the generation of key pairs.

=item "Continuous_RNG_Test" (B<OSSL_SELF_TEST_TYPE_CRNG>)

Continuous random number generator test.

=back

The "Module_Integrity" self test is always run at startup.
The "Install_Integrity" self test is used to check if the self tests have
already been run at installation time. If they have already run then the
self tests are not run on subsequent startups.
All other self test categories are run once at installation time, except for the
"Pairwise_Consistency_Test".

There is only one instance of the "Module_Integrity" and "Install_Integrity"
self tests. All other self tests may have multiple instances.

The FIPS module passes the following description(s) to OSSL_SELF_TEST_onbegin().

=over 4

=item "HMAC" (B<OSSL_SELF_TEST_DESC_INTEGRITY_HMAC>)

"Module_Integrity" and "Install_Integrity" use this.

=item "RSA" (B<OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1>)

=item "ECDSA" (B<OSSL_SELF_TEST_DESC_PCT_ECDSA>)

=item "DSA" (B<OSSL_SELF_TEST_DESC_PCT_DSA>)

Key generation tests used with the "Pairwise_Consistency_Test" type.

=item "RSA_Encrypt" (B<OSSL_SELF_TEST_DESC_ASYM_RSA_ENC>)

=item "RSA_Decrypt" (B<OSSL_SELF_TEST_DESC_ASYM_RSA_DEC>)

"KAT_AsymmetricCipher" uses this to indicate an encrypt or decrypt KAT.

=item "AES_GCM" (B<OSSL_SELF_TEST_DESC_CIPHER_AES_GCM>)

=item "AES_ECB_Decrypt" (B<OSSL_SELF_TEST_DESC_CIPHER_AES_ECB>)

=item "TDES" (B<OSSL_SELF_TEST_DESC_CIPHER_TDES>)

Symmetric cipher tests used with the "KAT_Cipher" type.

=item "SHA1" (B<OSSL_SELF_TEST_DESC_MD_SHA1>)

=item "SHA2" (B<OSSL_SELF_TEST_DESC_MD_SHA2>)

=item "SHA3" (B<OSSL_SELF_TEST_DESC_MD_SHA3>)

Digest tests used with the "KAT_Digest" type.

=item "DSA" (B<OSSL_SELF_TEST_DESC_SIGN_DSA>)

=item "RSA" (B<OSSL_SELF_TEST_DESC_SIGN_RSA>)

=item "ECDSA" (B<OSSL_SELF_TEST_DESC_SIGN_ECDSA>)

Signature tests used with the "KAT_Signature" type.

=item "ECDH" (B<OSSL_SELF_TEST_DESC_KA_ECDH>)

=item "DH" (B<OSSL_SELF_TEST_DESC_KA_DH>)

Key agreement tests used with the "KAT_KA" type.

=item "HKDF" (B<OSSL_SELF_TEST_DESC_KDF_HKDF>)

=item "TLS13_KDF_EXTRACT" (B<OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT>)

=item "TLS13_KDF_EXPAND" (B<OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND>)

=item "SSKDF" (B<OSSL_SELF_TEST_DESC_KDF_SSKDF>)

=item "X963KDF" (B<OSSL_SELF_TEST_DESC_KDF_X963KDF>)

=item "X942KDF" (B<OSSL_SELF_TEST_DESC_KDF_X942KDF>)

=item "PBKDF2" (B<OSSL_SELF_TEST_DESC_KDF_PBKDF2>)

=item "SSHKDF" (B<OSSL_SELF_TEST_DESC_KDF_SSHKDF>)

=item "TLS12_PRF" (B<OSSL_SELF_TEST_DESC_KDF_TLS12_PRF>)

=item "KBKDF" (B<OSSL_SELF_TEST_DESC_KDF_KBKDF>)

Key Derivation Function tests used with the "KAT_KDF" type.

=item "CTR" (B<OSSL_SELF_TEST_DESC_DRBG_CTR>)

=item "HASH" (B<OSSL_SELF_TEST_DESC_DRBG_HASH>)

=item "HMAC" (B<OSSL_SELF_TEST_DESC_DRBG_HMAC>)

DRBG tests used with the "DRBG" type.

=item "RNG" (B<OSSL_SELF_TEST_DESC_RNG>)

"Continuous_RNG_Test" uses this.

=back

A simple self test callback is shown below for illustrative purposes.

  #include <string.h>
  #include <openssl/bio.h>
  #include <openssl/core_names.h>
  #include <openssl/params.h>
  #include <openssl/self_test.h>

  extern BIO *bio_out; /* output BIO, assumed to be set up by the application */

  static OSSL_CALLBACK self_test_cb;

  static int self_test_cb(const OSSL_PARAM params[], void *arg)
  {
      int ret = 0;
      const OSSL_PARAM *p = NULL;
      const char *phase = NULL, *type = NULL, *desc = NULL;

      p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
      if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
          goto err;
      phase = (const char *)p->data;

      p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
      if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
          goto err;
      desc = (const char *)p->data;

      p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
      if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
          goto err;
      type = (const char *)p->data;

      /* Do some logging */
      if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
          BIO_printf(bio_out, "%s : (%s) : ", desc, type);
      if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
              || strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
          BIO_printf(bio_out, "%s\n", phase);

      /* Corrupt the SHA1 self test during the 'corrupt' phase by returning 0 */
      if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
              && strcmp(desc, OSSL_SELF_TEST_DESC_MD_SHA1) == 0) {
          BIO_printf(bio_out, "%s %s", phase, desc);
          return 0;
      }
      ret = 1;
  err:
      return ret;
  }

The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms;
consequently the property query C<fips=yes> is mandatory for applications that
want to operate in a FIPS approved manner. The algorithms are:

=head1 SEE ALSO

L<openssl-fipsinstall(1)>,
L<OSSL_SELF_TEST_set_callback(3)>,
L<OSSL_SELF_TEST_new(3)>,
L<openssl-core.h(7)>,
L<openssl-core_dispatch.h(7)>

This functionality was added in OpenSSL 3.0.

OpenSSL 3.0 includes a FIPS 140-2 approved FIPS provider.

OpenSSL 3.1 includes a FIPS 140-3 approved FIPS provider.

Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.