5 fips_module - OpenSSL fips module guide
9 See the individual manual pages for details.
13 This guide details different ways that OpenSSL can be used in conjunction
14 with the FIPS module. Which is the correct approach to use will depend on your
15 own specific circumstances and what you are attempting to achieve.
17 Note that the old functions FIPS_mode() and FIPS_mode_set() are no longer
18 present so you must remove them from your application if you use them.
20 Applications written to use the OpenSSL 3.0 FIPS module should not use any
21 legacy APIs or features that avoid the FIPS module. Specifically this includes:
27 Low level cryptographic APIs (use the high level APIs, such as EVP, instead)
35 Any functions that create or modify custom "METHODS" (for example
36 EVP_MD_meth_new(), EVP_CIPHER_meth_new(), EVP_PKEY_meth_new(), RSA_meth_new(),
37 EC_KEY_METHOD_new(), etc.)
41 All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to
42 avoid using all deprecated functions. See L<migration_guide(7)> for a list of
45 =head2 Making all applications use the FIPS module by default
47 One simple approach is to cause all applications that are using OpenSSL to only
48 use the FIPS module for cryptographic algorithms by default.
50 This approach can be done purely via configuration. As long as applications are
51 built and linked against OpenSSL 3.0 and do not override the loading of the
52 default config file or its settings then they can automatically start using the
53 FIPS module without the need for any further code changes.
55 To do this the default OpenSSL config file will have to be modified. The
56 location of this config file will depend on the platform, and any options that
57 were given during the build process. You can check the location of the config
58 file by running this command:
61 OPENSSLDIR: "/usr/local/ssl"
63 Caution: Many Operating Systems install OpenSSL by default. It is a common error
64 to not have the correct version of OpenSSL in your $PATH. Check that you are
65 running an OpenSSL 3.0 version like this:
68 OpenSSL 3.0.0-dev xx XXX xxxx (Library: OpenSSL 3.0.0-dev xx XXX xxxx)
70 The B<OPENSSLDIR> value above gives the directory name for where the default
71 config file is stored. So in this case the default config file will be called
72 F</usr/local/ssl/openssl.cnf>.
74 Edit the config file to add the following lines near the beginning:
76 openssl_conf = openssl_init
78 .include /usr/local/ssl/fipsmodule.cnf
81 providers = provider_sect
90 Obviously the include file location above should match the path and name of the
91 FIPS module config file that you installed earlier.
92 See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
94 Any applications that use OpenSSL 3.0 and are started after these changes are
95 made will start using only the FIPS module unless those applications take
96 explicit steps to avoid this default behaviour. Note that this configuration
97 also activates the "base" provider. The base provider does not include any
98 cryptographic algorithms (and therefore does not impact the validation status of
99 any cryptographic operations), but does include other supporting algorithms that
100 may be required. It is designed to be used in conjunction with the FIPS module.
102 This approach has the primary advantage that it is simple, and no code changes
103 are required in applications in order to benefit from the FIPS module. There are
104 some disadvantages to this approach:
110 You may not want all applications to use the FIPS module.
112 It may be the case that some applications should and some should not use the
117 If applications take explicit steps to not load the default config file or
118 set different settings.
120 This method will not work for these cases.
124 The algorithms available in the FIPS module are a subset of the algorithms
125 that are available in the default OpenSSL Provider.
127 If any applications attempt to use any algorithms that are not present,
132 Usage of certain deprecated APIs avoids the use of the FIPS module.
134 If any applications use those APIs then the FIPS module will not be used.
138 =head2 Selectively making applications use the FIPS module by default
140 A variation on the above approach is to do the same thing on an individual
141 application basis. The default OpenSSL config file depends on the compiled in
142 value for B<OPENSSLDIR> as described in the section above. However it is also
143 possible to override the config file to be used via the B<OPENSSL_CONF>
144 environment variable. For example the following, on Unix, will cause the
145 application to be executed with a non-standard config file location:
147 $ OPENSSL_CONF=/my/nondefault/openssl.cnf myapplication
149 Using this mechanism you can control which config file is loaded (and hence
150 whether the FIPS module is loaded) on an application by application basis.
152 This removes the disadvantage listed above that you may not want all
153 applications to use the FIPS module. All the other advantages and disadvantages
156 =head2 Programmatically loading the FIPS module (default library context)
158 Applications may choose to load the FIPS provider explicitly rather than relying
159 on config to do this. The config file is still necessary in order to hold the
160 FIPS module config data (such as its self test status and integrity data). But
161 in this case we do not automatically activate the FIPS provider via that config
164 To do things this way configure as per
165 L</Making all applications use the FIPS module by default> above, but edit the
166 F<fipsmodule.cnf> file to remove or comment out the line which says
167 C<activate = 1> (note that setting this value to 0 is I<not> sufficient).
168 This means all the required config information will be available to load the
169 FIPS module, but it is not automatically loaded when the application starts. The
170 FIPS provider can then be loaded programmatically like this:
172 #include <openssl/provider.h>
179 fips = OSSL_PROVIDER_load(NULL, "fips");
181 printf("Failed to load FIPS provider\n");
184 base = OSSL_PROVIDER_load(NULL, "base");
186 OSSL_PROVIDER_unload(fips);
187 printf("Failed to load base provider\n");
191 /* Rest of application */
193 OSSL_PROVIDER_unload(base);
194 OSSL_PROVIDER_unload(fips);
198 Note that this should be one of the first things that you do in your
199 application. If any OpenSSL functions get called that require the use of
200 cryptographic functions before this occurs then, if no provider has yet been
201 loaded, then the default provider will be automatically loaded. If you then
202 later explicitly load the FIPS provider then you will have both the FIPS and the
203 default provider loaded at the same time. It is undefined which implementation
204 of an algorithm will be used if multiple implementations are available and you
205 have not explicitly specified via a property query (see below) which one should
208 Also note that in this example we have additionally loaded the "base" provider.
209 This loads a sub-set of algorithms that are also available in the default
210 provider - specifically non cryptographic ones which may be used in conjunction
211 with the FIPS provider. For example this contains algorithms for encoding and
212 decoding keys. If you decide not to load the default provider then you
213 will usually want to load the base provider instead.
215 In this example we are using the "default" library context. OpenSSL functions
216 operate within the scope of a library context. If no library context is
217 explicitly specified then the default library context is used. For further
218 details about library contexts see the L<OSSL_LIB_CTX(3)> man page.
220 =head2 Loading the FIPS module at the same time as other providers
222 It is possible to have the FIPS provider and other providers (such as the
223 default provider) all loaded at the same time into the same library context. You
224 can use a property query string during algorithm fetches to specify which
225 implementation you would like to use.
227 For example to fetch an implementation of SHA256 which conforms to FIPS
228 standards you can specify the property query C<fips=yes> like this:
232 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "fips=yes");
234 If no property query is specified, or more than one implementation matches the
235 property query then it is undefined which implementation of a particular
236 algorithm will be returned.
238 This example shows an explicit request for an implementation of SHA256 from the
243 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "provider=default");
245 It is also possible to set a default property query string. The following
246 example sets the default property query of C<fips=yes> for all fetches within
247 the default library context:
249 EVP_set_default_properties(NULL, "fips=yes");
251 If a fetch function has both an explicit property query specified, and a
252 default property query is defined then the two queries are merged together and
253 both apply. The local property query overrides the default properties if the
254 same property name is specified in both.
256 There are two important built-in properties that you should be aware of:
258 The "provider" property enables you to specify which provider you want an
259 implementation to be fetched from, e.g. C<provider=default> or C<provider=fips>.
260 All algorithms implemented in a provider have this property set on them.
262 There is also the C<fips> property. All FIPS algorithms match against the
263 property query C<fips=yes>. There are also some non-cryptographic algorithms
264 available in the default and base providers that also have the C<fips=yes>
265 property defined for them. These are the encoder and decoder algorithms that
266 can (for example) be used to write out a key generated in the FIPS provider to a
267 file. The encoder and decoder algorithms are not in the FIPS module itself but
268 are allowed to be used in conjunction with the FIPS algorithms.
270 It is possible to specify default properties within a config file. For example
271 the following config file automatically loads the default and fips providers and
272 sets the default property value to be C<fips=yes>. Note that this config file
273 does not load the "base" provider. All supporting algorithms that are in "base"
274 are also in "default", so it is unnecessary in this case:
276 openssl_conf = openssl_init
278 .include /usr/local/ssl/fipsmodule.cnf
281 providers = provider_sect
282 alg_section = algorithm_sect
286 default = default_sect
292 default_properties = fips=yes
294 =head2 Programmatically loading the FIPS module (nondefault library context)
296 In addition to using properties to separate usage of the FIPS module from other
297 usages this can also be achieved using library contexts. In this example we
298 create two library contexts. In one we assume the existence of a config file
299 called F<openssl-fips.cnf> that automatically loads and configures the FIPS and
300 base providers. The other library context will just use the default provider.
302 OSSL_LIB_CTX *fips_libctx, *nonfips_libctx;
303 OSSL_PROVIDER *defctxnull = NULL;
304 EVP_MD *fipssha256 = NULL, *nonfipssha256 = NULL;
308 * Create two nondefault library contexts. One for fips usage and
309 * one for non-fips usage
311 fips_libctx = OSSL_LIB_CTX_new();
312 nonfips_libctx = OSSL_LIB_CTX_new();
313 if (fips_libctx == NULL || nonfips_libctx == NULL)
316 /* Prevent anything from using the default library context */
317 defctxnull = OSSL_PROVIDER_load(NULL, "null");
320 * Load config file for the FIPS library context. We assume that
321 * this config file will automatically activate the FIPS and base
322 * providers so we don't need to explicitly load them here.
324 if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl-fips.cnf"))
328 * We don't need to do anything special to load the default
329 * provider into nonfips_libctx. This happens automatically if no
330 * other providers are loaded.
331 * Because we don't call OSSL_LIB_CTX_load_config() explicitly for
332 * nonfips_libctx it will just use the default config file.
335 /* As an example get some digests */
337 /* Get a FIPS validated digest */
338 fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);
339 if (fipssha256 == NULL)
342 /* Get a non-FIPS validated digest */
343 nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);
344 if (nonfipssha256 == NULL)
347 /* Use the digests */
353 EVP_MD_free(fipssha256);
354 EVP_MD_free(nonfipssha256);
355 OSSL_LIB_CTX_free(fips_libctx);
356 OSSL_LIB_CTX_free(nonfips_libctx);
357 OSSL_PROVIDER_unload(defctxnull);
361 Note that we have made use of the special "null" provider here which we load
362 into the default library context. We could have chosen to use the default
363 library context for FIPS usage, and just create one additional library context
364 for other usages - or vice versa. However if code has not been converted to use
365 library contexts then the default library context will be automatically used.
366 This could be the case for your own existing applications as well as certain
367 parts of OpenSSL itself. Not all parts of OpenSSL are library context aware. If
368 this happens then you could "accidentally" use the wrong library context for a
369 particular operation. To be sure this doesn't happen you can load the "null"
370 provider into the default library context. Because a provider has been
371 explicitly loaded, the default provider will not automatically load. This means
372 code using the default context by accident will fail because no algorithms will
375 See L<migration_guide(7)/Library Context> for additional information about the
378 =head2 Using Encoders and Decoders with the FIPS module
380 Encoders and decoders are used to read and write keys or parameters from or to
381 some external format (for example a PEM file). If your application generates
382 keys or parameters that then need to be written into PEM or DER format
383 then it is likely that you will need to use an encoder to do this. Similarly
384 you need a decoder to read previously saved keys and parameters. In most cases
385 this will be invisible to you if you are using APIs that existed in
386 OpenSSL 1.1.1 or earlier such as L<i2d_PrivateKey(3)>. However the appropriate
387 encoder/decoder will need to be available in the library context associated with
388 the key or parameter object. The built-in OpenSSL encoders and decoders are
389 implemented in both the default and base providers and are not in the FIPS
390 module boundary. However since they are not cryptographic algorithms themselves
391 it is still possible to use them in conjunction with the FIPS module, and
392 therefore these encoders/decoders have the C<fips=yes> property against them.
393 You should ensure that either the default or base provider is loaded into the
394 library context in this case.
396 =head2 Using the FIPS module in SSL/TLS
398 Writing an application that uses libssl in conjunction with the FIPS module is
399 much the same as writing a normal libssl application. If you are using global
400 properties and the default library context to specify usage of FIPS validated
401 algorithms then this will happen automatically for all cryptographic algorithms
402 in libssl. If you are using a nondefault library context to load the FIPS
403 provider then you can supply this to libssl using the function
404 L<SSL_CTX_new_ex(3)>. This works as a drop in replacement for the function
405 L<SSL_CTX_new(3)> except it provides you with the capability to specify the
406 library context to be used. You can also use the same function to specify
407 libssl specific properties to use.
409 In this first example we create two SSL_CTX objects using two different library
413 * We assume that a nondefault library context with the FIPS
414 * provider loaded has been created called fips_libctx.
416 SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(fips_libctx, NULL, TLS_method());
418 * We assume that a nondefault library context with the default
419 * provider loaded has been created called non_fips_libctx.
421 SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(non_fips_libctx, NULL,
424 In this second example we create two SSL_CTX objects using different properties
425 to specify FIPS usage:
428 * The "fips=yes" property includes all FIPS approved algorithms
429 * as well as encoders from the default provider that are allowed
430 * to be used. The NULL below indicates that we are using the
431 * default library context.
433 SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(NULL, "fips=yes", TLS_method());
435 * The "provider!=fips" property allows algorithms from any
436 * provider except the FIPS provider
438 SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(NULL, "provider!=fips",
441 =head2 Confirming that an algorithm is being provided by the FIPS module
443 A chain of links needs to be followed to go from an algorithm instance to the
444 provider that implements it. The process is similar for all algorithms. Here the
445 example of a digest is used.
447 To go from an B<EVP_MD_CTX> to an B<EVP_MD>, use L<EVP_MD_CTX_md(3)> .
448 To go from the B<EVP_MD> to its B<OSSL_PROVIDER>, use L<EVP_MD_provider(3)>.
449 To extract the name from the B<OSSL_PROVIDER>, use L<OSSL_PROVIDER_name(3)>.
453 L<migration_guide(7)>,
458 Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
460 Licensed under the Apache License 2.0 (the "License"). You may not use
461 this file except in compliance with the License. You can obtain a copy
462 in the file LICENSE in the source distribution or at
463 L<https://www.openssl.org/source/license.html>.