Lines Matching +full:non +full:- +full:l

5 fips_module - OpenSSL fips module guide
18 L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
44 All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to
45 avoid using all deprecated functions. See L<ossl-guide-migration(7)> for a list of
63 $ openssl version -d
70 $ openssl version -v
71 OpenSSL 3.0.0-dev xx XXX xxxx (Library: OpenSSL 3.0.0-dev xx XXX xxxx)
100 See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
103 enabled to prevent accidental use of non-FIPS validated algorithms via broken
104 or mistaken configuration. See L<config(5)>.
157 application to be executed with a non-standard config file location:
177 L</Making all applications use the FIPS module by default> above, but edit the
221 This loads a sub-set of algorithms that are also available in the default
222 provider - specifically non cryptographic ones which may be used in conjunction
230 details about library contexts see the L<OSSL_LIB_CTX(3)> man page.
244 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "fips=yes");
255 sha256 = EVP_MD_fetch(NULL, "SHA2-256", "provider=default");
268 There are two important built-in properties that you should be aware of:
275 property query C<fips=yes>. There are also some non-cryptographic algorithms
312 called F<openssl-fips.cnf> that automatically loads and configures the FIPS and
322 * one for non-fips usage
337 if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl-fips.cnf"))
342 * ensure that only FIPS algorithms can be used. There are a few non-FIPS
359 fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2-256", NULL);
363 /* Get a non-FIPS validated digest */
364 nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2-256", NULL);
385 for other usages - or vice versa. However if code has not been converted to use
396 See L<ossl-guide-migration(7)/Library Context> for additional information about the
407 OpenSSL 1.1.1 or earlier such as L<i2d_PrivateKey(3)>. However the appropriate
409 the key or parameter object. The built-in OpenSSL encoders and decoders are
425 L<SSL_CTX_new_ex(3)>. This works as a drop in replacement for the function
426 L<SSL_CTX_new(3)> except it provides you with the capability to specify the
468 To go from an B<EVP_MD_CTX> to an B<EVP_MD>, use L<EVP_MD_CTX_md(3)>.
470 use L<EVP_MD_get0_provider(3)>.
472 L<OSSL_PROVIDER_get0_name(3)>.
477 FIPS 140-3 requires indicators to be used if the FIPS provider allows non
482 L<fips_config(5)/FIPS indicator options>) OR in code using an algorithm context
484 L<OSSL_INDICATOR_set_callback(3)> can be called to register a callback to log
487 (e.g. "fips-indicator").
488 An example of an algorithm context setter is "key-check"
489 in L<EVP_KDF-HKDF(7)/Supported parameters>.
491 The following algorithms use "fips-indicator" to query if the algorithm
499 See L<EVP_PKEY-DSA(7)/DSA parameters>
504 See L<EVP_SIGNATURE-DSA(7)/Signature Parameters>
508 See L<EVP_SIGNATURE-ECDSA(7)/ECDSA Signature Parameters>
512 See L<EVP_PKEY-EC(7)/Common EC parameters>
518 See L<EVP_ASYM_CIPHER-RSA(7)/RSA Asymmetric Cipher parameters> and
519 L<EVP_KEM-RSA(7)/RSA KEM parameters>
523 See L<EVP_SIGNATURE-RSA(7)/Signature Parameters>
527 See L<EVP_RAND-HASH-DRBG(7)/Supported parameters> and
528 L<EVP_RAND-HMAC-DRBG(7)/Supported parameters>
532 Triple-DES is no longer approved for encryption.
533 See L<EVP_CIPHER-DES(7)/Parameters>
537 See L<EVP_KEYEXCH-DH(7)/DH and DHX key exchange parameters>
541 See L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>
545 See relevant KDF documentation e.g. L<EVP_KDF-HKDF(7)/Supported parameters>
549 See L<EVP_MAC-CMAC(7)/Supported parameters> and
550 L<EVP_MAC-KMAC(7)/Supported parameters>
554 The following FIPS algorithms are unapproved and use the "fips-indicator".
558 =item RAND-TEST-RAND
560 See L<EVP_RAND-TEST-RAND(7)/Supported parameters>
562 internally for non security purposes.
568 The unapproved (non FIPS validated) algorithms have a property query value of
576 =item AES-GCM ciphers support the indicator "iv-generated"
578 See L<EVP_EncryptInit(3)/PARAMETERS> for further information.
580 =item ECDSA and RSA Signatures support the indicator "verify-message".
582 See L<EVP_SIGNATURE-ECDSA(7)/ECDSA Signature Parameters> and
583 L<EVP_SIGNATURE-RSA(7)/Signature Parameters> for further information.
592 L<OpenSSL Downloads page|https://www.openssl.org/source/>. If you
593 require FIPS-approved functionality, it is essential to build your FIPS
600 As the FIPS provider still supports non-FIPS validated algorithms,
606 L<ossl-guide-migration(7)>, L<crypto(7)>, L<fips_config(5)>,
607 L<https://www.openssl.org/source/>
617 Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
622 L<https://www.openssl.org/source/license.html>.