Lines Matching +full:non +full:- +full:default
1 .\" -*- mode: troff; coding: utf-8 -*-
58 .TH FIPS_MODULE 7ossl 2025-09-30 3.5.4 OpenSSL
64 fips_module \- OpenSSL fips module guide
75 <https://github.com/openssl/openssl/blob/master/README\-FIPS.md>.
91 All of the above APIs are deprecated in OpenSSL 3.0 \- so a simple rule is to
92 avoid using all deprecated functions. See \fBossl\-guide\-migration\fR\|(7) for a list of
94 .SS "Making all applications use the FIPS module by default"
95 .IX Subsection "Making all applications use the FIPS module by default"
97 use the FIPS module for cryptographic algorithms by default.
101 default config file or its settings then they can automatically start using the
104 To do this the default OpenSSL config file will have to be modified. The
110 \& $ openssl version \-d
114 Caution: Many Operating Systems install OpenSSL by default. It is a common error
119 \& $ openssl version \-v
120 \& OpenSSL 3.0.0\-dev xx XXX xxxx (Library: OpenSSL 3.0.0\-dev xx XXX xxxx)
123 The \fBOPENSSLDIR\fR value above gives the directory name for where the default
124 config file is stored. So in this case the default config file will be called
152 See <https://github.com/openssl/openssl/blob/master/README\-FIPS.md>.
155 enabled to prevent accidental use of non-FIPS validated algorithms via broken
160 explicit steps to avoid this default behaviour. Note that this configuration
175 If applications take explicit steps to not load the default config file or
181 that are available in the default OpenSSL Provider.
189 .SS "Selectively making applications use the FIPS module by default"
190 .IX Subsection "Selectively making applications use the FIPS module by default"
192 application basis. The default OpenSSL config file depends on the compiled in
196 application to be executed with a non-standard config file location:
208 .SS "Programmatically loading the FIPS module (default library context)"
209 .IX Subsection "Programmatically loading the FIPS module (default library context)"
217 "Making all applications use the FIPS module by default" above, but edit the
255 loaded, then the default provider will be automatically loaded. If you then
257 default provider loaded at the same time. It is unspecified which implementation
263 This loads a sub-set of algorithms that are also available in the default
264 provider \- specifically non cryptographic ones which may be used in conjunction
266 decoding keys. If you decide not to load the default provider then you
269 In this example we are using the "default" library context. OpenSSL functions
271 explicitly specified then the default library context is used. For further
276 default provider) all loaded at the same time into the same library context. You
286 \& sha256 = EVP_MD_fetch(NULL, "SHA2\-256", "fips=yes");
294 default provider:
299 \& sha256 = EVP_MD_fetch(NULL, "SHA2\-256", "provider=default");
302 It is also possible to set a default property query string. The following
303 example sets the default property query of \f(CW\*(C`fips=yes\*(C'\fR for all fetches within
304 the default library context:
311 default property query is defined then the two queries are merged together and
312 both apply. The local property query overrides the default properties if the
315 There are two important built-in properties that you should be aware of:
318 implementation to be fetched from, e.g. \f(CW\*(C`provider=default\*(C'\fR or \f(CW\*(C`provider=fi…
322 property query \f(CW\*(C`fips=yes\*(C'\fR. There are also some non-cryptographic algorithms
323 available in the default and base providers that also have the \f(CW\*(C`fips=yes\*(C'\fR
329 It is possible to specify default properties within a config file. For example
330 the following config file automatically loads the default and FIPS providers and
331 sets the default property value to be \f(CW\*(C`fips=yes\*(C'\fR. Note that this config file
333 are also in "default", so it is unnecessary in this case:
347 \& default = default_sect
360 called \fIopenssl\-fips.cnf\fR that automatically loads and configures the FIPS and
361 base providers. The other library context will just use the default provider.
371 \& * one for non\-fips usage
378 \& /* Prevent anything from using the default library context */
386 \& if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl\-fips.cnf"))
390 \& * Set the default property query on the FIPS library context to
391 \& * ensure that only FIPS algorithms can be used. There are a few non\-FIPS
398 \& * We don\*(Aqt need to do anything special to load the default
402 \& * nonfips_libctx it will just use the default config file.
408 \& fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2\-256", NULL);
412 \& /* Get a non\-FIPS validated digest */
413 \& nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2\-256", NULL);
433 into the default library context. We could have chosen to use the default
435 for other usages \- or vice versa. However if code has not been converted to use
436 library contexts then the default library context will be automatically used.
441 provider into the default library context. Because a provider has been
442 explicitly loaded, the default provider will not automatically load. This means
443 code using the default context by accident will fail because no algorithms will
446 See "Library Context" in \fBossl\-guide\-migration\fR\|(7) for additional information about the
458 the key or parameter object. The built-in OpenSSL encoders and decoders are
459 implemented in both the default and base providers and are not in the FIPS
463 You should ensure that either the default or base provider is loaded into the
469 properties and the default library context to specify usage of FIPS validated
488 \& * We assume that a nondefault library context with the default
501 \& * as well as encoders from the default provider that are allowed
503 \& * default library context.
527 FIPS 140\-3 requires indicators to be used if the FIPS provider allows non
529 such as minimum key size. By default an error will occur if any check fails.
537 (e.g. "fips-indicator").
538 An example of an algorithm context setter is "key-check"
539 in "Supported parameters" in \fBEVP_KDF\-HKDF\fR\|(7).
541 The following algorithms use "fips-indicator" to query if the algorithm
546 See "DSA parameters" in \fBEVP_PKEY\-DSA\fR\|(7)
550 See "Signature Parameters" in \fBEVP_SIGNATURE\-DSA\fR\|(7)
553 See "ECDSA Signature Parameters" in \fBEVP_SIGNATURE\-ECDSA\fR\|(7)
556 See "Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7)
561 See "RSA Asymmetric Cipher parameters" in \fBEVP_ASYM_CIPHER\-RSA\fR\|(7) and
562 "RSA KEM parameters" in \fBEVP_KEM\-RSA\fR\|(7)
565 See "Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7)
568 See "Supported parameters" in \fBEVP_RAND\-HASH\-DRBG\fR\|(7) and
569 \&\fBEVP_RAND\-HMAC\-DRBG\fR\|(7)/Supported parameters>
572 Triple-DES is not longer approved for encryption.
573 See "Parameters" in \fBEVP_CIPHER\-DES\fR\|(7)
576 See "DH and DHX key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7)
579 See "ECDH Key Exchange parameters" in \fBEVP_KEYEXCH\-ECDH\fR\|(7)
582 See relevant KDF documentation e.g. "Supported parameters" in \fBEVP_KDF\-HKDF\fR\|(7)
585 See "Supported parameters" in \fBEVP_MAC\-CMAC\fR\|(7) and
586 "Supported parameters" in \fBEVP_MAC\-KMAC\fR\|(7)
588 The following FIPS algorithms are unapproved and use the "fips-indicator".
589 .IP RAND-TEST-RAND 4
590 .IX Item "RAND-TEST-RAND"
591 See "Supported parameters" in \fBEVP_RAND\-TEST\-RAND\fR\|(7)
593 internally for non security purposes.
597 The unapproved (non FIPS validated) algorithms have a property query value of
602 .IP "AES-GCM ciphers support the indicator ""iv-generated""" 4
603 .IX Item "AES-GCM ciphers support the indicator ""iv-generated"""
605 .IP "ECDSA and RSA Signatures support the indicator ""verify-message""." 4
606 .IX Item "ECDSA and RSA Signatures support the indicator ""verify-message""."
607 See "ECDSA Signature Parameters" in \fBEVP_SIGNATURE\-ECDSA\fR\|(7) and
608 "Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7) /for further information.
615 require FIPS-approved functionality, it is essential to build your FIPS
622 As the FIPS provider still supports non-FIPS validated algorithms,
627 \&\fBossl\-guide\-migration\fR\|(7), \fBcrypto\fR\|(7), \fBfips_config\fR\|(5),
636 Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved.