Lines Matching +full:sub +full:- +full:engines
18 .\" Set up some character translations and predefined strings. \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
134 .TH FIPS_MODULE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
140 fips_module \- OpenSSL fips module guide
147 with the \s-1FIPS\s0 module. Which is the correct approach to use will depend on your
150 For information related to installing the \s-1FIPS\s0 module see
151 <https://github.com/openssl/openssl/blob/master/README\-FIPS.md>.
156 Applications written to use the OpenSSL 3.0 \s-1FIPS\s0 module should not use any
157 legacy APIs or features that avoid the \s-1FIPS\s0 module. Specifically this includes:
159 Low level cryptographic APIs (use the high level APIs, such as \s-1EVP,\s0 instead)
161 Engines
163 Any functions that create or modify custom \*(L"\s-1METHODS\*(R"\s0 (for example
167 All of the above APIs are deprecated in OpenSSL 3.0 \- so a simple rule is to
170 .SS "Making all applications use the \s-1FIPS\s0 module by default"
173 use the \s-1FIPS\s0 module for cryptographic algorithms by default.
178 \&\s-1FIPS\s0 module without the need for any further code changes.
186 \& $ openssl version \-d
195 \& $ openssl version \-v
196 \& OpenSSL 3.0.0\-dev xx XXX xxxx (Library: OpenSSL 3.0.0\-dev xx XXX xxxx)
199 The \fB\s-1OPENSSLDIR\s0\fR value above gives the directory name for where the default
223 \&\s-1FIPS\s0 module config file that you installed earlier.
224 See <https://github.com/openssl/openssl/blob/master/README\-FIPS.md>.
226 For \s-1FIPS\s0 usage, it is recommended that the \fBconfig_diagnostics\fR option is
227 enabled to prevent accidental use of non-FIPS validated algorithms via broken
231 made will start using only the \s-1FIPS\s0 module unless those applications take
236 may be required. It is designed to be used in conjunction with the \s-1FIPS\s0 module.
239 are required in applications in order to benefit from the \s-1FIPS\s0 module. There are
242 You may not want all applications to use the \s-1FIPS\s0 module.
245 \&\s-1FIPS\s0 module.
252 The algorithms available in the \s-1FIPS\s0 module are a subset of the algorithms
258 Usage of certain deprecated APIs avoids the use of the \s-1FIPS\s0 module.
260 If any applications use those APIs then the \s-1FIPS\s0 module will not be used.
261 .SS "Selectively making applications use the \s-1FIPS\s0 module by default"
265 value for \fB\s-1OPENSSLDIR\s0\fR as described in the section above. However it is also
266 possible to override the config file to be used via the \fB\s-1OPENSSL_CONF\s0\fR
268 application to be executed with a non-standard config file location:
275 whether the \s-1FIPS\s0 module is loaded) on an application by application basis.
278 applications to use the \s-1FIPS\s0 module. All the other advantages and disadvantages
280 .SS "Programmatically loading the \s-1FIPS\s0 module (default library context)"
282 Applications may choose to load the \s-1FIPS\s0 provider explicitly rather than relying
284 \&\s-1FIPS\s0 module config data (such as its self test status and integrity data). But
285 in this case we do not automatically activate the \s-1FIPS\s0 provider via that config
289 \&\*(L"Making all applications use the \s-1FIPS\s0 module by default\*(R" above, but edit the
293 \&\s-1FIPS\s0 module, but it is not automatically loaded when the application starts. The
294 \&\s-1FIPS\s0 provider can then be loaded programmatically like this:
328 later explicitly load the \s-1FIPS\s0 provider then you will have both the \s-1FIPS\s0 and the
335 This loads a sub-set of algorithms that are also available in the default
336 provider \- specifically non cryptographic ones which may be used in conjunction
337 with the \s-1FIPS\s0 provider. For example this contains algorithms for encoding and
344 details about library contexts see the \s-1\fBOSSL_LIB_CTX\s0\fR\|(3) man page.
345 .SS "Loading the \s-1FIPS\s0 module at the same time as other providers"
347 It is possible to have the \s-1FIPS\s0 provider and other providers (such as the
352 For example to fetch an implementation of \s-1SHA256\s0 which conforms to \s-1FIPS\s0
358 \& sha256 = EVP_MD_fetch(NULL, "SHA2\-256", "fips=yes");
365 This example shows an explicit request for an implementation of \s-1SHA256\s0 from the
371 \& sha256 = EVP_MD_fetch(NULL, "SHA2\-256", "provider=default");
387 There are two important built-in properties that you should be aware of:
393 There is also the \f(CW\*(C`fips\*(C'\fR property. All \s-1FIPS\s0 algorithms match against the
394 property query \f(CW\*(C`fips=yes\*(C'\fR. There are also some non-cryptographic algorithms
397 can (for example) be used to write out a key generated in the \s-1FIPS\s0 provider to a
398 file. The encoder and decoder algorithms are not in the \s-1FIPS\s0 module itself but
399 are allowed to be used in conjunction with the \s-1FIPS\s0 algorithms.
402 the following config file automatically loads the default and \s-1FIPS\s0 providers and
427 .SS "Programmatically loading the \s-1FIPS\s0 module (nondefault library context)"
429 In addition to using properties to separate usage of the \s-1FIPS\s0 module from other
432 called \fIopenssl\-fips.cnf\fR that automatically loads and configures the \s-1FIPS\s0 and
443 \& * one for non\-fips usage
458 \& if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl\-fips.cnf"))
472 \& fipssha256 = EVP_MD_fetch(fips_libctx, "SHA2\-256", NULL);
476 \& /* Get a non\-FIPS validated digest */
477 \& nonfipssha256 = EVP_MD_fetch(nonfips_libctx, "SHA2\-256", NULL);
498 library context for \s-1FIPS\s0 usage, and just create one additional library context
499 for other usages \- or vice versa. However if code has not been converted to use
512 .SS "Using Encoders and Decoders with the \s-1FIPS\s0 module"
515 some external format (for example a \s-1PEM\s0 file). If your application generates
516 keys or parameters that then need to be written into \s-1PEM\s0 or \s-1DER\s0 format
522 the key or parameter object. The built-in OpenSSL encoders and decoders are
523 implemented in both the default and base providers and are not in the \s-1FIPS\s0
525 it is still possible to use them in conjunction with the \s-1FIPS\s0 module, and
529 .SS "Using the \s-1FIPS\s0 module in \s-1SSL/TLS\s0"
531 Writing an application that uses libssl in conjunction with the \s-1FIPS\s0 module is
533 properties and the default library context to specify usage of \s-1FIPS\s0 validated
535 in libssl. If you are using a nondefault library context to load the \s-1FIPS\s0
542 In this first example we create two \s-1SSL_CTX\s0 objects using two different library
559 In this second example we create two \s-1SSL_CTX\s0 objects using different properties
560 to specify \s-1FIPS\s0 usage:
577 .SS "Confirming that an algorithm is being provided by the \s-1FIPS\s0 module"
583 To go from an \fB\s-1EVP_MD_CTX\s0\fR to an \fB\s-1EVP_MD\s0\fR, use \fBEVP_MD_CTX_md\fR\|(3) .
584 To go from the \fB\s-1EVP_MD\s0\fR to its \fB\s-1OSSL_PROVIDER\s0\fR,
586 To extract the name from the \fB\s-1OSSL_PROVIDER\s0\fR, use
591 \&\s-1FIPS\s0 provider. To determine which versions have undergone
594 require FIPS-approved functionality, it is essential to build your \s-1FIPS\s0
596 it is possible to utilize a \s-1FIPS\s0 provider constructed from one of the
599 you to address bug fixes and CVEs that fall outside the \s-1FIPS\s0 boundary.
606 The \s-1FIPS\s0 module guide was created for use with the new \s-1FIPS\s0 provider
610 Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
614 in the file \s-1LICENSE\s0 in the source distribution or at