It was meant for the second method only. The first method is using
different library contexts to distinguish FIPS algorithms. Using the
properties in addition is harmless and might prevent a future mistake
that breaks compliance.
Pauli
On 26/10/21 4:46 am, Jason Schultz wrote:
Thanks again. I think most of that makes sense. Going back to your
initial response, there is something I'm not clear on.
The second method you explained (which I don't plan to use) starting
with "Alternatively,..." included the calls to OSSL_PROVIDER_load(),
and then discussed calling the following API for FIPS:
EVP_set_default_properties(NULL, "fips=yes");
Was the EVP_set_default_properties() call specifically and only for
the 2nd method, or did that API call apply to both the first and
second methods you explained? From reading the doc for that call, it
seems like I should be doing it if I use the first method as well.
Regards,
Jason
------------------------------------------------------------------------
*From:* openssl-users <[email protected]> on behalf of
Dr Paul Dale <[email protected]>
*Sent:* Sunday, October 24, 2021 11:12 PM
*To:* [email protected] <[email protected]>
*Subject:* Re: OpenSSL 3.0 FIPS questions
The configuration shouldn't have much impact. You will need a fips
section specifying where the integrity check data are. You shouldn't
need base or default sections.
Pauli
On 25/10/21 5:23 am, Jason Schultz wrote:
Thank you for your response. I think all of that makes sense, and
seems to accomplish what I want programmatically, limiting it to my
application. I guess the only question I have is what about the
config files? Should they remain as they were installed, or do I need
to provide sections for fips, base, default, etc?
Regards,
Jason
------------------------------------------------------------------------
*From:* openssl-users <[email protected]> on behalf of
Dr Paul Dale <[email protected]>
*Sent:* Sunday, October 24, 2021 12:28 AM
*To:* [email protected] <[email protected]>
*Subject:* Re: OpenSSL 3.0 FIPS questions
Oops, the second time this occurs "defp =
OSSL_PROVIDER_load(non_fips_libctx, "default");" it should be "defp =
OSSL_PROVIDER_load(NULL, "default");"
Pauli
On 24/10/21 10:06 am, Dr Paul Dale wrote:
defp = OSSL_PROVIDER_load(non_fips_libctx, "default");