FIPS_mode()

From OpenSSLWiki

The FIPS_mode() function is used to determine the current FIPS 140-2 mode of operation by a program utilizing the services of the validated library. The library must have been built with the FIPS Object Module, and the FIPS Object Module must have been acquired, built, and installed in accordance with the security policy.

The return value is either 0 to indicate that the FIPS mode of operation is not enabled, or the value used for the ONOFF parameter passed to an earlier successful call to FIPS_mode_set(). Effectively, any non-zero value indicates FIPS mode. Values other than 1 may have additional significance, such as designating an additional restriction to Suite B algorithms.

The only current FIPS-capable release of OpenSSL is version 1.0.2. Calling the function from an application linked to OpenSSL versions 1.1.0 or 1.1.1 will always return 0, indicating non-FIPS mode, with an error code of CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065).


History

FIPS support was introduced in version 0.9.7 of OpenSSL.


Example

To call the function, the OpenSSL crypto header must be included.

#include <openssl/crypto.h>

The function itself takes no parameters, and returns an integer indicating the mode of operation as described above.

int FIPS_mode(void);

In the following example, the program tests the return value of the FIPS_mode() call and exits with an error if the linked library is not FIPS-capable. The return value is saved because it may carry information beyond FIPS-capability (see above).

#include <stdio.h>
#include <stdlib.h>
#include <openssl/crypto.h>

int main(void)
{
    int fips_compatible_build = -1;

    /* Keep the value: anything non-zero is FIPS mode, and values other than 1 may mean extra restrictions. */
    if ((fips_compatible_build = FIPS_mode()) == 0) {
        fprintf(stderr, "The current version of OpenSSL is not FIPS-capable.\n");
        exit(EXIT_FAILURE);
    }

    // ...
    return EXIT_SUCCESS;
}


See Also

  • FIPS_mode_set(3)
  • FIPS_selftest(3)


Notes

FIPS_mode() was formerly included with <openssl/fips.h>.


External Links