I'm struggling to understand how EVP_default_properties_is_fips_enabled() works. I cannot get this function to return nonzero unless I first call either EVP_default_properties_enable_fips() or EVP_set_default_properties(), even when the config file sets default_properties to enable fips.
Also, the return value of this function doesn't seem to have any effect on which provider gets selected (which I think is what issue #11594 describes?).
[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[alg_sect]
default_properties = fips=yes
I understand this to mean both the default provider and the fips provider will be loaded into the default context, and both of these providers will be activated. I also see that:
EVP_MD_fetch(NULL, "sha256", NULL);
returns a pointer which EVP_MD_provider() confirms as being from the fips provider (as expected). Changing this to "fips=no" in the config file results in EVP_MD_fetch() returning EVP_MD from the default provider, again as expected. However, in both cases, EVP_default_properties_is_fips_enabled() always returns zero. I don't see anything in #11594 that would explain this.
Calling EVP_default_properties_enable_fips(NULL, 1) results in EVP_default_properties_is_fips_enabled() returning 1, but this does not appear to override the fips=no from the config file during EVP_MD_fetch() (which is what I believe #11594 describes).
Is the result of EVP_default_properties_is_fips_enabled() supposed to take into account the default properties specified in the config file? I don't see it doing that. Also, regarding #11594, if default properties are currently still broken, why do those in the config appear to work properly?
And finally the burning question: Any ETA on a fix? :-) :-) :-)
On 31/07/2020 00:12, Thomas Dwyer III wrote:
> Is the result of EVP_default_properties_is_fips_enabled() supposed to
> take into account the default properties specified in the config file? I
> don't see it doing that. Also, regarding #11594, if default properties
> are currently still broken, why do those in the config appear to work
EVP_default_properties_is_fips_enabled() is supposed to take into account the
default properties specified in the config file, so it sounds like you
may have encountered a bug. I've raised this issue here: