Cryptography and SSL/TLS Toolkit



OSSL_INDICATOR_set_callback, OSSL_INDICATOR_get_callback - specify a callback for FIPS indicators


#include <openssl/indicator.h>

typedef int (OSSL_INDICATOR_CALLBACK)(const char *type, const char *desc, const OSSL_PARAM params[]);

void OSSL_INDICATOR_set_callback(OSSL_LIB_CTX *libctx,
                                 OSSL_INDICATOR_CALLBACK *cb);
void OSSL_INDICATOR_get_callback(OSSL_LIB_CTX *libctx,
                                 OSSL_INDICATOR_CALLBACK **cb);


OSSL_INDICATOR_set_callback() sets a user callback cb associated with a libctx that will be called when a non approved FIPS operation is detected.

The user's callback may be triggered multiple times during an algorithm operation to indicate different approved mode checks have failed.

Non approved operations may only occur if the user has deliberately chosen to do so (either by setting a global FIPS configuration option or via an option in an algorithm's operation context).

The user's callback OSSL_INDICATOR_CALLBACK type and desc contain the algorithm type and operation that is not approved. params is not currently used.

If the user callback returns 0, an error will occur in the caller. This can be used for testing purposes.


OSSL_INDICATOR_get_callback() returns the callback that has been set via OSSL_INDICATOR_set_callback() for the given library context libctx, or NULL if no callback is currently set.


A simple indicator callback to log non approved FIPS operations

 static int indicator_cb(const char *type, const char *desc,
                         const OSSL_PARAM params[])
     if (type != NULL && desc != NULL)
         fprintf(stdout, "%s %s is not approved\n", type, desc);
     /* For Testing purposes you could return 0 here to cause an error */
     return 1;

 OSSL_INDICATOR_set_callback(libctx, indicator_cb);


openssl-core.h(7), OSSL_PROVIDER-FIPS(7) OSSL_LIB_CTX(3)


The functions described here were added in OpenSSL 3.4.

Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at