Dev news

Commit b00f7b6c30 for openssl.org

commit b00f7b6c30f82a1bb2610f97d4349ed5d932c7d4
Author: Pauli <paul.dale@oracle.com>
Date:   Tue Jun 23 09:01:17 2026 +1000

    demo: add program that shows how to query the FIPS provider version

    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Simo Sorce <simo@redhat.com>
    (Merged from https://github.com/openssl/openssl/pull/31654)

diff --git a/demos/Makefile b/demos/Makefile
index 208249e0fd..3b411fe052 100644
--- a/demos/Makefile
+++ b/demos/Makefile
@@ -6,6 +6,7 @@ MODULES = bio \
           encrypt \
           guide \
           http3 \
+          info \
           kdf \
           keyexch \
           mac \
diff --git a/demos/README.txt b/demos/README.txt
index 1a7d4f447f..9ccb5f1c2f 100644
--- a/demos/README.txt
+++ b/demos/README.txt
@@ -42,6 +42,9 @@ tls-client-non-block.c:  A simple non-blocking SSL/TLS client
 http3:                 Demonstration of how to use OpenSSL's QUIC capabilities
                        for HTTP/3.

+info:
+fips-version.c         Demonstration of how to query the FIPS provider version
+
 kdf:
 hkdf.c                 Demonstration of HMAC based key derivation
 pbkdf2.c               Demonstration of PBKDF2 password based key derivation
diff --git a/demos/build.info b/demos/build.info
index 3c74e8f331..49068f74ec 100644
--- a/demos/build.info
+++ b/demos/build.info
@@ -1,4 +1,4 @@
-SUBDIRS=bio cipher digest keyexch mac kdf pkey signature \
+SUBDIRS=bio cipher digest info keyexch mac kdf pkey signature \
         encrypt encode sslecho

 IF[{- !$disabled{"h3demo"} -}]
diff --git a/demos/info/Makefile b/demos/info/Makefile
new file mode 100644
index 0000000000..ef93a25df6
--- /dev/null
+++ b/demos/info/Makefile
@@ -0,0 +1,29 @@
+#
+# To run the demos when linked with a shared library (default) ensure
+# that libcrypto is on the library path. For example:
+#
+#    LD_LIBRARY_PATH=../.. ./info
+
+TESTS = fips-version
+
+CFLAGS  = -I../../include -g -Wall
+LDFLAGS = -L../..
+LDLIBS  = -lcrypto
+
+all: $(TESTS)
+
+fips-version: fips-version.o
+
+$(TESTS):
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS)
+
+clean:
+	$(RM) *.o $(TESTS)
+
+.PHONY: test
+test: all
+	@echo "\nINFO tests:"
+	@set -e; for tst in $(TESTS); do \
+		echo "\n"$$tst; \
+		LD_LIBRARY_PATH=../.. ./$$tst; \
+	done
diff --git a/demos/info/build.info b/demos/info/build.info
new file mode 100644
index 0000000000..b5339cec91
--- /dev/null
+++ b/demos/info/build.info
@@ -0,0 +1,11 @@
+#
+# To run the demos when linked with a shared library (default) ensure
+# that libcrypto is on the library path. For example:
+#
+#    LD_LIBRARY_PATH=../.. ./info
+
+PROGRAMS{noinst} = fips-version
+
+INCLUDE[fips-version]=../../include
+SOURCE[fips-version]=fips-version.c
+DEPEND[fips-version]=../../libcrypto
diff --git a/demos/info/fips-version.c b/demos/info/fips-version.c
new file mode 100644
index 0000000000..6b1bb4bfab
--- /dev/null
+++ b/demos/info/fips-version.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/core_names.h>
+#include <openssl/params.h>
+#include <openssl/provider.h>
+
+int main(int argc, char **argv)
+{
+    int ret = EXIT_FAILURE;
+    OSSL_LIB_CTX *libctx;
+    OSSL_PROVIDER *fips_provider = NULL;
+    OSSL_PARAM params[2];
+    char *version;
+
+    /* Replace this with your libctx if you are using a non-default one */
+    libctx = NULL;
+
+    /* Check if the FIPS provider is available in this libctx */
+    if (!OSSL_PROVIDER_available(libctx, "fips")) {
+        puts("FIPS provider is not available");
+        goto done;
+    }
+
+    /* Load the FIPS provider */
+    fips_provider = OSSL_PROVIDER_load(libctx, "fips");
+    if (fips_provider == NULL) {
+        puts("Failed to load FIPS provider");
+        goto done;
+    }
+
+    /* Query the FIPS provider version */
+    params[0] = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
+        &version, 0);
+    params[1] = OSSL_PARAM_construct_end();
+    OSSL_PARAM_set_all_unmodified(params);
+    if (!OSSL_PROVIDER_get_params(fips_provider, params)) {
+        puts("Failed to query FIPS provider version");
+        goto done;
+    }
+
+    /* Check if the FIPS provider returned a version to us */
+    if (!OSSL_PARAM_modified(params)) {
+        puts("FIPS provider failed to set version");
+        goto done;
+    }
+
+    printf("FIPS provider version is %s\n", version);
+    ret = EXIT_SUCCESS;
+done:
+    OSSL_PROVIDER_unload(fips_provider);
+    return ret;
+}