SQLCipher 4.5.1 for Android and OpenSSL 3.0.2

Will SQLCipher utilize the FIPS support in OpenSSL 3.0 if the FIPS provider has been loaded and is the default OpenSSL provider?

I have built OpenSSL to use the FIPS provider and can tell it is being used when calling OpenSSL crypto apis directly. I just can’t tell if SQLCipher is using it or using Android native apis instead.

I noticed there is an SQLCipher build flag - SQLCIPHER_FIPS - but it appears to be specific for OpenSSL 1.1.0 FIPS support.

Thanks.

Hello @jmm09312 - SQLCipher community edition doesn’t include FIPS support. You should be able to build against OpenSSL 3.0 from source if you so desire. We also offer some turnkey FIPS options under the SQLCipher Enterprise Program.

Hi sjlombardo, Hope you don’t mind a follow up question. Is there anything preventing SQLCipher from using OpenSSL with FIPS support?

The reason I ask is that I have modified the SQLCipher build to build OpenSSL with FIPS support. Since FIPS is now a “provider” it is loaded by OpenSSL itself via a config file. So calls to OpenSSL will default to calling the FIPS provider (in this situation). I have validated that calls to OpenSSL directly from the app are using the FIPS provider, but I have not confirmed that SQLCipher is yet. I have assumed it would since SQLCipher is calling OpenSSL without knowledge if FIPS is the provider or not.
Anyways, thought I would ask. Thanks.

Hi @jmm09312 - there isn’t anything specific that would prevent SQLCipher from using OpenSSL, and provided that the library is operating in FIPS mode then SQLCipher would use it. However, runtime verification of that would be sensible, since it is possible to alter an environment in such a way that an application could be forced to use a different library. For this reason, applications using a FIPS validated cryptographic module typically have to perform some sort of runtime test to confirm that FIPS mode is actually being used. Thus you would probably need to make corresponding changes to SQLCipher’s provider (or use a new provider) to expose that sort of runtime check.