FIPS methods and symlinks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> On Feb 24, 2015, at 9:42 PM, jonetsu at teksavvy.com wrote:
> 
> On Tue, 24 Feb 2015 16:16:17 +0000
> "Dr. Stephen Henson" <steve at openssl.org> wrote:
> 
>> On Tue, Feb 24, 2015, jonetsu wrote:
> 
>>> Hello,
>>> 
>>>   To grasp how FIPS methods are called, and following one method
>>> as an example, HMAC_Update() in hmac.c, we can see that if FIPS
>>> mode is active then FIPS_hmac_update() will be called.  This is
>>> fine although searching the sources for the physical definiton of
>>> FIPS_hmac_update() does not yield any results.  How does the
>>> symbolic links function, what ends up being executed in this case
>>> and through which path ?
>> 
>> Function names get changed through fips/fipssyms.h in the FIPS module
>> source.
> 
> Yes, for instance there is:
> 
> #define HMAC_Update FIPS_hmac_update
> 
> My question is about not having found FIPS_hmac_update.  If it is
> called, then where is it ?  May sound like a simple question, although
> grep did not return any actual method.  

You?ll find it in the FIPS Object Module.  But in the source for the FIPS Object Module, it?s called HMAC_Update.  You just need to read the table backwards.  If you want to understand why, think about it a moment.  The module is mostly just a specific, tested, version of OpenSSL?s libcrypto (with extra fluff added, and some stuff removed*).  It was pretty simple** to just keep the source identical (with appropriate #ifdef to control adding in the fluff and removing other things), and then rename all the symbols in the result to avoid duplicate symbols.  It may make it a little harder to follow after the fact, but it?s really not that hard ? HMAC_Update() in your FIPS-capable libcrypto will invoke the renamed HMAC_Update() in the FIPS Object Module when operating in FIPS mode.

Steve Marquess: Is the document (which IIRC, you published back before the first validation) on how/why the FIPS Object Module was coded still available somewhere?  If so, that?d probably be a good starting point for people who post questions like this.  It?s certainly not something that?s easy to figure out if one doesn?t already have an idea of what?s going on. :)

TOM

* That?s probably not the best way to put it, it?s certainly not precise. :)
** Says a guy who in no way contributed to that effort. :)

> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux