Re: FIPs algorithm code vs default implementation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



1> Can you please help to understand the differences in the FIPs algorithm implementation code vs default?

      Are there additional validations performed in FIPs code?
There are some additional validations, there are other differences. Grep the source code for FIPS_MODULE to find all the code differences.  There are other differences.  The FIPS provider offers a cut down selection of algorithsm, look at providers/fips/fipsprov.c for these.  The FIPS provider also has to run power up selt tests, these are in the providers/fips directory.


      Can you point to any API (FIPs and non FIPs version) to make this clear?
One example is for AES XTS mode where the two keys are confirmed to be different: Lines 54 - 63 of providers/implementations/ciphers/cipher_aes_xts.c.  There are plenty of others, grep for FIPS_MODULE.



2> In normal code, EVP_DigestFinal_ex->HASH_FINAL

       Which API is equivalent to HASH_FINAL in FIPs code? How can we navigate to the FIPs code path?
EVP_DisgestFinal_ex is the equivalent.  The decision to use FIPS or not is made when fetching the algorithm not when using it.  In use FIPS and non-FIPS algorithms are accessed identically.

I'd suggest having a look at the 3.0 design document: https://www.openssl.org/docs/OpenSSL300Design.html and the 3.0 wiki page: https://wiki.openssl.org/index.php/OpenSSL_3.0.

3> When does "FIPS_MODULE" get defined?
When OpenSSL is being build and a FIPS relevant file is being compiled.  This symbol is never defined for you when you build your application.


Pauli




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux