On 19/08/2023 00:50, Thomas Dwyer III wrote:
Following up on this, I have legacy applications that are FIPS-enabled
with OpenSSL 1.0.2+FOM that I'm porting to OpenSSL 3.x and these
applications are failing because of the now-invalid DH parameters that
weren't invalid in 1.0.2. I understand that compliance based on whether
the parameters are validated using 186-4 vs 186-2 is a question for the
FIPS lab rather than the OpenSSL community, but if I wanted to revert
back to 186-2 validation in the FIPS provider and submit that to CMVP
what would be the best way to achieve this? I see this comment in
ffc_params_validate.c directly above the definition of
ossl_ffc_params_FIPS186_2_validate():

    /* This may be used in FIPS mode to validate deprecated FIPS-186-2 Params */
    int ossl_ffc_params_FIPS186_2_validate(OSSL_LIB_CTX *libctx,
                                           const FFC_PARAMS *params,
                                           int type,
                                           int *res, BN_GENCB *cb)

but I can't find a codepath through the FIPS provider that gets me
there. All of the logic that checks FFC_PARAM_FLAG_VALIDATE_LEGACY is
removed when FIPS_MODULE is defined. Is the comment incorrect?

Yes, it looks to me like the comment is incorrect. There are two callers
of that function, and neither of them seems to be compiled in if
FIPS_MODULE is defined.

Matt