FIPS 3.0 private_* hash functions

FIPS 3.0 private_* hash functions

Neptune
Hi all,
I am in the process of making required changes to migrate our code to the
1.1.x branch. We are currently using the FIPS Object Module 2.0 and eagerly
await word on the new 3.0 FIPS Object Module, but in the meantime there is
one issue of concern in our code for which I need some clarification:

This is a fairly old code base which contains some MD4 and MD5 usages. These
are merely used to create some comparison hashes, but because of constraints
with other applications we integrate with, it would be painful to replace
these with newer FIPS-compliant hashes. For our current code using 1.0.2 we
got around the FIPS Object Module in these cases by using the private
variants of these hash functions (i.e. private_MD5_init).

Will there be any such provisions for the 3.0 FIPS Object Module?

Thank you!
Paul



Re: FIPS 3.0 private_* hash functions

Matt Caswell-2


On 10/10/2019 16:40, Neptune wrote:

> Hi all,
> I am in the process of making required changes to migrate our code to the
> 1.1.x branch. We are currently using the FIPS Object Module 2.0 and eagerly
> await word on the new 3.0 FIPS Object Module, but in the meantime there is
> one issue of concern in our code for which I need some clarification:
>
> This is a fairly old code base which contains some MD4 and MD5 usages. These
> are merely used to create some comparison hashes, but because of constraints
> with other applications we integrate with, it would be painful to replace
> these with newer FIPS-compliant hashes. For our current code using 1.0.2 we
> got around the FIPS Object Module in these cases by using the private
> variants of these hash functions (i.e. private_MD5_init).
>
> Will there be any such provisions for the 3.0 FIPS Object Module?
>

OpenSSL 3.0 is a completely different architecture to the older versions.

Algorithm implementations are available via "providers". There will be 3
providers available initially (others might come from 3rd parties). These are
the default, legacy and fips providers. FIPS validated algorithms will be in the
fips provider. The legacy provider will have MD4 and MD5 implementations.

It is perfectly possible to have more than one provider loaded at the same time.
Configuration will enable you to specify which algorithm implementations you
wish to use for any given circumstance. You can also override configuration on a
per call site basis. For example you can load both the fips and legacy providers
and configure things so that by default you only ever use fips algorithms. For
specific cases you can override the default configuration to load algorithms
from the legacy provider.

Matt
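
The setup described in the reply above, written out as an added example; it is not part of the original thread and not the OpenSSL project's own configuration. It follows the openssl.cnf syntax of released OpenSSL 3.x; the fipsmodule.cnf path is a placeholder, and MD4 stands in for the legacy algorithm.

```ini
# openssl.cnf: fips and legacy providers loaded together, FIPS by default.
openssl_conf = openssl_init

# Placeholder path (assumption). This file is generated by
# `openssl fipsinstall` and defines the [fips_sect] section used below.
.include /path/to/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
# base supplies encoders/decoders only, no cryptographic algorithms.
base = base_sect
legacy = legacy_sect

[base_sect]
activate = 1

[legacy_sect]
activate = 1

[algorithm_sect]
# Every fetch that passes no property query of its own resolves to a
# fips provider implementation.
default_properties = fips=yes

# Per call site override, in application C code (shown as a comment
# because this block is a config file):
#
#   EVP_MD *md4 = EVP_MD_fetch(NULL, "MD4", "provider=legacy,fips=no");
#
# The call's own property query takes precedence over default_properties
# for the "fips" property, so only this one fetch reaches the legacy
# provider. Without the override, fetching MD4 returns NULL because no
# implementation carrying fips=yes exists.
#
# In released OpenSSL 3.x, MD5 is implemented by the default provider,
# not the legacy one. If MD5 is needed, also add "default = default_sect"
# with "activate = 1" and fetch it with "provider=default,fips=no".
```

Auditing for non-FIPS use then comes down to searching the code base for fetch calls that carry an explicit `fips=no` or `provider=` query.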

Re: FIPS 3.0 private_* hash functions

Tomas Mraz-2
In reply to this post by Neptune
On Thu, 2019-10-10 at 08:40 -0700, Neptune wrote:

> Hi all,
> I am in the process of making required changes to migrate our code to the
> 1.1.x branch. We are currently using the FIPS Object Module 2.0 and eagerly
> await word on the new 3.0 FIPS Object Module, but in the meantime there is
> one issue of concern in our code for which I need some clarification:
>
> This is a fairly old code base which contains some MD4 and MD5 usages. These
> are merely used to create some comparison hashes, but because of constraints
> with other applications we integrate with, it would be painful to replace
> these with newer FIPS-compliant hashes. For our current code using 1.0.2 we
> got around the FIPS Object Module in these cases by using the private
> variants of these hash functions (i.e. private_MD5_init).
>
> Will there be any such provisions for the 3.0 FIPS Object Module?

Yes, they already are there in the master branch!

See:
https://github.com/openssl/openssl/issues/10129

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]