FIPs algorithm code vs default implementation

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

FIPs algorithm code vs default implementation

OpenSSL - User mailing list
Hi All,

This is a basic question regarding FIPs algorithm code in OpenSSL 3.0, can you kindly let me know:

1> Can you please help to understand the differences in the FIPs algorithm implementation code vs default?

     Are there additional validations performed in FIPs code?

     Can you point to any API (FIPs and non FIPs version) to make this clear?

2> In normal code, EVP_DigestFinal_ex->HASH_FINAL

      Which API is equivalent to HASH_FINAL in FIPs code? How can we navigate to the FIPs code path?

3> When does "FIPS_MODULE" get defined?

Thanks
Bala
Reply | Threaded
Open this post in threaded view
|

Re: FIPs algorithm code vs default implementation

Dr Paul Dale-2
> 1> Can you please help to understand the differences in the FIPs algorithm implementation code vs default?
>
>       Are there additional validations performed in FIPs code?
There are some additional validations, there are other differences. Grep
the source code for FIPS_MODULE to find all the code differences.  There
are other differences.  The FIPS provider offers a cut down selection of
algorithsm, look at providers/fips/fipsprov.c for these.  The FIPS
provider also has to run power up selt tests, these are in the
providers/fips directory.


>       Can you point to any API (FIPs and non FIPs version) to make this clear?
One example is for AES XTS mode where the two keys are confirmed to be
different:
Lines 54 - 63 of providers/implementations/ciphers/cipher_aes_xts.c. 
There are plenty of others, grep for FIPS_MODULE.


>
> 2> In normal code, EVP_DigestFinal_ex->HASH_FINAL
>
>        Which API is equivalent to HASH_FINAL in FIPs code? How can we navigate to the FIPs code path?
EVP_DisgestFinal_ex is the equivalent.  The decision to use FIPS or not
is made when fetching the algorithm not when using it.  In use FIPS and
non-FIPS algorithms are accessed identically.

I'd suggest having a look at the 3.0 design document:
https://www.openssl.org/docs/OpenSSL300Design.html and the 3.0 wiki
page: https://wiki.openssl.org/index.php/OpenSSL_3.0.

> 3> When does "FIPS_MODULE" get defined?
When OpenSSL is being build and a FIPS relevant file is being compiled. 
This symbol is never defined for you when you build your application.


Pauli