Replacement fpr FIPS_Digest
Kory Hamzeh
kory at avatarci.com
Mon Dec 6 22:30:09 UTC 2021
Hi,
I am working on converting this code to OpenSSL 3 for FIPS-140 KASVS ECDH testing:
https://github.com/majek/openssl/blob/master/fips/ecdh/fips_ecdhvs.c <https://github.com/majek/openssl/blob/master/fips/ecdh/fips_ecdhvs.c>
The only consequential change I made to the code was replacing the call to FIPS_Digest with a call to EVP_Digest when calculating the Z hash. I am loading the FIPS module using a configuration file and then calling property() to “fips=yes”.
I am only testing ECDH key gen and verification. When I run the test against NIST test vectors per SP800-56A, all of the verifies fail.
I am wondering if replacing FIPS_Digest with EVP_Digest is not enough? Also, code in the above link used a now unsupported callback function to register a fake entropy source. However, I don’t think entropy is at play for ECDH key verification.
Thanks,
Kory
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211206/170ac4d3/attachment.htm>
More information about the openssl-users
mailing list