Fips provider and non-Fips context
Dr Paul Dale
pauli at openssl.org
Mon Apr 17 00:16:01 UTC 2023
The FIPS provider looks up any required algorithms /internally/, so it
won't find provider A's implementation.
This was a deliberate decision to guarantee FIPS compliance and to avoid
the intricacies of the mandated secure channel when data crosses FIPS
boundaries.
Pauli
On 17/4/23 10:06, Afshin Pir wrote:
>
> Hi,
>
> Is it allowed to use a non-fips provider algorithm as fips algorithm
> provider internal algorithm? For example, let’s say that I want to use
> Fips version of CMAC like this:
>
> EVP_MAC *mac = EVP_MAC_fetch(libctx, "CMAC", "fips=yes");
>
> and libctx has already loaded provider fips and provider A. Now if I
> want to init it, I use a code like this:
>
> char ciphername[] = "HW-AES-128-CBC";
> char propname[] = "?provider=A";
> OSSL_PARAM params[3];
> params[0] = OSSL_PARAM_construct_utf8_string("cipher", ciphername, 0);
> params[1] = OSSL_PARAM_construct_utf8_string("properties", propname, 0);
> params[2] = OSSL_PARAM_construct_end();
> EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(mac);
> int res = EVP_MAC_init(ctx, (const unsigned char *)key, strlen(key),
>                        params);
>
> Now should EVP_MAC_init() succeed here or not for fips provider
> algorithm? Because it seems that I cannot use provider A with fips
> provider while I can with default provider.
>
> Best Regards,
>
> Afshin
>
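Added example (not part of the original thread and not OpenSSL code): a simplified C model of the behaviour described in the reply above, where a fetch made by the application sees every loaded provider but a lookup made inside the FIPS provider sees only its own algorithms. The table contents, the fetch() helper and the two-property matcher are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL source: one row per (provider, algorithm). */
struct impl { const char *provider, *name; int fips; };
static const struct impl IMPLS[] = {
    { "fips",    "CMAC",           1 },
    { "fips",    "AES-128-CBC",    1 },
    { "default", "CMAC",           0 },
    { "default", "AES-128-CBC",    0 },
    { "A",       "HW-AES-128-CBC", 0 },  /* hypothetical hardware provider */
};

/* Does one clause ("fips=yes" or "provider=NAME") hold for this row? */
static int clause_holds(const struct impl *im, const char *c, size_t n) {
    if (n > 9 && strncmp(c, "provider=", 9) == 0)
        return strlen(im->provider) == n - 9 &&
               strncmp(im->provider, c + 9, n - 9) == 0;
    if (n == 8 && strncmp(c, "fips=yes", 8) == 0) return im->fips;
    return 0;  /* properties this model does not know never match */
}

/* Comma-separated query; '?' marks a preference. -1 = mandatory clause failed. */
static int score(const struct impl *im, const char *q) {
    int s = 0;
    while (*q) {
        size_t n = strcspn(q, ",");
        int opt = (*q == '?');
        int ok = clause_holds(im, q + opt, n - opt);
        if (!ok && !opt) return -1;
        s += ok && opt;
        q += n + (q[n] == ',');
    }
    return s;
}

/* scope NULL: application fetch across all providers; else that provider only. */
static const char *fetch(const char *scope, const char *alg, const char *q) {
    const struct impl *best = NULL; int best_s = -1;
    for (size_t i = 0; i < sizeof IMPLS / sizeof IMPLS[0]; i++) {
        if (strcmp(IMPLS[i].name, alg) != 0) continue;
        if (scope && strcmp(IMPLS[i].provider, scope) != 0) continue;
        int s = score(&IMPLS[i], q);
        if (s > best_s) { best = &IMPLS[i]; best_s = s; }
    }
    return best ? best->provider : NULL;
}
int main(void) {
    const char *r = fetch("fips", "HW-AES-128-CBC", "?provider=A");
    printf("cipher lookup inside FIPS: %s\n", r ? r : "not found");
    return 0;
}
```

In this model the leading '?' makes provider=A a preference rather than a requirement, so a name the FIPS table does contain still resolves to the FIPS implementation, while a name only provider A offers cannot be found from inside the boundary.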