<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
font-variant:normal !important;
color:windowtext;
text-transform:none;
font-weight:normal;
font-style:normal;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal" style="background:white"><span style="color:black">Hello,<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">We are using Openssl-1.0.2a with FIPS 2.0.9 on Linux PPC environment. We have code that we assume needs updating,<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">to avoid using low level routines in FIPS. For example, our snmp v3 implementation currently decrypts/encrypts using<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">AES_set_encrypt_key() and AES_cfb128_encrypt().
<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">The old decryption routine is as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">BOOL /* TRUE:=ok, FALSE=error condition */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">sc_aes_decrypt(SN_PRIVPROT privProto, /* usm priv protocol type */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> UCHAR * key, /* priv key */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> UINT keylen, /* priv key length */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> UCHAR * iv, /* iv buffer */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> UINT ivlen, /* iv length */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> UCHAR * ciphertext, /* encrypted buffer: the cipher text */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> UINT ctlen, /* encrypted data length */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> UCHAR * plaintext, /* OUT: decrypted buffer */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> int *ptlen)</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">{ /* IN: decrypt buf len, OUT: decrypt data */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> static char fname[] = "sc_aes_decrypt";</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> AES_KEY aes_key;</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> char my_iv[16];</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> int new_ivlen = 0;</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> int ret;</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> ret = AES_set_encrypt_key(key, (keylen * 8), &aes_key);</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> if (ret < 0) {</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> errorMsg("%s: call to AES_set_encrypt_key() failed (error=%d)", fname,</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> ret);</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> return FALSE;</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> }</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> memcpy(my_iv, iv, ivlen);</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> /*</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> * Decrypt the data.</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> */</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> AES_cfb128_encrypt(ciphertext, plaintext, ctlen,</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> &aes_key, my_iv, &new_ivlen, AES_DECRYPT);</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> *ptlen = ctlen;</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> return TRUE;</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">}</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">AES_set_encrypt_key() is no longer useable in FIPS mode as<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">shown in the following code snippet from openssl-1.0.2a/crypto/aes/aes_misc.c -<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">/* FIPS wrapper functions to block low level AES calls in FIPS mode */<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">int AES_set_encrypt_key(const unsigned char *userKey, const int bits,</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> AES_KEY *key)</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">{</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">#ifdef OPENSSL_FIPS</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> fips_cipher_abort(AES);</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">#endif</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> return private_AES_set_encrypt_key(userKey, bits, key);</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">}</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black"><br>
I could not find a parallel routine for AES_set_encrypt_key() in the high level EVP routines. I also looked on the Openssl wiki.<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">Do I need one? Does one exist? <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">I am attempting to replace the old code with FIPS safe EVP routines EVP_CIPHER_CTX_init(), EVP_DecryptInit_ex() using EVP_aes_128_cfb, EVP_DecryptUpdate(), EVP_DecryptFinal_ex() and EVP_CIPHER_CTX_cleanup(). <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">The data passed into the decrypt routine<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">is not a fixed length (not necessarily a multiple of block size). Is that the correct path?<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">Are there any gotchas I should watch out for, for example, with padding issues? I am asking because my first attempt <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="color:black">at the new code results in a decryption error from Openssl crypto/evp/evp_enc.c EVP_DecryptFinal_ex() line 519<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black">if (b > 1) {</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> if (ctx->buf_len) {</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> <b> EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_WRONG_FINAL_BLOCK_LENGTH);</b></span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> return (0);</span></em><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"> }<o:p></o:p></span></em></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></em></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black;font-style:normal">Any help/guidance would be most appreciated.<o:p></o:p></span></em></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black;font-style:normal"><o:p> </o:p></span></em></p>
<p class="MsoNormal" style="background:white"><em><span style="font-family:"Calibri","sans-serif";color:black;font-style:normal">Thank you.</span></em><i><span style="color:black"><o:p></o:p></span></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#7F7F7F">Phil Bellino<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;color:#7F7F7F">Principal Software Engineer</span></b><b><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#7F7F7F">
</span></b><b><span style="font-size:10.0pt;color:#5A4099">| </span></b><b><span style="font-size:10.0pt;color:#7F7F7F">MRV Communications Inc.<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#7F7F7F">300 Apollo Drive
</span><b><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#8064A2">|
</span></b><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#7F7F7F">Chelmsford, MA 01824
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#7F7F7F">Phone: 978-674-6870</span><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:teal">
</span><b><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#8064A2">|
</span></b><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#7F7F7F">Fax: 978-674-6799<o:p></o:p></span></p>
<p class="MsoNormal"><a href="www.mrv.com"><span style="font-size:9.0pt;color:#7F7F7F">www.mrv.com</span></a><span style="font-size:9.0pt;color:#7F7F7F"><br>
<br>
</span><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#7F7F7F"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt"><img border="0" width="188" height="25" id="Picture_x0020_3" src="cid:image001.png@01D07040.0F050730" alt="MRV-email"></span><span style="font-size:10.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<a href="http://www.mrv.com/landing/video-datasheet-mrvs-optidriver-platform"><img src="http://www.mrv.com/images/Awards_Banner.jpg" alt="E-Banner"></a><br>
<br>
<div style="background-color:#FFFFFF; padding:.8em; ">
<p style="font-size:8pt;color:#b8b9c8; line-height:8pt; font-family:
'arial','times roman',serif;">
The contents of this message, together with any attachments, are intended only for the use of the person(s) to whom they are addressed and may contain confidential and/or privileged information. If you are not the intended recipient, immediately advise the
sender, delete this message and any attachments and note that any distribution, or copying of this message, or any attachment, is prohibited.</p>
</div>
</body>
</html>