[openssl-dev] Intent of the private_ wrappers

Dr. Stephen Henson steve at openssl.org
Wed Mar 11 00:03:26 UTC 2015


On Fri, Mar 06, 2015, Steve Schefter wrote:

> Hi.
> 
> I am compiling OpenSSL with the FIPS options and seeing a build
> error. My question is more about the intent than the problem.
> 
> One example:  When apps/speed.c is compiled with FIPS enabled,
> OPENSSL_FIPS is defined and DES_set_key_unchecked gets defined to be
> private_DES_set_key_unchecked.
> 
> The use of the private_ function means that fips_cipher_abort is not called.
> 
> Am I correct that the intent is to allow the OpenSSL-provided apps
> to use the low level APIs (like DES) while user applications linking
> with libcrypto.so can not?
> 
> The problem is that the OpenSSL-provided apps also link with that
> library and the private_ functions are not global (they are not in
> openssl.ld).  So the OpenSSL-provided apps fail to link.  In the
> above example, apps/speed.c can't find
> private_DES_set_key_unchecked().
> 
> Or am I not understanding the intent?
> 

Which OS and version of OpenSSL are you using?

The intent of the private_ wrappers is to block the accidental use of low
level APIs in applications in FIPS mode. In FIPS mode you can only use EVP:
so if an application did use low level APIs it would not be compliant.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
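
An added illustration, not part of the original message and not OpenSSL source: a simplified, self-contained C model of the guarded public function and its private_ counterpart discussed in this thread. All demo_ names are hypothetical, and the model returns -1 at the point where the guard described above would stop the program, so the effect can be observed.

```c
/* Simplified model; demo_ names are hypothetical, this is not OpenSSL source. */
#include <stdio.h>
#include <string.h>

static int demo_fips_mode = 0;     /* stands in for the library's FIPS mode flag */
static int demo_blocked_calls = 0; /* counts calls rejected by the guard */
typedef struct { unsigned char ks[8]; int set; } demo_key_schedule;

/* Unguarded worker, the counterpart of a private_ function. */
int private_demo_set_key(const unsigned char key[8], demo_key_schedule *s)
{
    memcpy(s->ks, key, sizeof s->ks);
    s->set = 1;
    return 0;
}

/* Public low-level entry point: the FIPS check runs before any work. */
int demo_set_key(const unsigned char key[8], demo_key_schedule *s)
{
    if (demo_fips_mode) {
        demo_blocked_calls++;
        return -1;
    }
    return private_demo_set_key(key, s);
}

/* A user application calls the public name and hits the guard. */
int user_app_setup(const unsigned char key[8], demo_key_schedule *s)
{
    return demo_set_key(key, s);
}

/* A bundled app is compiled with the public name remapped to the private_
 * one; this only links if the library exports the private_ symbol. */
#define demo_set_key private_demo_set_key
int bundled_app_setup(const unsigned char key[8], demo_key_schedule *s)
{
    return demo_set_key(key, s);
}
#undef demo_set_key

int main(void)
{
    unsigned char key[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed sample key */
    demo_key_schedule a = {{0}, 0}, b = {{0}, 0};
    demo_fips_mode = 1;
    printf("user: %d bundled: %d\n", user_app_setup(key, &a), bundled_app_setup(key, &b));
    return 0;
}
```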

