[openssl-dev] [openssl.org #4693] Re: [openssl.org #4692] AutoReply: Change EVP_aes_xxx_wrap to use FIPS crypto module in FIPS mode
Kent Peacock via RT
rt at openssl.org
Mon Oct 3 02:25:38 UTC 2016
Recommemded change to the previous diff in aes_wrap_cleanup, since
cipher data and the context are cleaned up by the caller (avoids a
double free):
if (wctx) {
EVP_CIPHER_CTX_cleanup(&wctx->aes_ctx);
- OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
- OPENSSL_free(c->cipher_data);
}
- memset(c, 0, sizeof(EVP_CIPHER_CTX));
On 10/01/2016 04:02 AM, The default queue via RT wrote:
>
> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
> "Change EVP_aes_xxx_wrap to use FIPS crypto module in FIPS mode",
> a summary of which appears below.
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [openssl.org #4692].
>
> Please include the string:
>
> [openssl.org #4692]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
>
> Thank you,
> rt at openssl.org
>
> -------------------------------------------------------------------------
> The FIPS certified 2.0.x crypto module does not incorporate the key wrap
> modes within the module boundary, and calls the local
> AES_{encrypt,decrypt} functions (which is, strictly speaking, a no-no).
> So, it's not using FIPS validated crypto. This patch provides a
> modification to use the appropriate underlying FIPS EVP_aes_..._ecb APIs
> which use the FIPS module to do the actual block-at-a-time
> encryption/decryption.
>
> Kent
>
>
> -------------------------------------------------------------------------
> http://rt.openssl.org/Ticket/Display.html?id=4692&user=guest&pass=guest
>
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4693
Please log in as guest with password guest if prompted
More information about the openssl-dev
mailing list