fips mode and key management

Tomas Mraz tmraz at redhat.com
Tue Jan 21 14:33:35 UTC 2020


I can only add +1 to what Matthias suggests. Although I know the
meaning of the FIPS_MODE define, for a newcomer it is obviously not
clear what the define really means.

Tomas

On Tue, 2020-01-21 at 13:31 +0100, Matthias St. Pierre wrote:
> On 21.01.20 10:36, Richard Levitte wrote:
> > I think that the misunderstanding lies in when FIPS_MODE is
> > defined.
> 
> Reading this sentence it occurred to me that the misunderstanding comes from
> the fact that the define is indeed misnamed. The term "FIPS mode" is a relic
> from FIPS 2.0, where the OpenSSL 1.0.x library had an API to enable FIPS mode
> *at runtime*.
> 
> (Note that the *compile time* option to include the FOM was called OPENSSL_FIPS,
> not FIPS_MODE. So the misleading name must have crept in only recently.)
> 
> > It's defined when the FIPS provider module is being built, never
> > otherwise.
> 
> Exactly, in OpenSSL 3.0 the DEFAULT and the FIPS provider are partially built from
> the same source files, which is the reason why we need a build time constant to
> distinguish those two cases. Maybe the name OSSL_FIPS_PROVIDER would be
> more fitting than FIPS_MODE?
> 
> 
>      #ifdef OSSL_FIPS_PROVIDER
>          ...
>      #endif
> 
> 
> Matthias
> 
> 
> P.S: Even though it is an internal define, it should have an OSSL_ prefix IMHO.
> P.P.S: Optionally, one could also #define an OSSL_DEFAULT_PROVIDER, OSSL_LEGACY_PROVIDER, ...
> 
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]



