[openssl-users] FIPS_drbg_*() are not exported from FIPS capable libeay32.dll on Windows (OpenSSL 1.0.2x and 1.0.1x)

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Wed Aug 26 15:14:22 UTC 2015


Dear Mr. Henson,

I noticed that for OpenSSL 1.0.2x and 1.0.1x on Windows the FIPS capable libeay32.dll
does not export any of the FIPS_drbg_*() functions, although they are officially
documented by the OpenSSL FIPS 2.0 User Guide.

Is this an oversight or was this done on purpose? (IOW, is it a bug or a feature? ;-)

I checked the git repository and found out that the symbols are listed in util/libeay.num
on the master branch but are missing on the OpenSSL_1_0_2-stable and OpenSSL_1_0_1-stable
branches (see [1]).

In fact, the entire log of the OpenSSL_1_0_{1,2}-stable branches shows no indication that these
symbols were ever added to or removed from libeay.num (see [2]).

This is strange, because the symbols were initially added by you in the following commit,
where you state that symbol ordinals are in sync with the 1.0.1 stable branch.

    commit 7bd4095b127f7376bafd9010c45673c7d354fe81
    Author: Dr. Stephen Henson <steve at openssl.org>
    Date:   Sun Oct 9 15:29:43 2011 +0000
    
        Sync ordinals with 1.0.1-stable.


It would be nice if you could be so kind as to shed some light on this to clear up my confusion.

Best regards,
MSP



[1] ~/src/openssl$ git checkout master
    Switched to branch 'master'
    Your branch is up-to-date with 'origin/master'.
	
    ~/src/openssl$ grep FIPS_drbg_ util/libeay.num 
    FIPS_drbg_set_check_interval            4808	NOEXIST::FUNCTION:
    FIPS_drbg_set_callbacks                 4811	NOEXIST::FUNCTION:
    FIPS_drbg_free                          4812	NOEXIST::FUNCTION:
    FIPS_drbg_get_strength                  4813	NOEXIST::FUNCTION:
    FIPS_drbg_set_reseed_interval           4814	NOEXIST::FUNCTION:
    (...)

    ~/src/openssl$ git checkout OpenSSL_1_0_2-stable 
    Switched to branch 'OpenSSL_1_0_2-stable'
    Your branch is up-to-date with 'origin/OpenSSL_1_0_2-stable'.
	
    ~/src/openssl$ grep FIPS_drbg_ util/libeay.num
    <no output>


[2] ~/src/openssl$ git log -p OpenSSL_1_0_2-stable -- util/libeay.num | grep FIPS_drbg_
    <no output>

    ~/src/openssl$ git log -p OpenSSL_1_0_1-stable -- util/libeay.num | grep FIPS_drbg_
    <no output>

    msp at msppc:~/src/openssl$ git log -p master -- util/libeay.num | grep FIPS_drbg_ 
     FIPS_drbg_set_check_interval            4808	NOEXIST::FUNCTION:
     FIPS_drbg_get_app_data                  4870	NOEXIST::FUNCTION:
     FIPS_drbg_get_app_data                  4870	NOEXIST::FUNCTION:
     FIPS_drbg_set_check_interval            4808	NOEXIST::FUNCTION:
    -FIPS_drbg_set_check_interval            4685	EXIST:OPENSSL_FIPS:FUNCTION:
    -FIPS_drbg_set_rand_callbacks            4687	EXIST:OPENSSL_FIPS:FUNCTION:
    <more output ...>
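
The branch comparison described in the message, as an added example that is not part of the original post and not OpenSSL's own tooling: it lists the entries of a `libeay.num` copy by prefix together with their EXIST/NOEXIST field, and reports symbols listed in one copy but absent from another. The function names, the file names `a.num` and `b.num`, and the sample contents are constructed for illustration; the field layout is assumed from the lines quoted above.

```shell
#!/bin/sh
# Added example. Field layout assumed from the lines quoted in the message:
#   <symbol> <ordinal> <EXIST|NOEXIST>:<condition>:<kind>:

# num_entries FILE PREFIX -> "symbol ordinal state condition" for each match
num_entries() {
    awk -v p="$2" '
        index($1, p) == 1 {
            split($3, f, ":")
            cond = (f[2] == "") ? "-" : f[2]   # "-" when no condition is given
            print $1, $2, f[1], cond
        }' "$1"
}

# num_missing BASE OTHER PREFIX -> symbols listed in BASE but absent from OTHER
num_missing() {
    awk -v p="$3" '
        index($1, p) != 1   { next }
        FILENAME == ARGV[1] { seen[$1] = 1; next }   # first file read is OTHER
        !($1 in seen) && !done[$1]++ { print $1 }' "$2" "$1"
}

# Constructed sample data: a.num mixes lines quoted in the message,
# b.num stands for a copy with no FIPS_drbg_ entries at all.
make_samples() {
    cat > "$1/a.num" <<'EOF'
SSLeay                                  1 EXIST::FUNCTION:
FIPS_drbg_set_rand_callbacks            4687 EXIST:OPENSSL_FIPS:FUNCTION:
FIPS_drbg_set_check_interval            4808 NOEXIST::FUNCTION:
FIPS_drbg_set_callbacks                 4811 NOEXIST::FUNCTION:
FIPS_drbg_free                          4812 NOEXIST::FUNCTION:
FIPS_drbg_get_strength                  4813 NOEXIST::FUNCTION:
FIPS_drbg_set_reseed_interval           4814 NOEXIST::FUNCTION:
EOF
    printf 'SSLeay 1 EXIST::FUNCTION:\n' > "$1/b.num"
}

# Stand-alone run on the constructed samples
d=$(mktemp -d) && make_samples "$d"
echo "entries in a.num:";            num_entries "$d/a.num" FIPS_drbg_
echo "in a.num but not in b.num:";   num_missing "$d/a.num" "$d/b.num" FIPS_drbg_
rm -rf "$d"
```

Against a real checkout, the two inputs can be produced with `git show <branch>:util/libeay.num > file`, so the branches are compared without switching the working tree.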

