[openssl-users] FIPS methods and symlinks

Tom Francis thomas.francis.jr at pobox.com
Wed Feb 25 03:26:18 UTC 2015

> On Feb 24, 2015, at 9:42 PM, jonetsu at teksavvy.com wrote:
> On Tue, 24 Feb 2015 16:16:17 +0000
> "Dr. Stephen Henson" <steve at openssl.org> wrote:
>> On Tue, Feb 24, 2015, jonetsu wrote:
>>> Hello,
>>>   To grasp how FIPS methods are called, and following one method
>>> as an example, HMAC_Update() in hmac.c, we can see that if FIPS
>>> mode is active then FIPS_hmac_update() will be called.  This is
>>> fine although searching the sources for the physical definiton of
>>> FIPS_hmac_update() does not yield any results.  How does the
>>> symbolic links function, what ends up being executed in this case
>>> and through which path ?
>> Function names get changed through fips/fipssyms.h in the FIPS module
>> source.
> Yes, for instance there is:
> #define HMAC_Update FIPS_hmac_update
> My question is about not having found FIPS_hmac_update.  If it is
> called, then where is it ?  May sound like a simple question, although
> grep did not return any actual method.  

You’ll find it in the FIPS Object Module.  But in the source for the FIPS Object Module, it’s called HMAC_Update.  You just need to read the table backwards.  If you want to understand why, think about it a moment.  The module is mostly just a specific, tested, version of OpenSSL’s libcrypto (with extra fluff added, and some stuff removed*).  It was pretty simple** to just keep the source identical (with appropriate #ifdef to control adding in the fluff and removing other things), and then rename all the symbols in the result to avoid duplicate symbols.  It may make it a little harder to follow after the fact, but it’s really not that hard — HMAC_Update() in your FIPS-capable libcrypto will invoke the renamed HMAC_Update() in the FIPS Object Module when operating in FIPS mode.

Steve Marquess: Is the document (which IIRC, you published back before the first validation) on how/why the FIPS Object Module was coded still available somewhere?  If so, that’d probably be a good starting point for people who post questions like this.  It’s certainly not something that’s easy to figure out if one doesn’t already have an idea of what’s going on. :)


* That’s probably not the best way to put it, it’s certainly not precise. :)
** Says a guy who in no way contributed to that effort. :)

> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list