Fips provider and non-Fips context

Dr Paul Dale pauli at openssl.org
Wed Apr 19 01:21:24 UTC 2023


That is a question for a FIPS lab to answer.  I don't know.

Pauli

On 19/4/23 10:46, Afshin Pir wrote:
>
> Thanks for the quick reply.
>
> As a side question, I just don’t understand how the FIPS 140-2 key 
> entry requirements are handled in the OpenSSL v3.0 provider. I thought 
> when you want to import a key into a FIPS 140-2 compliant module, you 
> need to use a secure channel. But when we call EVP_EncryptInit, we 
> pass the key as plain. How does this not conflict with FIPS 140-2?
>
> Best Regards
>
> *From:* openssl-users <openssl-users-bounces at openssl.org> *On Behalf Of* Dr Paul Dale
> *Sent:* Monday, 17 April 2023 12:16 pm
> *To:* openssl-users at openssl.org
> *Subject:* Re: Fips provider and non-Fips context
>
> The FIPS provider looks up any required algorithms /internally/, so it 
> won't find provider A's implementation.
>
> This was a deliberate decision to guarantee FIPS compliance and to 
> avoid the intricacies of the mandated secure channel when data crosses 
> FIPS boundaries.
>
>
> Pauli
>
> On 17/4/23 10:06, Afshin Pir wrote:
>
>     Hi,
>
>     Is it allowed to use a non-fips provider algorithm as the internal
>     algorithm of a fips provider algorithm? For example, let’s say that
>     I want to use the FIPS version of CMAC like this:
>
>     EVP_MAC *mac = EVP_MAC_fetch(libctx, "CMAC", "fips=yes");
>
>     and libctx has already loaded provider fips and provider A. Now if
>     I want to init it, I use code like this:
>
>     char ciphername[] = "HW-AES-128-CBC";
>     char propname[] = "?provider=A";
>     OSSL_PARAM params[3];
>
>     params[0] = OSSL_PARAM_construct_utf8_string("cipher", ciphername, 0);
>     params[1] = OSSL_PARAM_construct_utf8_string("properties", propname, 0);
>     params[2] = OSSL_PARAM_construct_end();
>
>     EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(mac);
>     int res = EVP_MAC_init(ctx, (const unsigned char *)key, strlen(key), params);
>
>     Now should EVP_MAC_init() succeed here or not for the fips provider
>     algorithm? Because it seems that I cannot use provider A with the fips
>     provider while I can with the default provider.
>
>     Best Regards,
>
>     Afshin