<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
The FIPS provider looks up any required algorithms <i>internally</i>,
so it won't find provider A's implementation.<br>
<br>
This was a deliberate decision to guarantee FIPS compliance and to
avoid the intricacies of the mandated secure channel when data
crosses FIPS boundaries.<br>
<br>
<br>
Pauli<br>
<br>
<div class="moz-cite-prefix">On 17/4/23 10:06, Afshin Pir wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SY2PR01MB2778B46BEAA30D6BA03BD8DE949C9@SY2PR01MB2778.ausprd01.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hi,</p>
<p class="MsoNormal">Is it allowed to use a non-FIPS provider
algorithm as a FIPS provider algorithm's internal algorithm? For
example, let’s say that I want to use the FIPS version of CMAC
like this:</p>
<pre>/* fetch a CMAC implementation that carries the fips=yes property */
EVP_MAC *mac = EVP_MAC_fetch(libctx, "CMAC", "fips=yes");</pre>
<p class="MsoNormal">and libctx has already loaded provider fips
and provider A. Now if I want to init it, I use code like
this:</p>
<pre>/* ask CMAC to use provider A's cipher as its underlying block cipher */
char ciphername[] = "HW-AES-128-CBC";
char propname[] = "?provider=A";
OSSL_PARAM params[3];
params[0] = OSSL_PARAM_construct_utf8_string("cipher", ciphername, 0);
params[1] = OSSL_PARAM_construct_utf8_string("properties", propname, 0);
params[2] = OSSL_PARAM_construct_end();

EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(mac);
int res = EVP_MAC_init(ctx, (const unsigned char *)key, strlen(key), params);</pre>
<p class="MsoNormal">Now should EVP_MAC_init() succeed here or
not for the FIPS provider algorithm? Because it seems that I
cannot use provider A with the FIPS provider while I can with the
default provider.</p>
<p class="MsoNormal">Best Regards,</p>
<p class="MsoNormal">Afshin</p>
</div>
</blockquote>
<br>
</body>
</html>