<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
That is a question for a FIPS lab to answer. I don't know.<br>
<br>
Pauli<br>
<br>
<div class="moz-cite-prefix">On 19/4/23 10:46, Afshin Pir wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SY2PR01MB2778D2E75BEF773F09F968DB94629@SY2PR01MB2778.ausprd01.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style>
<div class="WordSection1">
<p class="MsoNormal">Thanks for quick reply.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As a side question, I just don’t understand
how the FIPS 140-2 key entry requirements are handled in
OpenSSL v3.0 provider. I thought when you want to import a key
into a FIPS 140-2 compliant module, you need to use a secure
channel. But when we call EVP_EncryptInit, we pass key as
plain. How does this not conflict FIPS 140-2?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="mso-fareast-language:EN-NZ" lang="EN-US">From:</span></b><span
style="mso-fareast-language:EN-NZ" lang="EN-US">
openssl-users <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org"><openssl-users-bounces@openssl.org></a>
<b>On Behalf Of </b>Dr Paul Dale<br>
<b>Sent:</b> Monday, 17 April 2023 12:16 pm<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject:</b> Re: Fips provider and non-Fips context<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">The FIPS
provider looks up any required algorithms
<i>internally</i>, so it won't find provider A's
implementation.<br>
<br>
This was a deliberate decision to guarantee FIPS compliance
and to avoid the intricacies of the mandated secure channel
when data crosses FIPS boundaries.<br>
<br>
<br>
Pauli<span style="mso-fareast-language:EN-NZ"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 17/4/23 10:06, Afshin Pir wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Is it allowed to use a non-fips provider
algorithm as fips algorithm provider internal algorithm? For
example, let’s say that I want to use Fips version of CMAC
like this:<o:p></o:p></p>
<p class="MsoNormal">EVP_MAC *mac = EVP_MAC_fetch(libctx,
"CMAC", "fips=yes");<o:p></o:p></p>
<p class="MsoNormal">and libctx has already loaded provider
fips and provider A. Now if I want to init it, I use a code
like this:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">char ciphername[] = "HW-AES-128-CBC";<o:p></o:p></p>
<p class="MsoNormal">char propname[] ="?provider=A";<o:p></o:p></p>
<p class="MsoNormal">OSSL_PARAM params[3];<o:p></o:p></p>
<p class="MsoNormal">params[0] =
OSSL_PARAM_construct_utf8_string("cipher", ciphername, 0);<o:p></o:p></p>
<p class="MsoNormal">params[1] =
OSSL_PARAM_construct_utf8_string("properties", propname, 0);<o:p></o:p></p>
<p class="MsoNormal">params[2] = OSSL_PARAM_construct_end();<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(mac);<o:p></o:p></p>
<p class="MsoNormal">Int res = EVP_MAC_init(ctx, (const
unsigned char *)key, strlen(key), params);<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Now should EVP_MAC_init() succeed here or
not for fips provider algorithm? Because it seems that I
cannot use provider A with fips provider while I can with
default provider.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Best Regards,<o:p></o:p></p>
<p class="MsoNormal">Afshin<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span style="mso-fareast-language:EN-NZ">
<hr width="100%" size="2" align="center">
</span></div>
<p class="MsoNormal"><span style="mso-fareast-language:EN-NZ">This
email is confidential and may contain information subject
to legal privilege. If you are not the intended recipient
please advise us of our error by return e-mail then delete
this email and any attached files. You may not copy,
disclose or use the contents in any way. The views
expressed in this email may not be those of Gallagher
Group Ltd or subsidiary companies thereof.
<o:p></o:p></span></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span style="mso-fareast-language:EN-NZ">
<hr width="100%" size="2" align="center">
</span></div>
</blockquote>
<p class="MsoNormal"><span style="mso-fareast-language:EN-NZ"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>