On 10/26/2011 9:43 PM, Bill Durant wrote:
Hello,

Has the AES key wrap feature been removed from the nightly OpenSSL in FIPS mode?

I have built a FIPS-capable OpenSSL using the following:

        ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111025.tar.gz

        ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111025.tar.gz

When I call AES_set_encrypt_key(), while in FIPS mode, I get the following 
abort:

.\crypto\aes\aes_misc.c(73): OpenSSL internal error, assertion failed: Low level
  API call to cipher AES forbidden in FIPS mode!

I can see that this is intentional per crypto\aes\aes_misc.c:

  67 /* FIPS wrapper functions to block low level AES calls in FIPS mode */
  68
  69 int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
  70             AES_KEY *key)
  71     {
  72 #ifdef OPENSSL_FIPS
  73     fips_cipher_abort(AES);
  74 #endif
  75     return private_AES_set_encrypt_key(userKey, bits, key);
  76     }

Note: This looks buggy to me. If fips_cipher_abort() is a function/macro
which never returns, then the return line should be in a #else conditional
so compilers don't waste memory creating code to actually do the call.

No such abort occurs with a FIPS-capable OpenSSL using the following:

        http://openssl.org/source/openssl-0.9.8r.tar.gz

        http://openssl.org/source/openssl-fips-1.2.3.tar.gz
        
Is there an alternate way to do AES key wrap using the nightly OpenSSL in FIPS 
mode?
More to the point: Is the FIPS module limited to a subset of the FIPS
approved modes of operation?

Can it do the NIST specified (badly designed!) key wrap mode, which
unnecessarily helps attackers by including a MAC of the wrapped key?

Can it do traditional modes (ECB, CBC, CFB, OFB)?

Can it do the new FIPS modes (CTR, GCM)?

Can it do the various modes from the modes workshop days (ABC, XCBC,
the flawed CBC-MAC etc.)?

Can the key and/or IV be set directly?

Can the key and/or IV be set to the output of an approved RNG?

Can the key and/or IV be set from a decrypted wrapped key?

Can the key and/or IV be set from the output of an approved hash algorithm?

Can the key and/or IV be set from one of the approved DH variants, with all of
the parametric variations permitted?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
