On 10/26/2011 9:43 PM, Bill Durant wrote:
Hello,
Has the AES key wrap feature been removed from the nightly OpenSSL in FIPS mode?
I have built a FIPS-capable OpenSSL using the following:
ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111025.tar.gz
ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111025.tar.gz
When I call AES_set_encrypt_key(), while in FIPS mode, I get the following
abort:
.\crypto\aes\aes_misc.c(73): OpenSSL internal error, assertion failed: Low level
API call to cipher AES forbidden in FIPS mode!
I can see that this is intentional per crypto\aes\aes_misc.c:
67 /* FIPS wrapper functions to block low level AES calls in FIPS mode */
68
69 int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
70 AES_KEY *key)
71 {
72 #ifdef OPENSSL_FIPS
73 fips_cipher_abort(AES);
74 #endif
75 return private_AES_set_encrypt_key(userKey, bits, key);
76 }
Note: This looks buggy to me. If fips_cipher_abort() is a function/macro which never returns, then the return line should be in a #else conditional so compilers don't waste memory creating code to actually do the call.
No such abort occurs with a FIPS-capable OpenSSL using the following:
http://openssl.org/source/openssl-0.9.8r.tar.gz
http://openssl.org/source/openssl-fips-1.2.3.tar.gz
Is there an alternate way to do AES key wrap using the nightly OpenSSL in FIPS
mode?
More to the point: Is the FIPS module limited to a subset of the FIPS approved modes of operation?
Can it do the NIST specified (badly designed!) key wrap mode, which unnecessarily helps attackers by including a MAC of the wrapped key?
Can it do traditional modes (ECB, CBC, CFB, OFB)?
Can it do the new FIPS modes (CTR, GCM)?
Can it do the various modes from the modes workshop days (ABC, XCBC, the flawed CBC-MAC etc.)?
Can the key and/or IV be set directly?
Can the key and/or IV be set to the output of an approved RNG?
Can the key and/or IV be set from a decrypted wrapped key?
Can the key and/or IV be set from the output of an approved hash algorithm?
Can the key and/or IV be set from one of the approved DH variants, with all of the parametric variations permitted?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org