On Fri, Mar 06, 2015, Steve Schefter wrote:

> Hi.
>
> I am compiling OpenSSL with the FIPS options and seeing a build
> error. My question is more about the intent than the problem.
>
> One example: When apps/speed.c is compiled with FIPS enabled,
> OPENSSL_FIPS is defined and DES_set_key_unchecked gets defined to be
> private_DES_set_key_unchecked.
>
> The use of the private_ function means that fips_cipher_abort is not called.
>
> Am I correct that the intent is to allow the OpenSSL-provided apps
> to use the low level APIs (like DES) while user applications linking
> with libcrypto.so can not?
>
> The problem is that the OpenSSL-provided apps also link with that
> library and the private_ functions are not global (they are not in
> openssl.ld). So the OpenSSL-provided apps fail to link. In the
> above example, apps/speed.c can't find
> private_DES_set_key_unchecked().
>
> Or am I not understanding the intent?
>

Which OS and version of OpenSSL are you using?

The intent of the private_ wrappers is to block the accidental use of low
level APIs in applications in FIPS mode. In FIPS mode you can only use EVP:
so if an application did use low level APIs it would not be compliant.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
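
The guard pattern discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL source: a simplified single-file C model of a public low-level entry point that refuses to run in FIPS mode and a private_ worker that skips the check. Every name in it (toy_fips_mode, toy_set_key, private_toy_set_key, TOOL_set_key) is hypothetical, and the guarded call returns -1 where the thread's fips_cipher_abort would stop the program, so the outcome can be checked.

```c
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical stand-ins, not OpenSSL symbols. */
static int toy_fips_mode = 0;                 /* 1 models "FIPS mode is on" */

typedef struct { unsigned char k[8]; } toy_key_schedule;

/* Unguarded worker: performs the key setup with no FIPS check. */
void private_toy_set_key(const unsigned char key[8], toy_key_schedule *ks)
{
    memcpy(ks->k, key, sizeof ks->k);
}

/* Public low-level entry point: the guard runs before the worker.
 * Returns 0 on success, -1 where the modelled guard would abort. */
int toy_set_key(const unsigned char key[8], toy_key_schedule *ks)
{
    if (toy_fips_mode) {
        fprintf(stderr, "low level API call forbidden in FIPS mode\n");
        return -1;
    }
    private_toy_set_key(key, ks);
    return 0;
}

/* An in-tree tool redirects the public name to the private_ worker,
 * so the guard is never reached. In a shared-library build this only
 * links if the private_ symbol is exported from the library. */
#define TOOL_set_key private_toy_set_key

/* Path taken by an ordinary application linking against the library. */
int application_call(int fips)
{
    static const unsigned char key[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    toy_key_schedule ks;
    toy_fips_mode = fips;
    return toy_set_key(key, &ks);
}

/* Path taken by the in-tree tool: bypasses the guard by design. */
int in_tree_tool_call(int fips)
{
    static const unsigned char key[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    toy_key_schedule ks = {{0}};
    toy_fips_mode = fips;
    TOOL_set_key(key, &ks);
    return memcmp(ks.k, key, sizeof ks.k) == 0 ? 0 : -1;
}
```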