> On Feb 24, 2015, at 9:42 PM, jone...@teksavvy.com wrote:
>
> On Tue, 24 Feb 2015 16:16:17 +0000
> "Dr. Stephen Henson" <st...@openssl.org> wrote:
>
>> On Tue, Feb 24, 2015, jonetsu wrote:
>>
>>> Hello,
>>>
>>> To grasp how FIPS methods are called, and following one method
>>> as an example, HMAC_Update() in hmac.c, we can see that if FIPS
>>> mode is active then FIPS_hmac_update() will be called. This is
>>> fine although searching the sources for the physical definition of
>>> FIPS_hmac_update() does not yield any results. How do the
>>> symbolic links function, what ends up being executed in this case
>>> and through which path?
>>
>> Function names get changed through fips/fipssyms.h in the FIPS module
>> source.
>
> Yes, for instance there is:
>
> #define HMAC_Update FIPS_hmac_update
>
> My question is about not having found FIPS_hmac_update. If it is
> called, then where is it? May sound like a simple question, although
> grep did not return any actual method.

You’ll find it in the FIPS Object Module. But in the source for the FIPS Object Module, it’s called HMAC_Update. You just need to read the table backwards.

If you want to understand why, think about it a moment. The module is mostly just a specific, tested, version of OpenSSL’s libcrypto (with extra fluff added, and some stuff removed*). It was pretty simple** to just keep the source identical (with appropriate #ifdef to control adding in the fluff and removing other things), and then rename all the symbols in the result to avoid duplicate symbols.

It may make it a little harder to follow after the fact, but it’s really not that hard — HMAC_Update() in your FIPS-capable libcrypto will invoke the renamed HMAC_Update() in the FIPS Object Module when operating in FIPS mode.

Steve Marquess: Is the document (which IIRC, you published back before the first validation) on how/why the FIPS Object Module was coded still available somewhere? If so, that’d probably be a good starting point for people who post questions like this. It’s certainly not something that’s easy to figure out if one doesn’t already have an idea of what’s going on. :)

TOM

* That’s probably not the best way to put it, it’s certainly not precise. :)
** Says a guy who in no way contributed to that effort. :)

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
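
The renaming discussed in this thread, as an added C illustration that is not OpenSSL source and not written by any poster: a function spelled HMAC_Update in the module source is compiled under the name FIPS_hmac_update, and the libcrypto-side HMAC_Update hands off to it in FIPS mode. The signatures, TOY_CTX, toy_fips_mode and toy_run are hypothetical, and one file stands in for what are really two separately built pieces.

```c
/* Added illustration, not OpenSSL source. One file stands in for two
 * separately built pieces; signatures and toy_* names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef struct { size_t bytes; const char *symbol; } TOY_CTX;

/* --- FIPS Object Module side ------------------------------------- */
/* Stand-in for the rename table in fips/fipssyms.h. */
#define HMAC_Update FIPS_hmac_update

/* Written as HMAC_Update in the source; the preprocessor rewrites the
 * name, so the compiled symbol is FIPS_hmac_update and grep finds no
 * definition spelled that way. */
int HMAC_Update(TOY_CTX *ctx, const unsigned char *data, size_t len)
{
    (void)data;
    ctx->bytes += len;
    ctx->symbol = __func__;      /* name after preprocessing */
    return 1;
}
#undef HMAC_Update               /* module build ends here */

/* --- FIPS-capable libcrypto side --------------------------------- */
static int toy_fips_mode;        /* hypothetical mode flag */

int HMAC_Update(TOY_CTX *ctx, const unsigned char *data, size_t len)
{
    if (toy_fips_mode)           /* FIPS mode: hand off to the module */
        return FIPS_hmac_update(ctx, data, len);
    (void)data;
    ctx->bytes += len;
    ctx->symbol = __func__;
    return 1;
}

/* Returns the name of the function that actually processed the data. */
const char *toy_run(int fips_mode)
{
    TOY_CTX ctx = { 0, NULL };
    toy_fips_mode = fips_mode;
    HMAC_Update(&ctx, (const unsigned char *)"abc", 3);
    return ctx.symbol;
}

int main(void)
{
    printf("non-FIPS: %s\nFIPS:     %s\n", toy_run(0), toy_run(1));
    return 0;
}
```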