Re: [openssl-users] FIPS methods and symlinks
On 02/24/2015 10:26 PM, Tom Francis wrote:
> ...
> Steve Marquess: Is the document (which IIRC, you published back before the first validation) on how/why the FIPS Object Module was coded still available somewhere? If so, that’d probably be a good starting point for people who post questions like this. It’s certainly not something that’s easy to figure out if one doesn’t already have an idea of what’s going on. :)

Hmmm ... that's a long time ago (over a dozen years) and TBH I have no memory of that document. If you can recall a file name or some distinctive content I could search for it in our extensive internal archives, but that early history is extensive and convoluted so I doubt I could find it otherwise.

For that first validation it took a lot of false starts to eventually stumble into an approach the CMVP considered acceptable.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] FIPS methods and symlinks
Hello,

To grasp how FIPS methods are called, and following one method as an example, HMAC_Update() in hmac.c, we can see that if FIPS mode is active then FIPS_hmac_update() will be called. This is fine although searching the sources for the physical definition of FIPS_hmac_update() does not yield any results. How do the symbolic links function, what ends up being executed in this case and through which path?

Thanks, regards.

Re: [openssl-users] FIPS methods and symlinks
On Tue, Feb 24, 2015, jonetsu wrote:
> Hello,
>
> To grasp how FIPS methods are called, and following one method as an example, HMAC_Update() in hmac.c, we can see that if FIPS mode is active then FIPS_hmac_update() will be called. This is fine although searching the sources for the physical definition of FIPS_hmac_update() does not yield any results. How do the symbolic links function, what ends up being executed in this case and through which path?

Function names get changed through fips/fipssyms.h in the FIPS module source.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: [openssl-users] FIPS methods and symlinks
On Tue, 24 Feb 2015 16:16:17 + Dr. Stephen Henson st...@openssl.org wrote:
> On Tue, Feb 24, 2015, jonetsu wrote:
>> Hello,
>>
>> To grasp how FIPS methods are called, and following one method as an example, HMAC_Update() in hmac.c, we can see that if FIPS mode is active then FIPS_hmac_update() will be called. This is fine although searching the sources for the physical definition of FIPS_hmac_update() does not yield any results. How do the symbolic links function, what ends up being executed in this case and through which path?
>
> Function names get changed through fips/fipssyms.h in the FIPS module source.

Yes, for instance there is:

    #define HMAC_Update FIPS_hmac_update

My question is about not having found FIPS_hmac_update. If it is called, then where is it? May sound like a simple question, although grep did not return any actual method.

Re: [openssl-users] FIPS methods and symlinks
On Feb 24, 2015, at 9:42 PM, jone...@teksavvy.com wrote:
> On Tue, 24 Feb 2015 16:16:17 + Dr. Stephen Henson st...@openssl.org wrote:
>> On Tue, Feb 24, 2015, jonetsu wrote:
>>> Hello,
>>>
>>> To grasp how FIPS methods are called, and following one method as an example, HMAC_Update() in hmac.c, we can see that if FIPS mode is active then FIPS_hmac_update() will be called. This is fine although searching the sources for the physical definition of FIPS_hmac_update() does not yield any results. How do the symbolic links function, what ends up being executed in this case and through which path?
>>
>> Function names get changed through fips/fipssyms.h in the FIPS module source.
>
> Yes, for instance there is:
>
>     #define HMAC_Update FIPS_hmac_update
>
> My question is about not having found FIPS_hmac_update. If it is called, then where is it? May sound like a simple question, although grep did not return any actual method.

You’ll find it in the FIPS Object Module. But in the source for the FIPS Object Module, it’s called HMAC_Update. You just need to read the table backwards.

If you want to understand why, think about it a moment. The module is mostly just a specific, tested, version of OpenSSL’s libcrypto (with extra fluff added, and some stuff removed*). It was pretty simple** to just keep the source identical (with appropriate #ifdef to control adding in the fluff and removing other things), and then rename all the symbols in the result to avoid duplicate symbols. It may make it a little harder to follow after the fact, but it’s really not that hard — HMAC_Update() in your FIPS-capable libcrypto will invoke the renamed HMAC_Update() in the FIPS Object Module when operating in FIPS mode.

Steve Marquess: Is the document (which IIRC, you published back before the first validation) on how/why the FIPS Object Module was coded still available somewhere? If so, that’d probably be a good starting point for people who post questions like this. It’s certainly not something that’s easy to figure out if one doesn’t already have an idea of what’s going on. :)

TOM

* That’s probably not the best way to put it, it’s certainly not precise. :)
** Says a guy who in no way contributed to that effort. :)
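
The renaming described in the reply above, as an added example that is not part of the thread or of OpenSSL's source: a single-file model in which one #define in the style of fips/fipssyms.h turns a definition written as HMAC_Update into the symbol FIPS_hmac_update, which is why grep finds no definition under that name. TOY_CTX, toy_set_fips_mode and the function bodies are assumptions made for the sketch; only the #define line comes from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy context for this sketch; the real HMAC_CTX is not modelled. */
typedef struct { int served_by_module; size_t bytes; } TOY_CTX;

#define STR_(x) #x
#define STR(x) STR_(x)   /* expands x first, then stringifies it */

/* ---- FIPS Object Module side (simulated in this one file) ---- */
/* The rename line quoted in the thread, in the style of fips/fipssyms.h. */
#define HMAC_Update FIPS_hmac_update

/* The source text says HMAC_Update, which is all grep can see.
 * After preprocessing, the function defined here is FIPS_hmac_update. */
int HMAC_Update(TOY_CTX *ctx, const unsigned char *data, size_t len)
{
    (void)data;
    ctx->served_by_module = 1;
    ctx->bytes += len;
    return 1;
}
const char *const module_symbol = STR(HMAC_Update);

#undef HMAC_Update   /* module source ends; the rename stops applying */

/* ---- FIPS-capable libcrypto side ---- */
const char *const lib_symbol = STR(HMAC_Update);
static int fips_mode;                       /* hypothetical mode flag */
void toy_set_fips_mode(int on) { fips_mode = on; }

int HMAC_Update(TOY_CTX *ctx, const unsigned char *data, size_t len)
{
    if (fips_mode)   /* dispatch into the renamed module function */
        return FIPS_hmac_update(ctx, data, len);
    (void)data;
    ctx->served_by_module = 0;
    ctx->bytes += len;
    return 1;
}

int main(void)
{
    TOY_CTX c = {0, 0};
    toy_set_fips_mode(1);
    HMAC_Update(&c, (const unsigned char *)"abc", 3);
    printf("module name -> %s, libcrypto name -> %s, module served: %d\n",
           module_symbol, lib_symbol, c.served_by_module);
    return 0;
}
```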