In https://www.openssl.org/docs/man3.0/man7/fips_module.html it says: "If no property query is specified, or more than one implementation matches the property query then it is undefined which implementation of a particular algorithm will be returned."

This sounds like there may be different implementations for the same algorithm.

But I am reading the openssl code and comparing fips vs. default, and it seems they are from the same code (implementation).

fipsprov.c has this:

```c
static const OSSL_ALGORITHM fips_digests[] = {
    /* Our primary name:NIST name[:our older names] */
    { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
    { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
    { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
    /* ... remaining entries not quoted here ... */
};
```

defltprov.c has the same thing:

```c
static const OSSL_ALGORITHM deflt_digests[] = {
    /* Our primary name:NIST name[:our older names] */
    { PROV_NAMES_SHA1, "provider=default", ossl_sha1_functions },
    { PROV_NAMES_SHA2_224, "provider=default", ossl_sha224_functions },
    { PROV_NAMES_SHA2_256, "provider=default", ossl_sha256_functions },
    /* ... remaining entries not quoted here ... */
};
```

The default provider and fips provider are using the same implementation. (Yeah, I thought the same algorithm might have different implementations for fips and for default under the providers\fips folder, but no.)

Could I understand it as: the fips provider only limits to FIPS-approved algorithms and does FIPS tests, and it shares the same implementation as the default provider?

ben956

1 Answer

The source code of the various algorithms is shared between the fips and default providers. The code is actually compiled twice - once for inclusion in libcrypto and once for inclusion in fips.so/fips.dll (the FIPS provider module). The resulting object files may not be the same between the fips and default providers. There are numerous differences in functionality: if you search the OpenSSL source you will see many instances of conditional compilation based on the FIPS_MODULE define (which is defined when compiling the source for inclusion in fips.so but not when compiling for the default provider).

The differences are primarily to enforce FIPS rules that do not apply to the default provider. Obviously the default provider also includes many more algorithms than the set available in the FIPS provider.

Matt Caswell
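To make the two points above concrete (the man page's "undefined which implementation" statement from the question, and the answer's "same source, compiled twice" explanation), here is an added toy model, not OpenSSL code. It merges the SHA256 rows from both tables quoted in the question into one lookup table, the way libcrypto sees both providers once both are loaded, and implements a deliberately simplified property-query match (exact `key=value` tokens only; OpenSSL's real matcher also handles `!=`, optional `?key` terms and ranking by match count, none of which is modelled here). The `struct algo` type, the `fetch()` function and the `impl` strings are hypothetical stand-ins; `FIPS_DEFAULT_PROPERTIES` is assumed to expand to `"provider=fips,fips=yes"`, and `MD5` is listed only in the default build to show a query that matches nothing.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an OSSL_ALGORITHM table row (not OpenSSL's struct). */
struct algo {
    const char *name;  /* algorithm name, e.g. "SHA256" */
    const char *props; /* property definition string from the provider's table */
    const char *impl;  /* stand-in for the function-table pointer of that build */
};

/* Constructed table: the same ossl_sha256_functions source appears twice,
 * once from the libcrypto build (default provider) and once from the
 * fips.so build (FIPS_MODULE defined). FIPS_DEFAULT_PROPERTIES is assumed
 * to be "provider=fips,fips=yes". */
static const struct algo table[] = {
    { "SHA256", "provider=default",       "ossl_sha256_functions (libcrypto build)" },
    { "SHA256", "provider=fips,fips=yes", "ossl_sha256_functions (fips.so build)" },
    { "MD5",    "provider=default",       "ossl_md5_functions (libcrypto build)" },
};

/* True if the comma-separated definition `def` contains the exact token kv[0..kvlen). */
static int has_pair(const char *def, const char *kv, size_t kvlen) {
    const char *p = def;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == kvlen && strncmp(p, kv, len) == 0)
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* Simplified matcher: every key=value token in `query` must appear in `def`.
 * An empty or NULL query matches every definition. */
static int query_matches(const char *query, const char *def) {
    if (query == NULL || *query == '\0')
        return 1;
    const char *p = query;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (!has_pair(def, p, len))
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Toy fetch: returns the first matching implementation for `name` (NULL if none)
 * and sets *ambiguous when more than one row matched, i.e. the case the man page
 * calls "undefined which implementation ... will be returned". */
const char *fetch(const char *name, const char *query, int *ambiguous) {
    const char *found = NULL;
    int matches = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].name, name) == 0 && query_matches(query, table[i].props)) {
            if (found == NULL)
                found = table[i].impl;
            matches++;
        }
    }
    if (ambiguous != NULL)
        *ambiguous = matches > 1;
    return found;
}

int main(void) {
    int amb;
    const char *impl;

    impl = fetch("SHA256", NULL, &amb);        /* no query: two rows match */
    printf("SHA256, no query  : %s (ambiguous=%d)\n", impl, amb);
    impl = fetch("SHA256", "fips=yes", &amb);  /* only the fips.so row matches */
    printf("SHA256, fips=yes  : %s (ambiguous=%d)\n", impl, amb);
    impl = fetch("MD5", "fips=yes", &amb);     /* MD5 is not in the FIPS table */
    printf("MD5, fips=yes     : %s\n", impl ? impl : "(no implementation)");
    return 0;
}
```

The point the table makes is that "same source file" and "same implementation" are different things: both SHA256 rows point at code built from the same `.c` file, but they are two separate object files with different property definitions, and only the property query decides which one a caller gets. Querying `fips=yes` also shows why the FIPS provider "limits" the algorithm set: an algorithm that was never compiled into fips.so simply has no row to match.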