Topic: wolfEngine configuration options

Hi,
 
It is possible to enable wolfEngine FIPS checks by setting "enable_fips_checks" to 1. What is effect of enabling FIPS check ? 


Thanks,

Share

Re: wolfEngine configuration options

Hi m_u_h,

wolfEngine FIPS checks only have an effect when using a FIPS validated (or FIPS Ready) version of wolfSSL/wolfCrypt under wolfEngine.

These "FIPS checks" are checks inside wolfEngine to help make sure the caller doesn't use non-FIPS modes or key lengths of some algorithms, including:

- Check that RSA key sizes are valid. For wolfCrypt FIPS, 1024-bit RSA keys can only be used for verification, not generation or signing.
- Check that RSA signatures with SHA-1 digests are valid. For wolfCrypt FIPS, SHA-1 isn't allowed for signing, only for verifying.
- Check that ECC P-192 usage is valid. For wolfCrypt FIPS, ECC P-192 isn't allowed for ECDH, key generation, or signing. Only allowed for signature verification.

By default, if using a FIPS validated version of wolfCrypt these checks are on by default.  The "enable_fips_checks" control command lets users override the default of all being enabled, and can pass a bitmask of available options from "include/wolfengine/we_fips.h".

Are you using a FIPS validated version of wolfCrypt with wolfEngine?

Thanks,
Chris

Re: wolfEngine configuration options

Hi Chris,

Thanks for your detailed reply. Yes, we are using FIPS validated version of wolfCrypt with wolfEngine. Does that mean that we don't have to set this option in configuration file ?

Best Regards,

Share

Re: wolfEngine configuration options

Hi m_u_h,

Yes, that is correct.  If you are using wolfCrypt FIPS, wolfEngine will by default use all three checks listed above.  You would only need to override "enable_fips_checks" if you wanted to use a subset of the default options.

Keep in mind that these FIPS checks only apply to the scenarios listed above.  Applications consuming OpenSSL with wolfEngine and wolfCrypt FIPS still need to be cautious not to call/use non-FIPS validated cryptography if trying to remain FIPS compliant.  If an application calls an algorithm that is unsupported by wolfCrypt FIPS (thus unsupported in FIPS mode), OpenSSL may re-route that algorithm to the underlying non-FIPS validated OpenSSL cryptography.

Best Regards,
Chris