Topic: Restricting wolfengine to FIPS supported algorithms

Hi,

We have successfully built wolfengine with FIPS, i.e. "--enable-fips=v2", and debug, i.e. "--enable-debug", support on a Linux machine. The OpenSSL configuration file has been updated to use wolfengine.

OpenSSL is using wolfengine by default. However, wolfengine is not blocking unsupported FIPS algorithms, and it is still possible to use non-FIPS-supported algorithms, as shown below. Do we need to configure some parameter to enable FIPS for wolfengine?

=========================================
Output of "openssl dgst -md4  test.txt" Command
==========================================   

wolfEngine Leaving wolfengine_ctrl, return 1
wolfEngine Entering we_ciphers
wolfEngine Leaving we_ciphers, return 18
wolfEngine Entering we_digests
wolfEngine Leaving we_digests, return 6
wolfEngine Entering we_pkey
Returning 11 supported public key NIDs
wolfEngine Leaving we_pkey, return 11
MD4(test.txt)= 9a2a5dcb1fb54b8a97bd3c4d73a111e4 <========================
wolfEngine Entering we_pkey
Returning 11 supported public key NIDs
wolfEngine Leaving we_pkey, return 11
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering wolfengine_destroy
wolfEngine Entering we_final_random
wolfEngine Leaving we_final_random, return 1
wolfEngine Leaving wolfengine_destroy, return 1

===================================================
Output of "openssl des -in test.txt -out encrypted.txt" Command
===================================================

wolfEngine Leaving wolfengine_ctrl, return 1
wolfEngine Entering we_ciphers
wolfEngine Leaving we_ciphers, return 18
wolfEngine Entering we_digests
wolfEngine Leaving we_digests, return 6
wolfEngine Entering we_pkey
Returning 11 supported public key NIDs
wolfEngine Leaving we_pkey, return 11
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:
wolfEngine Entering we_rand_bytes
wolfEngine Entering we_rand_add_weak_entropy
wolfEngine Entering we_rand_mix_seed
wolfEngine Leaving we_rand_mix_seed, return 1
wolfEngine Leaving we_rand_add_weak_entropy, return 1
wolfEngine Leaving we_rand_bytes, return 1
wolfEngine Entering we_pkey
Returning 11 supported public key NIDs
wolfEngine Leaving we_pkey, return 11
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering we_pkey
wolfEngine Leaving we_pkey, return 1
wolfEngine Entering wolfengine_destroy
wolfEngine Entering we_final_random
wolfEngine Leaving we_final_random, return 1
wolfEngine Leaving wolfengine_destroy, return 1



Thanks,


Re: Restricting wolfengine to FIPS supported algorithms

Hello m_u_h

It is the responsibility of the application making a claim to be using FIPS validated cryptography to only use FIPS validated cryptography.

Please submit a support ticket by emailing support@wolfssl.com for further clarification.

Kind regards,
Eric, wolfSSL Support
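
An added example, not part of the thread and not wolfSSL code: one way an application that shells out to the "openssl" CLI could take on the responsibility described in the reply above, by refusing command lines like the two in the question before OpenSSL runs. The function names, the option lists and both allowlists are assumptions made for illustration; the real allowlist comes from the security policy of the validated module in use.

```shell
# Added example (not wolfSSL code). ASSUMPTION: both allowlists are illustrative;
# take the real ones from the security policy of the validated module you deploy.
APPROVED_DIGESTS="sha224 sha256 sha384 sha512"
APPROVED_CIPHERS="aes-128-cbc aes-192-cbc aes-256-cbc aes-128-ctr aes-192-ctr aes-256-ctr"
# Non-algorithm options the gate lets through; any other "-flag" is refused.
DGST_OPTS="hex binary r c out"
ENC_OPTS="in out e d a k pass pbkdf2 iter salt nosalt K iv"

# in_list WORD "a b c": succeed if WORD is one of the space-separated items.
in_list() {
    for _i in $2; do
        if [ "$1" = "$_i" ]; then return 0; fi
    done
    return 1
}

# scan ALGS OPTS FOUND ARGS...: every "-flag" must be an approved algorithm or
# a known option; succeed only if an approved algorithm ends up selected.
scan() {
    algs=$1; opts=$2; found=$3; shift 3
    for arg in "$@"; do
        case "$arg" in
            -*) name=${arg#-}
                if in_list "$name" "$algs"; then found=1
                elif ! in_list "$name" "$opts"; then return 1
                fi ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# fips_check SUBCOMMAND ARGS...: gate for the "dgst", "enc" and "<cipher>" forms.
# Anything else, including "dgst" with no digest flag, is refused by default.
fips_check() {
    [ $# -gt 0 ] || return 1
    sub=$1; shift
    case "$sub" in
        dgst) scan "$APPROVED_DIGESTS" "$DGST_OPTS" 0 "$@" ;;
        enc)  scan "$APPROVED_CIPHERS" "$ENC_OPTS" 0 "$@" ;;
        *)    in_list "$sub" "$APPROVED_CIPHERS" &&
              scan "$APPROVED_CIPHERS" "$ENC_OPTS" 1 "$@" ;;
    esac
}

# fips_openssl ARGS...: run openssl only when the gate accepts the command line.
fips_openssl() {
    if fips_check "$@"; then openssl "$@"; return; fi
    echo "refused, algorithm not on the allowlist: openssl $*" >&2; return 1
}
```

The gate only checks which algorithm a command line names; it says nothing about whether the module that ends up executing the operation is the validated one.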

Re: Restricting wolfengine to FIPS supported algorithms

Hi Eric,

Thanks for the clarification. We will send a support ticket to "support@wolfssl.com" for further clarification.

Best Regards,
