Topic: wolfEngine configuration options
Hi,
It is possible to enable wolfEngine FIPS checks by setting "enable_fips_checks" to 1. What is effect of enabling FIPS check ?
Thanks,
You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → wolfCrypt → wolfEngine configuration options
Hi,
It is possible to enable wolfEngine FIPS checks by setting "enable_fips_checks" to 1. What is effect of enabling FIPS check ?
Thanks,
Hi m_u_h,
wolfEngine FIPS checks only have an effect when using a FIPS validated (or FIPS Ready) version of wolfSSL/wolfCrypt under wolfEngine.
These "FIPS checks" are checks inside wolfEngine to help make sure the caller doesn't use non-FIPS modes or key lengths of some algorithms, including:
- Check that RSA key sizes are valid. For wolfCrypt FIPS, 1024-bit RSA keys can only be used for verification, not generation or signing.
- Check that RSA signatures with SHA-1 digests are valid. For wolfCrypt FIPS, SHA-1 isn't allowed for signing, only for verifying.
- Check that ECC P-192 usage is valid. For wolfCrypt FIPS, ECC P-192 isn't allowed for ECDH, key generation, or signing. Only allowed for signature verification.
By default, if using a FIPS validated version of wolfCrypt these checks are on by default. The "enable_fips_checks" control command lets users override the default of all being enabled, and can pass a bitmask of available options from "include/wolfengine/we_fips.h".
Are you using a FIPS validated version of wolfCrypt with wolfEngine?
Thanks,
Chris
Hi Chris,
Thanks for your detailed reply. Yes, we are using FIPS validated version of wolfCrypt with wolfEngine. Does that mean that we don't have to set this option in configuration file ?
Best Regards,
Hi m_u_h,
Yes, that is correct. If you are using wolfCrypt FIPS, wolfEngine will by default use all three checks listed above. You would only need to override "enable_fips_checks" if you wanted to use a subset of the default options.
Keep in mind that these FIPS checks only apply to the scenarios listed above. Applications consuming OpenSSL with wolfEngine and wolfCrypt FIPS still need to be cautious not to call/use non-FIPS validated cryptography if trying to remain FIPS compliant. If an application calls an algorithm that is unsupported by wolfCrypt FIPS (thus unsupported in FIPS mode), OpenSSL may re-route that algorithm to the underlying non-FIPS validated OpenSSL cryptography.
Best Regards,
Chris
wolfSSL - Embedded SSL Library → wolfCrypt → wolfEngine configuration options
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.019 seconds (94% PHP - 6% DB) with 10 queries