I'm just saying that there are options to allow this and it just doesn't seem 
to work.


#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW  0x0008  /* Allow use of non FIPS digest
                                                 * in FIPS mode */

/* Allow non FIPS cipher in FIPS mode */
#define         EVP_CIPH_FLAG_NON_FIPS_ALLOW    0x8000


Obviously the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag handling works, since the 
SSL/TLS processing uses this to allow MD5 during the handshake.

  Erik



-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of Thor Lancelot Simon
Sent: Friday, February 10, 2012 10:08 AM
To: openssl-dev@openssl.org
Subject: Re: FIPS Module 2.0 -- using non-FIPS ciphers

On Fri, Feb 10, 2012 at 10:01:43AM -0500, Erik Tkal wrote:
> Yes, I understand all that; we currently have our own certified FIPS module 
> that I wired into OpenSSL via the engine APIs.  Assuming that the module 
> boundary is the code in the FIPS canister, I want that module to perform all 
> FIPS-compliant operations, but still need the "outer" OpenSSL to perform 
> other operations.

Personally, I think if they're in the same address space (or, at least,
namespace) this is dubious.  But you probably have people advising you
(or available to advise you) who know a lot better than I do!

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org