Dr. Stephen Henson wrote:
> On Wed, Apr 18, 2012, Erik Tkal wrote:
>> Any takers? Should I be able to build a FIPS-capable OpenSSL and have some of
>> the implementation be provided via an ENGINE (e.g. let's say I have a hardware
>> module to perform AES) but some by the OpenSSL FIPS canister? Or is it truly
>> all or nothing?
> Yes the FIPS capable OpenSSL should behave in a manner similar to non-FIPS
> capable OpenSSL when not in FIPS mode, though it currently uses the algorithm
> implementations in the FIPS module even when not in FIPS mode.
> I'll look into it.
OpenSSL tests start to fail after "only call FIPS_cipherinit in FIPS
mode" - 1.0.{1|2}_stable fips build:
....
aes-128-cbc
Error setting cipher AES-128-CBC
Error setting cipher AES-128-CBC
cmp: EOF on ./p.aes-128-cbc.clear
....
> Steve.
--
Roumen
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org