On Fri, Apr 20, 2012, Roumen Petrov wrote:

> Dr. Stephen Henson wrote:
> >On Wed, Apr 18, 2012, Erik Tkal wrote:
> >
> >>Any takers?  Should I be able to build a FIPS-capable OpenSSL and have some 
> >>of the implementation be provided via an ENGINE (e.g. let's say I have a 
> >>hardware module to perform AES) but some by the OpenSSL FIPS canister?  Or 
> >>is it truly all or nothing?
> >>
> >Yes the FIPS capable OpenSSL should behave in a manner similar to non-FIPS
> >capable OpenSSL when not in FIPS mode, though it currently uses the algorithm
> >implementations in the FIPS module even when not in FIPS mode.
> >
> >I'll look into it.
> OpenSSL tests start to fail after "only call FIPS_cipherinit in FIPS
> mode" - 1.0.{1|2}_stable fips build:
> ....
> aes-128-cbc
> Error setting cipher AES-128-CBC
> Error setting cipher AES-128-CBC
> cmp: EOF on ./p.aes-128-cbc.clear
> ....
> 

Ooops! This should fix it:

http://cvs.openssl.org/chngview?cn=22456

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
