On Fri, Apr 20, 2012, Roumen Petrov wrote:

> Dr. Stephen Henson wrote:
> >On Wed, Apr 18, 2012, Erik Tkal wrote:
> >
> >>Any takers? Should I be able to build a FIPS-capable OpenSSL and have some
> >>of the implementation be provided via an ENGINE (e.g. let's say I have a
> >>hardware module to perform AES) but some by the OpenSSL FIPS canister? Or
> >>is it truly all or nothing?
> >>
> >Yes the FIPS capable OpenSSL should behave in a manner similar to non-FIPS
> >capable OpenSSL when not in FIPS mode, though it currently uses the algorithm
> >implementations in the FIPS module even when not in FIPS mode.
> >
> >I'll look into it.
> OpenSSL tests start to fail after "only call FIPS_cipherinit in FIPS
> mode" - 1.0.{1|2}_stable fips build:
> ....
> aes-128-cbc
> Error setting cipher AES-128-CBC
> Error setting cipher AES-128-CBC
> cmp: EOF on ./p.aes-128-cbc.clear
> ....
>

Ooops! This should fix it:

http://cvs.openssl.org/chngview?cn=22456

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org