In message <20160222185829.ga19...@openssl.org> on Mon, 22 Feb 2016 18:58:29 
+0000, "Dr. Stephen Henson" <st...@openssl.org> said:

steve> On Mon, Feb 22, 2016, Wall, Stephen wrote:
steve> 
steve> > I wonder if I could get the thoughts of some of you developers on how
steve> > difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of
steve> > the current (2.0.11?) fipscanister.o.  Also, opinions on if this would be a
steve> > legitimate way to get FIPS in 1.1.0.
steve> > 
steve> 
steve> Just to add a few thoughts to this.
steve> 
steve> It would be very tricky and rather messy. The 2.0.x module uses various
steve> shortcuts (which were pretty much essential given the time pressure on its
steve> development) such as keeping structure compatible with OpenSSL. For 1.1.0 many
steve> structures have changed considerably and many are opaque so this won't work.
steve> 
steve> Add to that that it isn't just a case of having an external ENGINE. There
steve> needs to be some extensive glue code in OpenSSL itself to (for example) ensure
steve> that the correct implementation is used and to block unapproved APIs and
steve> algorithms.
steve> 
steve> So while I think it is theoretically possible I think handling this as part of
steve> a new validation effort would be the best approach. We could then incorporate
steve> some of the new FIPS 140-2 requirements and add some new algorithms.

This is where I go dreamy eyed with a desire to make all our built-in
algorithms into an engine, loadable like any other engine.  The current
retrofit we do because we want to support having the low level
functions as dispatchers into a loaded engine still gives me the
heebie-jeebies.

With that kind of setup, wouldn't it be incredibly easy to have the
approved FIPS 140-2 engine?

(if this ever happens, it's in the far future, folks)

-- 
Richard Levitte         levi...@openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
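The two design points in this exchange, the built-in algorithms reached through a loadable engine (Richard) and the gate that has to sit inside the library rather than in the ENGINE (Steve), as an added example that is not OpenSSL code and is not part of the original thread. Every name here (DIGEST_METHOD, ENGINE_MODEL, EVP_model_*, FIPS_model_mode_set, ENGINE_model_set_default) is a hypothetical stand-in for the real API, and the two digests are toy stand-ins (FNV-1a 64 and CRC-32) tagged "approved" or "unapproved" purely for illustration:

```c
/* Added example, not OpenSSL code. Models a dispatcher in which the built-in
 * algorithms are just another engine, plus the in-library policy gate an
 * external ENGINE cannot supply on its own. All identifiers are hypothetical;
 * the digests are toy stand-ins, not approved algorithms. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    int fips_approved;   /* hypothetical policy flag carried by the method */
    uint64_t (*digest)(const uint8_t *in, size_t n);
} DIGEST_METHOD;

typedef struct {
    const char *id;
    const DIGEST_METHOD *methods;
    size_t n_methods;
} ENGINE_MODEL;

/* Stand-in "unapproved" digest: FNV-1a, 64-bit. */
static uint64_t fnv1a64(const uint8_t *in, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= in[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Stand-in "approved" digest: CRC-32 (IEEE, reflected, bitwise). */
static uint64_t crc32_ieee(const uint8_t *in, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= in[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return (uint64_t)(c ^ 0xFFFFFFFFu);
}

/* The "built-in" engine: everything the library ships, loaded like any engine. */
static const DIGEST_METHOD builtin_methods[] = {
    { "fnv1a64", 0, fnv1a64 },
    { "crc32",   1, crc32_ieee },
};
const ENGINE_MODEL builtin_engine = { "builtin", builtin_methods, 2 };

/* A separately validated engine that carries only approved methods. */
static const DIGEST_METHOD fips_methods[] = { { "crc32", 1, crc32_ieee } };
const ENGINE_MODEL fips_engine = { "fips-model", fips_methods, 1 };

static const ENGINE_MODEL *default_engine = &builtin_engine;
static int fips_mode = 0;

void ENGINE_model_set_default(const ENGINE_MODEL *e) { default_engine = e; }
void FIPS_model_mode_set(int on) { fips_mode = on; }

/* The glue that must live in the library: the EVP-style lookup applies the
 * policy, so any caller that goes through it cannot reach an unapproved method. */
const DIGEST_METHOD *EVP_model_get_digestbyname(const char *name)
{
    for (size_t i = 0; i < default_engine->n_methods; i++) {
        const DIGEST_METHOD *m = &default_engine->methods[i];
        if (strcmp(m->name, name) != 0)
            continue;
        if (fips_mode && !m->fips_approved)
            return NULL;             /* policy refusal */
        return m;
    }
    return NULL;                     /* not provided by the default engine */
}

/* Returns 1 and sets *out on success, 0 when refused or unavailable. */
int EVP_model_digest(const char *name, const uint8_t *in, size_t n, uint64_t *out)
{
    const DIGEST_METHOD *m = EVP_model_get_digestbyname(name);
    if (m == NULL)
        return 0;
    *out = m->digest(in, n);
    return 1;
}

/* What the gate does NOT cover: a caller linked straight to the low-level
 * function never touches the dispatcher, which is why blocking unapproved
 * APIs needs changes inside the library and not only a new engine. */
uint64_t lowlevel_fnv1a64(const uint8_t *in, size_t n) { return fnv1a64(in, n); }

int main(void)
{
    const uint8_t msg[] = "123456789";   /* constructed input (CRC-32 check string) */
    uint64_t out = 0;
    FIPS_model_mode_set(1);
    printf("fnv1a64 via EVP in FIPS mode: %s\n",
           EVP_model_digest("fnv1a64", msg, 9, &out) ? "allowed" : "refused");
    printf("crc32 via EVP in FIPS mode: %s %08llx\n",
           EVP_model_digest("crc32", msg, 9, &out) ? "allowed" : "refused",
           (unsigned long long)out);
    printf("fnv1a64 via low-level call: %016llx (gate bypassed)\n",
           (unsigned long long)lowlevel_fnv1a64(msg, 9));
    return 0;
}
```

With the built-in engine selected and FIPS mode on, the dispatcher refuses the unapproved method while the same algorithm remains reachable through the low-level entry point; swapping in the validated engine removes the unapproved method from the dispatch table altogether, but still does nothing about direct low-level calls.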
