(Note: Please don't use the Outlook Reply button to start a new thread; it will make Outlook send mail flags (headers) that indicate it is part of the old thread, and some non-MS mail clients will list your messages as part of the old thread)

On 1/25/2013 7:14 PM, Gibbs, Pierce M (IS) (Contr) wrote:
> I implemented HMAC, AES encryption and DSA routines using openssl
> version 1.2.3. I used the EVP_EncryptInit, EVP_EncryptUpdate,
> EVP_EncryptFinal etc routines. I have a requirement to use FIPS
> compliant version of OpenSSL. I recently got OpenSSL 2.0 and cannot
> find the EVP_* routines. Are they supported in FIPS mode? If not,
> any suggestions on what to use instead?

I think you are confusing the OpenSSL library that can be used for FIPS-compliant work (known around here as the "FIPS-capable" build of OpenSSL), currently at version 1.0.1c, with the source code of the FIPS-certified code blob loaded by that library (known around here as the FIPS module), currently at version 2.0.0.

The FIPS module is not intended to be called directly by anything other than the FIPS-capable OpenSSL, and any remnants of the regular OpenSSL library (such as the EVP_ entrypoints) found in the source code for the FIPS module are neither intended for use nor certified by anyone.

This is essentially a box-in-a-box setup (Set Outlook to a fixed width font such as "Lucida Console" to view this diagram):

+----------- Your project ------------+
| +-- FIPS-capable OpenSSL 1.0.1c --+ |
| | +----- FIPS Module 2.0.0 -----+ | |
| | | Certified implementations   | | |
| | | AES etc.                    | | |
| | +-----------------------------+ | |
| | Code to detect tampering with   | |
| | the copy of the module.         | |
| | APIs that use the module, such  | |
| | as EVP_xxx functions.           | |
| +---------------------------------+ |
| Your code calling EVP_xxx functions |
+-------------------------------------+

For detailed instructions, please refer to the formal "guide" document, which is a legal prerequisite for the FIPS certification to be valid for Government work.

Also check with your superiors if your intended use can make do with the FIPS certification level that the OpenSSL 2.0 module in an up-to-date FIPS-capable OpenSSL 1.0.1c library has attained, given that much of the FIPS certification program (the CMVP) is geared towards civilian government use and might not meet the needs of all military classification levels (I am not cleared to know the details of that either, so don't tell me or the public list what you find out).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org