[openssl-dev] OpenSSL 1.1.0 and FIPS

Dr. Stephen Henson steve at openssl.org
Mon Feb 22 18:58:29 UTC 2016


On Mon, Feb 22, 2016, Wall, Stephen wrote:

> I wonder if I could get the thoughts of some of you developers on how
> difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of
> the current (2.0.11?) fipscanister.o.  Also, opinions on if this would be a
> legitimate way to get FIPS in 1.1.0.
> 

Just to add a few thoughts to this.

It would be very tricky and rather messy. The 2.0.x module uses various
shortcuts (which were pretty much essential given the time pressure on its
development) such as keeping structure compatible with OpenSSL. For 1.1.0 many
structures have changed considerably and many are opaque so this won't work.

Add to that that it isn't just a case of having an external ENGINE. There
needs to be some extensive glue code in OpenSSL itself to (for example) ensure
that the correct implementation is used and to block unapproved APIs and
algorithms. 

So while I think it is theoretically possible I think handling this as part of
a new validation effort would be the best approach. We could then incorporate
some of the new FIPS 140-2 requirements and add some new algorithms.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

