[openssl-dev] OpenSSL 1.1.0 and FIPS

Wall, Stephen swall at redcom.com
Tue Feb 23 13:55:00 UTC 2016


> A generic
> way to handle that (aside from Richards dream proposal) would be to
> have a NO_INTERNAL_ALGORITHMS setting somewhere in the API.  Possibly
> split into NO_INTERNAL_SYMMETRIC_ALGOS, ASYMMETRIC, HASHES, etc, for
> finer grained control.

Replying to my own post, a second idea: what if the engine claims it can do all possible algorithms, but returns EVP_R_DISABLED_FOR_FIPS for the ones that FIPS does not allow?  Would that be sufficient to prevent the core from trying to run any algorithms, or would the failure prompt a fallback to the internal code?


More information about the openssl-dev mailing list