fips mode and key management

Richard Levitte
Tue Jan 21 09:36:47 UTC 2020

This doesn't affect applications.  Our FIPS module holds its own
keys, but reuses the same structures as libcrypto to hold them
internally, and *there*, the EX_DATA field is irrelevant.
Applications will never get that far in.  The EX_DATA added by the
application is still valid.

I think that the misunderstanding lies in when FIPS_MODE is defined.
It's defined when the FIPS provider module is being built, never


On Sat, 18 Jan 2020 12:19:25 +0100,
Roumen Petrov wrote:
> Hello,
> Recently I noted that when the build is in FIPS_MODE some functionality is
> lost. For instance RSA_{g|s}et_ex_data is not available.
> Reading the code I expect that in FIPS mode use of external keys is
> forbidden.
> Remark: ex_data is used to store reference information for external keys.
> Please confirm that in FIPS mode we could use external keys?
> Regards
> Roumen Petrov
> P.S. If it is not allowed, this is a regression from previous FIPS
> releases (validations).
> Neither OpenSSL nor Red Hat nor Solaris FIPS validation forbid use of
> "external" keys.
Richard Levitte
OpenSSL Project
