[openssl-users] Key Derivation Function Tests for TLS

Steve Marquess marquess at openssl.com
Wed Sep 23 12:16:26 UTC 2015


On 09/23/2015 07:09 AM, Steve Marquess wrote:
> On 09/22/2015 07:26 PM, John Foley (foleyj) wrote:
>> Pull request 368 has KDF support for FIPS:
>>  https://github.com/openssl/openssl/pull/368
>>
>>
>> I've already updated libsrtp to use this API for FIPS compliance. We
>> would like to contribute to other downstream projects as well.  But it
>> would help if OpenSSL accepted this pull request.
>>
> 
> John, the problem is that we have no FIPS validation in which that can
> be used. We're not allowed to make such changes to existing validated
> modules, and have no immediate prospects of doing any new validation.
> IMHO there isn't much point in accepting and committing speculative
> code, i.e. code that we can't actually use in OpenSSL.

John, let me elaborate on my comment above by noting that the Cisco
contribution includes a bunch of FIPS-specific code for which there is
no counterpart on the master branch (i.e. no place to put it). A version
which worked on master with all the FIPS stuff stripped out and with
tests via evp_test would be a lot more interesting.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

