AES-cipher offload to engine in openssl-fips

Jakob Bohm jb-openssl at
Wed Feb 27 20:55:29 UTC 2019

On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
> If you change a single line of code or do not build it EXACTLY as documented, you cannot claim to use the OpenSSL validation.

I believe the context here is one I also mentioned in my comment on
the 3.0 draft spec:

- OpenSSL FIPS Module provides FIPS validated software implementations of
  all/most of the permitted algorithms.
- Engine provides FIPS validated (hardware?) implementations of one or
  more implementations, under a separate FIPS validation, perhaps done
  at the hardware level.
- FIPS-capable OpenSSL (outside the FIPS boundary) is somehow made to use
  both FIPS validated modules depending on various conditions (such as
  algorithm availability).  FIPS-capable OpenSSL can be changed without
  breaking the FIPS validation of the modules.
- Overall application claims FIPS compliance as all crypto is done by
  FIPS validated modules.

A hypothetical US gov example would be using a certificate on a FIPS
validated FIPS 201 PIV ID card.


Jakob Bohm, CIO, Partner, WiseMo A/S.
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
