AES-cipher offload to engine in openssl-fips
Salz, Rich
rsalz at akamai.com
Wed Feb 27 23:17:13 UTC 2019
> Huh? From the design document, section "Example dynamic views of
> algorithm selection", after the second diagram:
>
> An EVP_DigestSign* operation is more complicated because it
> involves two algorithms: a signing algorithm, and a digest
> algorithm. In general those two algorithms may come from different
> providers or the same one. In the case of the FIPS module the
> algorithms must both come from the same FIPS module provider. The
> operation will fail if an attempt is made to do otherwise.

There are two options. First, the application does the digest and sign as two separate things. Second, the provider implementing digestSign has to be validated to use the other FIPS module.