On Mon, Feb 22, 2016, Wall, Stephen wrote: > I wonder if I could get the thoughts of some of you developers on how > difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of > the current (2.0.11?) fipscanister.o. Also, opinions on if this would be a > legitimate way to get FIPS in 1.1.0. >
Just to add a few thoughts to this. It would be very tricky and rather messy. The 2.0.x module uses various shortcuts (which were pretty much essential given the time pressure on its development) such as keeping structure compatible with OpenSSL. For 1.1.0 many structures have changed considerably and many are opaque so this wont work. Add to that that it isn't just a case of having an external ENGINE. There needs to be some extensive glue code in OpenSSL itself to (for example) ensure that the correct imeplementation is used and to block unapproved APIs and algorithms. So while I think it is theoretically possible I think handling this as part of a new validation effort would be the best approach. We could then incorporate some of the new FIPS 140-2 requirements and add some new algorithms. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
