Thanks for the feedback, I was deliberately ignoring the issue of not running non-FIPS algos, there are actually instances where it's desirable to have access to them in FIPS mode (RADIUS, e.g.). A generic way to handle that (aside from Richard's dream proposal) would be to have a NO_INTERNAL_ALGORITHMS setting somewhere in the API. Possibly split into NO_INTERNAL_SYMMETRIC_ALGOS, ASYMMETRIC, HASHES, etc., for finer-grained control. Or even a bit per specific algo to go to the extreme. Probably too late to get something like that in for a 1.1.0 release...?
As far as structure incompatibility, translation could be handled internally to the engine (though that would require a lot of near-duplicate structures). Feasible, maybe not practical.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev