On 02/23/2016 08:16 AM, Wall, Stephen wrote: > Thanks for the feedback, I was deliberately ignoring the issue of not > running non-FIPS algos, there are actually instances where it's > desirable to have access to them in FIPS mode (RADIUS, eg). A > generic way to handle that (aside from Richards dream proposal) would > be to have a NO_INTERNAL_ALGORITHMS setting somewhere in the API. > Possibly split into NO_INTERNAL_SYMMETRIC_ALGOS, ASYMMETRIC, HASHES, > etc, for finer grained control. Or even a bit per specific algo to > go to the extreme. Probably too late to get something like that in > for a 1.1.0 release...? > > As far as structure incompatibility, translation could be handled > internally to the engine (though that would require a lot of > near-duplicate structures). Feasible, maybe not practical.
Sufficient desperation and sufficiently deep pockets set the boundaries of "feasible". FIPS 140-2 isn't practical to begin with. I know of several commercial vendors planning to hand-jamb some variant of the current FIPS module into OpenSSL 1.1 (what they see as their least bad option). The result is going to be horrible, though, and will still require validation. It will leave them with a maintenance tail that will haunt them for years to come. I wish them luck, and understand that FIPS 140-2 is important enough to their business that they have no choice. But here at the OpenSSL project we've made the conscious decision to not allow FIPS 140-2 to distort and pervert OpenSSL even more than has already been the case. We'll do a (relatively) clean and sane implementation for 1.1 if and when we can, and nothing otherwise. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
