I recently inherited the task of adding FIPS support to our product. The product has a fairly large codebase that I'm still coming up to speed on, including our existing use of OpenSSL.
I've read the Security Policy and User Guides for 1.1.2 and have been analyzing our code and delving into OpenSSL code a bit, but have a few questions. I'm currently working on getting our product built against the FIPS Module 1.1.2.

Questions:

1. I'm trying to determine if the removal of DSA from 1.1.2 impacts us. We use the following DSA methods, but it's not clear to me whether or not this breaks the rules. (pseudocode)

    DSA->meth = DSA_get_default_method()
    DSA->meth->do_verify()
    DSA_SIG_new()
    DSA_SIG_free()

From reading the security policy I am concerned that this will be a problem and result in FIPS errors. Is this correct?

2. I'm also searching our code for other sections that potentially violate the rules of FIPS. I'm doing a code review and am curious if others found a particular strategy helpful for locating potential FIPS problems. For example, given a large code base, what was your strategy for finding potential FIPS violating code? I don't want to rely solely on the internal error checking calls such as FIPS_dsa_check().

Cheers,
Rich Taylor

--
View this message in context: http://www.nabble.com/FIPS-1.1.2-and-DSA-tp15580564p15580564.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
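For the code-review question in item 2, one way to inventory where a code base calls the DSA entry points listed in item 1 is sketched below. This is an added example, not part of the original post or of OpenSSL. The symbol names are taken as written in the post's pseudocode, and `find_dsa_calls`, `scan_tree` and `SAMPLE` are hypothetical names with constructed input.

```python
import os
import re

# Names exactly as written in the post's pseudocode; replace them with the
# identifiers from your own OpenSSL headers before scanning a real tree.
DSA_SYMBOLS = ("DSA_get_default_method", "do_verify", "DSA_SIG_new", "DSA_SIG_free")

# Comments and string/char literals are blanked first so that a symbol that is
# only mentioned in one of them is not reported as a call site.
_SKIP = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"' r"|'(?:\\.|[^'\\\n])*'", re.DOTALL)
_CALL = re.compile(r"(?<![A-Za-z0-9_])(%s)\s*\(" % "|".join(DSA_SYMBOLS))

def _blank(match):
    # Keep newlines so reported line numbers still match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_dsa_calls(source, filename="<memory>"):
    """Return (filename, line, symbol, kind) for each call site in C source text."""
    code = _SKIP.sub(_blank, source)
    hits = []
    for m in _CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        # "indirect" = reached through a method-table pointer such as meth->do_verify()
        before = code[:m.start()].rstrip()
        kind = "indirect" if before.endswith(("->", ".")) else "direct"
        hits.append((filename, line, m.group(1), kind))
    return hits

def scan_tree(root, exts=(".c", ".h")):
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits += find_dsa_calls(fh.read(), path)
    return hits

# Constructed sample input (not code from the post or from OpenSSL).
SAMPLE = '''\
/* DSA_SIG_new() appears here only in a comment */
int check(DSA *dsa, const unsigned char *dgst, int len) {
    const char *note = "DSA_SIG_free(sig) inside a string";
    DSA_SIG *sig = DSA_SIG_new();
    dsa->meth = DSA_get_default_method();  // do_verify( in a comment
    int ok = dsa->meth->do_verify(dgst, len, sig, dsa);
    DSA_SIG_free(sig); return ok; }
'''
```

The "indirect" hits are the ones a plain search for `DSA_` function names misses, because the call goes through the method table rather than a named library function.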