Hi,

I'm in the process of upgrading from openssl-0.9.8/fips-1.2 to 
openssl-1.0.1/fips-2.0. Our system can be built both with and without the fips 
module. Furthermore, it can be built in a limited feature set configuration (no 
fips). The limited feature set config only calls low-level openssl APIs 
(SHA1_Init, AES_cbc_encrypt, etc.) in order to avoid linking in the full 
libcrypto.

In openssl-1.0.1/fips-2.0 it is not possible to call the low-level APIs when in 
FIPS 140-2 mode. Is there another alternative that I can use? E.g. some API in 
the FIPS module? Changing to the EVP API for the FIPS 140-2 config and using the 
low-level APIs for the limited-feature-set config would have a pretty big 
impact on our code. Hence, I would prefer to avoid that approach, if possible.

--
R

                                          
