Dear Peter

Thanks for replying.

> 1. All the block ciphers currently supported by crypt() and gen_salt() are not
> FIPS-compliant.
>
> 2. The crypt() and gen_salt() methods built on top of them (modes of
> operation, kind of) are not FIPS-compliant.
>
> 3. The implementations (crypt-blowfish.c, crypt-des.c, etc.) are not
> structured in a way that OpenSSL calls can easily be patched in.

Indeed, all of the algorithms could not be used in FIPS, and a huge engineering
effort might be needed for the replacement. If the benefit is smaller than the
cost, we should consider another way, e.g., prohibiting calls to these functions
in FIPS mode, as in the pseudocode Daniel sent. Replacing OpenSSL is a way; the
objective is to eliminate the user's error in choosing an encryption algorithm.


-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.ko...@fujitsu.com


