On 09/23/2015 07:09 AM, Steve Marquess wrote:
> On 09/22/2015 07:26 PM, John Foley (foleyj) wrote:
>> Pull request 368 has KDF support for FIPS:
>> https://github.com/openssl/openssl/pull/368
>>
>> I've already updated libsrtp to use this API for FIPS compliance. We
>> would like to contribute to other downstream projects as well. But it
>> would help if OpenSSL accepted this pull request.
>>
>
> John, the problem is that we have no FIPS validation in which that can
> be used. We're not allowed to make such changes to existing validated
> modules, and have no immediate prospects of doing any new validation.
> IMHO there isn't much point in accepting and committing speculative
> code, i.e. code that we can't actually use in OpenSSL.

John, let me elaborate on my comment above by noting that the Cisco
contribution includes a bunch of FIPS specific code for which there is
no counterpart on the master branch (i.e. no place to put it). A version
which worked on master with all the FIPS stuff stripped out and with
tests via evp_test would be a lot more interesting.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc