Re: Enable the FIPS mode in the library level

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 05.03.2018 11:57, Dr. Matthias St. Pierre wrote:
>
> However, I am sceptical whether this approach will be accepted,
> because there are (at least) two potential problems:
>
> * Normally, it is mandatory to check the result of FIPS_mode_set() or
> FIPS_mode() to ensure that the FIPS initialization succeeded. However,
> an application which is not FIPS-aware won't check the result.
> * It can happen that applications which have their own configuration
> and enable/disable FIPS mode explicitely, call FIPS_mode_set(0)
> afterwards.
>
>
> HTH,
> Matthias
>

One more obstacle: In FIPS mode it is not allowed to use low level
crypto algorithms, only the EVP interface is allowed. So most of your
non-fips-aware applications will malfunction when forced into FIPS mode.
The consequence is: it's probably not possible to do it.

Matthias

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux