On Wed, Nov 06, 2013, Vuille, Martin (Martin) wrote:

> On Wed, Nov 6, 2013, Dr. Stephen Henson wrote:
>
> > On Tue, Nov 05, 2013, Vuille, Martin (Martin) wrote:
> >
> > > Another approach I am considering is to have both a FIPS-capable and
> > > non-FIPS capable version of OpenSSL installed on the system (with
> > > suitable adjustments to .so file names to avoid conflicts) with the
> > > application using the former when FIPS mode is required and the latter
> > > otherwise (perhaps by dynamically loading the appropriate one, or by
> > > using a different LD_LIBRARY_PATH).
> > >
> > > Any thoughts on the viability of that approach?
> >
> > The FIPS capable version of OpenSSL outside FIPS mode should be
> > compatible with the non-FIPS build of the same version of OpenSSL so there
> > shouldn't be a need to do this.
> >
> > Any incompatibilities would be regarded as bugs which should be fixed.
>
> Understood, but my understanding is that even in non-FIPS mode the code
> from the FIPS Object Module is used. Is that understanding incorrect?
The software implementations of algorithms in the FIPS module are used via
EVP when not in FIPS mode for OpenSSL 1.0.1. For 1.0.2 and later that no
longer applies.

> When not using FIPS mode, I do not want to suffer a performance penalty,
> as I am running on a very CPU-constrained platform, and want the ability to
> use patches provided by my platform vendor to leverage their hardware
> crypto acceleration, which obviously cannot be applied to the FIPS Object
> Module.

That depends on how the crypto acceleration is performed. If it is via
changes to the OpenSSL algorithm implementations themselves then yes, they
won't be used for 1.0.1 outside FIPS mode. If the changes are via a new
ENGINE then they will be used.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
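An added example, not part of this thread and not OpenSSL's own code, that turns Steve's distinction into a check a practitioner can run before relying on vendor acceleration with a FIPS-capable 1.0.1 build: acceleration exposed as an ENGINE is used outside FIPS mode, while patches to the algorithm implementations themselves are not. The script parses the `openssl engine -c` listing to see whether a given algorithm is offered by a loaded ENGINE, and looks for the `-fips` suffix that FIPS-capable builds put in the `openssl version` string. The engine listing and version line it starts from are constructed samples in the 1.0.x output format; the function names (`build_is_fips_capable`, `engine_for`, `report`) are mine. If an `openssl` binary is on the PATH it also reports on the live toolchain.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSL itself.
# Two questions to settle before relying on vendor acceleration with a
# FIPS-capable OpenSSL 1.0.1 outside FIPS mode:
#   1. is this build FIPS-capable at all ("-fips" in the version string)?
#   2. is the accelerated algorithm provided through a loaded ENGINE
#      (used outside FIPS mode) rather than by patched algorithm code (not used)?

# Constructed sample of `openssl engine -c` output in the 1.0.x format.
SAMPLE_ENGINES='(rdrand) Intel RDRAND engine
 [RAND]
(aesni) Intel AES-NI engine
 [AES-128-ECB, AES-128-CBC, AES-256-CBC]
(dynamic) Dynamic engine loading support'

# Constructed sample of `openssl version` output from a FIPS-capable build.
SAMPLE_VERSION='OpenSSL 1.0.1e-fips 11 Feb 2013'

# build_is_fips_capable VERSION_LINE: succeeds if the version string carries
# the "-fips" suffix that OPENSSL_FIPS builds add to OPENSSL_VERSION_TEXT.
build_is_fips_capable() {
    case $1 in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# engine_for ALG ENGINE_LISTING: print the id of the first ENGINE whose
# capability line lists ALG exactly; print nothing and fail if none does.
engine_for() {
    found=$(printf '%s\n' "$2" | awk -v alg="$1" '
        # "(id) description" starts a new engine entry
        /^\(/ { id = substr($0, 2, index($0, ")") - 2); next }
        # " [CAP, CAP, ...]" lists what that engine implements
        /^ *\[/ {
            caps = $0
            gsub(/\[/, "", caps); gsub(/\]/, "", caps); gsub(/ /, "", caps)
            n = split(caps, cap, ",")
            for (i = 1; i <= n; i++)
                if (cap[i] == alg) { print id; exit }
        }')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# report ALG VERSION_LINE ENGINE_LISTING: one-line verdict for ALG.
report() {
    if build_is_fips_capable "$2"; then build="FIPS-capable"; else build="non-FIPS"; fi
    if eng=$(engine_for "$1" "$3"); then
        echo "$build build: $1 is served by ENGINE '$eng' (used outside FIPS mode on 1.0.1)"
    else
        echo "$build build: no ENGINE offers $1; the built-in implementation is used" \
             "(on a FIPS-capable 1.0.1 build that is the FIPS module's code even outside FIPS mode)"
    fi
}

# Run over the constructed samples, then over the live toolchain if present.
report AES-128-CBC "$SAMPLE_VERSION" "$SAMPLE_ENGINES"
report RSA         "$SAMPLE_VERSION" "$SAMPLE_ENGINES"
if command -v openssl >/dev/null 2>&1; then
    live_version=$(openssl version 2>/dev/null || true)
    live_engines=$(openssl engine -c 2>/dev/null || true)
    report AES-128-CBC "$live_version" "$live_engines"
fi
```

The capability match is exact on purpose: an ENGINE that lists `AES-128-ECB` but not `AES-128-CBC` does not accelerate CBC, and a loose substring match would report the wrong answer. A vendor patch that modifies OpenSSL's own AES code never appears in this listing at all, which is the case Steve says will not be used on 1.0.1 outside FIPS mode.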