Your assumption is incorrect. Note that when you use the FIPS module, you should not attempt to use the FIPS module directly — instead, you build a separate version of OpenSSL that uses the FIPS module (after building the FIPS module). You then link the new libcrypto (and libssl if you need it), and invoke the usual OpenSSL functions. If your application calls FIPS_mode_set() first, then the FIPS module will be used for all crypto routines, while regular OpenSSL stuff is used for non-crypto functionality. If you don’t call FIPS_mode_set() first, then cryptographic routines come from the regular OpenSSL library*, and your application cannot be considered as using any kind of FIPS 140 module.

See the FIPS User’s guide for more info, because FIPS 140 compliance means that some cryptographic algorithms are disabled when in “FIPS mode”. IIRC, there’s also a full list of algorithms that are available in FIPS mode in the User’s guide, and if not, the Security Policy should detail that information.

TOM

* IIRC, there’s a bug when using the 1.x FIPS modules, where all encryption still routes through the FIPS module, even when not in FIPS mode, unless the algorithm is unavailable in the FIPS module. I don’t recall if that problem was fixed for use with the current FIPS module.

On Oct 2, 2014, at 12:49 PM, Graham Leggett <minf...@sharp.fm> wrote:

> Hi all,
>
> Looking at the headers in the FIPS module of openssl, I see none of the
> EVP_Encrypt* functions are available. Am I assuming correctly that no
> symmetrical encryption is possible at all in FIPS mode?
>
> Regards,
> Graham
> —
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org