Dear Peter
Thanks for the replying
> 1. All the block ciphers currently supported by crypt() and gen_salt() are not
> FIPS-compliant.
>
> 2. The crypt() and gen_salt() methods built on top of them (modes of operation,
> kind of) are not FIPS-compliant.
>
> 3. The implementations (crypt-blowfish.c, crypt-des.c, etc.) are not structured
> in a way that OpenSSL calls can easily be patched in.
Indeed, all the algorithm could not be used in FIPS and huge engineering might
be needed for the replacement. If the benefit is smaller than the cost, we
should consider another way - e.g., prohibit to call these functions in FIPS
mode as in the pseudocode Daniel sent. Replacing OpenSSL is a way, the objective
is to eliminate the user's error in choosing an encryption algorithm.
-----------------------------------------------
Fujitsu Limited
Shibagaki Koshi
shibagaki.koshi@fujitsu.com