[erlang-questions] OTP in FIPS mode ?

jonetsu jonetsu@REDACTED
Tue Apr 21 15:48:37 CEST 2015


We are using an Erlang-based middleware using OTP, ConfD, which
must now support FIPS mode.  Briefly, FIPS is a U.S. standard
that imposes a set of crypto parameters (ciphers, algorithms,
etc.).  FIPS applications must use high-level OpenSSL
methods (the EVP set of methods) since the low-level functions
will make OpenSSL abort.  The application must also call
FIPS_mode_set(1) to enable this mode for a suitable OpenSSL build
that supports FIPS.

OTP uses low-level OpenSSL functions.

Initially I considered replacing, for instance, the AES_* uses in
crypto.c by their EVP equivalent, while keeping the interface to
Erlang intact.

Now, looking at the extent of the FIPS modifications to the OTP
code done last year by Dániel Szoboszlay, who worked at Ericsson
and Erlang Solutions, I wonder about my naïve approach.

Is anyone here familiar with this FIPS OTP port?  Any comments?
To anyone also familiar with ConfD: do you know of any effort
done in using this FIPS-enabled OTP code?

Thanks for any comments and suggestions!

