<div dir="ltr"><div><div><div><div>Hi!<br><br></div>This question is in the OTP 19 scope. FIPS requires the use of the EVP-API which sounds interesting regardless of <br></div>FIPS.
We see this as a possible first step, then we can consider if and what
else we might want to do, to support or facilitate for others to
support FIPS. My current understanding is that using only the EVP-API
functions we can not make the crypto API completely functional,
which will require at least some additions to the crypto API and perhaps
OTP-techincal board considerations.<br></div></div><div><br></div>Regards Ingela Erlang/OTP - Ericsson AB</div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-21 20:22 GMT+02:00 Drew Varner <span dir="ltr"><<a href="mailto:drew.varner@redops.org" target="_blank">drew.varner@redops.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Here’ s the discussion on a FIPS pull request that’s now closed: <a href="https://github.com/erlang/otp/pull/377" target="_blank">https://github.com/erlang/otp/pull/377</a><span class="HOEnZb"><font color="#888888"><div><br></div></font></span><div><span class="HOEnZb"><font color="#888888">- Drew</font></span><div><div class="h5"><br><div><br></div><div><div><blockquote type="cite"><div>On Apr 21, 2015, at 12:32 PM, Niclas Eklund <<a href="mailto:nick@tail-f.com" target="_blank">nick@tail-f.com</a>> wrote:</div><br><div>Hi!<br><br>IMHO I think that it would be good if FIPS could supported by OTP, especially since the purpose of the FIPS standards are issued to ensure computer security and interoperability. I've seen a question about this at least once before on this list before - <a href="http://erlang.org/pipermail/erlang-questions/2012-April/065902.html" target="_blank">http://erlang.org/pipermail/erlang-questions/2012-April/065902.html</a> But I don't know what became of it.<br><br>Best regards,<br><br>Nick<br><br><br>On 04/21/2015 03:48 PM, jonetsu wrote:<br><blockquote type="cite">Hello,<br><br>We are using an Erlang-based middleware using OTP, ConfD, which<br>must now support FIPS mode. Briefly, FIPS is a U.S. standard<br>that imposes a set of crypto parameters (ciphers, algorithms,<br>etc...). FIPS-applications must use high-level OpenSSL<br>methods (The EVP set of methods) since the low-level functions<br>will make OpenSSL abort. The application must also call<br>FIPS_mode_set(1) to enable this mode for a suitable OpenSSL build<br>that supports FIPS.<br><br>OTP uses low-level OpenSSL functions.<br><br>Initially I considered replacing, for instance, the AES_* uses in<br>crypto.c by their EVP equivalent, while keeping the interface to<br>Erlang intact.<br><br>Now, looking at the extent of the FIPS modifications to the OTP<br>code done last year by Dániel Szoboszlay, who worked at Ericsson<br>and Erlang Solutions, I wonder about my naïve approach.<br><br>Are anyone here familiar with this FIPS OTP port ? Any comments<br>? To anyone also familiar with ConfD: do you know of any effort<br>done in using this FIPS-enabled OTP code ?<br><br>Thanks for any comments and suggestions !<br><br>Regards.<br><br><br><br><br>_______________________________________________<br>erlang-questions mailing list<br><a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br><a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br></blockquote><br>_______________________________________________<br>erlang-questions mailing list<br><a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br><a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br></div></blockquote></div><br></div></div></div></div></div><br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div>