[erlang-questions] OTP in FIPS mode ?
Fri May 1 15:03:46 CEST 2015
From: "Dániel Szoboszlay" <dszoboszlay@REDACTED>
Date: 05/01/15 04:01
Thanks for your comments, much appreciated !
> - Blocked non-compliant calls in FIPS mode before they would reach
> OpenSSL (so you get an Erlang error instead of killing your
> VM). This is a must have for any FIPS fork, but it was quite
> trivial to implement.
That would be the CHECK_NO_FIPS_MODE in crypto.c. Is there any at the
Erlang level ?
I'm asking beacause what I am considering at the moment is to only
modify the crypto.c code. No modification to Erlang code. For two
reasons. One is that I do not know Erlang, although by browsing the
code lately I find it quite interesting :) But nowhere near being able
to modify an application that is used in the field. Let alone
establishing test harnesses in the first place. Second is, the OTP
that is used is already modified by tail-f AG as part of the ConfD
product. For instance, if I'm not mistaken, the SSL component is
different, with crypto being the only part used from OpenSSL. I have
the impression that the OTP base used in the product dates from some
time. It is possible to compile locally crypto.c, but when it comes
to altering the company's Erlang code then all support is lost.
This approach also means to keep the C <-> Erlang interface intact.
Do you think it is at all possible to have a working FIPS mode without
any modification to Erlang code ?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the erlang-questions