opencryptoki / openssl-ibmca

OpenSSL engine and provider for libica.
Apache License 2.0

ibmca FIPS mode #4

Closed p-steuer closed 7 years ago

p-steuer commented 7 years ago

libica (>=3.0.0) can be configured with the --enable-fips option to have built-in FIPS 140-2 support: When /proc/sys/crypto/fips_enabled is 1, libica runs in FIPS mode and triggers OpenSSL's FIPS mode via FIPS_mode_set(1).

When running in FIPS mode, the OpenSSL/ibmca/libica stack crashes (SIGSEGV) in OpenSSL's RNG (which uses SHA-1).

libica currently does not block SHA-1 in FIPS mode: It is not allowed to be used in signatures, while still being allowed in HMAC-SHA1.

This problem needs to be investigated. Maybe the engine's SHA-1 implementation has to set the EVP_MD_FLAG_FIPS flag.