Removal of Dual EC DRBG from the OpenSSL FIPS module

It took a couple of hours of code hacking followed by six long months of
waiting, but at long last revision 2.0.6 of the OpenSSL FIPS Object
Module v2.0 (validation certificate #1747) has finally been approved:

Usually new revisions add support for new platforms; with 2.0.6 the Dual
EC DRBG algorithm implementation is entirely removed from the module.
This removal eliminates dead code that no one in their right mind would
use deliberately, and also eliminates the possibility of that algorithm
being enabled accidentally or maliciously.

Revision 2.0.6 is a direct replacement for all previous revisions (2.0,
2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5). Anyone concerned about the presence
of the toxic and officially deprecated Dual EC DRBG algorithm is
encouraged to upgrade to revision 2.0.6.

Note that the formal paperwork for revision 2.0.7, with support for
eleven new platforms, was submitted some time ago. As the removal of
Dual EC DRBG was not approved at that time, that revision still includes
the Dual EC DRBG implementation. We've put in a query asking if we will
be permitted to retroactively remove Dual EC DRBG from that as well. If
that approval is not given, we'll be in the odd position of
re-introducing Dual EC DRBG with revision 2.0.7 when that is eventually