On Wed, Jun 23, 2004, Marquess, Steve Mr JMLFDC wrote: > > There is a User Guide for FIPS mode which will be released when the > validation is complete. When we the mechanisms for disabling non-FIPS mode > are known (such as a bad return code from EVP_CipherInit) I will document > them there. Note that source code modifications are necessary to convert an > application to use FIPS mode, those mods can include checking the return > codes that might have been ignored before. >
Well as far as error codes for use non-FIPS mode algorithms are concerned there are two cases. One is if the application specifically requests the algorithm with something like EVP_md5(). The easiest way to fix that is for the application to not even attempt to use EVP_md5() in FIPS mode though obviously OpenSSL needs to trap it as well, maybe forcefully with an assertion failure? The other case is where an appliction looks up an algorithm from OpenSSLs internal tables. There are a couple of ways to deal with that. One is to simply not add the non-FIPS algorithms to the table in FIPS mode. That might however lead to misleading error conditions such as "unknown digest" when an attempt is made to use them. The other is to allow them to be added but not looked up. The lookup would fail and give a more meaningful error such as "non FIPS algorithm". Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
