Ok, some weirdness happening here...

I've selected to test with option 2 and recompiled my openssl 1.0.1e withOUT 
"fips" in "./config fips".

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

I've verified that the AES-XTS cipher is present with:
$ openssl list-cipher-algorithms

In my app I resolve the NID_aes_256_xts to a name with OBJ_nid2sn() and get the 
same name as in the list above.

However when I call EVP_get_cipherbyname() with this name I get a NULL. I've 
never had an error with this in the FIPS compiled module. This just does not 
seem possible as an error, so any ideas on what may be wrong with my system? 
I'm working in a VirtualBox VM with a default installed Ubuntu 12.04.02.

Thanks
LJB


> -----Original Message-----
> From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org]
> On Behalf Of Dr. Stephen Henson
> Sent: 26 August 2013 03:23 PM
> To: openssl-dev@openssl.org
> Subject: Re: AES-XTS problem in non-FIPS mode
> 
> On Mon, Aug 26, 2013, Leon Brits wrote:
> 
> > I am using a FIPS compiled OpenSSL and I switch between FIPS and non-FIPS
> > mode with the FIPS_mode_set() API call. The selection is made by the
> > application linked to my library based on its configuration.
> >
> 
> That's weird. It should be using exactly the same algorithm implementation
> then.
> 
> Assuming there's no problem with your code the only thing I can think of
> is some inconsistency between FIPS and non-FIPS initialisation of EVP. To
> test that have a look in crypto/evp/evp_enc.c in OpenSSL 1.0.1 for the
> lines that check FIPS_mode(). Change them so they're always called and not
> just if FIPS_mode() is non-zero.
> 
> If possible also try OpenSSL 1.0.1 without the "fips" compilation option:
> it will then use its internal implementation and not the one in the FIPS
> module.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org

