On Tue, Jul 10, 2007, Raymond Yuan wrote: > Hi, > After building OpenSSL FIPS module in a manner required by security > policy, I tested non-supported algorithm in FIPS mode. I saw two different > result behaviours: > > 1. application aborts > when non-supported symmetric key encryption algorithms are invoked, > like rc2, rc4, idea. They will end up invoking abort() if FIPS mode is > detected; > > 2. application finish smoothly but with incorrect result > This happend against non-supported hash functions like md5, ripemd. > Wrong hash result will be got. However, when I invoke openssl > ERR_peek_last_error(), I can get error code, further I can get error message > like "disabled for fips". > > Why are the FIPS check processings on those algorithm different? Is > there a good way to programmatically check if an algorithm is supported in > FIPS mode?
Where the functions return a value an error is returned. Some applications ignore the return codes of some functions which might explain #2. Functions which don't return a value have to abort. This is only a problem if the low level interface is used. The recommended EVP interface indicates errors via return codes and only via an assertion failure if the error is ignored. You can check if an algorithm is supported from EVP by checking the flags. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]