OK, sorry this stupid error has been resolved. There was some openssl init code which got disabled when I disabled lines of source for FIPS mode.
The problem however still persists for me even with this OpenSSL which has been compiled without fips. I will continue looking at my code.

Thanks
LJB

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Leon Brits
> Sent: 27 August 2013 12:08 PM
> To: [email protected]
> Subject: RE: AES-XTS problem in non-FIPS mode
>
> Ok, some weirdness happening here...
>
> I've selected to test with option 2 and recompiled my openssl 1.0.1e
> withOUT "fips" in "./config fips".
>
> $ openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> I've verified that the AES-XTS cipher is present with:
> $ openssl list-cipher-algorithms
>
> In my app I resolve the NID_aes_256_xts to a name with OBJ_nid2sn() and
> get the same name as in the list above.
>
> However when I call EVP_get_cipherbyname() with this name I get a NULL.
> I've never had an error with this in the FIPS compiled module. This just
> does not seem possible as an error, so any ideas on what may be wrong with
> my system? I'm working in VirtualBox VM with a default installed Ubuntu
> 12.04.02.
>
> Thanks
> LJB
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]]
> > On Behalf Of Dr. Stephen Henson
> > Sent: 26 August 2013 03:23 PM
> > To: [email protected]
> > Subject: Re: AES-XTS problem in non-FIPS mode
> >
> > On Mon, Aug 26, 2013, Leon Brits wrote:
> >
> > > I am using a FIPS compiled OpenSSL and I switch between FIPS and
> > > non-FIPS mode with the FIPS_mode_set() API call. The selection is
> > > made by the application linked to my library based on its
> > > configuration.
> >
> > That's weird. It should be using exactly the same algorithm
> > implementation then.
> >
> > Assuming there's no problem with your code the only thing I can think
> > of is some inconsistency between FIPS and non-FIPS initialisation of
> > EVP. To test that have a look in crypto/evp/evp_enc.c in OpenSSL 1.0.1
> > for the lines that check FIPS_mode(). Change them so they're always
> > called and not just if FIPS_mode() is non-zero.
> >
> > If possible also try OpenSSL 1.0.1 without the "fips" compilation
> > option: it will then use its internal implementation and not the one
> > in the FIPS module.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. OpenSSL project core developer.
> > Commercial tech support now available see: http://www.openssl.org
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > Development Mailing List                       [email protected]
> > Automated List Manager                           [email protected]
