2014-04-23 0:13 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>: > Konstantin, > > On 4/22/14, 12:15 PM, kkoli...@apache.org wrote: >> Author: kkolinko >> Date: Tue Apr 22 16:15:49 2014 >> New Revision: 1589195 >> > >> + c) "enterFipsMode = 1 != fipsModeState;" code and comment before it >> are wrong. >> >> FIPS_mode() function of OpenSSL is documented to return non-zero >> value when in FIPS mode. You cannot expect it to be '1'. > > We *must* expect it to be '1'. I've gone through great pains to add > in-line documentation explaining the stupidity behind OpenSSL's > confusing documentation that "any non-zero value will work as long as > that non-zero value is 1". Perhaps this is a case where I should have > used FIPS_ON. One could argue that checking for any non-zero value would > be more appropriate, here, but it's not /wrong/.
http://wiki.openssl.org/index.php/FIPS_mode%28%29 says "values other than 1 may have additional significance such as designating an additional restriction to Suite B algorithms." If you really expect "1" (or let's assume that the value of FIPS_ON is configurable), then non-1 value does not mean that "FIPS mode is off". It means "FIPS mode value is different from expected" and would better have a separate error message. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
