Re: [openssl-users] Digest MD5 forbidden in FIPS mode
MD5 is not considered a safe function to use hence it is forbidden in FIPS mode. Can you use a different hash function ( such as SHA-something ) for your use case? On Mon, Jan 18, 2016 at 4:43 PM, Marcos Bontempowrote: > Hello, > > I wrote a C code which enter in FIPS mode with fips_mod_set(1). > > But, when I call MD5 functions after setting FIPS mode, I get this error: > > md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API > call to digest MD5 forbidden in FIPS mode! Aborted. > > Does anybody know what is wrong? How can I correct it? > > Any tip will be very helpful, > Thanks. > > ___ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Digest MD5 forbidden in FIPS mode
> I wrote a C code which enter in FIPS mode with fips_mod_set(1). > > But, when I call MD5 functions after setting FIPS mode, I get this error: > > md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call > to digest MD5 forbidden in FIPS mode! Aborted. > > Does anybody know what is wrong? How can I correct it? Nothing is going wrong; everything is working as expected. MD5 is essentially forbidden in US Federal except under a few exemptions. The exemptions include the PRF in TLS. But I've never seen a library expose MD5 even if its using it under the hood. Also see FIPS 140-2 and http://www.nsrl.nist.gov/collision.html. Jeff ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Digest MD5 forbidden in FIPS mode
On Mon, Jan 18, 2016, Marcos Bontempo wrote: > Hello, > I wrote a C code which enter in FIPS mode with fips_mod_set(1). > But, when I call MD5 functions after setting FIPS mode, I get this error: > md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call > to digest MD5 forbidden in FIPS mode! Aborted. > Does anybody know what is wrong? How can I correct it? > Any tip will be very helpful,Thanks. As well as the fact that MD5 is forbidden in FIPS mode you also have to use the EVP API for digests. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users