Phil,

You need to use the EVP interface. Using the low-level API is not recommended
and is disallowed in FIPS mode. The EVP interface is also easy to use.

Thanks
Rahul
On Nov 24, 2014 7:07 PM, "Philip Bellino" <pbell...@mrv.com> wrote:

> Hello,
>
> I am looking for some help and I do not profess to be an expert in this
> area, so forgive me for asking the following.
>
> I am running openssl-fips-2.0.7 with openssl-1.0.1j in my application (in
> FIPS mode) and am trying to figure out how to get around the following
> issue:
>
> sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API
> call to digest SHA1 forbidden in FIPS mode!
>
> From the openssl-1.0.1j "CHANGES" file, I see the following entry:
>
>      Low level digest APIs are not approved in FIPS mode: any attempt
>      to use these will cause a fatal error. Applications that *really* want
>      to use them can use the private_* version instead.
>      [Steve Henson]
>
> Does this mean that if I want to use low level digest APIs that I would
> comment out the 'if (FIPS_mode())' test below?
>
> If this is correct, am I now violating FIPS?
>
> From crypto/crypto.h:
>
> #ifdef OPENSSL_FIPS
> #define fips_md_init_ctx(alg, cx) \
>      int alg##_Init(cx##_CTX *c) \
>      { \
>      if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
>            "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
>      return private_##alg##_Init(c); \
>      } \
>      int private_##alg##_Init(cx##_CTX *c)
>
> If I am barking up the wrong tree (so to speak), what would be the correct
> course of action for me to take?
>
> Thank you,
>
> Phil
>
> *Phil Bellino*
> *Principal Software Engineer* | *MRV Communications Inc.*
> 300 Apollo Drive | Chelmsford, MA 01824
> Phone: 978-674-6870 | Fax: 978-674-6799
> www.mrv.com
>
