On Fri, Jul 24, 2009, Michael Kurecka wrote:
> Dr. Henson,
> I tried the change for MD5 you mentioned of using the EVP interface,
> but it isn't working as I am getting the forbidden algorithm error. Below
> is the new code. The init is passing but it is failing on the update. I
> noticed that the flag is cleared after the init so I set the
> EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag again before update but it still fails.
>
>
> EVP_MD_CTX ctx;
> size_t i;
> unsigned int mac_len;
>
> // We are bypassing the OpenSSL FIPS EVP code since MD5 is not FIPS
> approved
> // but this is only for RADIUS authentication which is approved and
> therefore
> // acceptable.
> EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
>
> EVP_DigestInit(&ctx, EVP_md5());
>
> for(i = 0; i < num_elem; i++)
> {
> EVP_DigestUpdate(&ctx, addr[i], len[i]);
> }
>
> EVP_DigestFinal(&ctx, mac, &mac_len);
Ah, don't use EVP_DigestInit() that's deprecated and resets flags. Instead use
EVP_MD_CTX_init(), then EVP_DigestInit_ex(). You also need to call
EVP_DigestFinal_ex() and EVP_MD_CTX_cleanup().
See the example at:
http://www.openssl.org/docs/crypto/EVP_DigestInit.html
except you need to set the flags after EVP_MD_CTX_init().
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
