[openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

Glen Matthews glenm at opentext.com
Sat Mar 26 22:38:39 UTC 2016


No, nothing unusual. Is there anything from the build process that would be useful in demonstrating this yes or no? I'm not the person responsible for the build process but I'm pretty sure it was followed to the letter - however I'll check on that. Certainly no engines

I can check back in the dump and see where we are in the code in each method call

Sent from my iPhone

> On Mar 26, 2016, at 5:30 PM, Dr. Stephen Henson <steve at openssl.org> wrote:
> 
>> On Thu, Mar 24, 2016, Glen Matthews wrote:
>> 
>> Hi
>> 
>> Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when the dialog box was displayed, and that's how I got the call stack. 
>> 
>>    if (x->ex_flags & EXFLAG_SET)
>>        return;
>> #ifndef OPENSSL_NO_SHA
>>    X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
>> #endif
>> 
>> I inspected the values in x509v3_cache_extensions() - the code above is from the beginning of it - and the test fails, so we drop down into the digest call.
> 
> Something strange is going on and I'm not sure what yet. 
> 
> At he start of EVP_DigestInit_ex() the implementation should be switched to
> the validated module version which then should never call the prohibited low
> level calls.
> 
> When you say it's a standard build you've presumably followed the FIPS module
> build instructions to the letter and produced the FIPS capable OpenSSL from
> that? Is there anything unusual you are doing like using an ENGINE
> for some operations?`
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list