[openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a question about using the OpenSSL libraries; should be in 
openssl-users, copied and reply-to'd.

On 23/03/2016 17:25, Glen Matthews wrote:
>
> We?re receiving this assertion at the start of negotiating an SSL 
> connection:
>
> c:\s\15\src\openssl\build\openssl-1.0.2f\crypto\sha\sha_locl.h(128): 
> OpenSSL internal error, assertion failed: Low level API call to digest 
> SHA1 forbidden in FIPS mode!
>

I notice the assertion message mentions a header from what looks like a 
1.0.2f tree, but the references below are all to a 1.0.2g tree. I've no 
idea if this is relevant to the problem, but I wonder if this is a 
self-consistent build of the libraries.

> The last 2 lines of this stack trace shows that we are performing a 
> BIO_read at this point.
>
> How can we work around this issue? We?re using the self-validated FIPS 
> module and openssl 1.0.2g.
>
> glen
>
> user32!ZwUserWaitMessage+0xa
>
>  user32!DialogBox2+0x212
>
>  user32!InternalDialogBox+0x132
>
>  user32!SoftModalMessageBox+0xee1
>
>  user32!MessageBoxWorker+0x2eb
>
>  user32!MessageBoxTimeoutW+0xba
>
>  user32!MessageBoxW+0x4e
>
>  libeay32f!OPENSSL_showfatal+0x25e 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 979]
>
>  libeay32f!OpenSSLDie+0x22 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 1008]
>
>  libeay32f!SHA1_Init+0x33 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\sha\sha_locl.h @ 128]
>
>  libeay32f!EVP_DigestInit_ex+0x269 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 241]
>
>  libeay32f!EVP_Digest+0x7a 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 359]
>
>  libeay32f!ASN1_item_digest+0x6a 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\asn1\a_digest.c @ 107]
>
>  libeay32f!X509_digest+0x44 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x_all.c @ 414]
>
>  libeay32f!x509v3_cache_extensions+0x43 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 407]
>
>  libeay32f!X509_check_purpose+0x47 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 134]
>
>  libeay32f!X509_verify_cert+0x180 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x509_vfy.c @ 249]
>
>  ssleay32f!ssl_verify_cert_chain+0x14a 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\ssl_cert.c @ 759]
>
>  ssleay32f!ssl3_get_server_certificate+0x1bb 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 1255]
>
>  ssleay32f!ssl3_connect+0x258 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 345]
>
>  ssleay32f!ssl23_get_server_hello+0x44a 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 799]
>
>  ssleay32f!ssl23_connect+0x1f2 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 228]
>
>  ssleay32f!ssl23_read+0x44 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_lib.c @ 134]
>
>  ssleay32f!ssl_read+0x5e 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\bio_ssl.c @ 167]
>
>  libeay32f!BIO_read+0xbf 
> [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\bio\bio_lib.c @ 212]
>
>  hclftpx!CAsyncSslSocketLayer::OnReceive+0x1a8 
> [c:\s\15\src\montreal\inc\asyncsslsocketlayer.cpp @ 357]
>
-- 
J. J. Farrell
Not speaking for Oracle.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160323/3b2f8748/attachment-0001.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux