[openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

On Wed, Mar 23, 2016, Glen Matthews wrote:

> Hi
> 
> Right, sorry about the wrong posting - and thanks.
> 
> The message is correct - we got this in the 1.0.2f tree and are still getting it in the 1.0.2g tree.
> 
> I notice that in crypto\x509v3\v3_purp.c there is this:
> 
>     if (x->ex_flags & EXFLAG_SET)
>         return;
> #ifndef OPENSSL_NO_SHA
>     X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
> #endif
> 
> We haven't disabled SHA1 because we need it for our ssh implementation. From what I've been reading, the code should not be calling with EVP_sha1().
> 

Is this a standard OpenSSL build or has it been modified in some way?

At what point do you enter FIPS mode?

The above call should be routed through to the SHA1 implementation in the
validated module. It's not clear why not at this point.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

