Thanks for the reply. Appreciated. I have a couple of questions which are bothering me.

These are the steps I followed to build the fips. The place where I download: ftp://ftp.openssl.org/snapshot/

1) Download openssl-fips-test-1.2.0.tar.gz, build it with the ./config fips option to generate fipsld, fipscanister, etc., and downloaded the latest openssl-0.9.8-fips-test-SNAP-20080813.tar.gz to build the fips capable openssl libcrypto and libssl. Are these steps right, which I followed through the README?

2) I tried checking the PEM_ASN1_write_bio and even the PEM_read_bio, which also uses EVP_md5() internally in 0.9.7. In which of the 0.9.7 fips capable distributions did you mention that it uses EVP_sha1() internally? I could not find it, can you please point me to that? Is there a test website where I can download bits for 0.9.8 which has EVP_sha1() implemented?

3) Lastly, all the PEM_write_bio_* routines point to this function PEM_ASN1_write_bio, which uses md5() internally. Will this change to sha1() in the coming releases of 0.9.8 to support fips?

Thanks,
Justin

--- On Wed, 8/13/08, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:

From: Dr. Stephen Henson <[EMAIL PROTECTED]>
Subject: Re: fips issue with PEM_write_bio_RSAPrivateKey
To: openssl-users@openssl.org
Date: Wednesday, August 13, 2008, 3:28 AM

On Tue, Aug 12, 2008, Justin A wrote:

> Hi,
>
> When fips mode is enabled I am running into an issue with this call in my code
>
> 1)
> Issue:-
> ---------------------
> PEM_write_bio_RSAPrivateKey(priv_bp, key, EVP_des_ede3_cbc(), NULL, NULL, some_cb, NULL)
>
> When I checked the code, it in turn points to
>
> int
> PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
>                    char *x, const EVP_CIPHER *enc, unsigned char *kstr,
>                    int klen, pem_password_cb *callback, void *u)
>
> The source where I extracted from is
> cvs -d [EMAIL PROTECTED]:/openssl-cvs co -r OpenSSL-fips-0_9_8-stable openssl
>
> 2)
> In this implementation internally it's using EVP_md5() which is not supported by FIPS.
>
> So is there a patch for this one..?
> or a different API which I could use, which is FIPS compliant.
>

OpenSSL 0.9.8 does not support FIPS mode. The validated 0.9.7 source and the (hopefully) soon to be validated 0.9.8-fips source in FIPS mode redirect such calls automatically to PEM_write_bio_PKCS8PrivateKey() which uses SHA1 for key derivation.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
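
The distinction discussed in this thread, as an added example that is not from either poster or from the OpenSSL project: a Python check that tells a traditional encrypted PEM key (Proc-Type/DEK-Info headers, key derived with MD5 through EVP_BytesToKey) from a PKCS#8 one, and reproduces that MD5 derivation. The function names and both sample keys are constructed for illustration; the base64 bodies are placeholders, not real keys.

```python
import hashlib
import re

def legacy_pem_kdf(password: bytes, iv: bytes, key_len: int) -> bytes:
    """EVP_BytesToKey as traditional PEM encryption uses it: MD5, one
    iteration, salt = first 8 bytes of the DEK-Info IV."""
    salt, block, out = iv[:8], b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + password + salt).digest()
        out += block
    return out[:key_len]

def classify_pem_key(pem: str) -> dict:
    """Report the container format and whether decrypting needs the MD5 KDF."""
    m = re.search(r"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----", pem)
    if m is None:
        return {"format": "unknown", "md5_kdf": False}
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the KDF is named inside the ASN.1 body, not in a PEM header.
        return {"format": "pkcs8-encrypted", "md5_kdf": False}
    if label == "PRIVATE KEY":
        return {"format": "pkcs8-plain", "md5_kdf": False}
    dek = re.search(r"^DEK-Info: *([A-Za-z0-9-]+),([0-9A-Fa-f]+)\s*$", pem, re.M)
    if "Proc-Type: 4,ENCRYPTED" in pem and dek:
        return {"format": "traditional-encrypted", "md5_kdf": True,
                "cipher": dek.group(1), "iv": bytes.fromhex(dek.group(2))}
    return {"format": "traditional-plain", "md5_kdf": False}

# Constructed samples: headers are realistic, bodies are placeholders.
TRADITIONAL = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAA
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in (("traditional", TRADITIONAL), ("pkcs8", PKCS8)):
        print(name, classify_pem_key(pem))
    info = classify_pem_key(TRADITIONAL)
    # 24 bytes = 3DES key length for the DES-EDE3-CBC cipher in the header
    print(legacy_pem_kdf(b"example-passphrase", info["iv"], 24).hex())
```
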