On Wed, Apr 24, 2013, Cipher wrote:

> Hi,
>
> I compiled and installed FIPS capable OPENSSL 1.0.1c and OPENSSH 6.1p1 with
> FIPS.
> While debugging I found that SSH fails for *ctr* mode of cipher operation.
> Here is what I get when I connect using aes256-ctr or aes128-cbc
>
>
> FIPS mode initialized
> debug1: inetd sockets after dupping: 3, 3
> Connection from 127.0.0.1 port 51395
> debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1 Debian-6+squeeze1
> debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH_5*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.1
> debug1: permanently_set_uid: 101/65534 [preauth]
> debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
> debug1: SSH2_MSG_KEXINIT sent [preauth]
> debug1: SSH2_MSG_KEXINIT received [preauth]
> debug1: kex: client->server aes256-ctr hmac-sha1 none [preauth]
> debug1: kex: server->client aes256-ctr hmac-sha1 none [preauth]
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
> aes_misc.c(73): OpenSSL internal error, assertion failed: Low level API call to cipher AES forbidden in FIPS mode!
> debug1: do_cleanup
>
> This issue doesn't happen with aes128-cbc. What is wrong here?
>
> aes_misc(73) :
> #ifdef OPENSSL_FIPS
>     fips_cipher_abort(AES);
> #endif
>

I've seen this before and it was caused by the code manually implementing ctr
mode instead of using EVP. If you change it to use the corresponding EVP
ciphers for CTR mode it should work.

Specifically the three entries for evp_aes_128_ctr should be changed to
EVP_aes_128_ctr, EVP_aes_192_ctr and EVP_aes_256_ctr respectively.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
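
An added example, not part of the thread and not OpenSSH or OpenSSL code: a source audit that lists call sites of the low-level AES API so they can be moved to EVP ciphers such as EVP_aes_256_ctr before a FIPS build. The AES_* names are the real ones from <openssl/aes.h>; the function names scan_lowlevel_aes, count_lowlevel_aes and make_sample, and the two sample files, are constructed for illustration.

```shell
#!/bin/sh
# Added example: find low-level AES calls that should go through EVP instead.
# Low-level entry points declared in <openssl/aes.h> (OpenSSL 1.0.1).
LOWLEVEL_AES='AES_(set_encrypt_key|set_decrypt_key|encrypt|decrypt|ecb_encrypt|cbc_encrypt|cfb128_encrypt|ofb128_encrypt|ctr128_encrypt)'

# Print file:line:text for every low-level AES call in *.c / *.h under DIR.
# The leading character class stops longer identifiers that merely end in one
# of these names from matching. Comments are not stripped, so review the hits.
scan_lowlevel_aes() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE "(^|[^A-Za-z0-9_])${LOWLEVEL_AES}[[:space:]]*\(" /dev/null {} + |
        sort
}

# Number of call sites found under DIR.
count_lowlevel_aes() {
    scan_lowlevel_aes "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one file with a hand-rolled CTR keystream built on
# the low-level API, one file that selects the cipher through EVP.
make_sample() {
    cat > "$1/ctr_manual.c" <<'EOF'
#include <openssl/aes.h>
static AES_KEY key;
void ctr_init(const unsigned char *k) { AES_set_encrypt_key(k, 256, &key); }
void ctr_block(unsigned char *ctr, unsigned char *out) { AES_encrypt(ctr, out, &key); }
EOF
    cat > "$1/ctr_evp.c" <<'EOF'
#include <openssl/evp.h>
const EVP_CIPHER *pick_ctr(void) { return EVP_aes_256_ctr(); }
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
scan_lowlevel_aes "$demo_dir"
echo "low-level AES call sites: $(count_lowlevel_aes "$demo_dir")"
rm -rf "$demo_dir"
```
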