On 24 May 2013 05:45, Matt Caswell <[email protected]> wrote: > On 24 May 2013 03:21, <[email protected]> wrote: >> Can one use HMAC through EVP? If so, can someone point me to an example? >> >> It seems that when the OpenSSL module is in FIPS mode, it doesn't like >> programs using HMAC_*() functions directly: >> >> "OpenSSL internal error, assertion failed: Low level API call to digest SHA1 >> forbidden in FIPS mode!" >> >> Thanks. >> > Yes you can. You use the sign/verify interface. See the following page > which includes info on MAC codes: > http://wiki.opensslfoundation.com/index.php/EVP_Signing_and_Verifying > > You need to use an EVP_PKEY type of EVP_PKEY_HMAC. See "Working with > EVP_PKEYs" on this page: > > http://wiki.opensslfoundation.com/index.php/EVP >
Just to clarify that answer a bit further - you must use EVP_DigestSign* for MAC support, not EVP_Sign*. Also verifying is slightly different (effectively you recalculate the MAC, and then check it rather than using EVP_DigestVerify*). There is an example on the page I linked to above. Matt ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
