Does this call not work in FIPS mode?
unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
int key_len, const unsigned char *d, int n,
unsigned char *md, unsigned int *md_len);
On Fri, May 24, 2013 at 10:24 AM, Matt Caswell <[email protected]> wrote:
> On 24 May 2013 05:45, Matt Caswell <[email protected]> wrote:
> > On 24 May 2013 03:21, <[email protected]> wrote:
> >> Can one use HMAC through EVP? If so, can someone point me to an
> example?
> >>
> >> It seems that when the OpenSSL module is in FIPS mode, it doesn't like
> >> programs using HMAC_*() functions directly:
> >>
> >> "OpenSSL internal error, assertion failed: Low level API call to digest
> SHA1
> >> forbidden in FIPS mode!"
> >>
> >> Thanks.
> >>
> > Yes you can. You use the sign/verify interface. See the following page
> > which includes info on MAC codes:
> > http://wiki.opensslfoundation.com/index.php/EVP_Signing_and_Verifying
> >
> > You need to use an EVP_PKEY type of EVP_PKEY_HMAC. See "Working with
> > EVP_PKEYs" on this page:
> >
> > http://wiki.opensslfoundation.com/index.php/EVP
> >
>
> Just to clarify that answer a bit further - you must use
> EVP_DigestSign* for MAC support, not EVP_Sign*. Also verifying is
> slightly different (effectively you recalculate the MAC, and then
> check it rather than using EVP_DigestVerify*). There is an example on
> the page I linked to above.
>
> Matt
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
>
