Hi
Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when
the dialog box was displayed, and that's how I got the call stack.
if (x->ex_flags & EXFLAG_SET)
return;
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
I inspected the values in x509v3_cache_extensions() - the code above is from
the beginning of it - and the test fails, so we drop down into the digest call.
glen
-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Dr.
Stephen Henson
Sent: Thursday, March 24, 2016 1:36 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1
forbidden in FIPS mode - within openssl code
On Wed, Mar 23, 2016, Glen Matthews wrote:
> Hi
>
> Right, sorry about the wrong posting - and thanks.
>
> The message is correct - we got this in the 1.0.2f tree and are still getting
> in in the 1.0.2g tree.
>
> I notice that in crypto\x509v3\v3_purp.c there is this:
>
> if (x->ex_flags & EXFLAG_SET)
> return;
> #ifndef OPENSSL_NO_SHA
> X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif
>
> We haven't disabled SHA1 because we need it for our ssh implementation. From
> what I've been reading, the code should not be calling with EVP_sha1().
>
Is this a standard OpenSSL build or has it been modified in some way?
At what point do you enter FIPS mode?
The above call should be routed through to the SHA1 implementation in the
validated module. It's not clear why not at this point.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
