Re: Using HMAC through EVP interface?
On Thu, May 23, 2013, no_spam...@yahoo.com wrote: > Can one use HMAC through EVP? If so, can someone point me to an example? > > It seems that when the OpenSSL module is in FIPS mode, it doesn't like > programs using HMAC_*() functions directly: > > "OpenSSL internal error, assertion failed: Low level API call to digest SHA1 > forbidden in FIPS mode!" > That shouldn't happen. The HMAC_* interface is used by the TLS code in FIPS mode so it does work. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Using HMAC through EVP interface?
Does this call not work in FIPS mode? unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, int n, unsigned char *md, unsigned int *md_len); On Fri, May 24, 2013 at 10:24 AM, Matt Caswell wrote: > On 24 May 2013 05:45, Matt Caswell wrote: > > On 24 May 2013 03:21, wrote: > >> Can one use HMAC through EVP? If so, can someone point me to an > example? > >> > >> It seems that when the OpenSSL module is in FIPS mode, it doesn't like > >> programs using HMAC_*() functions directly: > >> > >> "OpenSSL internal error, assertion failed: Low level API call to digest > SHA1 > >> forbidden in FIPS mode!" > >> > >> Thanks. > >> > > Yes you can. You use the sign/verify interface. See the following page > > which includes info on MAC codes: > > http://wiki.opensslfoundation.com/index.php/EVP_Signing_and_Verifying > > > > You need to use an EVP_PKEY type of EVP_PKEY_HMAC. See "Working with > > EVP_PKEYs" on this page: > > > > http://wiki.opensslfoundation.com/index.php/EVP > > > > Just to clarify that answer a bit further - you must use > EVP_DigestSign* for MAC support, not EVP_Sign*. Also verifying is > slightly different (effectively you recalculate the MAC, and then > check it rather than using EVP_DigestVerify*). There is an example on > the page I linked to above. > > Matt > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: Using HMAC through EVP interface?
On 24 May 2013 05:45, Matt Caswell wrote: > On 24 May 2013 03:21, wrote: >> Can one use HMAC through EVP? If so, can someone point me to an example? >> >> It seems that when the OpenSSL module is in FIPS mode, it doesn't like >> programs using HMAC_*() functions directly: >> >> "OpenSSL internal error, assertion failed: Low level API call to digest SHA1 >> forbidden in FIPS mode!" >> >> Thanks. >> > Yes you can. You use the sign/verify interface. See the following page > which includes info on MAC codes: > http://wiki.opensslfoundation.com/index.php/EVP_Signing_and_Verifying > > You need to use an EVP_PKEY type of EVP_PKEY_HMAC. See "Working with > EVP_PKEYs" on this page: > > http://wiki.opensslfoundation.com/index.php/EVP > Just to clarify that answer a bit further - you must use EVP_DigestSign* for MAC support, not EVP_Sign*. Also verifying is slightly different (effectively you recalculate the MAC, and then check it rather than using EVP_DigestVerify*). There is an example on the page I linked to above. Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Using HMAC through EVP interface?
On 24 May 2013 03:21, wrote: > Can one use HMAC through EVP? If so, can someone point me to an example? > > It seems that when the OpenSSL module is in FIPS mode, it doesn't like > programs using HMAC_*() functions directly: > > "OpenSSL internal error, assertion failed: Low level API call to digest SHA1 > forbidden in FIPS mode!" > > Thanks. > Yes you can. You use the sign/verify interface. See the following page which includes info on MAC codes: http://wiki.opensslfoundation.com/index.php/EVP_Signing_and_Verifying You need to use an EVP_PKEY type of EVP_PKEY_HMAC. See "Working with EVP_PKEYs" on this page: http://wiki.opensslfoundation.com/index.php/EVP Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Using HMAC through EVP interface?
Can one use HMAC through EVP? If so, can someone point me to an example? It seems that when the OpenSSL module is in FIPS mode, it doesn't like programs using HMAC_*() functions directly: "OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode!" Thanks.