legacy cipher algorithm EVP_rc2_cbc() not working in fips mode #21577
-
|
EVP_CipherInit_ex(ctx, EVP_rc2_cbc() , NULL, NULL, NULL, false) is not working once we set fips as default provider by setting Though we need to use EVP_rc2_cbc for a operation in fips mode as well. What is the recommended solution for this issue ? I tried using EVP_CIPHER_fetch(NULL,"RC2_CBC","legacy") but it didn't work for me . Please suggest. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
RC2-CBC is not FIPS approved so you cannot use it in application functionality that needs to conform to FIPS standards. If the part of your application wanting to use RC2-CBC does not need to operate to FIPS standards then you should review the information provided on this manual page: In particular take a look at the section "Loading the FIPS module at the same time as other providers". In order to use the "RC2-CBC" algorithm you will need to load the legacy provider. You can either do that in config or programmatically using the https://www.openssl.org/docs/man3.1/man3/OSSL_PROVIDER_load.html An alternative to loading the fips provider and the legacy provider at the same time in the same library context is to use two different library contexts. For example you could use the default (i.e. NULL) library context for just the fips provider, and then a custom library context with the legacy provider loaded in it. Most places you can just use the default library context. Locations where you don't care about FIPS compliance then you can use your custom library context.
The name of the algorithm is "RC2-CBC" (not "RC2_CBC"). If the legacy provider has been loaded then the property query string you want to use is "provider=legacy", i.e. Obviously, if you were to go the custom library context route then replace |
Beta Was this translation helpful? Give feedback.
-
|
Hi @mattcaswell Thanks for your suggestion. I will look to try different options suggested by you . In meantime can you please guid me to a document for getting the correct algorithm name. |
Beta Was this translation helpful? Give feedback.
-
|
The fetch should be: EVP_CIPHER_fetch(NULL, "RC2-CBC", "provider=legacy,-fips");or just: EVP_CIPHER_fetch(NULL, "RC2-CBC", "-fips");The global property query that |
Beta Was this translation helpful? Give feedback.
-
The algorithms that any particular provider supplies are listed on the man page for that provider. Here's the one for the legacy provider: https://www.openssl.org/docs/man3.1/man7/OSSL_PROVIDER-legacy.html From there you will see links to further man pages for each algorithm. Here's the one for RC2: https://www.openssl.org/docs/man3.1/man7/EVP_CIPHER-RC2.html On that page you will see all the names listed for all the different variants of RC2. |
Beta Was this translation helpful? Give feedback.
The fetch should be:
or just:
The global property query that
EVP_default_properties_enable_fips(NULL,1)sets up needs to be overridden.