legacy cipher algorithm EVP_rc2_cbc() not working in fips mode #21577
EVP_CipherInit_ex(ctx, EVP_rc2_cbc(), NULL, NULL, NULL, false) is not working once we set fips as the default provider by setting. Though we need to use EVP_rc2_cbc for an operation in fips mode as well. What is the recommended solution for this issue? I tried using EVP_CIPHER_fetch(NULL,"RC2_CBC","legacy") but it didn't work for me. Please suggest.
Replies: 1 comment 3 replies
RC2-CBC is not FIPS approved, so you cannot use it in application functionality that needs to conform to FIPS standards. If the part of your application wanting to use RC2-CBC does not need to operate to FIPS standards, then you should review the information provided on this manual page: In particular, take a look at the section "Loading the FIPS module at the same time as other providers".

In order to use the "RC2-CBC" algorithm you will need to load the legacy provider. You can do that either in config or programmatically using OSSL_PROVIDER_load() (https://www.openssl.org/docs/man3.1/man3/OSSL_PROVIDER_load.html).

An alternative to loading the fips provider and the legacy provider at the same time in the same library context is to use two different library contexts. For example, you could use the default (i.e. NULL) library context for just the fips provider, and then a custom library context with the legacy provider loaded in it. In most places you can just use the default library context; in locations where you don't care about FIPS compliance you can use your custom library context.
The name of the algorithm is "RC2-CBC" (not "RC2_CBC"). If the legacy provider has been loaded then the property query string you want to use is "provider=legacy", i.e.
Obviously, if you were to go the custom library context route, then replace
The fetch should be:
or just:
The global property query that EVP_default_properties_enable_fips(NULL,1) sets up needs to be overridden.