Just go get source code for RC4 and call it directly when you need RC4.

    --David


On 2/10/2012 6:39 AM, Erik Tkal wrote:

I am experimenting with the OpenSSL FIPS Module 2.0, but am encountering some difficulty.

I need to perform some RC4 calculations in code that does not need to be FIPS compliant, even though I want all FIPS ciphers to be performed in FIPS mode.

I'm trying to use the EVP_CIPH_FLAG_NON_FIPS_ALLOW flag, but no matter what I do it is ignored. If I set the flag via

  EVP_CIPHER_CTX_set_flags(&m_ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);

then calling

  EVP_CipherInit(&m_ctx, EVP_rc4(), NULL, NULL, 1);

first wipes out my context via the following in evp_enc.c:

  int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
           const unsigned char *key, const unsigned char *iv, int enc)
      {
      if (cipher)
            EVP_CIPHER_CTX_init(ctx);
      return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
      }

Even if I use the _ex version to avoid this

  EVP_CipherInit_ex(&m_ctx, EVP_rc4(), NULL, NULL, NULL, 1);

then the following code in evp_enc.c / EVP_CipherInit_ex() also ends up wiping the flags out:

      if (cipher)
            {
            /* Ensure a context left lying around from last time is cleared
             * (the previous check attempted to avoid this if the same
             * ENGINE and EVP_CIPHER could be used). */
            EVP_CIPHER_CTX_cleanup(ctx);

Since all paths seem to cause the code to wipe out my EVP_CIPH_FLAG_NON_FIPS_ALLOW flags setting before the call to FIPS_cipherinit(ctx, cipher, key, iv, enc) gets a chance to test it in order to allow it, what is the proper mechanism for creating an EVP_CIPHER usage that will be allowed in FIPS mode?

  Thanks,

  Erik

....................................

Erik Tkal

Juniper OAC/UAC/Pulse Development
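
The approach suggested in the reply at the top of this message, as an added example (not code from the thread or from OpenSSL): a standalone RC4 that never goes through the EVP layer, so the FIPS-mode gate on EVP_CipherInit is not involved. The names rc4_state, rc4_init, rc4_crypt and rc4_selftest are hypothetical; the self-test uses the widely published vector for key "Key" and plaintext "Plaintext".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical standalone RC4 state: permutation S plus the two indices. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_state;

/* Key scheduling (KSA). keylen must be 1..256; returns 0 on success, -1 on bad input. */
int rc4_init(rc4_state *st, const uint8_t *key, size_t keylen)
{
    if (st == NULL || key == NULL || keylen == 0 || keylen > 256)
        return -1;
    for (int n = 0; n < 256; n++)
        st->S[n] = (uint8_t)n;
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + st->S[n] + key[(size_t)n % keylen]);
        uint8_t t = st->S[n]; st->S[n] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
    return 0;
}

/* Keystream generation (PRGA) XORed over in -> out; in == out is allowed. */
void rc4_crypt(rc4_state *st, const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->S[st->i]);
        uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
        out[n] = in[n] ^ st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
    }
}

/* Known-answer test: returns 0 if the output matches the published vector. */
int rc4_selftest(void)
{
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t buf[9];
    rc4_state st;
    if (rc4_init(&st, (const uint8_t *)"Key", 3) != 0)
        return -1;
    rc4_crypt(&st, (const uint8_t *)"Plaintext", buf, sizeof buf);
    return memcmp(buf, expect, sizeof expect) == 0 ? 0 : -1;
}

int main(void)
{
    int rc = rc4_selftest();
    printf("RC4 self-test: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc != 0;
}
```

Code like this sits outside the validated module boundary, which matches the stated requirement that these RC4 calculations do not need to be FIPS compliant.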
