I am experimenting with the OpenSSL FIPS Module 2.0, but am encountering some difficulty.
I need to perform some RC4 calculations in code that does not need to be FIPS compliant, even though I want all FIPS ciphers to be performed in FIPS mode. I'm trying to use the EVP_CIPH_FLAG_NON_FIPS_ALLOW flag, but no matter what I do it is ignored.

If I set the flag via

    EVP_CIPHER_CTX_set_flags(&m_ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);

then calling

    EVP_CipherInit(&m_ctx, EVP_rc4(), NULL, NULL, 1);

first wipes out my context via the following in evp_enc.c:

    int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                       const unsigned char *key, const unsigned char *iv, int enc)
    {
        if (cipher)
            EVP_CIPHER_CTX_init(ctx);
        return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
    }

Even if I use the _ex version to avoid this

    EVP_CipherInit_ex(&m_ctx, EVP_rc4(), NULL, NULL, NULL, 1);

then the following code in evp_enc.c / EVP_CipherInit_ex() also ends up wiping the flags out:

    if (cipher)
    {
        /* Ensure a context left lying around from last time is cleared
         * (the previous check attempted to avoid this if the same
         * ENGINE and EVP_CIPHER could be used).
         */
        EVP_CIPHER_CTX_cleanup(ctx);

Since all paths seem to cause the code to wipe out my EVP_CIPH_FLAG_NON_FIPS_ALLOW flags setting before the call to FIPS_cipherinit(ctx, cipher, key, iv, enc) gets a chance to test it in order to allow it, what is the proper mechanism for creating an EVP_CIPHER usage that will be allowed in FIPS mode?

Thanks,

Erik

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development