I am experimenting with the OpenSSL FIPS Module 2.0, but am encountering some
difficulty.

I need to perform some RC4 calculations in code that does not need to be FIPS
compliant, even though I want all FIPS ciphers to be performed in FIPS mode.

I'm trying to use the EVP_CIPH_FLAG_NON_FIPS_ALLOW flag, but no matter what I
do it is ignored. If I set the flag via

    EVP_CIPHER_CTX_set_flags(&m_ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);

then calling

    EVP_CipherInit(&m_ctx, EVP_rc4(), NULL, NULL, 1);

first wipes out my context via the following in evp_enc.c:

    int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                       const unsigned char *key, const unsigned char *iv, int enc)
    {
        if (cipher)
            EVP_CIPHER_CTX_init(ctx);
        return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
    }

Even if I use the _ex version to avoid this

    EVP_CipherInit_ex(&m_ctx, EVP_rc4(), NULL, NULL, NULL, 1);

then the following code in evp_enc.c / EVP_CipherInit_ex() also ends up wiping
the flags out:

    if (cipher)
    {
        /* Ensure a context left lying around from last time is cleared
         * (the previous check attempted to avoid this if the same
         * ENGINE and EVP_CIPHER could be used). */
        EVP_CIPHER_CTX_cleanup(ctx);

Since all paths seem to cause the code to wipe out my
EVP_CIPH_FLAG_NON_FIPS_ALLOW flags setting before the call to
FIPS_cipherinit(ctx, cipher, key, iv, enc) gets a chance to test it in order to
allow it, what is the proper mechanism for creating an EVP_CIPHER usage that
will be allowed in FIPS mode?

Thanks,
Erik
....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development
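
A reduced C model of the call order described in the message above, added here as an illustration (it is not code from the original post or from OpenSSL). All type, flag and function names are constructed stand-ins, and init_keep_flags is a hypothetical variant that carries caller-set flags across the cleanup so the FIPS gate can still see the opt-in.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins: names and values are hypothetical, not OpenSSL's. */
#define FLAG_FIPS           0x1UL /* cipher is FIPS-approved */
#define FLAG_NON_FIPS_ALLOW 0x2UL /* context opts in to a non-FIPS cipher */
typedef struct { unsigned long flags; } cipher_t;
typedef struct { const cipher_t *cipher; unsigned long flags; } ctx_t;
typedef int (*init_fn)(ctx_t *, const cipher_t *);
static const cipher_t RC4 = { 0 }, AES = { FLAG_FIPS };

/* Init and cleanup both zero the whole context, flags included. */
static void ctx_reset(ctx_t *c) { memset(c, 0, sizeof *c); }
/* FIPS gate: a non-approved cipher needs the opt-in flag on the context. */
static int fips_gate(ctx_t *c, const cipher_t *ciph) {
    if (!(ciph->flags & FLAG_FIPS) && !(c->flags & FLAG_NON_FIPS_ALLOW))
        return 0; /* refused */
    c->cipher = ciph;
    return 1;
}
/* _ex path as described in the message: cleanup runs before the gate. */
static int init_ex(ctx_t *c, const cipher_t *ciph) {
    if (ciph) ctx_reset(c);
    return fips_gate(c, ciph);
}
/* Non-_ex wrapper: re-initialises the context, then takes the _ex path. */
static int init_plain(ctx_t *c, const cipher_t *ciph) {
    if (ciph) ctx_reset(c);
    return init_ex(c, ciph);
}
/* Hypothetical variant: caller-set flags survive the cleanup. */
static int init_keep_flags(ctx_t *c, const cipher_t *ciph) {
    unsigned long saved = c->flags;
    if (ciph) ctx_reset(c);
    c->flags = saved;
    return fips_gate(c, ciph);
}
/* Set the opt-in flag first, then initialise through the chosen path. */
static int try_init(init_fn init, const cipher_t *ciph) {
    ctx_t c;
    ctx_reset(&c);
    c.flags |= FLAG_NON_FIPS_ALLOW;
    return init(&c, ciph);
}

int main(void) {
    printf("rc4: plain=%d ex=%d keep=%d  aes: ex=%d\n",
           try_init(init_plain, &RC4), try_init(init_ex, &RC4),
           try_init(init_keep_flags, &RC4), try_init(init_ex, &AES));
    return 0;
}
```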