Using des-cbc in 3.0

Dr Paul Dale pauli at openssl.org
Mon May 23 23:17:54 UTC 2022


Sam, it looks like you figured it out.

You don't need the "provider=legacy" in the EVP_CIPHER_fetch call; it 
will be found without this.


Pauli

On 24/5/22 08:38, Sam Varshavchik wrote:
> I'm looking for an example of using des-cbc in openssl 3.0, I think I 
> figured it out, but I'm not certain. I'm having trouble finding 
> documentation, and the best kind of documentation is, of course, code.
>
> I have existing code that uses EVP_des_cbc() followed by 
> EVP_EncryptInit_ex().
>
> It still compiles without issues, EVP_des_cbc() still works, then 
> EVP_EncryptInit_ex fails.
>
> I found 
> https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#Legacy-Algorithms
>
> It directs me to OSSL_PROVIDER-legacy(7), which talks about 
> EVP_CIPHER_fetch() and
>
> # … has this property defined:
> #
> #       "provider=legacy"
>
> I then see the following example in crypto(7):
>
> # EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "AES-128-CBC", NULL);
>
> so I tried:
>
> EVP_CIPHER *des=EVP_CIPHER_fetch(NULL, "DES-CBC", "provider=legacy");
>
> which got me a NULL. After reading some more, I call
>
> OSSL_PROVIDER_load(NULL, "legacy");
>
> up front. The next thing that happened is all my SSL_CTX_new 
> immediately exploded. So, then I also added an explicit call to
>
> OSSL_PROVIDER_load(NULL, "default");
>
> in addition to that one. This /seems/ to work, and everything else that 
> the code is doing, seems to work, but I don't feel like I'm on solid 
> footing.  Did I miss some important detail that's going to bite me in 
> the arse?
>


