EVP_enc_null() and the FIPS provider
Matt Caswell
matt at openssl.org
Mon Feb 20 09:50:25 UTC 2023
On 18/02/2023 00:09, Thomas Dwyer III wrote:
> I cannot find any documentation to confirm this but my testing seems to
> indicate that the null cipher returned by EVP_enc_null() does not work
> with the FIPS provider. Specifically:
>
> #include <stdio.h>
> #include <stdlib.h>      /* for exit() */
> #include <openssl/evp.h>
>
> int
> main(int argc, char **argv)
> {
>     int rc;
>     EVP_CIPHER_CTX *ctx;
>     unsigned char iv[1] = {0};
>
>     ctx = EVP_CIPHER_CTX_new();
>     if (ctx == NULL) {
>         fprintf(stderr, "EVP_CIPHER_CTX_new() failed\n");
>         exit(1);
>     }
>
>     /* Initialise the legacy NULL cipher for encryption (enc = 1).
>      * Returns 1 on success, 0 if no loaded provider offers "NULL". */
>     rc = EVP_CipherInit(ctx, EVP_enc_null(), NULL, iv, 1);
>     printf("EVP_CipherInit() = %d\n", rc);
>
>     EVP_CIPHER_CTX_free(ctx);
>     exit(rc);
> }
>
>
> EVP_CipherInit() returns 1 with the default provider but 0 with the
> FIPS+base providers. This is a behavior change from OpenSSL 1.0.2 and
> the FIPS Object Module where the null cipher still works after calling
> FIPS_mode_set(1); Is this change intentional? If so, is it documented
> somewhere and I just missed it?
This is correct: the NULL cipher is only available in the default
provider. Unsurprisingly the NULL cipher is not FIPS approved, which is
why it doesn't exist there.
This actually looks like a documentation problem. The list of ciphers
available in the default and fips providers is documented here:
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-default.html
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-FIPS.html
But the list is incomplete for the default provider, since it makes no
mention of the NULL cipher (which it should do). I've raised an issue
for that:
https://github.com/openssl/openssl/issues/20340
Matt
>
>
> Thanks,
> Tom.III
>