EVP_enc_null() and the FIPS provider
Thomas Dwyer III
thomas.dwyer at oracle.com
Sat Feb 18 00:09:12 UTC 2023
I cannot find any documentation to confirm this but my testing seems to
indicate that the null cipher returned by EVP_enc_null() does not work
with the FIPS provider. Specifically:
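
    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/evp.h>

    int
    main(int argc, char **argv)
    {
        int rc;
        EVP_CIPHER_CTX *ctx;
        unsigned char iv[1] = {0};

        ctx = EVP_CIPHER_CTX_new();
        if (ctx == NULL) {
            fprintf(stderr, "EVP_CIPHER_CTX_new() failed\n");
            exit(1);
        }

        /* Initialise for encryption (enc = 1) with the null cipher and no key. */
        rc = EVP_CipherInit(ctx, EVP_enc_null(), NULL, iv, 1);
        printf("EVP_CipherInit() = %d\n", rc);

        EVP_CIPHER_CTX_free(ctx);

        /* Exit status mirrors the return value: 1 on success, 0 on failure. */
        exit(rc);
    }
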
EVP_CipherInit() returns 1 with the default provider but 0 with the
FIPS+base providers. This is a behavior change from OpenSSL 1.0.2 and
the FIPS Object Module where the null cipher still works after calling
FIPS_mode_set(1). Is this change intentional? If so, is it documented
somewhere and I just missed it?
Thanks,
Tom.III