wolfSSL/wolfProvider

AES_CFB cipher algorithm not provided to OpenSSL

Closed this issue · 5 comments

Hello,

I have a case where I am using the AES_CFB algorithm to encrypt strings. When I use the default OpenSSL provider, this works as expected. But when I use wolfprovider with wolfssl (which has the AES_CFB algorithm), this fails with the missing algorithm.

So when I checked what is going on, I found out that this provider doesn't expose the algorithm from wolfcrypt to OpenSSL.

Hello @adrianjarc

I have requested a review of this issue by our engineers. Could you tell us a bit about your project using wolfSSL?

Thanks,
Eric

@embhorn thanks for the fast response and action.

So because the product is proprietary I can’t tell a lot about it, but the gist is that we want it to be able to run in 2 different modes. Non-FIPS and FIPS140-3 certified modes. So with some investigation and testing we came to the conclusion that it will be easiest to use OpenSSL (because it was already used) with the default provider in non-FIPS mode, and for FIPS mode we would use your soon to be FIPS140-3 certified WolfCrypt module with WolfProvider for OpenSSL 3.0.12.

So we have successfully gotten WolfCrypt compiled in fips mode, added WolfProvider and then started testing existing functionalities. Some have failed. One of them used this encryption algorithm. And with this functionality we have been able to already see what the problem is and why it fails (we also implemented a workaround where instead of calling OpenSSL APIs we directly use WolfSSL and it works (in code but it still fails via CLI)).

We also have an issue with CSR and Self-Signed Certificate creation, but have not yet figured out why that fails, because in this case OpenSSL returns error “Library OK” but fails to create CSR or certificate, so if your engineers also have time to look into that, that would be wonderful. (For this one we also found a workaround with directly calling WolfCrypt API but this only solves the problem in code. It still doesn’t work via CLI).

Also to add we have a custom build of WolfCrypt which is compiled with flag: --fips=v5.

Hi @adrianjarc

Excellent, thanks for these details. Could you please send an email to support@wolfssl.com mentioning this issue? I can help you from there to create a formal feature request.

Hi @embhorn,

I have sent an email. But I will probably be unresponsive until Monday.

Thank you.

@adrianjarc Thanks! I'll close out this github issue and handle this in the support ticket.
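A way to confirm the gap reported at the top of this thread, added here as an example and not taken from the issue or from wolfProvider: the script parses the output of `openssl list -cipher-algorithms` and reports which loaded providers expose a given cipher. The embedded listing is constructed, and the provider name `libwolfprov` is an assumption.

```shell
#!/bin/sh
# Added example. Reads `openssl list -cipher-algorithms` output on stdin and
# prints the providers that expose the cipher NAME, one per line.
providers_for_cipher() {
    awk -v want="$1" '
        /^Provided:/ { provided = 1; next }
        /^[^ \t]/    { provided = 0 }   # any other section, e.g. "Legacy:"
        provided && / @ / {
            split($0, halves, " @ ")
            names = halves[1]; prov = halves[2]
            gsub(/[{} \t]/, "", names)  # "{ oid, NAME, alias }" -> "oid,NAME,alias"
            gsub(/[ \t]/, "", prov)
            m = split(names, list, ",")
            for (i = 1; i <= m; i++)
                if (toupper(list[i]) == toupper(want)) print prov
        }
    ' | sort -u
}

# Succeeds when PROVIDER does not expose NAME in the listing on stdin.
cipher_missing_from() {
    ! providers_for_cipher "$2" | grep -qx "$1"
}

# Constructed sample listing (not captured from a real system). The "Legacy:"
# entry must not count: it names the cipher but says nothing about providers.
sample_listing() {
cat <<'EOF'
Legacy:
  AES-128-CFB
Provided:
  { 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } @ default
  { 2.16.840.1.101.3.4.1.4, AES-128-CFB } @ default
  { 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } @ libwolfprov
EOF
}

if sample_listing | cipher_missing_from libwolfprov AES-128-CFB; then
    echo "AES-128-CFB: not exposed by libwolfprov, exposed by:" \
         "$(sample_listing | providers_for_cipher AES-128-CFB)"
fi
```

On a real system, replace `sample_listing` with `openssl list -cipher-algorithms -provider default -provider <name>`, where `<name>` is whatever `openssl list -providers` reports for the wolfProvider build.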