I'm cross-compiling it to run on ARM, so maybe that is the problem (although without FIPS everything is working fine).

First I compiled the FIPS object module (using the command './Configure linux-generic32 -Wall -fPIC'). Then I created a shared object of OpenSSL which uses fipscanister.o (compiling using fipsld). On startup, FIPS_mode_set(1) is called successfully.

I think that some of the functions which are implemented by the FIPS object module are actually not being called. For example, RSA_generate_key_ex, which I can see is implemented both in the FIPS object module and in OpenSSL.

When I call EVP_PKEY_keygen, what is the expected function flow until it gets to the FIPS object module implementation?

Currently, I see this flow (all in OpenSSL):
EVP_PKEY_keygen -> pkey_rsa_keygen -> RSA_generate_key_ex

Thanks,
Tal

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Sunday, January 20, 2013 6:04 PM
To: openssl-users@openssl.org
Subject: Re: Failure to generate RSA key in FIPS mode

On Sun, Jan 20, 2013, Oz, Tal (Tal) wrote:

> Hi,
>
> I'm using OpenSSL 1.0.1c linked with FIPS object module.
> On startup FIPS is enabled successfully (using FIPS_mode_set function).
>
> When I try to generate rsa key it failed with error 'non fips rsa method'.
> I tried calling both EVP API and rsa function directly (RSA_generate_key).
> I can see it failed in rsa_gen.c in function RSA_generate_key_ex()
> [snip]
> Anything I should do differently to make it work?
>

Well the openssl genrsa and genpkey commands do essentially the same and they work in FIPS mode. So I'd guess it's something wrong elsewhere, such as how your application is linked or how you enter FIPS mode?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org