<div dir="ltr"><div class="gmail_default" style="font-size:small"><span style="font-family:monospace,monospace">FYI, I played with "no-rsax" without "no-engine", and it works.<br><br></span></div><div class="gmail_default" style="font-size:small"><span style="font-family:monospace,monospace">Without RSAX, the engine is NULL, and the default method (in this case, FIPS) weren't getting overridden in RSA_new_method().<br><br></span></div><div class="gmail_default" style="font-size:small"><span style="font-family:monospace,monospace">I think I will go with this.<br></span></div><div class="gmail_default" style="font-size:small"><span style="font-family:monospace,monospace"><br></span></div><span style="font-family:monospace,monospace">Hong.</span><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 27, 2015 at 12:56 PM, Hong Cho <span dir="ltr"><<a href="mailto:hongcho@gmail.com" target="_blank">hongcho@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">Steve,<br><br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">Thank you for the response.<br><br>Here is what ENGINE_get_id() is saying.<br><br>------<span class=""><br>XXX RSA_new_method: ret->engine = 0x800e28100<br></span>XXX RSA_new_method: ENGINE_get_id(ret->engine) = rsax<span class=""><br>XXX RSA_new_method: ret->meth = 0x800b2ee40<br></span>------<br><br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">Hong.<br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 27, 2015 at 10:16 AM, Dr. Stephen Henson <span dir="ltr"><<a href="mailto:steve@openssl.org" target="_blank">steve@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>On Fri, Feb 27, 2015, Hong Cho wrote:<br>
<br>
> Hi,<br>
><br>
> I generated OpenSSL libcrypto (1.0.1l) with the OpenSSL FIPS crypto module<br>
> (2.0.8) on FreeBSD 8.4 amd64.<br>
><br>
> It seems to build fine, and with OPENSSL_FIPS, it seems to behave correctly<br>
> (e.g., MD5 is refused, DH with 512-bit key is refused, etc.).<br>
><br>
> However, genrsa(1) is failing with the following message.<br>
><br>
> ------<br>
> # /usr/bin/openssl genrsa -out rsa1 2048<br>
> Generating RSA private key, 2048 bit long modulus<br>
> 34374116264:error:0409B09D:rsa routines:RSA_generate_key_ex:non fips rsa<br>
> method:[...]/openssl/crypto/rsa/rsa_gen.c:88:<br>
> ------<br>
><br>
> So, I put some debugging printf's, and this is what I found.<br>
><br>
> ------<br>
> # /usr/bin/openssl genrsa -out rsa1 2048<br>
> XXX MAIN: engine = 0x0<br>
> Generating RSA private key, 2048 bit long modulus<br>
> XXX MAIN: e = 0x0<br>
> XXX RSA_get_default_method: returning FIPS_rsa_pkcs1_ssleay()<br>
> XXX RSA_new_method: ret->meth = 0x800b4a7e0<br>
> XXX RSA_new_method: engine = 0x0<br>
> XXX RSA_new_method: ret->engine = 0x800e28100<br>
> XXX RSA_new_method: ret->meth = 0x800b2ee40<br>
> XXX MAIN: rsa->meth = 0x800b2ee40<br>
> XXX RSA_generate_key_ex: rsa->meth = 0x800b2ee40<br>
> 34374116264:error:0409B09D:rsa routines:RSA_generate_key_ex:non fips rsa<br>
> method:/usr/home/hongch/ns_depot/TOT/usr.src/crypto/openssl/crypto/rsa/rsa_gen.c:88:<br>
> ------<br>
><br>
</div></div>> ???So, it seems like the FIPS RSA_METHOD gets overridden by the default<br>
<span>> ENGINE (the machine does not have any hardware crypto module), which does<br>
</span>> not have??? the RSA_FLAG_FIPS_METHOD flag set.<br>
<span>><br>
> I understand that I can rebuild the library with "./config no-engine", but<br>
> I haven't seen this mentioned in the FIPS guide.<br>
><br>
> Is this the right way to do it? Or can the interaction between FIPS and<br>
> (the default) ENGINE be better?<br>
><br>
<br>
</span>Can you work out which ENGINE it is that is doing that? If you print out<br>
ENGINE_get_id(engine) that will show it. I'm guessing it's the cryptodev<br>
ENGINE?<br>
<br>
Using no-engine is the only way I can immediately think of to address this<br>
without modifying OpenSSL or making some API calls to disable the ENGINE.<br>
<br>
Steve.<br>
--<br>
Dr Stephen N. Henson. OpenSSL project core developer.<br>
Commercial tech support now available see: <a href="http://www.openssl.org" target="_blank">http://www.openssl.org</a><br>
_______________________________________________<br>
openssl-dev mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-dev" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-dev</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>