A recent change added RAND_cleanup calls to both the startup and shutdown macros for the applications:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f25c3c05428705b71950fd390a4b712baceb5fcc I'm having trouble running applications that use random numbers (i.e. openssl genrsa) in FIPS mode. What I'm seeing is that OPENSSL_init instantiates the FIPS DRBG, but the call to RAND_cleanup uninstantiates it, before it is used to generate the key. I get the following error: Generating RSA private key, 1024 bit long modulus 1212967048:error:2D07107E:FIPS routines:FIPS_drbg_generate:not instantiated:../../../../scc_lib/openssl-fips-ecp-2.0/fips/rand/fips_drbg_lib.c:459: 1212967048:error:04081003:rsa routines:RSA_BUILTIN_KEYGEN:BN lib:../../../../scc_lib/openssl-fips-ecp-2.0/crypto/rsa/rsa_gen.c:338: I should mention that our FIPS implementation uses the FIPS 2.0 module as a base, but that we have modified how FIPS mode is activated. Also, we are using a newer version of the sources than the validated module uses. I'm wondering if the addition of the call to the shutdown branch was a mistake. Should it, perhaps, have been added to the engine and non-engine startup branches? I don't see the purpose of a RAND_cleanup call during application start-up. Steve Koehler Principal Engineer McAfee, Inc. 2340 Energy Park Drive Saint Paul, MN 55108 Direct: 651.628.1635 Web: www.mcafee.com<http://www.mcafee.com> The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any review, dissemination, distribution or copying is strictly prohibited. If you have received this email message in error, please notify the sender by reply email and delete the message and any attachments.
