[openssl-users] force to use /dev/random for openssl fips module

Ethan Rahn ethan.rahn at gmail.com
Thu Dec 10 21:06:00 UTC 2015


xxiao,

Have you changed the code to also increase the timeout and not try to use
other devices to get entropy? If /dev/random is blocking at the time, it
may run into issues trying to look for other sources of entropy rather than
giving up.

On Tue, Dec 8, 2015 at 8:25 PM, xxiao8 <xxiao8 at fosiao.com> wrote:

> I don't know how critical is the DEVRANDOM for openssl-fips, in e_os.h I
> saw this:
> ----
> #define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
> ----
> we have a hardware RNG that is feeding /dev/random via:
> ----
> /sbin/rngd -r /dev/hwrng -W 4000
> ----
> so the /dev/random will never block. I thus changed e_os.h to force usage
> of /dev/random (per our fips code reviewer's request, who thinks I need
> to change that for fips):
> ----
> #define DEVRANDOM "/dev/random"
> ----
> This looks fine, however I don't know if it's really the right thing to
> do. After this change my system starts to have issues (silent reboot);
> changing this line back, everything runs normally.
>
> Any help is appreciated.
>
> xxiao
>
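
The behaviour the reply asks about (a bounded wait on each entropy device, then moving on to the next entry in the list) can be sketched as follows. This is an added example, not code from the thread or from OpenSSL; the function names `read_bounded` and `gather`, the 32-byte target and the 100 ms timeout are assumptions made for illustration.

```c
/* Added illustration, not OpenSSL source. Names, NEED and timeouts are assumed. */
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

#define NEED 32  /* bytes of seed material wanted (assumed value) */

/* Read up to `need` bytes from fd, waiting at most timeout_ms for each chunk.
 * Returns the number of bytes obtained (0 if the source stayed blocked). */
static size_t read_bounded(int fd, unsigned char *buf, size_t need, int timeout_ms)
{
    size_t got = 0;
    while (got < need) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        if (poll(&p, 1, timeout_ms) <= 0 || !(p.revents & POLLIN))
            break;                      /* timed out or error: stop waiting */
        ssize_t r = read(fd, buf + got, need - got);
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    return got;
}

/* Walk the device list in order until `need` bytes have been collected. */
static size_t gather(const char *const *devs, size_t ndevs,
                     unsigned char *buf, size_t need, int timeout_ms)
{
    size_t got = 0;
    for (size_t i = 0; i < ndevs && got < need; i++) {
        int fd = open(devs[i], O_RDONLY | O_NONBLOCK | O_NOCTTY);
        if (fd < 0)
            continue;                   /* device missing: try the next one */
        got += read_bounded(fd, buf + got, need - got, timeout_ms);
        close(fd);
    }
    return got;
}

int main(void)
{
    static const char *const only_random[] = { "/dev/random" };
    unsigned char seed[NEED];
    size_t got = gather(only_random, 1, seed, NEED, 100);
    /* Single-entry list: there is no fallback, so a short read must be fatal. */
    printf("got %zu of %d bytes from /dev/random\n", got, NEED);
    return got == NEED ? 0 : 1;
}
```

With a one-entry list, a device that is not readable within the wait window yields fewer bytes than requested, so the caller has to treat a short result as an error instead of continuing with a partially filled seed buffer.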