[openssl-users] Openssl FIPS uses /dev/urandom by default?
John Foley
foleyj at cisco.com
Thu Nov 12 16:51:06 UTC 2015
Entropy collection is outside the FIPS boundary. If you don't want to
modify the code, you can pass in -DDEVRANDOM using CFLAGS and set it to
whatever value you desire. For instance, maybe you have a hardware
device mapped to /dev/entropy that provides sufficient random data to
seed the DRBG.
On 11/12/2015 11:35 AM, Ethan Rahn wrote:
> xxiao,
>
> Are you sure you can't modify that? My understanding of FIPS mode is
> that you cannot modify the FIPS code canister, which entropy sources
> are not a part of.
>
> Cheers,
>
> Ethan
>
> On Thu, Nov 12, 2015 at 8:08 AM, xxiao8 <xxiao8 at fosiao.com> wrote:
>
> in e_os.h I saw
> ======
> #ifndef DEVRANDOM
> /* set this to a comma-separated list of 'random' device files to
>  * try out. My default, we will try to read at least one of these files */
> #define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
> #endif
> ======
> This basically sets /dev/urandom as the default, which really is
> not FIPS-friendly. Is there a way to override this during
> compilation to set the default to /dev/random instead? I'm not
> supposed to modify the source code, as it will invalidate the
> openssl-FIPS certificate.
>
> Thanks,
> xxiao
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
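The override John describes, as an added example that is not from the thread or from OpenSSL's own code: it keeps the same DEVRANDOM default as the quoted e_os.h snippet, shows why the macro is a comma-separated list (it expands into an array initializer), and uses an assumed try-each-device seeding loop, not OpenSSL's RAND_poll. Build it as-is for the default list, or with `cc -DDEVRANDOM='"/dev/random"' devrandom_demo.c` to make /dev/random the only device tried.

```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#ifndef DEVRANDOM
/* Same default list as the e_os.h snippet quoted in the thread; an
 * override from CFLAGS, e.g. -DDEVRANDOM='"/dev/random"', replaces it. */
#define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
#endif

/* The macro is a comma-separated list so it can sit inside the braces and
 * become one array element per device, with a NULL terminator appended. */
static const char *const rand_devices[] = { DEVRANDOM, NULL };

/* The device that is tried first. */
const char *first_random_device(void)
{
    return rand_devices[0];
}

/* Assumed seeding loop (not OpenSSL's RAND_poll): read up to `len` bytes
 * from the first device that opens and yields data; 0 if none worked. */
size_t seed_from_devices(unsigned char *buf, size_t len)
{
    for (size_t i = 0; rand_devices[i] != NULL; i++) {
        int fd = open(rand_devices[i], O_RDONLY);
        if (fd < 0)
            continue;               /* device absent here: try the next */
        ssize_t n = read(fd, buf, len);
        close(fd);
        if (n > 0)
            return (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char seed[32];
    size_t n = seed_from_devices(seed, sizeof seed);
    printf("%s tried first, %zu seed bytes read\n", first_random_device(), n);
    return n == 0;
}
```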