<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Entropy collection is outside the FIPS boundary. If you don't want
to modify the code, you can pass in -DDEVRANDOM using CFLAGS and set
it to whatever value you desire. For instance, maybe you have a
hardware device mapped to /dev/entropy that provides sufficient
random data to seed the DRBG. <br>
<br>
<br>
<div class="moz-cite-prefix">On 11/12/2015 11:35 AM, Ethan Rahn
wrote:<br>
</div>
<blockquote
cite="mid:CAEW9rAimTW2=GWj=UkRgYmFgYOMnj6P+3wa_NOCMFS=ZpP3cyQ@mail.gmail.com"
type="cite">
<div dir="ltr">xxiao,
<div><br>
</div>
<div>Are you sure you can't modify that? My understanding of
FIPS mode is that you cannot modify the FIPS code canister,
which entropy sources are not a part of.</div>
<div><br>
</div>
<div>Cheers,</div>
<div><br>
</div>
<div>Ethan</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 12, 2015 at 8:08 AM, xxiao8
<span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:xxiao8@fosiao.com" target="_blank">xxiao8@fosiao.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">in e_os.h
I saw<br>
======<br>
#ifndef DEVRANDOM<br>
<br>
/* set this to a comma-separated list of 'random' device
files to try out.<br>
<br>
* By default, we will try to read at least one of these
files */<br>
<br>
#define DEVRANDOM
"/dev/urandom","/dev/random","/dev/srandom"<br>
<br>
# endif<br>
======<br>
this basically sets /dev/urandom as the default which really
is not FIPS-friendly, is there a way to override this during
compilation to set the default to /dev/random instead? I'm
not supposed to modify the source code as it will invalidate
openssl-FIPS certificate.<br>
<br>
Thanks,<br>
xxiao<br>
<br>
_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a moz-do-not-send="true"
href="https://mta.openssl.org/mailman/listinfo/openssl-users"
rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
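<p>An added illustration of the override discussed in this thread; it is not OpenSSL's code and was not posted by any participant. It reuses the <code>#ifndef DEVRANDOM</code> guard quoted from e_os.h and shows how a <code>-DDEVRANDOM</code> value passed through CFLAGS replaces the default device list; the function names and the array name are assumptions, and <code>/dev/entropy</code> is the example path from the reply above.</p>

```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Added illustration, not OpenSSL source; function names are hypothetical.
 * Same guard as the e_os.h excerpt quoted in the thread: the default applies
 * only when the build did not already define DEVRANDOM, for example with
 *   cc -DDEVRANDOM='"/dev/entropy"' demo.c
 * (the outer single quotes keep the C string quotes through the shell). */
#ifndef DEVRANDOM
# define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
#endif

/* The comma-separated macro expands directly into an array initializer. */
static const char *seed_devices[] = { DEVRANDOM };

size_t seed_device_count(void)
{
    return sizeof(seed_devices) / sizeof(seed_devices[0]);
}

/* Try the devices in list order and fill buf from the first one that
 * delivers all n bytes. Returns the index used, or -1 if none did. */
int seed_from_devices(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < seed_device_count(); i++) {
        int fd = open(seed_devices[i], O_RDONLY);
        if (fd < 0)
            continue;               /* missing or unreadable: try the next */
        size_t got = 0;
        ssize_t r;
        while (got < n && (r = read(fd, buf + got, n - got)) > 0)
            got += (size_t)r;
        close(fd);
        if (got == n)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    unsigned char seed[32];
    int used = seed_from_devices(seed, sizeof(seed));
    for (size_t i = 0; i < seed_device_count(); i++)
        printf("%s%s\n", seed_devices[i], (int)i == used ? "  <- used" : "");
    return used < 0;
}
```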
</body>
</html>